This manual has been produced by the Twinning Project TR07-IB-FI-02, which is funded by the European Union.
TABLE OF CONTENTS
LIST OF ABBREVIATIONS 6
INTRODUCTION 7
TABLE OF ROLES AND RESPONSIBILITIES 10
CONTROL ENVIRONMENT 15
1 INTRODUCTION 15
2 Internal Control Standards 15
3 LEGISLATION 16
3.1 Legal Basis 16
4 ETHICAL VALUES AND INTEGRITY 19
4.1 What is Ethics 19
4.2 Current Legislation on Ethics 19
4.3 Main Ethical Behaviours that are Expected from Civil Servants 21
4.4 Ethical Behaviours that are Expected from Public Managers 21
4.5 Ethics Training 21
5 MISSION, ORGANISATIONAL STRUCTURE AND DUTIES 21
5.1 Mission 22
5.2 Organisational Structure 22
5.3 Job Descriptions 23
6 COMPETENCE AND PERFORMANCE OF PERSONNEL 26
6.1 Transition to Human Resources Management from Personnel Management 27
6.2 Activity Areas in Human Resources Management 27
7 DELEGATION OF AUTHORITY 28
7.1 Determination of Delegation of Authority 29
7.2 Delegation of Authority and Work Flow Process 29
7.3 Delegation of Authority and Responsibility 29
7.4 Factors of Delegation of Authority 29
7.5 Delegation of Authority and Communication 30
8 INTERNAL CONTROL AND RISK STEERING BOARD 30
8.1 Roles and Members of the Board 30
8.2 The Board's Scope of Duty 31
RISK MANAGEMENT 33
1 Introduction 33
2 Risk Management Standards 33
3 Benefits of Risk Management for Administrations 33
4 Critical Achievement Factors for an Effective Risk Management 34
5 Risk Strategy and Policy Paper 34
6 TASKS, AUTHORITIES AND RESPONSIBILITIES 35
6.1 Head of Administration 36
6.2 Internal Control and Risk Steering Board (ICRSB) 37
6.3 Administrative Risk Coordinator 37
6.4 Unit Risk Coordinator 38
6.5 Sub-Unit Risk Coordinator 38
6.6 Employees 38
6.7 Internal Auditor 39
6.8 Strategy Development Unit 39
6.9 Central Harmonisation Unit 39
7 RISK MANAGEMENT PROCESS 39
7.1 Identifying Risks 41
7.2 Risk Assessment 45
7.3 Responding to Risks 49
7.4 Reviewing Risks 54
7.5 Communication and Reporting 55
7.6 Learning 57
RISK MANAGEMENT ANNEXES 59
ANNEX 1 Using the brainstorming method to identify, assess and record risks 59
ANNEX 2 Risk Voting Form 61
ANNEX 3 Risk Register 61
ANNEX 4 Consolidated Risk Report 64
ANNEX 5 Risk Assessment Criteria Table 66
ANNEX 6 Case Study Example of Inherent and Residual Risk 68
ANNEX 7 Case Study Example of completed Risk Voting Form, Risk Register and Consolidated Risk Report 69
CONTROL ACTIVITIES 72
1 Introduction 72
2 Control Activities Standards 72
3 Planning Process of Control Activities 73
4 Classification of Control Activities 73
4.1 Preventive Controls 73
4.2 Corrective Controls 74
4.3 Directive Controls 74
4.4 Detective Controls 74
5 Methods of Control Activities 75
5.1 Authorisation and Approval 76
5.2 Segregation of Duties 76
5.3 Double Signature System 76
5.4 Reconciliation of Data 77
5.5 Supervision Procedures 77
5.6 Ex-ante Financial Controls 77
5.7 Procedures for Accounting Operations 77
5.8 Anti-corruption 78
5.9 Access to Assets and Information 78
5.10 Documentation, Archiving and Storing of Information 78
5.11 Business Continuity (or Emergency Plans) 79
5.12 Control Activities Related to Information Technology (IT) 79
5.13 Assessing Costs and Benefits of Control Activities 80
6 Practical Stages for Control Activities 81
7 Steps to Identify and Implement Control Activities 83
CONTROL ACTIVITIES ANNEXES 84
Annex 1 Examples of Some Common Risks and Controls 84
Annex 2 List of Common Control Activities 87
Annex 3 Illustrations for Cost Benefit Analysis 95
INFORMATION AND COMMUNICATION 97
1 INTRODUCTION 97
2 Information and Communication Standards 97
3 ROLES AND RESPONSIBILITIES IN INFORMATION AND COMMUNICATION 98
Minister 98
Head of Administration 98
Internal Auditor 98
Authorising Officer 98
Realisation Officer 99
Accounting Officer 99
Strategy Development Units 99
Central Harmonisation Unit 99
4 INFORMATION 99
4.1 Characteristics of Information 99
4.2 Information Management 100
4.3 Information Security 106
5 MANAGEMENT INFORMATION SYSTEMS (MIS) 108
5.1 Stages of Establishing MIS 109
6 COMMUNICATION 110
6.1 Internal and External Communication 111
6.2 Communication Methods 113
7 WHISTLEBLOWING OF FAILURES, IRREGULARITIES AND FRAUD 114
7.1 Concepts of Failure, Irregularity, Fraud and Whistleblowing 115
7.2 Scope of Notifications 115
7.3 The Responsibility for Detecting Faults, Irregularities and Fraud 116
7.4 Whistleblowing System 116
8 RELATIONS AMONG UNITS 119
8.1 Information and Communication between the CHU and SDUs 119
8.2 Information and Communication between SDUs and Spending Units 119
INFORMATION AND COMMUNICATION ANNEXES 120
Annex 1 Legislation on Information and Communication 120
Annex 2 Widely Used Methods of Communication 121
Annex 3 Reports Prepared under PFMC Law No 5018 124
Annex 4a Whistle-Blowing Process Related to Ethical Values 125
Annex 4b Whistleblowing and Evaluation Process for Crimes Committed by Civil Servants 126
MONITORING 127
1 Introduction 127
2 Monitoring Internal Control Standards 128
3 Roles and Responsibilities 128
3.1 Senior Manager 128
3.2 Internal Audit 128
3.3 Internal Control and Risk Steering Board (ICRSB) 128
3.4 Authorising Officers 128
3.5 Strategy Development Units (SDU) 129
3.6 Other Managers and Employees 129
3.7 External Audit 129
3.8 Central Harmonisation Unit (CHU) 129
4 Guidance by the CHU 130
5 Assessment and Reporting Role of SDUs 131
5.1 Assessment of Internal Control System by SDUs 131
5.2 Reporting of Internal Control System Evaluation Results 132
5.3 Monitoring of Internal Control System Evaluation Reports 133
5.4 Work to be Carried Out by SDUs Concerning Internal Audit Reports 134
6 Internal and External Audits 136
6.1 Internal Audit 136
6.2 External Audit 137
7 Internal Control Assurance Declarations 138
7.1 How to Complete Internal Control Assurance Declarations 139
MONITORING ANNEXES 146
Annex 1 Internal Control System Question Form 146
Annex 2 Internal Control System Evaluation Report 162
Annex 3a Internal Control Assurance Declaration: Senior Manager 163
Annex 3B Internal Control Assurance Declaration: Authorising Officer 167
Annex 3b Internal Control Assurance Declaration: Head of SDU 170
Annex 4 Example of a Complete Declaration 171
GLOSSARY 174
LIST OF ABBREVIATIONS
ARC Administrative risk coordinator
BiMER Prime Ministry Communication Centre
CHU Central Harmonisation Unit
COBIT Control Objectives for Information and Related Technology
COSO Committee of Sponsoring Organisations of the Treadway Commission
DHSDU Declaration by Head of Strategy Development Unit
e-SAC Electronic System Audit and Control
FMC Financial Management and Control
HRM Human Resources Management
ICAD Internal control assurance declaration
ICRSB Internal Control and Risk Steering Board
INTOSAI International Organisation of Supreme Audit Institutions
ISO/IEC International Organisation for Standardization / International Electrotechnical Commission
IT Information Technology
MERNIS Central Civil Registration System
MIS Management Information System
PESTLE Political Economic Social Technological Legal and Environmental
RSPD Risk Strategy and Policy Document
SDU Strategy Development Unit
SMART Specific Measurable Achievable Relevant Time-related
SURC Sub-unit Risk Coordinator
SWOT Strengths Weaknesses Opportunities and Threats
TGNA Turkish Grand National Assembly
TSE Turkish Standards Institute
URC Unit Risk Coordinator
UYAP National Judicial Information System
INTRODUCTION

From the late 20th century onwards, the focal point of governments all over the world has been to establish mechanisms to increase performance. "Good governance", put forward to serve this end, has recently come to be a guiding principle for both the private sector and the public sector. Within the framework of the principle of good governance, such factors as ensuring accountability for the provision of better quality public services, improvement of transparency, delegation of authorities and responsibilities by means of managerial flexibility, outcome-oriented management and budgeting, and understanding and meeting the expectations of citizens have come to the foreground.

On the other hand, the provision of quality public services has brought along the need for public resources to be used effectively, efficiently and economically, thus necessitating the usage of effective tools in public administrations in many areas related to financial management and control, from organisational structure to information and monitoring. The most important tool for accountability adopted in this reform process is internal control.

Internal Control

Internal control, which is used internationally, is a system designed to give reasonable assurance that the objectives of a given administration will be attained. Within the framework of the Committee of Sponsoring Organisations (COSO) model, which is the most widely known among the others, internal control aims to ensure the compliance of actions and works with the legislation, the reliability of financial and managerial reporting, and effective and efficient asset protection. COSO, which is made up of the control environment, risk management, control activities, information and communication, and monitoring components, is an internal control model that is also accepted as a reference point by such institutions as the International Organisation of Supreme Audit Institutions (INTOSAI) and the European Commission. The following figure shows the components of COSO.

IN Figure 1 The COSO Cube

Our country, on the other hand, which has been carrying on membership negotiations with the EU, has been going through a reform process since the early 2000s with a view to strengthening its public internal control system. The basic factors of the internal control system, which is recommended by the European Commission to all the candidate countries and is in compliance with COSO, can be summarized as a financial management and control (FMC) system based on managerial responsibility and accountability, a functionally independent internal audit activity, and a Central Harmonisation Unit (CHU) responsible for the harmonisation of these two areas in the whole public sector.

FMC refers, in the most general terms, to the management and control processes related to public revenues, expenditures, assets and obligations. In this context, public managers at every level are responsible for the establishment and sustainability of a sound FMC system to ensure resource-based planning, programming, budgeting, accounting, controlling, reporting, archiving and monitoring. Internal audit, on the other hand, which assists the manager in assuming this responsibility and attaining the objectives, gives objective assurance based on risk management and provides guidance regarding the compliance of the current FMC system with the identified rules and standards. Furthermore, a full-capacity and quality central harmonisation activity is required in order to identify and develop methodologies, legislation and standards in the areas of FMC and internal audit in public administrations, as well as to coordinate and monitor them and provide the training needed.

In the light of best practice examples, our country has taken important steps in strengthening transparency and accountability in public financial management and ensuring an effective internal control function. Public Financial Management and Control Law No 5018, which is the most important step among the others and was adopted in 2003, defines the functioning of the internal control system and the roles and responsibilities of the actors involved in the system, and assigns the Ministry of Finance (MoF) the duty of identifying standards and methods as well as ensuring coordination and providing guidance in this area. As per this duty, the MoF published a Public Internal Control Standards Communiqué in 2007 which was in compliance with the international standards.

The Financial Management and Control Manual, which is an extension of all these works, has been prepared with a view to supporting decision-making and implementation processes for better management, and thus contributing to the rational usage of public resources. The Manual, the preparation of which was started in 2010 and completed in the first quarter of 2011, is the outcome of painstaking work carried out by experts both from the United Kingdom and our country within the framework of a twinning project financed by the European Union.

The FMC Manual has been designed with a view to ensuring the implementation of internal control standards, as a guideline which explains all the basic factors of internal control by means of methods, tools and examples that can be used by all the stakeholders. In addition, it is also possible for administrations to use, according to their own needs, tools other than this Manual, which can be modified and revised in time in line with the changing circumstances and needs in public administrations; however, it is foreseen that the tools adopted should not be in conflict with the basic requirements contained in the Manual.

This Manual is made up of five main parts based on the Internal Control Standards. Following this introduction, there is a table showing the main responsibilities of the major actors in financial management and control.

In the first part, conceptual explanations are given regarding ethical values and integrity; mission, organisational structure and duties; competence and performance of personnel; and delegation of authority, which are the milestones of the control environment, together with information on the legislation and implementing tools.

In the second part, information is given on the importance and aim of risk management, the stages of the risk management process, the roles and responsibilities of the actors involved in the process, the Risk Strategy and Policy Document, and the communication and reporting tools that can be used.

In the third part, control strategies and methods, identifying and documenting procedures, the principle of separation of authorities, hierarchical controls, sustainability of activities and information processing controls are explained within the framework of control activities, which are closely related to risk management, and a set of control activities (approval, authorisation, verification, reconciliation of accounts, etc.) are dealt with.

In the fourth part, the concept of information and its management, the functioning of Management Information Systems, internal and external communication tools and reporting mechanisms are handled within the framework of the information and communication component.

In the fifth part, within the framework of regular monitoring and assessment of the internal control system, information is given on the roles and responsibilities of the Financial Management and Control Central Harmonisation Unit (FMC CHU) in the overall public sector and of the Strategy Development Units (SDU)/Financial Services Units in each public administration, as well as on the tools used, the internal control system quality assurance development program, the roles of internal and external audit, the content of the Internal Control Assurance Declaration and guidance on how to fill in the Declaration.

In the last part of the manual, a glossary of the concepts used in the manual is given.

Users of the Manual

Besides the relevant stakeholders and users, it is believed that this Manual will be a reference document for the following:
• Senior managers responsible for establishing an effective and adequate FMC system as well as observing and monitoring it
• Authorising officers who have the responsibility, within the scope of their duties and authorities, to ensure the functionality of internal control regarding administrative and financial decisions and proceedings
• Relevant managers and employees of the Ministry of Finance who carry out the central harmonisation duty in the area of FMC
• Managers of SDUs and financial services experts who have responsibility for the development of the internal control system and the implementation of the standards
• Realization officers and accounting officers who are involved in the financial processes and accountable to authorising officers
• Other public managers who have responsibilities arising from the activities conducted in the area of FMC in units
• All the employees working in public administration
• Internal auditors who have the responsibility to assess the effectiveness of the FMC system and report to the Head of Administration
• External auditors who are responsible for examining the accounts, financial transactions, activities and internal control systems of public administrations, as well as whether resources are used effectively, efficiently and economically and in compliance with the laws, and for reporting the results to the TGNA
TABLE OF ROLES AND RESPONSIBILITIES

MINISTER
Risk Management: Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister should be aware of the potential risks to the administration's objectives.
Information and Communication: He ensures coordination and cooperation with the other ministries and informs public opinion and the TGNA about the annual performance programme and activity report of the administration.
Monitoring: Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister is responsible for ensuring effective monitoring of the internal control system.

HEAD OF ADMINISTRATION
Risk Management: He defines strategies and policies for an effectively functioning risk management system in accordance with the aims and objectives of his administration. He explicitly defines tasks, roles and responsibilities. He ensures the participation of the stakeholders and the public.
Information and Communication: As the quality of the information exchange and communication between the head of administration and the other actors has a direct effect on the accountability of the head of administration, he must inform the relevant units about the frequency and methods of feedback he prefers. He ensures effective communication among spending units, SDUs and internal audit.
Monitoring: He is responsible for observing and monitoring the functioning of the financial management and control system. He approves the annual internal control system evaluation reports and signs the Internal Control Assurance Declaration.

INTERNAL CONTROL AND RISK STEERING BOARD
Risk Management: The Board develops policies for the improvement of risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the units of the policies and procedures for coordination purposes. The ICRSB determines a particular number of risks which it deems significant as the key risks among those risks that are submitted to it, and reports to the Head of Administration, at regular intervals or whenever it deems necessary, whether these key risks function well or not.
Information and Communication: It provides the Head of Administration with timely and accurate information about the effectiveness of internal control and risk management.
Monitoring: It assesses the internal control system evaluation reports prepared by the strategy development unit as a result of the annual evaluation of the internal control system and, after identifying any shortcomings of the report, submits it with the relevant opinions for the approval of the Head of Administration.

AUTHORISING OFFICER
Risk Management: He acts as the unit risk coordinator or assigns someone to act as such. The URC coordinates the management of the unit's risks that may have an impact on the objectives of the administration and provides guidance to this end.
Information and Communication: He ensures that the tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff. He ensures that sub-units are informed about each other's activities. He ensures that an effective communication and archiving system is established for the information related to the objectives and activities of the unit.
Monitoring: He has responsibility for continuously monitoring the internal control system. He provides the necessary information to strategy development units regarding the annual evaluation of the internal control system, completes the internal control questionnaire and annually signs the internal control assurance declaration to be submitted to the Head of Administration.

HEAD OF DEPARTMENT/UNIT
Risk Management: He is responsible for the coordination of risk management activities within the sub-units of the spending units in administrations (if there are such units or their management at this level is deemed appropriate). He is directly accountable to the URC regarding risk management.
Information and Communication: He ensures that an effective communication and archiving system is established within the sub-unit for the information related to its objectives and activities. He ensures that the tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff. He is accountable to the authorising officer.
Monitoring: He has responsibility for continuously monitoring the internal control system. He supports the authorising officer in providing SDUs with information.

EMPLOYEES
Risk Management: Every employee is directly responsible for managing risks in their fields of duty (identifying, assessing, responding to, reviewing and reporting risks).
Information and Communication: Every employee is responsible for delivering accurate and timely information to managers, colleagues and stakeholders by using the right communication means.
Monitoring: They observe the functioning of the internal control system and, in case of a problem, they inform senior management and contribute to the evaluation process of the internal control system by providing information.

STRATEGY DEVELOPMENT UNIT
Risk Management: It organises trainings on risk management in the administration and provides guidance in this respect.
Information and Communication: It is responsible for providing the Head of Administration and the units with accurate and timely information. In addition, it is responsible for providing the units with guidance and trainings in the area of internal control.
Monitoring: It annually assesses the internal control system on behalf of the Head of Administration. It signs the declaration on the functioning of the internal control system with a view to ensuring effective, efficient and economical execution of the administration's activities. Staff of Strategy Development Units take an active role in the evaluation process of internal control systems and guide the units in completing the reports regarding the evaluation.

ACCOUNTING OFFICER
Risk Management: Within the scope of his duty, the Accounting Officer should identify and manage the financial risks.
Information and Communication: The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way.
Monitoring: Accounting Officers must regularly report to the authorising officer on the accounting records.

CENTRAL HARMONISATION UNIT
Risk Management: It is responsible for such activities as making regulations and changes when necessary, carrying out developmental activities, and ensuring guidance, harmonisation, inter-administrational coordination and reporting.
Information and Communication: It is responsible for making arrangements, setting out standards, providing guidance and advice, ensuring harmonisation and coordination among administrations, and monitoring and reviewing the implementation in the fields of financial management and control and internal audit.
Monitoring: It annually assesses the functioning of internal control systems in public administrations based on the Internal Control Evaluation Reports approved and submitted by senior managers, and submits the evaluation report it prepares to the Head of Administration and the Minister of Finance.

INTERNAL AUDIT
Risk Management: The internal auditor provides the Head of Administration with advice regarding risk management by evaluating whether the risk management process is effective and whether risks are managed in the right way or not.
Information and Communication: He examines the functioning of the information and communication system in the administration and reports the results to the Head of Administration. There must be an effective communication system between the Head of Administration and internal audit.
Monitoring: It has the function of providing the management with information about the sufficiency, effectiveness and functioning of the internal control system, as well as making evaluations and giving recommendations.

EXTERNAL AUDIT
Risk Management: Within the framework of performance management, it can audit the functioning of risk management processes in administrations.
Information and Communication: Within the framework of performance management, it can audit the functioning of information and communication systems in administrations.
Monitoring: The Court of Accounts can assess the internal control systems in administrations during the audits it conducts and give recommendations.
CONTROL ENVIRONMENT

Figure: COSO components (Control Environment, Risk Management, Control Activities, Information and Communication, Monitoring)

1 INTRODUCTION

According to the COSO model, the control environment is the creation of the basic infrastructure for the other components of internal control by providing internal control awareness for the employees working in a particular administration. The control environment generally includes the internal control awareness, values, working styles and procedures of the administration. The basic factors of the control environment are summarized below.

CE Box 1 Basic Factors of the Control Environment
• Principles of personal and professional integrity
• Adoption of ethical values by management and personnel
• Supportive attitude of senior management towards internal control
• Organisational structure
• Professional competence and performance of personnel
• Human resources policies and practices
• Management philosophy and working style

The creation and sustainability of a positive and supportive environment for internal control by the management is of great importance. As employees also have their relevant roles in carrying out internal control, all the individuals within the administration need to know their responsibilities and authorities very well. Employees need to uphold personal and professional integrity and ethical values and comply with the current behavioural norms. In a well-functioning control environment, the public administration should determine its mission, organisational structure and terms of reference in advance, and should regularly assess the performance of personnel.

2 Internal Control Standards

Four standards were determined regarding the control environment among the Public Internal Control Standards.

CE Box 2 Control Environment Standards
Standard 1 Ethical values and integrity: It should be ensured that the rules which regulate how personnel behave are known by the personnel.
Standard 2 Mission, organisational structure and duties: The mission of the administration and the job descriptions for units and personnel should be set out in writing and announced to the personnel, and a suitable organisational structure should be established in the administration.
Standard 3 Competence and performance of personnel: Administrations should ensure compatibility between the competence and duties of personnel and take action on performance appraisal and improvement.
Standard 4 Delegation of authority: The administration should explicitly identify authorities and the limits of delegation of authority and announce them in writing. Authority should be delegated by taking into consideration the importance and risk of the authority to be delegated.

This part gives explanations regarding the relevant legislation and standards with a view to rendering the Public Internal Control Standards more comprehensible and guiding practice. It also stresses the methods to be applied for the ethical values and integrity principles to be owned by senior management and adopted by personnel, which is very important for a well-functioning control environment. Criteria are also determined for the assessment of the competence and performance of personnel, and explanations are given on the determination of mission, organisational structure and duties. Moreover, the part explains how the delegation of authority, which is a priority for accountability, needs to be conducted.

3 LEGISLATION

3.1 Legal Basis

In utilising public resources or in providing effective and efficient public services, the principles and procedures of a work, financial or non-financial, are determined by the regulations made by laws or by the central administration.

Internal Control Standards provide the minimum and overall framework for managers for giving assurance on the provision and sustainability of services. In the following diagram, the international and national standards and legislation relating to the Control Environment are given.
CE Figure 1 Legal Basis Framework regarding Control Environment
Part Five of Law No 5018 regulates the 'internal control system'. Within this framework, in order to establish an effective and sufficient internal control system, the top manager and the other managers should take the necessary action to ensure that the following factors are implemented:
• Having professional values and an integral management understanding
• Assignment of financial authorities and responsibilities to informed and competent managers and personnel
• Compliance with the standards set
• Prevention of actions that are opposed to the legislation
• Provision of a proper working environment and transparency with a comprehensive management understanding

The main legislation related to the control environment is given below.
CE Table 1 Main Legislation on the Control Environment Standards

Control Environment Standard 1: Ethical Values and Integrity
Related legislation:
• Law No 5176 on the Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws
• Legislation on Ethical Behaviour Principles and Application Principles and Procedures of Civil Servants

Control Environment Standard 2: Mission, Organisational Structure and Tasks
Related legislation:
• Law No 3046
• Decree Law No 217 on the Establishment and Duty Principles of the State Personnel Presidency
• Strategic Planning Guideline for Public Administrations

Control Environment Standard 3: Competence and Performance of Personnel
Related legislation:
• Turkish Constitution
• Law No 657 on Civil Servants; Law No 2802 on Judges and Public Prosecutors; Law No 2914 on Higher Education Staff; Law No 926 on Turkish Armed Forces Personnel; Law No 3269 on Specialized Sergeants; Law No 3466 on Specialized Gendarmerie; Law No 4678 on Contracted Officers and Petty Officers to be Recruited into the Turkish Armed Forces
• Regulation on Examinations for Those to be Appointed to Public Duties for the First Time
• Regulation on Appointment Conditions for Public Services of Disabled Persons and Competition Examinations to be Conducted
• Special Regulations Prepared by Administrations (expert, coordinator, inspector, etc.)
• General Regulation on Training of Candidate Civil Servants
• Registry Regulation for Civil Servants
• Regulation on Civil Servants to be Sent Abroad for Training Purposes
• General Regulation on the Principles of Promotion and Title Change in Public Administrations and Entities
• Regulation on Promotion and Title Change in Supreme Institutions and Agencies of Higher Education

Control Environment Standard 4: Delegation of Authority
Related legislation:
• Law No 3046
• Law No 2547 on Higher Education
• Law No 5393
• Organisational Laws
• Communiqué Serial No 1 on Authorising Officers
4 ETHICAL VALUES AND INTEGRITY
41 What is Ethics
Ethics is a body of moral principles which forms the basis for the behaviours of a
person In other words ethics is the guidelines values principles and standards which help
people determine lsquohow to do worksrsquo Ethics is at the same time a process In this process while
making and implementing decisions actions are carried out upholding particular values
The aim of observing ethical behaviour principles is to prevent corruption and
upholding integrity in a state and community
4.2 Current Legislation on Ethics
Law No 5176
The Law sets out the establishment, duties, working principles and procedures of the Civil Servants Ethical Board, which determines and monitors the implementation of the ethical values that civil servants must observe, such as transparency, impartiality, accountability and observing public interests. However, the scope of the Law is so narrow that it diverges from its original aim (the provisions of the Law are not applied to the President, Members of the TGNA, Members of the Council of Ministers, officials of the Turkish Armed Forces and officials of the judiciary).
The Civil Servants Ethical Board is authorised and responsible for determining ethical behaviour principles through the legislation it prepares; conducting the relevant ex-officio examinations and investigations, as well as examinations and investigations upon applications concerning violations of ethical behaviour, and notifying the relevant authorities of the results; carrying out studies to establish ethical behaviour in the community; and supporting studies to be carried out in this field.
Within the framework of the laws, applications can be made to the Board with allegations of violation of ethical behaviour principles concerning civil servants of at least director general or equivalent position in a public administration or institution.
Applications made with allegations of violation of ethical principles concerning other civil servants are evaluated by the concerned boards of the relevant administrations, which determine whether there is a situation contrary to ethical value principles. The results of the evaluations are communicated to the applicant and to whom it may concern.
The Board conducts examinations and investigations regarding the applications referred to it in order to establish whether ethical value principles have been violated. The Board has to conclude examinations and investigations conducted upon whistle-blowing or complaint applications within three months at most. The results of the examinations and investigations are communicated in writing to the relevant authorities and to the Prime Ministry. (For further information, please refer to the "Information and Communication" chapter.)
Legislation on Civil Servants Ethical Behaviour Principles and Application Procedures
Civil servants are liable to observe ethical behaviour principles while fulfilling their duties and to sign the Ethical Contract document. Authorised appraisal managers in administrations and institutions assess the performance and employment records of personnel in terms of compliance with ethical values.
CE Figure 2 demonstrates the ethical behaviour principles determined in the Legislation.
CE Figure 2 Ethical Behaviour Principles
(Figure: the ethical behaviour principles shown are public service awareness in fulfilment of duties; service awareness for the public; compliance with service standards; commitment to aims and mission; integrity and impartiality; esteem and trust; courtesy and respect; notification of authorised bodies; avoiding conflict of interest; not abusing duties and authorities to draw benefits; prohibition of giving presents and drawing benefits; utilisation of public properties and resources; being economic; binding explanations and unreal declarations; informing, transparency and participation; accountability requirement for managers; relations with the previous civil servants; granting declaration of property.)
4.3 Main Ethical Behaviours that are Expected from Civil Servants
- Observing high ethical standards at all times and working to increase public trust in the state and civil servants for the public benefit
- Behaving in compliance with ethical values and principles when fulfilling duties, obtaining and using public resources, and purchasing goods and services from outside
- Showing respect for colleagues and users of services, and exhibiting impartial and fair behaviour
- Having a participatory decision-making process by taking the views of colleagues and users of the services into consideration
- Appreciating and announcing the good work colleagues do
- Not abusing public authorities and resources for personal benefit, and not favouring relatives or friends in the use of public services
- Being careful about possible and real conflicts of interest
- Assuming responsibility for decisions and behaviours
- Filling in the property declaration forms in time, accurately and without any reservation
- Not working in a second job prohibited by the Legislation, other than the public service
- Not establishing private relationships with persons and firms that are in connection with the administration the civil servant works in
- Warning other civil servants whose behaviour is not in compliance with ethical principles, and notifying the authorities in case the warning turns out to be fruitless
4.4 Ethical Behaviours That are Expected from Public Managers
While fulfilling their duties, managers should:
- Inform all civil servants of the overall aims, main objectives and values of the administration
- Create a positive working environment where behaviour expectations are clearly defined and any violations are identified and corrected
- Assume full responsibility for the activities of the administration
- Take into consideration the merits, current behaviour and developmental potential of personnel when appointing to a position
- Behave in a fair, equal and impartial way towards all personnel
- Solve problems and conflicts in a quick and fair manner
- Be consistent, reliable, predictable, fair and objective in decisions and behaviour
- Set a personal example in terms of ethical principles and values
- Maintain the highest possible standards of efficiency and effectiveness at work
4.5 Ethics Training
One of the most important prerequisites for establishing a culture in the administration that is based on ethical values and principles is ethics training. All personnel at every level employed in public administrations and institutions need to be informed of the ethical behaviour principles and their responsibilities related to these principles.
Administration and institution managers are liable to include ethical behaviour principles in the basic, preparatory and in-house training programmes implemented for civil servants.
5 MISSION, ORGANISATIONAL STRUCTURE AND DUTIES
The mission of an administration is the cause of existence of the administration and its place within the state structure. The organisational structure ensures that the duties carried out to attain the objectives and aims of the administration are controlled and monitored. The duties carried out by the administration are led by the mission and the organisational structure. These factors, which complete each other, form an important basis for the other components of the internal control system.
5.1 Mission
Public administrations set out their missions, visions, aims, objectives and strategies in strategic plans. As the Strategic Planning Guideline for Public Administrations states, the mission is the cause of existence of an administration. In this regard, the mission covers all the services and activities an administration carries out. In other words, the mission is the answer to such questions as what the public administration does, and how and for whom it does it. The mission should be sound, realistic and participatory in order to lead the administration, and should be developed according to changing conditions and needs. It is also proper to receive opinions from personnel and stakeholders when forming and updating the mission.
The following should be taken into consideration in the mission declarations of administrations:
- The mission should be up-to-date, precise and clear
- The mission should be determined in line with the established aims of the administration, not the process of service provision
- While determining the mission, the tasks and authorities granted to the administration by legal regulations should be taken into consideration
- In the mission statement, the people and entities that the administration provides services for and the goods and services that the administration offers should be stated
CE Box 3 Mission Example
For the mission, which is very important for the public administration, to be achieved, personnel should be sufficiently informed about the mission of the administration they are affiliated to. Being informed about the mission and adopting it will guide the decisions and activities of the administration and help personnel understand their duties within the administration. To this effect, the mission should first be set down in writing and announced to the personnel, and a system should be developed for the mission to be adopted by the personnel. On the other hand, the job descriptions of the sub-units should be determined in writing in compliance with the mission, and compliance with the mission should be regularly reviewed.
5.2 Organisational Structure
The organisational structure of the administration is another important factor which influences the control environment. The organisational structure provides a framework for the attainment of the aims and objectives of the administration.
In order to establish a proper control environment, the organisational structure should:
- Indicate the division of authorities and responsibilities within the organisation
- Include accountability mechanisms and the relevant reporting lines which will ensure the functionality of these mechanisms
- Indicate the coordination and integration points
CE Box 3 Mission Example (text of the box): "Carrying out research, training and publishing activities, developing and supporting projects for strengthening and increasing the problem-solving capacity of families and for identification and solution of the problems, in cooperation with the institutions and organisations, in the light of scientific and ethical values." (General Directorate of Family and Social Research, 2007-2011 Strategic Plan)
Organisational structures of administrations are generally determined by organisational laws prepared in compliance with the framework set in Law No 3046, and the duties of administrative units (main service, consultation/audit and support units) are shaped in these organisational laws. The duties of the sub-units of administrations, on the other hand, are determined in administrative regulations such as circulars and regulations, not in the organisational laws.
Furthermore, the organisational structures of public administrations which fall under the scope of local administration are determined by Law No 5393 on Municipalities, Law No 5216 on Metropolitan Municipalities, Law No 5302 on Special Provincial Administration and Law No 5355 on Local Administration Unions.
The mission of the administration is achieved by the activities carried out by the units of the administration and their sub-units, and by the units of the local administration. Within this framework, the duties of both units and sub-units should be in compliance with the mission of the administration.
Relevant changes regarding the organisational structure, units and sub-units of the administration and the duties carried out by these units and sub-units can be made by amending the organisational law or revising the administrative regulations, according to the circumstances, within the framework of the reviewing activities in question.
5.3 Job Descriptions
As stated in the Public Internal Control Standards, the written definition of the duties to be carried out by the units and sub-units of administrations, and the formation of a task distribution chart covering the duties of personnel in the administrative units and their relevant authorities and responsibilities, are important for the mission of the administration to be accomplished. Within this framework, the preparation stage of job descriptions is demonstrated below.
Public administrations can prepare their job descriptions by following the process given below.
CE Figure 3 Preparation Process of Job Descriptions
MAKING JOB ANALYSIS
Job analysis is a process in which information regarding the quality of every job carried out in the administration, the working environment the job will be carried out in, and the working conditions is collected, and the collected information is systematically examined and assessed. While making a job analysis, the following should be observed:
- Determination of the jobs to be analysed, taking into consideration the organisational structure of the administration
- Determination of the objective
- Formation of the team to make the analysis (it is essential that the team members making the analysis be selected from inside the administration; however, it is possible to receive counselling from outside when necessary)
KEY QUESTIONS IN JOB ANALYSIS
- What are the requirements of the job (in terms of knowledge, experience and competence)?
- How is the job done?
- When is the job done?
- Where is the job done?
- Why is the job done?
- What are the assistive tools for the job (equipment)?
- What kinds of outputs are obtained?
Job analysis does not have a value on its own. It is only valuable when it contributes to attaining the objectives of the administration. Therefore, the analysis should start by understanding the philosophy, mission and objectives of the administration and the role and importance of every unit within the administration, and should continue in this direction.
The findings gathered from the job analysis should be submitted in a systematic and consistent way, and the job descriptions formed according to these findings should be submitted to top management once the final draft has been completed.
At minimum, job descriptions should include the following:
- Unit & sub-unit
- Name of the job (name of the position)
- Title that the job has
- Level of competence (areas of responsibility, information, problem solving)
- Basic duties and responsibilities
- Authorities
- Required skills and abilities for the job
- Its relation with the other jobs
- Approval section and section regarding the communiqué to personnel
The State Personnel Presidency has determined standard job descriptions for some titles (chief programmer, warehouse official, statistician, personnel titled as inspector in the municipalities, etc.). In this process, public administrations may receive guidance from the State Personnel Presidency.
5.3.1 Sensitive Duties
Some of the duties carried out in a public administration assume more importance than others because of their nature, in terms of the esteem of the administration, risk of corruption, disclosure of secret information, etc. Therefore, more importance is attached to the integrity of the personnel who carry out the duty in question.
At least the following should be assessed when deciding whether a duty is sensitive or not:
- Capacity to make important decisions that can impact the administration's objectives
- Relations with third parties and administrations outside the administration which can impact decisions
- Regular access to confidential information
- Whether financial transactions of high value are involved
- Whether the duty requires special expertise at a high level
- Other criteria that can be introduced by administrations
According to the criteria in question, the administration should determine sensitive duties, develop control mechanisms to mitigate the risks identified, and review changes that occur in the level of risk.
The following table demonstrates the fields of activity which can be sensitive for administrations and gives examples regarding these fields.
CE Table 2 Examples of Sensitive Duties
Areas of Management | Examples of Sensitive Duties
Financial management | Accounting; managing payments; analysing the financial reports
Commitment process | Membership of the Tender Commission; contracting process; process of examining and accepting; publishing tender documents
Human resources management | Definition of positions; job description; recruitment process; assessment; implementation of the salary system
Information management systems | Access to the system and controls; security of the systems and key documents; developing the system
Support services | Controlling valuable stocks
CE Figure 3 (continued)
ANNOUNCING JOB DESCRIPTIONS TO THE PERSONNEL
Job descriptions should be announced to the personnel so that they learn what they need to do, under which rules they work and what their objectives are.
UPDATING JOB DESCRIPTIONS
Job descriptions should be reviewed and updated annually.
5.3.2 Monitoring the Results of Duties
Administrations should continuously assess sensitive duties and decide what steps to take in accordance with changes in the level of the risks (such as renewing controls, identifying new sensitive duties, and re-evaluating the risk levels of sensitive duties taking cost-effectiveness into consideration).
Managers carry out the activities of administrations through written or spoken instructions. However, it may be difficult for management to monitor the results of duties for such reasons as the structure of units, organisational complexity, scattered organisation, high numbers of personnel and varied duties. Managers should develop methods such as introducing reporting mechanisms and holding regular meetings to overcome this difficulty.
6 COMPETENCE AND PERFORMANCE OF PERSONNEL
Good management of human resources aims to ensure the efficiency, effectiveness and productivity of personnel.
CE Box 4 Humans First
With the principle 'good people make good organisations', we can say that the quality of the employees of an administration is the quality of the outputs of that administration. First of all, it must be kept in mind that employees are humans, and a balance must be established between the needs of the administration and those of the employees. It is important for personal motivation that assignments be made in line with the merits and careers of employees at every stage from recruitment to retirement. The only capital an administration has which cannot be materially measured is human.
The basic aim is the selection of proper personnel for the fulfilment of the mission of the administration, appraisal of personnel, career planning for those who are successful, and ensuring they have the basic skills and adequate knowledge with a high sense of responsibility and identity.
6.1 Transition to Human Resources Management from Personnel Management
As it assumes the responsibility for identifying policies, objectives and standards in human resources management (HRM), top management plays a significant role in HRM. Besides, top management should create a transparent and accountable environment complying with laws and legislation.
The expertise that human resources managers have in this area should lead the other unit managers to apply human resources standards at every level of the administration. Furthermore, HRM is a responsibility for all levels of management, starting from top management. In line with the policies in question, unit managers, while carrying out in an effective way the tasks given to them by senior managers, should also assume such duties as orientation and training of new personnel, improvement of their work performance, developing a proper work environment and relations in which they will work in cooperation, boosting the morale and motivation of personnel, safeguarding the health of personnel, and improving the working conditions of personnel.
6.2 Activity Areas in Human Resources Management
The basic functions of HRM can be listed as follows:
- Conduction of job analyses: job descriptions; job requirements
- Labour force assessment: staff analysis; cost-benefit analysis; limitations of various legal regulations (Budget Law, Decree Law on General Cadre Procedure, etc.)
- Recruitment process: SWOT analysis (of the recruitment process); announcements in newspapers, on the internet and on the administration's billboards; developing easy application methods which meet the needs, are fair and do not lead to discrimination; an open examination process which will give confidence
- Merit and career evaluation system: promotion/achievement criteria; personnel performance indicators; appraisal system; rewarding mechanisms
- Training activities: training needs questionnaire; training programmes (theoretical and practical); training and internships abroad; post-training assessments; participation in activities such as conferences and workshops which support personal development
- Poor performance management and disciplinary practices: determining the data on which decisions about non-appropriateness for duty will be based and announcing this to all personnel; clearly determining the criteria to terminate duties and announcing these criteria to the personnel
7 DELEGATION OF AUTHORITY
Authority refers to the power of administrative bodies to make administrative decisions and to conduct administrative transactions.
Responsibility can be defined as the body of rules and sanctions that those who assume roles in administrative activities are subject to.
Delegation of authority is the transfer of the authority and responsibility to make decisions to another body, within the framework of the applicable legislation. Delegation of authority does not remove the managerial responsibility of the delegator.
Rigid and traditional administrative structures in which all authorities, as well as transferring and execution functions, gather in a single centre are not preferred. In such administrations, the motivation of employees and lower-level managers to own the administration and to produce services in line with the objectives of the administration will decrease.
On the other hand, administrations in which managers delegate all their authorities to lower levels with insufficient capacity and do not monitor the results are not desirable either.
Delegation of authority forms a step in the transition from an authoritarian management understanding to a transparent and accountable management understanding. In modern administrative structures a proper control environment is created, employees are assigned responsibilities and authorities at the level of their duties, and employees together with lower-level managers are included in the decision-making mechanisms. In such administrations working motivation will increase, and therefore effectiveness and efficiency indicators will go up with the attainment of the aims and objectives.
In relation to delegation of authority, the authorities to be delegated and their limits are defined by regulations under various laws. The main regulations in this regard are as follows:
- Law No 3046 on Ministries
- Law No 5442 on Provincial Administration
- Law No 2547 on High Education
- Law No 5393 on Municipalities
- Law No 5018 on General Management
- Organisational Laws of Administrations
7.1 Determination of Delegation of Authority
Delegation of authority should be carried out according to the hierarchical structure of the organisation. With a top-down approach, the authorities to be delegated from the Minister to the undersecretary (that is, the authorities to be delegated to the Head of Administration), to his deputies and to heads of units, from head of unit to head of department, and from head of department to director of branch should be determined in writing and consulted with whom it may concern.
7.2 Delegation of Authority and Work Flow Process
The work flow processes of administrations should be determined, and the officials to take part in the processes and their authorities and responsibilities should be set out. These processes should be analysed, and it should be determined who is to be assigned which authority in the processes.
What is expected in the delegation of authority is that the official to be delegated the authority should be well informed of the process and have the qualifications and experience to manage the process. Employees who are delegated authority are expected to report the current situation of the process to the delegator, and delegators are expected to ask for this report.
7.3 Delegation of Authority and Responsibility
Responsibilities can be handled in three different categories:
Managerial responsibility
It refers to the responsibility towards the senior level in hierarchical terms. It is also defined as performance responsibility. Delegation of authority will not remove the managerial responsibility of the delegator.
Financial (compensation) responsibility
It is the financial responsibility for public and/or personal loss caused by using the authority delegated. The financial responsibility arising from the use of this authority will belong to the user of the authority.
Legal (punitive) responsibility
Legal responsibility covers managerial and financial responsibility. Legal responsibilities are defined in the Constitution, organisational laws, the Turkish Penal Code and special legislation. It is a must that all employees and political authorities working in the public administration act with legal responsibility while carrying out their duties.
7.4 Factors of Delegation of Authority
Those authorities that can be delegated and those that cannot be delegated should be determined, with their limits, at senior management level and announced.
The basic factors to be taken into consideration in delegation of authority are as follows:
- Delegation of authority must be in writing
- Legally there are authorities which cannot be delegated, and these are not at the administration's discretion (for example, the authority to give disciplinary punishment or the authority of administrative tutelage)
- The limits of the authority to be delegated must be set out
- As long as the delegation of authority continues, the delegator will not be able to use that authority
- The delegating or delegated official leaving the job terminates the authority
7.5 Delegation of Authority and Communication
Employees taking over authority should periodically report the current situation of the process to the delegator, and the delegator should ask for this report, which will provide feedback to the Head of Administration regarding the process. This is an example of the monitoring function.
8 INTERNAL CONTROL AND RISK STEERING BOARD
8.1 Roles and Members of the Board
The Board has a consultative role which will add value to the activities of the administration in developing methods and processes regarding the internal control system, such as monitoring internal control practices, preparing action plans and implementing the current plans.
The Board is formed with the approval of the Head of Administration for the commencement of work on the internal control system within the framework of the Action Plan Manual on Harmonisation with Public Internal Control Standards. The Board consists of authorising officers (or their deputies) under the chairmanship of the deputy Head of Administration; when the deputy Head of Administration is not available, an authorising officer assigned by the Head of Administration takes over as chairman. All or some of the authorising officers are selected for the ICRSB, and how many to select should be determined with a view to providing efficiency in line with the organisational structure. When deemed necessary, the Head of Administration can invite those authorising officers who are not members of the Board to Board meetings to get their opinions, provided that they are not included in decision-making. The secretarial services of the Board are provided by the strategy development unit.
The Board convenes periodically. Experts from inside and outside the administration can be invited to the Board if deemed necessary, in order to contribute to the objectives and aims. The Board is free, within the framework of the duties and responsibilities given to it, in determining the dates and content of meetings, and notifies the relevant persons of the arrangements in advance.
Decisions are made by majority vote. Each member, including the Chairman of the Board, has only one vote. However, when the votes of both sides are equal, the side that the chairman takes is considered to be the majority. Members who do not side with a decision state their justifications in writing. The deputy senior manager and the authorising officers, or the deputies they assign, should have a single equivalent vote in the meetings; the other representatives and experts whose opinions are received should not have a vote. The Head of Administration, on the other hand, should be able to participate in Board meetings without having a vote, and should encourage the participation of authorising officers to strengthen the internal control system. For meetings not attended by the Head of Administration, a briefing should be made through the reporting system.
Details of how the Board works should be specified in the relevant legislation.
The Board regularly monitors internal communication activities and processes, revises them when deemed necessary, and determines new communication methods to fit the changing organisational structure.
CE Figure 4 Information Flow in Internal Control and Risk Steering Board
8.2 The Board's Scope of Duty
The Board works to support the accountability of senior management in the fields of management, internal control and especially risk, and is authorised to carry out the following with the approval of the senior manager. Within this framework, its duties in the field of risk can be listed as follows:
- It prepares the Risk Strategy and Policy Document (RSPD) or reviews the available RSPD and submits it for the approval of the senior manager
- It determines policies for establishing the risk management culture in the administration
- It determines the risks of spending units to be managed in partnership and the related policies and procedures, and communicates them to the unit's risk coordinator for coordination purposes
- It determines the risks to be managed in partnership with other administrations and communicates them to the relevant administrative risk coordinator, to ensure that the necessary precautions are taken for management in partnership with the relevant administrations
- The Board periodically assembles to assess whether the risk management process functions well and the level achieved regarding risks, and reports the level achieved to the senior manager
The Board fulfils the following duties other than risk management:
- Assessing internal audit reports and providing guidance for the implementation of recommendations and ideas regarding the internal control environment and the other components, in line with the requirements of the administration
- Monitoring the activities of the administration carried out within the framework of its strategic plans and policies, by means of periodic meetings
- Making decisions on the dissemination of good practice examples both inside and outside the administration as a result of the monitoring activities carried out
(CE Figure 4 diagram elements: Deputy Head of Administration; Internal Control and Risk Steering Board; Strategy Development Unit; Authorising Officer of Spending Unit (A), Spending Unit (B) and Spending Unit (C).)
RISK MANAGEMENT
1 Introduction
Administrations utilise the resources allocated to them in order to reach the objectives set out. The activities, processes and projects carried out to utilise these resources bring along risks. Risk management is a good tool for administrations to achieve the aims they set out in accordance with their missions and visions. RM Box 1 describes risk.
RM Box 1 Definition of Risk
Risk is the uncertainty of events that may emerge in the future (if positive, it is an opportunity; if negative, it is a threat). For administrations this means that their aims, and the objectives they set out to achieve these aims, can be affected positively or negatively by internal or external factors.
Risk management covers risk assessment, determination of effective control activities, monitoring, and continuous improvement of these processes. Risk management must be practised corporately for consistency purposes, which brings us to the concept of Corporate Risk Management. Corporate risk management covers the entire administration and ensures that risk management processes are considered and handled as a whole.
2 Risk Management Standards
Administrations, while implementing risk management, take into account the following standards:
RM Box 2 Risk Management Standards
3 Benefits of Risk Management for Administrations
The followings are the important benefits of a properly applied risk management in
corporate terms
Helps improve performance of administrations and assists administrations in attaining
their aims and objectives
Helps provide the continuity of services the administration provide and improve the
quality of activities the administration carries out
Info amp Communication
Monitoring
Control Activities
Risk Management
Control Environment
Standard 5 Planning and Programming
The administrations shall establish and announce their activities goals objectives and indicators as well as the
plans and programs including the resources which are required for the realization of above listed elements They shall
also ensure that the activities are in compliance with plans and programs
Standard 6 Determination and assessment of risks
The administrations shall define and assess the internal and external risks that could prevent the achievement of
goals and objectives by performing a systematic analysis and determine the measures to be taken
34
Ensures cost-benefit balance between the risks identified and the controls applied
and therefore increases the efficiency in resource allocation
Helps control the impacts of potential losses and decrease the costs of such losses
Ensures compliance with the legislation and regulations
Helps strengthen decision making mechanisms by supporting evidence and risk-based
decision making
Enhances accountability by supporting the clear definition of tasks roles and
responsibilities within the administration
Helps the administration have a more positive image in the eyes of public opinion
4 Critical Achievement Factors for an Effective Risk Management
For administrations to obtain the expected benefits from risk management, the following are required:
• Ownership of the risk management process and determination of a risk strategy encouraging its implementation in accordance with the mission and vision.
• Establishment of the mechanisms needed to have a single risk management language.
• Provision of sufficient information, guidance and advice regarding risk management.
• Simplicity, flexibility and practicality of risk management processes, and integrated planning and implementation with the other basic processes (strategic planning, performance management, human resources management, etc.).
• Supporting risk assessments with reliable evidence at all times.
• Systematic monitoring, reporting and evaluation of risk management processes.
• Raising awareness within the administration that everyone has an important role to play in risk management, and that risk management should be carried out as an integral part of existing processes.
• Having an organisational communication strategy and proper, functional communication channels inside and outside the administration.
5 Risk Strategy and Policy Paper
The Risk Strategy is the organisational approach defined for risk management and its top-level policies, whereas the Risk Strategy and Policy Paper (RSPP) is the document in which this approach and these policies are set down in writing. The risk strategy sets out the administration's attitude towards risks and forms a framework for the risk management process. The RSPP of an administration is prepared by the Internal Control and Risk Steering Board (ICRSB) for the endorsement of the Head of Administration, and should be available to and known by all staff.
The organisational risk strategy should clearly set out the structures for the management and ownership of risks; how risks are addressed at the strategic, programme and activity levels; the structures for communication, monitoring, assessment and obtaining assurance; the criteria for key risks; the risk register format; and the risk measurement criteria. Care must be taken that the risk policies of the organisation comply with national-level policy papers.
The risk strategy must be set out to reflect the risk appetite of the administration at the strategic level. As risk appetite can change over time depending on conditions (for example, risk appetite may be low in periods of financial crisis), the administration's risk strategy should be reviewed at least once a year and updated when necessary. Box RM3 gives a basic explanation of risk appetite.
RM Box 3 Risk Appetite
Risk appetite is the amount of risk an administration is ready to take (tolerate, be exposed to) at any time, in accordance with its mission, vision and objectives. Risk appetite should be taken into consideration while preparing strategic plans.
Risk appetite is affected by the internal and external environment, people, business systems and policies. Within this framework, risk appetite should be set with top-down guidance.
The administration may set different appetite levels for different areas as long as it does not exceed its overall risk appetite limits.
Both taking too many risks and taking too few risks may lead to failure. Although a low risk appetite is considered a safe management method, it may constrain the administration in terms of creativity, innovation and taking advantage of opportunities.
Another prerequisite of risk management is a common risk language. Producing this common language requires a joint terminology and mechanisms to disseminate it; otherwise it is not possible to build a strong common understanding for managing risks.
Corporate risk management requires a contribution from all employees. Ownership of the risk management process by staff (identifying, addressing, responding to, reviewing and monitoring risks), and treating it as part of their jobs, increases the effectiveness of corporate risk management.
For risk management to contribute to the achievement of objectives, to improve management quality and to reduce costs, it should be embedded in the administration's activities. Embedding risk management in processes means that activities are carried out as a whole, with risk management included.
Box RM4 gives details of the content of the Risk Strategy and Policy Paper.
RM Box 4 Risk Strategy and Policy Paper
The RSPP should include at least the following:
• Aim of risk management
• Risk appetite
• Compliance with legislation and binding policy papers
• Risk methodology to be adopted
• How key risks are determined (criteria)
• Organisational structure and duties
• Roles and contributions of employees
• Communication plan
6 TASKS, AUTHORITIES AND RESPONSIBILITIES
Good risk management is only possible if the administration is well organised. Clear definition of tasks, roles and responsibilities; staff awareness of what is expected of them within the framework of the administration's policies and practices; and the existence of horizontal and vertical communication mechanisms, as well as mechanisms for communication outside the administration, are the requirements of a good control environment. Assigning tasks, roles and responsibilities in risk management to appropriate, competent and authorised people provides a strong infrastructure for risk management in the administration.
While it is necessary to define roles and responsibilities, all staff are responsible for risk management. Figure RM1 shows the structure of roles and responsibilities in risk management.
RM Figure 1 Tasks and Responsibilities in Risk Management
61 Head of Administration
This person is defined within the framework of Law No. 5018 on Public Financial Management and Control, and is authorised and responsible for risk management at the highest level.
Regarding risk management, the Head of Administration:
• Ensures, at the start of each year, that a strategy for managing risks is established in accordance with the aims and objectives of the administration; approves the Risk Strategy and Policy Paper (RSPP), which shows how the strategy will be implemented; and notifies all staff of it in writing.
• In the RSPP, clearly defines all tasks, roles and responsibilities and the necessary structures (for example the ICRSB) for risk management within the scope of this manual.
• Provides the Administrative Risk Coordinator (ARC) with the necessary support regarding risks to be managed jointly with other administrations.
• Ensures that proper mechanisms are established to provide the necessary sensitivity to, and participation of, the public and stakeholders in the management of risks.
• Sets out strategic actions for the future in accordance with the considerations and recommendations of the ICRSB and the ARC.
• Receives assurance on risk management from the ICRSB and presents an assurance declaration to the Minister on whether risks are managed effectively.
• Encourages the consistency of risk management processes.
• Reviews monitoring reports and encourages the effectiveness of risk management.
• Sets an example through his or her own behaviour, particularly in strategic risk management.
• Encourages employees to identify risks.
• Shows leadership in risk management.
62 Internal Control and Risk Steering Board (ICRSB)
The Board develops policies for improving risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the units of the policies and procedures. On the advice of the ARC, the ICRSB selects, from among the risks submitted to it, a certain number of risks it deems significant as the key risks, and reports to the Head of Administration at regular intervals, or whenever it deems necessary, on whether these key risks are being managed well.
Secretarial services for the Board are provided by the Administrative Risk Coordinator (Head of the SDU). Whenever necessary, people with relevant expertise from within or outside the administration can be invited to the meetings. With the approval of the Head of Administration, the ICRSB has the authority to enforce what it determines regarding the following duties.
Regarding risk management, the ICRSB:
• Prepares the Risk Strategy and Policy Paper (RSPP) of the administration, or annually reviews the existing RSPP, and submits it to the Head of Administration for approval.
• Defines policies for establishing a risk management culture.
• Ensures that risks are managed consistently across the administration.
• Determines the critical strategic risks of the administration.
• Determines the risks of spending units that require joint management, and the related procedures and policies, and submits them to the URCs for coordination.
• Identifies the risks that require joint management with other administrations and, by notifying the ARC, ensures that the necessary measures are taken for joint management.
• Meets at least quarterly to consider whether the risk management processes in the administration are working effectively, to assess the current status of risks, and to report on this to the Head of Administration.
• Ensures that good-practice cases are identified and disseminated more widely.
63 Administrative Risk Coordinator
It is advisable that the Head of the SDU takes the role of Administrative Risk Coordinator. The ARC is a member of the ICRSB and is responsible to the Head of Administration for the consistency of the administration's risk management processes and their compliance with the standards.
Regarding risk management, the ARC:
• Is responsible for the efficient operation and coordination of all risk processes in all units.
• Calls the relevant Unit Risk Coordinators (URCs) to a meeting at least once every three months.
• Prepares the Consolidated Risk Report (using the report form in this manual) on the basis of the reports submitted by the URCs, and submits it to top management and the ICRSB quarterly. The report should include the ARC's own considerations on the key risks.
• Provides secretarial services to the ICRSB: setting meeting agendas for the Board, keeping minutes of meetings, and submitting decisions of the Board to the Head of Administration for approval.
• Discusses issues in common risk fields with the ARCs of other administrations and coordinates these within the administration.
• Provides technical support to the units on risk management in the administration.
• Identifies the needs of units regarding risk management and reports them to the ICRSB and the Head of Administration before each meeting.
• Sends feedback to the URCs regarding the opinions, advice and decisions of the ICRSB, and takes the necessary measures for the consistency of the administration's risk management processes.
64 Unit Risk Coordinator
The Unit Risk Coordinator (URC) is the authorising officer or a person designated by the authorising officer. Regarding risk management, the URC:
• Coordinates the identification of the unit's risks that may have an impact on the objectives of the administration and provides relevant guidance at the beginning of the year. The URC, using his or her knowledge and expertise, associates the identified risks with the activities of the sub-units, and takes care that all important issues are addressed. Important risks included in the risk register are submitted to the ARC to be presented to the ICRSB for consideration.
• Reviews the risk registers and relevant reports, which are prepared at intervals set by the administration (such as monthly, quarterly or semi-annually), and reports on them to the ARC.
• Monitors, at unit level, the risks managed and reported by the Sub-Unit Risk Coordinators (SURCs). Evaluates changes in the risks, or newly arising risks, and reports them to the ARC upon approval by the unit director.
• Submits an assurance declaration to the ICRSB on whether risks are managed effectively.
• Provides feedback to the SURCs regarding the opinions, advice and decisions of the ARC and the ICRSB.
• Determines training needs regarding risk management.
65 Sub-Unit Risk Coordinator
The SURC is responsible for coordinating risk management activities within the sub-units of the administration's units (where such sub-units exist, or where it is considered appropriate to manage risks at this level), and is designated by the authorising officer. He or she is directly accountable to the URC for risk management. Sub-unit risk coordinators must be selected from among those with sufficient competence and experience.
Regarding risk management, the SURC:
• Coordinates the tasks of identifying, assessing, addressing, reviewing and reporting the sub-unit's risks that are associated with the objectives of the administration.
• Reports to the Unit Risk Coordinator (URC), in line with the administration's risk strategy and at intervals determined by the URC, the newly identified risks related to the sub-unit's activities, the risks whose scores have changed, and the effectiveness of the controls applied to reduce these risks.
• Is accountable to the URC and is also responsible for providing the Administrative Risk Coordinator (ARC) with requested information and documents.
66 Employees
The most important factor for successful risk management is ownership of risk management by employees. Therefore every employee is responsible for managing the risks in his or her field of duty (identifying, assessing, responding to, reviewing and reporting risks).
Regarding risk management, employees:
• Contribute to the risk management processes in their respective units by defining, communicating and responding to expected, emerging and changing risks.
• Manage the risks within their own fields of responsibility through the powers and responsibilities assigned to them by the administration.
• Provide evidence to the SURC/URC regarding the effectiveness of the management of risks in their respective fields.
Employees should not hesitate to identify risks and submit them to the relevant risk coordinator. Bear in mind that a single loose screw can cause a plane crash.
67 Internal Auditor
The Internal Auditor advises the Head of Administration on risk management by evaluating whether the risk management process is effective and whether risks are managed in the right way. Internal Audit can also advise on whether any key risks have been overlooked or are inappropriately controlled.
68 Strategy Development Unit
The Strategy Development Unit (SDU) is responsible for providing training, identifying training needs and facilitating the delivery of the necessary training. It is also responsible for identifying best practice in risk management, encouraging such practice to be shared, and providing guidance where necessary.
69 Central Harmonisation Unit
The Central Harmonisation Unit (CHU) carries out activities such as making regulations on internal control, including risk management, and activities for the development of risk management. The CHU also provides guidance, ensures harmonisation and inter-administration coordination, and reports on the effectiveness of risk management.
7 RISK MANAGEMENT PROCESS
Basically, the risk management process should start at the same time as strategic planning work.¹ Where strategic plans are to be renewed or amended, the work on risks should be carried out with the current amendments in mind. Within the framework of the risks identified in light of the strategic objectives, the administration's attitude towards risk management is set out in the Risk Strategy and Policy Paper, together with information on risk appetite. Within this framework, administrations identify risks at the strategic level, the programme/project level and the operational (activity) level. In identifying risks, an administration can start at the strategic level (top-down) or at the activity level (bottom-up), or it can begin the risk management process by applying both methods together.
Figure RM2 shows the risk management process.
¹ If strategic plans have already been prepared, the risk management process should begin as soon as possible.
RM Figure 2 Risk Management process
[Figure: the Risk Management strategy feeds the Risk Management Process, a cycle of Identification of risks, Assessment of risks, Responding to risks, and Monitoring and reviewing risks.]
The administration should manage risks at the strategic, programme and operational levels, as shown in Figure RM3.
RM Figure 3 Hierarchy of Risk
Administration level: This is the area that covers the whole administration, where decisions related to strategic objectives are made, and for which the senior management of the administration is responsible. Strategic objectives are medium- and long-term objectives and are associated with senior-level policy documents. Therefore, when making decisions for the future, decision-makers (top management) have to take into consideration many uncertainties. This is the area where risks have the highest impact. It is also the area most affected by external risks, such as government policies, the general economy and technological developments. This area assumes particular importance because risks that are not managed well at the strategic level affect the other levels as well.
Unit level: This refers to the units where the policies of senior management are implemented, and which are responsible at the highest level for the use of public resources within the administration. The impacts of such risks last for a shorter period than those of strategic risks. This is the area where units should identify their own objectives and manage the related risks so that the administration achieves its strategic objectives. It is affected by risks from both inside and outside the administration. For risks from the upper and lower levels to be assessed and coordinated, it is vital that this level is managed well. There should also be strong communication in this area.
Sub-unit level: This area contains only the work carried out at the operational level with a view to achieving the unit's objectives. The daily activities of all employees fall within its scope. This is the area where short-term decisions are made, products and services are produced, and fewer uncertainties are experienced. It is affected more by internal risks than by external risks. Risks not being managed well at this level may affect the achievement of strategic objectives.
71 Identifying Risks
Risk identification, the first stage of risk management, is the process of identifying, categorising and updating, using previously defined methods, the risks that prevent or limit the achievement of the administration's strategic objectives. The following box suggests some questions to consider when starting to identify risks.
RM Box 5 Questions to be considered when starting to identify risks
• What are the main objectives?
• What are the key activities?
• Who are the stakeholders?
Box RM6 sets out the factors and methods to take into consideration while identifying risks.
RM Box 6 Factors and methods to be taken into consideration during the process of identifying risk
The following should be considered while identifying risks:
• As a generally accepted rule, the strategic risks that can affect the administration are determined at the stage of strategic plan preparation, and the risks identified are included in the strategic plan.
• Risks should also be identified at the programme and operational levels. Programme and operational risks should include all the strategic risks; however, when identifying programme and operational risks we should not limit our scope to strategic risks but take a wider view.
• When identifying risks, the administration can use a top-down or a bottom-up method, preferably both at the same time.
• Risks identified should be associated with the objectives of the administration. Bear in mind that some risks can affect the objectives indirectly, such as those that damage the reputation of the administration.
• Risks should be identified systematically, with previously determined methods. These methods can vary according to the characteristics of the administration and its activities. The administration can use one or more of the methods below or develop a new method in line with its own needs.
• Risks identified should be expressed as "risk x" or "the risk that x may emerge". It is convenient to register them this way in the risk register (see Annex 3 for the risk register form).
• Assess whether the risks identified are internal or external risks:
o Internal risks are the risks stemming from events directly controlled by the administration itself. Internal risks can be grouped into three: strategic risks, programme risks and activity risks.
o External risks, on the other hand, are the uncertainties arising from events outside the control of the administration that hamper or prevent the achievement of objectives. While identifying external risks it is useful to classify them by subject (generally PESTLE analysis is used; see Box RM7).
• After risks are identified, their owner, or the person responsible for them, must be defined, and this information must be included in the risk register.
• Since risk identification is a dynamic process, emerging risks should be identified and changes to existing risks should be consistently followed up.
How do I identify risks?
• First decide how to identify the risks, namely at the strategic level, the operational level or both.
• Identify and categorise the risks (social, cultural, political, scientific, etc.), taking into consideration the threats, the opportunities and the scope.
• Decide on the required human resources, tools and methods. The following methods are mostly used to identify risks; however, administrations can determine methods other than these in light of their needs:
o PESTLE analysis (see Box RM7)
o SWOT analysis (see Box RM7)
o Brainstorming (this method can be used both for identification and for assessment; see Annex 1)
• Group risks as internal and external ones.
• Make a stakeholder analysis (identify the risk tolerance, position and attitude of the stakeholders).
• Repeat the identification regularly and in periods of change.
The following box explains PESTLE and SWOT analysis.
RM Box 7 PESTLE and SWOT analysis
PESTLE Analysis
PESTLE analysis is the identification of risks by making assessments based on the following categories: Political, Economic, Social, Technological, Legal, Environmental.
Example:
o Political: change of governmental priorities
o Economic: inflation rate going above the expected levels
o Social: population growth rate going much above the expected levels
o Technological: information processing infrastructure not being set up
o Legal: court cases turning against the administration
o Environmental: an earthquake strike
SWOT Analysis (in-house analysis)
Strengths, Weaknesses, Opportunities, Threats.
Example:
o Strengths: specialised personnel
o Weaknesses: old technology
o Opportunities: economic growth
o Threats: sudden policy change
For detailed information refer to the Strategic Planning Guideline for Public Administrations, SPO, June 2009.
The following two boxes give some tips for the process of risk identification and some questions to ask.
RM Box 8 Tips for Risk Identification
What are the tips?
• Take into consideration whether information regarding the risks is available and, if so, how accurate it is.
• A working group covering different fields of expertise increases the likelihood of identifying new risks.
• Using the brainstorming method yields effective results (see Annex 1).
• Open communication lines and far-sightedness are the key points.
RM Box 9 Questions to ask in the process of risk identification
• What could go wrong in the achievement of objectives?
• What are the critical achievement factors?
• Who are our stakeholders, and what negative or positive impact can they have on our activities?
• What are our risk categories? (tables, diagrams, etc.)
• What are our weaknesses?
• Which assets are of more critical importance?
• What areas are open to irregularities and fraud?
• Which events or situations can hamper our activities?
• What are our most critical sources of information?
• In which areas do we spend most?
• Which activities or processes are more complicated?
• In which areas are we subject to penal sanctions?
• What are the legal requirements?
• What are the resource limitations?
72 Risk Assessment
Risk assessment means analysing the factors that may have an impact on the achievement of the administration's objectives and evaluating the seriousness of each risk in terms of impact and probability. While assessing risks, in addition to the potential events the administration may face, aspects specific to the administration (for example its size, the complexity of its activities, the legislation its activities are subject to, its political priorities and the public interest) should be considered.
After risks are identified comes the stage in which the risks are measured and prioritised. Prioritisation is listing the risks in order of priority according to the scores they are given. Risk assessment helps decide whether to respond to the identified risks and, if so, to select the best response with regard to the cost/benefit balance.
The following box gives some questions to consider before starting the risk assessment process.
RM Box 10 Questions to be considered before starting the risk assessment process
• What are the objectives?
• What are the present controls?
• What are the possible results if the risk occurs?
• Do the activities of other administrations/units affect my risk?
• Who are the stakeholders, and what is their level of experience and expertise?
Three important principles in risk assessment are:
1 Identifying the impact and probability of each risk. In assessment, probability and impact are analysed. Probability refers to the chance of an event occurring in a particular period; impact is the outcome or effect produced.
Three categories are used while assessing risks: low risk level (shown in green), medium risk level (shown in yellow) and high risk level (shown in red). These colours, as in traffic lights, make it easier to understand the degree of importance of the risks. They are shown in the following diagram.
The probability and impact of risks can also be expressed as numbers. In the following diagram, a score of 1 indicates that there is almost no probability of the risk occurring, while a score of 10 means that it is almost certain to occur. For impact, a score of 1 is used where the outcome of the risk materialising is of little importance, whereas 10 means that this outcome is highly important. Risks are scored between 1 and 10 for both probability and impact (see Annex 5). One of the methods that can be used to assess the impact and probability of risks is the voting method (see Annex 2).
Risk maps are used to see the severity of risks more clearly. A basic presentation of risks on a risk map is given in the following diagram.
RM Figure 3 Risk map
2 Assessing the risks on the basis of inherent risks and residual risks. Inherent risk is the amount of risk before it is managed or any action is taken. These inherent risks are transferred to the risk register (see Annex 3 for the Risk Register form) after their probability and impact have been assessed. In the assessment, as suggested above, the probability and the impact of the risk are each scored between 1 and 10. The product of the probability score and the impact score gives the risk score.
At this stage the administration must decide on its risk appetite. It must also set out which score ranges count as low, medium and high risk in accordance with the administration's risk strategy, and the risk map of the administration must be produced in this framework (see Box RM3 and the risk map above).
Once the risk scores have been set, the risks are prioritised starting from the one with the highest score. The responses to be given to the risks are determined, and controls are identified and applied in line with the chosen methods of responding to risks.
Management must identify the level of risk remaining after the control activities it carries out to manage the risk. Residual risk is the risk that remains after action has been taken to mitigate the probability and impact of a risk. If the level of residual risk is still higher than the risk appetite, the efficiency and adequacy of the present control activities must be questioned and, if necessary, the responses to the risks must be reviewed. The following box gives an example of inherent and residual risk.
RM Box 11 Example of inherent and residual risk
Activity: using a car
Inherent risk: having an accident because you are inexperienced
Control action: getting a licence, taking driving courses
Residual risk: another inexperienced driver crashing into your car
3 Recording the risks. Recording the risks contributes to the prioritisation of risks, and therefore to the efficient allocation of resources and to the production of evidence for the decisions taken; helps people understand their responsibilities within risk management; facilitates getting information to the right people at the right time via the reporting mechanism; and enables the reviewing and monitoring of risks.
Risk records are reported in two stages: the Risk Register (see Annex 3), used in the identification and registration of risks, and the Consolidated Risk Report (see Annex 4), used for reporting risks to senior managers (see Annex 7 for an example of a completed Risk Register).
The following box gives some tips for the risk assessment process.
RM Box 12 Tips for risk assessment
- Measure the impacts and probabilities of the risks identified for a particular period of time.
- While determining the impact score, assess the impact the risk will have on the objective that is foreseen to be hampered.
- Utilise proper methods in the assessment.
- Bear in mind that the risk assessment of a job can best be made by the person who does this job.
- Note that the activities of other administrations/units can have impacts on your risks, and risks are not independent of each other.
- Utilise tables such as risk maps to be able to see all the risks together.
- Prioritise risks in line with the risk scores (Impact x Probability).
RM Box 13 Example of the Risk Assessment process
You are going to deliver training on your subject of expertise.
Your objective: the audience understands the subject you explain.
You identify your risks:
Risk 1: As you arrive late, you may not have sufficient time to deliver the training.
Risk 2: You may deliver your presentation using an inappropriate approach, as you do not know who the audience is.
Risk 3: You may have difficulty in supporting what you explain, as you don't have the soft copy of the presentation.
Let's see the likelihood of Risks 1, 2 and 3 and how they would affect your objective if they occur.
Risk 1
Likelihood: The traffic would be bad at that hour. In addition, you have a lot of other things to do that day. Likelihood: 7
Impact: You can arrive late, but you know the subject very well. Even if you deliver it in a very short time, it would still be understandable for the audience. The impact of arriving late on your objective is 3.
Risk Score: 7 x 3 = 21
Risk 2
Likelihood: In the letter you have been told what the subject is, but not who the audience is, and you don't have the chance to ring someone and find out. Likelihood: 5
Impact: If you are to deliver the training to experts who already know the issue, you go into details, but if your audience is made up of people who don't know anything about it, you only draw the general framework. If you cannot learn who the audience is, and you deliver the training in detail while the audience is unaware of the subject, they would not understand; or if you give little information to people who already know about it, they would not learn anything new. The impact of using the wrong approach in the delivery is 9.
Risk Score: 5 x 9 = 45
Risk 3
Likelihood: You generally carry your computer around. You also have the habit of carrying your pen drive in your bag after saving your work on it. Likelihood: 2
Impact: Even if you don't project the presentation on the screen, you know the subject very well. You could still deliver it effectively to the audience. The impact of not having the soft copy with you on your objective is 3.
Risk Score: 2 x 3 = 6
As shown in the risk map (rows: Impact, columns: Likelihood, cell: Impact x Likelihood):
Impact
 10 |  10  20  30  40  50  60  70  80  90 100
  9 |   9  18  27  36  45  54  63  72  81  90
  8 |   8  16  24  32  40  48  56  64  72  80
  7 |   7  14  21  28  35  42  49  56  63  70
  6 |   6  12  18  24  30  36  42  48  54  60
  5 |   5  10  15  20  25  30  35  40  45  50
  4 |   4   8  12  16  20  24  28  32  36  40
  3 |   3   6   9  12  15  18  21  24  27  30
  2 |   2   4   6   8  10  12  14  16  18  20
  1 |   1   2   3   4   5   6   7   8   9  10
    +----------------------------------------
       1   2   3   4   5   6   7   8   9  10   Likelihood
Prioritisation
1 Risk 2 (Risk Score 45)
2 Risk 1 (Risk Score 21)
3 Risk 3 (Risk Score 6)
(Note that risks are not always assessed according to the scores alone. Some strategic risks should be taken into consideration even if they have a low score. Emergency precautions/plans should be available, since you may not always foresee what will happen. Your plans should be flexible, so that you will be able to handle the situation when something unexpected emerges.)
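As an added illustration, not part of the manual, the following Python script scores the three risks of the training example the same way (Impact x Likelihood, both on the 1-10 scale), places them on the 10 x 10 risk map and orders them for prioritisation. The colour bands it applies (45-100 high, 9-44 medium, 1-8 low) are the ones the Risk Register in Annex 3 uses; the class and function names are this example's own.

```python
"""Risk scoring, banding and prioritisation as described in the manual:
score = impact x likelihood on a 1-10 scale, placed on a 10x10 risk map and
banded with the colour thresholds of the Risk Register (Annex 3)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Colour bands from Annex 3 of the manual: inclusive ranges of the risk score.
BANDS: Tuple[Tuple[int, int, str], ...] = (
    (45, 100, "high"),
    (9, 44, "medium"),
    (1, 8, "low"),
)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1-10, as voted or estimated
    impact: int       # 1-10, on the objective that may be hampered

    def __post_init__(self) -> None:
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 10:
                raise ValueError(f"{label} must be between 1 and 10, got {value}")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood


def band(score: int) -> str:
    """Map a 1-100 risk score to the register's colour band."""
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} lies outside the 1-100 risk map")


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Order risks from the highest score to the lowest (Box RM13)."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def risk_map(risks: List[Risk]) -> str:
    """Render the 10x10 risk map; a cell holding at least one risk is marked with '*'."""
    occupied: Dict[Tuple[int, int], List[str]] = {}
    for r in risks:
        occupied.setdefault((r.likelihood, r.impact), []).append(r.name)
    lines = ["Impact"]
    for impact in range(10, 0, -1):          # rows from impact 10 down to 1
        cells = []
        for likelihood in range(1, 11):      # columns from likelihood 1 to 10
            mark = "*" if (likelihood, impact) in occupied else " "
            cells.append(f"{impact * likelihood:3d}{mark}")
        lines.append(f"{impact:3d} |" + "".join(cells))
    lines.append("    +" + "-" * 40)
    lines.append("     " + "".join(f"{l:3d} " for l in range(1, 11)) + " Likelihood")
    return "\n".join(lines)


# Constructed sample: the three risks of the training example in Box RM13.
TRAINING_RISKS = [
    Risk("Risk 1: arriving late", likelihood=7, impact=3),
    Risk("Risk 2: wrong approach for the audience", likelihood=5, impact=9),
    Risk("Risk 3: no soft copy of the presentation", likelihood=2, impact=3),
]

if __name__ == "__main__":
    print(risk_map(TRAINING_RISKS))
    for rank, r in enumerate(prioritise(TRAINING_RISKS), start=1):
        print(f"{rank}. {r.name}: score {r.score} ({band(r.score)})")
```

Run as a script, it prints the map with the three occupied cells marked and then the prioritised list; the band labels make the point of the note in Box RM13 visible, since Risk 2 is the only one that reaches the high band while the other two stay medium and low.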
7.3 Responding to Risks
Responding to risks means setting out the responses to the risks that have been identified and assessed, within the public administration's risk appetite, so as to mitigate the potential threats or take the arising opportunities. Before deciding on the method of responding to a risk, a cost/benefit analysis must be carried out. The objective of responding to risks is to mitigate the likelihood and impact of the risk and to achieve the foreseen objective in the most efficient manner.
Box RM 14 Questions to consider in responding to risks
- What is the level of risk?
- What happens if no response is given to the risk?
- Which risks must be controlled?
- Which risks can be transferred?
- What are the consequences of resorting to risk aversion as a public administration?
- Is the opportunity good enough to take the risk?
The following figure shows, within the framework of risk appetite, how inherent risk turns into residual risk as a result of the responses (controls, actions) taken (also see Box RM3, Risk Appetite).
RM Figure 4 Risk Indication Table
(OGC's Risk Dashboard, from HM Treasury's publication named Thinking about Risk)
Figure RM4 demonstrates the following:
Columns 1 and 5: Control activities successfully decrease the inherent risk, so that the remaining risk, called the "residual risk", is reduced to the same level as the risk appetite. Such points, where the risk appetite and the residual risk of an administration overlap, are the ideal situation in terms of risk management (cost-effectiveness).
Columns 2, 3 and 4: Control activities decrease the risk; however, the residual risk is still higher than the risk appetite (the tolerable level). This shows that the effectiveness and adequacy of the controls implemented should be questioned and more control activities should be implemented.
Column 6: As the inherent risk is equal to the risk appetite, the risk is tolerable. However, these risks should be monitored just like the other risks, because they may change.
Column 7: Control activities have decreased the residual risk below the risk appetite. This shows that more controls than necessary are implemented and resources are not used efficiently. In such over-control cases, control activities should be reduced to the level at which the residual risk is equal to the risk appetite.
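To make the reading of Figure RM4 concrete, here is an added Python example, not taken from the manual or from the HM Treasury publication it cites, that classifies each risk by comparing its inherent score, its residual score and the risk appetite on the manual's 1-100 scale. The seven sample rows mirror the figure's seven columns; their numbers are constructed, since the figure itself carries none, and the verdict names are this example's own.

```python
"""Residual risk against risk appetite, read the way the manual reads Figure RM4.
All scores are impact x likelihood on the manual's 1-100 scale."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ControlledRisk:
    name: str
    inherent: int   # score before any control activity
    residual: int   # score after the control activities in place
    appetite: int   # tolerable level set by the administration

    def __post_init__(self) -> None:
        for label, value in (("inherent", self.inherent), ("residual", self.residual),
                             ("appetite", self.appetite)):
            if not 1 <= value <= 100:
                raise ValueError(f"{label} score must be between 1 and 100, got {value}")
        if self.residual > self.inherent:
            raise ValueError("control activities cannot raise a risk above its inherent level")


# One verdict per situation the manual describes for the figure's columns.
EXPLANATIONS: Dict[str, str] = {
    "tolerable": "inherent risk within appetite, no control needed, keep monitoring (column 6)",
    "under-controlled": "residual risk still above appetite, question the controls (columns 2-4)",
    "over-controlled": "residual risk below appetite, controls can be reduced (column 7)",
    "ideal": "residual risk equals appetite, the cost-effective position (columns 1 and 5)",
}


def assess(risk: ControlledRisk) -> str:
    """Classify one risk. The no-control check comes first so that a risk that
    already sits within appetite is not reported as over- or ideally controlled."""
    if risk.residual == risk.inherent and risk.inherent <= risk.appetite:
        return "tolerable"
    if risk.residual > risk.appetite:
        return "under-controlled"
    if risk.residual < risk.appetite:
        return "over-controlled"
    return "ideal"


def assess_all(risks: List[ControlledRisk]) -> Dict[str, str]:
    return {r.name: assess(r) for r in risks}


def needs_action(risks: List[ControlledRisk]) -> List[str]:
    """Names of the risks whose controls should be revisited, in either direction."""
    return [r.name for r in risks if assess(r) in ("under-controlled", "over-controlled")]


# Constructed rows mirroring the seven columns of Figure RM4 (the figure gives no numbers).
FIGURE_RM4_ROWS = [
    ControlledRisk("column 1", inherent=60, residual=20, appetite=20),
    ControlledRisk("column 2", inherent=80, residual=50, appetite=20),
    ControlledRisk("column 3", inherent=70, residual=40, appetite=20),
    ControlledRisk("column 4", inherent=50, residual=30, appetite=20),
    ControlledRisk("column 5", inherent=40, residual=20, appetite=20),
    ControlledRisk("column 6", inherent=20, residual=20, appetite=20),
    ControlledRisk("column 7", inherent=60, residual=10, appetite=20),
]

if __name__ == "__main__":
    for name, verdict in assess_all(FIGURE_RM4_ROWS).items():
        print(f"{name}: {verdict} - {EXPLANATIONS[verdict]}")
```

The ordering of the checks in assess is the only subtle part: a risk whose inherent score is already within appetite and on which no control acts (column 6) must be reported as tolerable rather than over-controlled, even though its residual score may be below the appetite.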
There are four methods of responding to risk, shown in Figure RM5.
RM Figure 5 Methods of responding to risk
[Diagram: Methods of responding to risk: Tolerating, Treating, Transferring, Avoiding]
Tolerating: This is a passive method of response to risks that public administrations are comfortable to undertake. Risks can be accepted in the following cases:
- If the inherent risk is within the limits of the risk appetite, it is accepted.
- When it is understood that the cost of the actions to be taken (controlling, transferring or avoiding) for an intolerable risk would exceed the potential impact of the risk, the risk is accepted.
- Some risks are out of the control of the management. Certain risks do not disappear unless the activity is terminated, whereas terminating an activity is not always possible or desirable.
Treating: This is a method of responding to a risk by means of control activities carried out with a view to keeping the risk at a tolerable level (the risk appetite) in public administrations. This method can be applied using the following five kinds of control:
- Preventive Controls
- Corrective Controls
- Directive Controls
- Detective Controls
- Emergency Plans
For detailed information, refer to the Control Activities chapter.
Transferring: This is the response given to risks by taking some of them away from the responsibility of the administration and transferring them to others. (Even if the risks are transferred, the responsibility cannot be transferred, and they still need to be managed under the control of the administration, because it is the administration that will be affected when the risks are realised.)
Risk transfer is carried out using the following methods:
- Completely or partly transferring the activity to another administration
- Transferring its operation to third parties using a procurement method
- Transferring it by means of insurance (when appropriate)
Avoiding: If the risk we have to take is too big to manage and there are alternatives to the activity performed, it is possible to terminate this activity; for example, deciding not to build a factory which is expected to cause too much air pollution, or deciding not to purchase the computers that were planned to be purchased because of a budgetary cut.
The following box summarises the process of responding to risk.
Box RM 15 Process of responding to risk
- List the threats and opportunities according to the analysis results.
- Define your attitude considering the content of the risk: tolerate, control, transfer or avoid.
- Ensure that the benefit the response will provide is higher than the cost it will bring.
While managing risks, the opportunities they bring along should also be taken into consideration. Alongside negative impacts, risks can also lead to opportunities. In order to be able to take these opportunities, which would make an additional contribution to the achievement of the administration's objectives, the administration must have designated strategies. Taking the opportunity is not an alternative method of responding to risks; rather, it is a method to be applied additionally.
Opportunities are taken in the following cases:
- When taking the opportunity and reducing the threat coexist. For example, carrying out health and scientific research to find a cure for a disease (the disease threat will decrease and, at the same time, the opportunity will emerge that costs decrease as fewer people go to hospital).
- When opportunities emerge before the negative event occurs. For example, using a new technology to be able to work better, or reaching a greater number of people via e-state services.
The following box gives some tips for use when responding to risk.
RM Box 16 Tips for responding to risk
- Prioritising risks helps decide which risk to respond to first.
- As a public administration, while determining the responses to be given to risks, the recipients of the services and the impacts on them must be considered.
- Stay away from over-control measures while responding to risks. Over-control harms the efficiency of the administration as much as insufficient controls do.
- The possibility that acting in coordination with other administrations in responding to risks may be more efficient must be considered.
The following box gives an example of the process of responding to risk.
RM Box 17 Example of the process of responding to risk
Your organisation has decided to buy a new IT system.
You identify your risks:
Risk 1: The new system has inadequate response times.
Risk 2: Data is not transferred accurately from the old IT system to the new system.
Risk 3: You do not have the capability to operate the new IT system.
Risk 4: The new IT system does not work.
What responses can you give to these risks?
Risk 1
Tolerate: You have been assured that the new system has a five-second response time, which is similar to the current system, so you decide that it does not need to be quicker.
Risk 2
Treat: You need to introduce controls to make sure that data is transferred accurately.
- Preventive controls: Testing is done on the new IT system before it is introduced, to ensure that data is not corrupted on transfer.
- Corrective controls: Testing is done comparing the data transferred from the old system with the data on the new system. This control activity corrects the errors.
- Directive controls: A requirement that IT staff working on developing the new system have adequate skills and experience.
- Detective controls: Testing is done after one year of operating the new system, to see whether the standing data transferred from the old system is accurate.
- Emergency plan: You should make sure that you can revert to using the old system in the event that the new system does not have properly transferred data.
Risk 3
Transfer: You outsource the running of the new system to another organisation which has the relevant expertise.
Risk 4
Avoid: If it is detected during testing that the new IT system is not working, you do not buy this system and search for an alternative IT system.
Take the opportunity
Your new IT system allows you to operate more efficiently, freeing up staff time for other activities.
7.4 Reviewing Risks
Risks can change in terms of their impact and likelihood owing to changing conditions or measures taken. Furthermore, new risk areas may form because of changing conditions. Therefore all aspects of the risks identified, and the risk management process itself, should be reviewed at least on a regular basis. Reviews can be carried out at frequencies set by the administration according to the level of importance of the risks.
In the event that extraordinary developments take place and these have a serious impact on the risks, the Administrative Risk Coordinator (ARC), upon the spoken or written instruction of the head of administration, organises an emergency meeting of the Internal Control and Risk Steering Board to assess the risks. Natural disasters, economic crises and early election resolutions are examples of extraordinary developments.
Reviewing the risks and reviewing the risk management process are two different processes, and the fact that one of them is carried out does not necessarily mean that the other is carried out as well. Whereas each risk is reviewed by its respective owner, the risk management process is reviewed by the Head of Administration and/or the ARC. Reviewing risks regularly provides flexibility in adapting to changing conditions.
Risks are reviewed as follows:
- It is reviewed whether risks still exist, whether new risks have arisen, and whether the likelihood or impact of a risk has changed.
- Priority should be given to key risks (those with the highest probability and impact) during a review. Other risks should be reviewed later.
- While reviewing strategic risks, first and foremost amended policy papers (if any), developments in other countries, the expectations of the public for that period, Internal Audit Reports, Inspection Reports, External Audit Reports and other relevant reports and documents should be considered.
- In the light of these developments, if there have been any changes to the risk profile, the risk register of the administration/unit/sub-unit must be reviewed.
- The change must be communicated to the risk coordinator at the next senior level within five working days.
- By reviewing the prioritisation of the key/main risks, the assessment results should be submitted within five working days by the ARC to the ICRSB in a revised Risk Report.
- The results of the assessment will be discussed by the ICRSB, and the report is then submitted to the Head of Administration by the ARC.
- The conclusion and evaluation part of the report must include remarks on whether the risk management process provides the necessary assurance and whether new measures are needed:
  o Do we give reasonable assurance on the successful management of risks?
  o Do we give reasonable assurance on the effective implementation of the control activities?
The process of reviewing risks is summarised in Box RM18, and questions to consider are listed in Box RM19.
RM Box 18 Process for reviewing risk
- Set out a review period depending on the characteristics of the activity.
- Frequently review the first critical risks.
- During the review, assess the probability and impact of the risks for that period.
- Decide whether the risk is still a threat.
- Identify whether new risks have arisen for that period.
- The condition of the control activities must be reviewed according to the change in the risk. It would be appropriate to eliminate an activity which has become pointless because the risk has disappeared.
- Record the identified findings in the risk register.
- Report the risks at every level.
- Changes regarding the risks are reflected in the risk register; however, in emergencies the managers must be informed as soon as possible.
RM Box 19 Questions to consider in the risk review process
- What are the changes in the environmental conditions?
- What changes impact on the operation of the activity?
- How do the changes affect the administration?
- Are the present controls sufficient to address the changing situation?
- Is there sufficient evidence that the controls are effective?
- It would be useful to take into consideration the policy papers of the government and the administration while assessing risks.
7.5 Communication and Reporting
Communication, within the context of risk management, refers to the accurate and timely conveyance of the right information to the relevant people through various mechanisms. Communication is a vital process which needs to be applied effectively in all phases of risk management.
The following are important to communicate:
- The administration's objectives, policies and procedures
- The risk management strategy
- The numbering system used in the risk assessment stage and the measurement mechanisms
- Which controls are suitable for responding to risks
- How well risks are managed, when reviewing risks
It is important to bear in mind that this vertical and horizontal communication is mutual (communication and feedback).
To ensure effective communication, the issues in Box RM20 should be considered.
RM Box 20 Issues for effective communication
- Who will communicate with whom, in which format?
- Who is responsible to whom, about what?
- How should communication with higher levels be conducted?
- How does communication with the Minister work?
- Who will communicate what information to which levels?
- How is the accuracy of information ensured?
- The expectations of top management from the employees regarding risk management should be clearly defined and conveyed to all employees.
In addition to internal communication, efficient communication lines are needed with partners where the services provided require partnerships, and with citizens or NGOs who are affected directly or indirectly by the services provided by the administration. Therefore, while the administration is producing its Risk Strategy and Policy Paper, it should prepare an efficient communication plan which regulates internal and external communication, and share it with all stakeholders.
Reporting has a direct impact on the decision-making processes in risk management. Reports should be as short and accurate as possible, demonstrate the evidence behind the evaluations, be relevant, and be submitted to the relevant people where necessary.
Reporting must be carried out within the administration both vertically and horizontally. It should be explicitly set out who will report to whom, and with what frequency, in the risk management process. Reporting will be done in the forms to be determined by administrations and in pre-determined periods, using at least the information contained in the forms shown in the Annexes to this Manual. When deemed necessary, administrations can develop forms other than those contained in the Manual.
The risk management process described in this chapter of the manual can be demonstrated via the following diagram.
RM Figure 6 Risk Management Process
[Diagram: Inputs (Administration's Mission; Strategic Plan and Performance Programme; Budget; Annual Management Plan: Activities, Processes, Projects) feed Risk Assessment (Identify; Measure (impact x probability); Prioritise) at Operational Level, Unit Level and Administration Level. Responses (Tolerate, Control, Transfer, Avoid; Take the opportunities) are recorded in the Risk Register and Control Activities under Assess, Manage, Monitor, with Monitoring and Evaluation throughout.]
7.6 Learning
Learning needs to be enriched through systematic training tools and disseminated to the target groups using the most effective method. Depending on the target group, methods such as conferences, seminars, workshops, training courses, hands-on training, internships, exchanging information via various communication channels, and sharing best practices, failures or mistakes would facilitate learning the risk management processes and establish a basis for risk management practice in a corporate sense.
Addressing risks depends largely on experience. Previous experience, and making everyone aware of successful and unsuccessful practices via a strong communication network, would make addressing risks more effective and faster. In particular, conveying positive and negative experiences about emerging risks, and the methods used to handle them, to the stakeholders, and learning what could go wrong, can only be ensured if a method that focuses on learning from mistakes is adopted and learning experiences are shared. It is therefore useful to use the peer review method within the administration: in this method, units learn how others at the same hierarchical level manage risks and can adopt good practice examples in their own units.
Sharing risk management experiences with external stakeholders, especially organisations experienced in this field, could not only help administrations develop new methods but also ensure a more efficient use of risk management resources.
RISK MANAGEMENT ANNEXES
ANNEX 1 Using the brainstorming method to identify, assess and record risks
Step 1
Collect together in the same room all members of the Unit or Sub-Unit, or all staff who work on a project or on a business process. Identify an appropriate facilitator (see Box RM 21) to guide the brainstorming workshop. The brainstorming is most effective if it is facilitated by an independent person who has experience of facilitating brainstorming.
(Note: this can also be done by collecting all senior managers in an Administration to brainstorm strategic risks.)
Requirement for Step 1: all attendees of the brainstorming should be fully familiar with the Sub-Unit, Unit, project/business process or Administration respectively.
RM Box 21 Role of the facilitator
- Encourage all the workshop attendees to participate in identifying risks.
- Watch out for duplication of similar risks (if two risks are very similar, consider amalgamating them).
- Ensure that all attendees vote on the impact and likelihood of the identified risks.
- Encourage attendees to challenge each other's scores, defend their own, or change them if they think it appropriate.
- Ensure that the risk scores are accurately entered in the spreadsheet and prioritised.
- Action-plan the response to risks, starting with the highest priority.
- For each response, ensure responsibility is allocated to a named individual.
- Ensure that a review and reporting date (an exact date) is identified for each response.
Step 2
Once all brainstorming attendees are assembled as per Step 1, first clarify what the objectives of the Sub-Unit, Unit, project/business process or Administration respectively are. These may be included in the strategic plan or, for sub-units, may not previously have been identified. Think widely: are there other objectives that are not included? All attendees should agree that these are the objectives before proceeding to Step 3.
Step 3
All attendees at the brainstorming should brainstorm: what are the risks to the achievement of each of the objectives identified in Step 2? This can be done as one group or, for larger brainstorming sessions, in pairs or sub-groups. Risks identified by the brainstorming should be recorded in the Risk Voting Form in Annex 2 (columns 3, 4 and 5), clarifying which objective(s) might not be achieved if the risk happens.
Step 4
Once all risks are identified, all brainstorming participants should vote on what they think the likelihood and impact of the risk are, using the guidance for scoring in the risk management chapter of this manual. These votes should be recorded on the Risk Voting Form. The number of the related columns can be increased in line with the number of participants (columns 6, 7, 8 and 10, 11, 12). (For scoring impacts and probabilities, see Annex 5, Risk Assessment Criteria Table.)
Step 5
Once initial votes are recorded on the Risk Voting Form, where there are large variations between the highest and lowest score for likelihood and/or impact for a particular risk, the individual(s) who gave the highest score should first justify why they gave the high score and try to convince the others to increase their score. The individual(s) who gave the lowest score should then justify why they gave the low score and try to convince the others to decrease their score. After these justifications have been given, everyone who was convinced by any of the justifications should be given an opportunity to change their score.
Step 6
The risks identified should be listed in decreasing order of the multiple (column 14) of the average impact score (column 9) and the average probability score (column 13) from the brainstorming. The participants should be asked if the result is what they expected: does what they considered to be their most significant risk have the highest score? If not, look at the voting again and consider whether it needs to be changed.
Step 7
Once brainstorming participants are satisfied with the prioritisation of the risks, complete the other columns of the Risk Register (Annex 3), starting with the highest priority risk.
Step 8
If the risk written in column 5 of the Risk Register arises from an event which will occur at a particular date (e.g. elections), column 6 of the Risk Register, the time frame column, can be completed by writing how long before that date the risk is expected to materialise (e.g. a month, three months, etc.). The column can be left blank if timing is not important.
Step 9
When identifying control activities, consider whether or not the risk level is within the risk appetite for that particular risk, and what control(s) would be most cost-effective and would best mitigate the risk by reducing the impact and/or the likelihood of the risk materialising. Also consider what the existing controls are, whether these are currently effective, and whether they can be improved or whether it would be more cost-effective to introduce new additional control(s) in addition to or instead of the existing control(s). Complete the related columns in line with the explanations in the table (columns 11 and 12 of the Risk Register).
Step 10
The form will have been fully completed when the other columns are completed, taking into consideration the instructions in the Risk Register Form.
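Steps 4 to 6 above, as an added Python example that is not part of the manual: each participant's impact and likelihood votes are collected per risk, averaged (columns 9 and 13 of the Risk Voting Form), multiplied (column 14), and the risks are ordered by that multiple. The votes, the risk references and the spread threshold used to flag a risk for the Step 5 discussion are assumptions of the example; the manual speaks of "large variations" without fixing a number.

```python
"""Risk voting and ranking as in Annex 1, Steps 4 to 6 of the manual.
Column numbers refer to the Risk Voting Form (Annex 2): impact votes in
columns 6-8, their average in column 9, probability votes in 10-12, their
average in column 13, and the multiple of the two averages in column 14."""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List


@dataclass
class VotedRisk:
    reference: str                   # reference number (Annex 3, column 2)
    objective: str                   # objective that might not be achieved
    description: str
    impact_votes: List[int] = field(default_factory=list)
    likelihood_votes: List[int] = field(default_factory=list)

    def add_vote(self, impact: int, likelihood: int) -> None:
        """One participant's vote; both values use the manual's 1-10 scale."""
        for value in (impact, likelihood):
            if not 1 <= value <= 10:
                raise ValueError(f"votes must be between 1 and 10, got {value}")
        self.impact_votes.append(impact)
        self.likelihood_votes.append(likelihood)

    @property
    def average_impact(self) -> float:       # column 9
        return mean(self.impact_votes)

    @property
    def average_likelihood(self) -> float:   # column 13
        return mean(self.likelihood_votes)

    @property
    def score(self) -> float:                # column 14
        return self.average_impact * self.average_likelihood

    def spread(self) -> Dict[str, int]:
        """Highest minus lowest vote per dimension."""
        return {
            "impact": max(self.impact_votes) - min(self.impact_votes),
            "likelihood": max(self.likelihood_votes) - min(self.likelihood_votes),
        }


def needs_discussion(risk: VotedRisk, threshold: int = 4) -> List[str]:
    """Dimensions whose votes vary widely (Step 5). The threshold is an
    assumption of this example; the manual does not fix a number."""
    return [dim for dim, gap in risk.spread().items() if gap >= threshold]


def rank(risks: List[VotedRisk]) -> List[VotedRisk]:
    """Step 6: risks in decreasing order of column 14."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def voting_form(risks: List[VotedRisk]) -> str:
    """Render the ranked form with the averaged columns, for the Step 6 check."""
    rows = [f"{'Ref':<6}{'Avg I (9)':>10}{'Avg P (13)':>12}{'I x P (14)':>12}  Risk"]
    for r in rank(risks):
        rows.append(f"{r.reference:<6}{r.average_impact:>10.2f}"
                    f"{r.average_likelihood:>12.2f}{r.score:>12.2f}  {r.description}")
    return "\n".join(rows)


def build_sample() -> List[VotedRisk]:
    """Constructed votes of three participants on the IT-system risks of Box RM17."""
    objective = "The new IT system is in service and operating"
    r1 = VotedRisk("IT-01", objective, "Data not transferred accurately to the new system")
    r2 = VotedRisk("IT-02", objective, "No capability to operate the new system")
    r3 = VotedRisk("IT-03", objective, "Inadequate response times")
    for impact, likelihood in ((8, 6), (9, 5), (7, 7)):
        r1.add_vote(impact, likelihood)
    for impact, likelihood in ((6, 3), (9, 8), (4, 2)):   # widely spread votes
        r2.add_vote(impact, likelihood)
    for impact, likelihood in ((3, 4), (3, 5), (2, 4)):
        r3.add_vote(impact, likelihood)
    return [r1, r2, r3]


if __name__ == "__main__":
    sample = build_sample()
    print(voting_form(sample))
    for risk in sample:
        if needs_discussion(risk):
            print(f"{risk.reference}: Step 5 discussion needed on {needs_discussion(risk)}")
```

In the constructed sample only IT-02 triggers the Step 5 discussion, on both dimensions; after participants revise their votes the form is re-ranked by calling rank again, which is why the averages are computed from the stored votes rather than fixed when a vote is added.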
The following box gives some suggested ground rules for brainstorming.
RM Box 22 Suggested ground rules for brainstorming
- There is no such thing as a bad idea.
- One person speaks at a time.
- Active participation.
- Keep to the timetable.
- The facilitator is in charge (if there is one).
- Open discussion, but no personal criticism.
ANNEX 2 Risk Voting Form
This form is used to calculate the risk score after risks are identified.
ANNEX 3 Risk Register
This form is used to report the status of risks after they have been identified and recorded at administration/unit/sub-unit level.
RISK REGISTER
Administration/Unit/Sub-unit: ............
Date: ..../..../20....
The register has the following 14 columns:
1 Serial no
2 Reference no
3 Strategic Objective
4 Unit's Objective
5 Risk Identified (Risk / Reason)
6 Time frame
7 Probability
8 Impact
9 Risk score (R)
10 Change (Direction of risk)
11 Current/New/Additional control activities
12 Starting date
13 Risk owner
14 Monitoring and Reporting
Risk score colour key: 45-100, 9-44, 1-8 (see Colours below).
Columns
1 Serial no: shows the sequencing in the risk register.
2 Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist, and the same code is not given to another risk.
3 Strategic Objective: the column in which the code of the strategic objective related to the risk, as shown in the strategic plan, is written.
4 Unit's objective: if the risk register is completed at unit/sub-unit level, the objective of the unit which is directly or indirectly related to the strategic objectives of the administration and can be affected by the risk is written in this column; if the risk register is completed at administration level, this column is left blank.
5 Risk Identified: description of the risk. Reason: the reasons which cause the risk to occur.
6 Time frame: if the risk arises from an event which will occur at a particular date (e.g. elections), this column can be completed by writing how long before that date the risk is expected to materialise (e.g. a month, three months, etc.). The column can be left blank if timing is not important.
7 Probability: the probability value determined using the Risk Voting Form (Annex 2) (between 1 and 10). While determining this score, it may be useful to list related control activities, actions taken and related regulations. In this way, the probability that the risk will materialise notwithstanding the actions taken can be determined.
8 Impact: the impact value determined using the Risk Voting Form (Annex 2) (between 1 and 10). While determining this score, it may be useful to list related control activities, actions taken and related regulations. In this way, what the impact of the risk will be if it happens, notwithstanding the actions taken, can be determined.
9 Risk Score (R = I x P): the risk score determined by multiplying the probability and impact scores in the Risk Voting Form (Annex 2) (between 1 and 100). See below for an explanation of the colours to use.
10 Change (Direction of risk): the column in which the change in the status of the risk is shown in the light of the previous risk register. According to the administration's preference, it can be shown in writing (such as up/down/stable) or by means of direction signs. If there is no previous risk register, it is stated as "New".
11 Current/New/Additional control activities: current control activities are written in this column. It is assessed whether these activities are still needed; if not, they are removed. It is also assessed whether the current control activities are appropriate and sufficient. If the calculated risk score is above the desired level, taking into consideration the current control activities, then the new or additional control activities that are planned are written in this column.
12 Starting date: the exact date on which new/additional control activities will start to be implemented.
13 Risk owner: the person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, carries out monitoring, keeps records of achievements and failures of control activities, and ensures that evidence showing that the risk is managed is kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.
14 Monitoring and Reporting: when to review the risk and to whom to report it are written in this column.
Colours
- High risk (risk score 45-100)
- Medium risk (risk score 9-44)
- Low risk (risk score 1-8)
- Not sufficient information to assess the risk: the risk is included in the risk register and a risk owner is identified for collecting sufficient information.
Note: In the event that a new risk is identified during the year, the employee identifying this risk reports it to the senior manager. If the manager decides that this is a risk which needs to be managed, the risk is registered in the Risk Register Form and approved by the relevant manager.
ANNEX 4 Consolidated Risk Report
This is the form which enables corporate risks of an administration to be submitted to senior manager as a report composed of a few pages
CONSOLIDATED REPORT
(Corporate Risks)
AdministrationUnitSub-unit Date 20
1 2 3 4 5 6 7 8
Se
ria
l N
o
Re
fere
nc
e N
o
Str
ate
gic
Ob
jec
tiv
e
Risk Identified
Status
Risk Owner Explanation
Previous risk
score and colour
Current risk score
and colour
45-100 45-100
9-44 9-44
1-8 1-8
Columns
1 Serial no: shows the sequencing in the risk register.
2 Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist, and the same code is not given to another risk.
3 Strategic Objective: the column in which the code of the strategic objective related to the risk, as demonstrated in the strategic plan, is written.
4 Risk Identified: description of the risk.
5 Previous risk score and colour: shows the status of the risk in the previous Consolidated Risk Report.
6 Current risk score and colour: shows the status at the date of the report.
7 Risk owner: the person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, does the monitoring, keeps records of achievements and failures of control activities and ensures that evidence which shows that the risk is managed is kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.
8 Explanation: information about the effectiveness of control activities and the outlook for the future is given in the explanation section.
Colours:
High risk
Medium risk
Low risk
No sufficient information to assess the risk: the risk is included in the risk register and a risk owner is identified to collect sufficient information.
ANNEX 5 Risk Assessment Criteria Table
The table has a Value Range column, a Probability column and four Impact columns (Strategy, Activities, Financial, Compliance with Legislation). Each row below reproduces one rating level of the original table.
Value range: 10 9 8 7 6 5 4 3 2 1 (printed down the first column of the original table, from the High level at the top of the scale to the Unknown level at the bottom).

High
Probability: Risks which are almost certain to occur within 5 years. Taking into consideration the structure of the administration, they generally arise from policies and procedures. The wider the activity area of the administration, the more likely it is that the risky event occurs.
Impact on strategy: Risks which can have a major impact on attaining strategic objectives. These are risks which are generally faced in the long term but can cause the administration to divert from its objectives in case of occurrence.
Impact on activities: Risks which cause the administration/unit/sub-unit not to provide the service it has to provide in an effective and efficient way belong in this category.
Financial impact: Risks which will cause heavy financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are above the acceptable level should be accepted as a high risk.
Compliance with legislation: Risks which will cause a big obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation. Such risks can be seen in areas where the legislation is too complicated and unclear.

Medium
Probability: Risks which are likely to occur within 5 years. These are generally such risks that the administration/unit/sub-unit or administrations with similar structures have faced formerly.
Impact on strategy: Risks which can have a certain level of impact on attaining strategic objectives.
Impact on activities: Risks with a certain level of impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.
Financial impact: Risks which will cause a certain level of financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are within the acceptable level should be accepted as a medium risk.
Compliance with legislation: Risks which will create a certain level of obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Low
Probability: Risks with a low probability of occurrence within 5 years. These are generally such risks that the administration/unit/department faces very rarely. These are risks with almost no likelihood of occurrence.
Impact on strategy: Risks which can have the least impact on attaining strategic objectives. Their impacts are generally little and cover a limited area.
Impact on activities: Risks with little impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.
Financial impact: Risks which will cause little financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are below the acceptable level should be accepted as a low risk.
Compliance with legislation: Risks which will cause a little obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Unknown
Probability: In case there is no idea about the likelihood of the risk occurring within 5 years, the risk is shown in blue until it can be clearly identified with larger data.
Impact on strategy: The impact on the strategic objectives of the administration of a risk likely to occur could not be determined.
Impact on activities: The impact on the activities of a risk likely to occur could not be determined.
Financial impact: The financial impact of a risk likely to occur could not be determined.
Compliance with legislation: The impact of a risk likely to occur in case of non-compliance with the legislation could not be determined.
Note: The risk has recently emerged, no data was obtained regarding its status and there is no sufficient data for analysing the new risk; or it is a risk which previously occurred but there is no sufficient data for the analysis. Information should be gained as soon as possible so that an analysis can be made and an opinion formed.
ANNEX 6 Case Study: Example of Inherent and Residual Risk
This case study illustrates the concepts of inherent and residual risk, and also how a risk owner can obtain information from several different control owners to monitor the extent to which the risk they are responsible for is successfully mitigated by the existing controls.
The scenario concerns a storage warehouse for gold bars, a risk owner (the Store manager), a risk that gold bars are stolen, and 4 controls:
a) An IT system control recording bars in and out and the balance held for each working day; daily printouts are sent by the IT manager to the risk owner.
b) An independent company comes in once a month to perform a stocktake count of the gold bars in the warehouse, which they reconcile with the relevant printout of stock from the IT manager. Any variances in stock held are investigated and explanations provided where possible. The independent company provides a monthly report to the risk owner on the results of the work they have done, detailing any unexplained variances (which could potentially be incidences of theft).
c) Security guards: professionals guarding access to the warehouse 24 hours a day and 7 days a week, ensuring that only authorised staff have access to the warehouse and that all bags are put through a metal detector on leaving to ensure gold bars are not being smuggled out (gold bars are too heavy to be easily hidden on the person). On recruitment a criminal record check is made on the security guards to ensure that they do not have prior convictions for theft. The security guards report weekly to the risk owner on their work.
d) An alarm system: any incidences of it being set off are sent in a report by the security guards to the risk owner. Regular (weekly) checks on the alarm system's functioning are carried out by the security guards, with the success of the check included in their reports to the risk owner.
The inherent risk, in the absence of the above 4 controls, would be considered high (a high probability that bars would be stolen and a high impact, as gold bars are expensive). This would be above the risk appetite, and consequently the above 4 controls would be designed to mitigate the risk of the gold bars being stolen, the foreseen effect of the four controls being that the residual risk would be reduced. (Note: all four control measures combined mitigate only the probability of the gold bars being stolen, not the impact.)
The risk owner would gather evidence as to the effectiveness of the four controls. If they were found to be effective, he would consider whether the risk had been successfully mitigated to within the risk appetite (likely answer: yes, unless a further new control or a strengthening of the existing controls was considered necessary because the risk appetite was very low due to the high impact, or because the organisation is very risk averse).
If one or more of the 4 controls is found by the risk owner to be ineffective, it is likely that the risk would still be at a level above the risk appetite, and so the risk owner would need to escalate the issue to his line manager, suggesting methods for further mitigating the risk (either by introducing an additional control or by strengthening the control(s) that had been found to be ineffective).
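The following Python code is an added example, not part of the manual, that works the Annex 6 scenario through the score bands printed in the Consolidated Risk Report (Annex 4). It assumes, as the manual does not state explicitly, that a score is probability multiplied by impact on 1-10 scales, that band names follow the order of the colour legend (45-100 high, 9-44 medium, 1-8 low, no score shown in blue), and that each effective control removes an assumed number of probability points while leaving the impact unchanged, as the case study notes. The risk reference, the probability reductions and the appetite threshold are constructed values.

```python
from dataclasses import dataclass, field
from typing import Optional

# Score bands as printed in the Consolidated Risk Report (Annex 4), named in legend order.
BANDS = ((45, 100, "high"), (9, 44, "medium"), (1, 8, "low"))


def score(probability: int, impact: int) -> int:
    """Risk score = probability x impact, both on the 1-10 value range (assumed formula)."""
    for value in (probability, impact):
        if not 1 <= value <= 10:
            raise ValueError("probability and impact must be between 1 and 10")
    return probability * impact


def band(value: Optional[int]) -> str:
    """Map a score to its register band; None is the blue 'no sufficient information' state."""
    if value is None:
        return "unknown (blue)"
    for low, high, name in BANDS:
        if low <= value <= high:
            return name
    raise ValueError(f"score {value} is outside 1-100")


@dataclass
class Control:
    name: str
    control_owner: str
    probability_reduction: int        # assumed: probability points removed when effective
    effective: Optional[bool] = None  # None until the control owner's evidence is reviewed


@dataclass
class Risk:
    reference: str
    description: str
    inherent_probability: int
    inherent_impact: int
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return score(self.inherent_probability, self.inherent_impact)

    def residual_score(self) -> Optional[int]:
        """Score after the controls judged effective are applied; None while evidence is missing."""
        if any(c.effective is None for c in self.controls):
            return None
        probability = self.inherent_probability
        for c in self.controls:
            if c.effective:
                probability -= c.probability_reduction
        # Controls lower the probability of theft, not the impact of losing the bars.
        return score(max(1, probability), self.inherent_impact)


def review(risk: Risk, appetite: int) -> dict:
    """Risk owner's review: consolidated-report fields plus the action the case study prescribes."""
    residual = risk.residual_score()
    row = {
        "reference": risk.reference,
        "inherent": (risk.inherent_score(), band(risk.inherent_score())),
        "residual": (residual, band(residual)),
    }
    if residual is None:
        row["action"] = "collect evidence from control owners"
    elif residual > appetite:
        row["action"] = "escalate to line manager; strengthen or add controls"
        row["ineffective_controls"] = [c.name for c in risk.controls if not c.effective]
    else:
        row["action"] = "within appetite; continue monitoring"
    return row


def gold_bar_case(guards_effective: bool = True) -> Risk:
    """Constructed sample built from the Annex 6 scenario; the numbers are illustrative."""
    return Risk(
        reference="WH-01",
        description="Gold bars are stolen from the warehouse",
        inherent_probability=9,
        inherent_impact=10,
        controls=[
            Control("daily IT stock balance printout", "IT manager", 1, True),
            Control("monthly independent stocktake", "stocktake company", 2, True),
            Control("24/7 security guards and metal detector", "head of security", 3, guards_effective),
            Control("alarm system with weekly function check", "security guards", 2, True),
        ],
    )


if __name__ == "__main__":
    for guards_ok in (True, False):
        print(review(gold_bar_case(guards_ok), appetite=20))
```

With all four controls effective the residual score drops from 90 (high) to 10 (medium) and stays within the assumed appetite of 20; marking the guard control ineffective leaves a residual of 40, and the review row then carries the escalation the case study calls for together with the control that failed.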
ANNEX 7 Case Study Example of completed Risk Voting Form Risk Register and Consolidated Risk Report
CONTROL ACTIVITIES
1 Introduction
Control activities (also referred to as controls) are actions aimed at reducing the impact and/or the likelihood of a risk occurring, and thus increasing the probability of attaining the goals and objectives of the organisation or part of the organisation. For an effective control, the introduction of the control activities depends on the completed risk assessment. The management must plan, organise and direct sufficient control activities to obtain reasonable assurance that the tasks and goals will be achieved. Control activities cover both financial and non-financial controls, and they should be designed and implemented as a whole for all the activities of the administration.
This section of the manual, within the framework of the internal control standards, looks at how procedures should be developed as control activities to ensure that risks to achieving administrative objectives are managed effectively.
2 Control Activities Standards
Administrations, while identifying and implementing their control activities, take into account the following standards.
CA Box 1 Internal Control Standards
Standard 7 Control strategies and methods: The administrations shall determine and implement control strategies and methods which aim to achieve the objectives and are suitable for the risk response.
Standard 8 Determination and documentation of procedures: The administrations shall prepare and update the written procedures which are required for administrative activities as well as for financial decisions, transactions and arrangements relevant to these areas, and shall also give the relevant personnel access to these documents.
Standard 9 Segregation of duties: With a view to reducing the risks of fault, flaw, error, irregularity and corruption, the duties of approval, implementation, recording and control of financial decisions and transactions shall be allocated among personnel.
Standard 10 Hierarchical controls: The administrators shall systematically control the compliance of works and transactions with the procedures.
Standard 11 Continuity of activities: The administrations shall take the necessary measures for the continuity of their activities.
Standard 12 Information system controls: The administrations shall develop control mechanisms in order to ensure the continuity and security of information systems.
[Figure: the five components of internal control - Control Environment, Risk Management, Control Activities, Information & Communication, Monitoring]
3 Planning Process of Control Activities
Control activities can be regarded as the ability of administrations to get through the challenges they experience in carrying out their activities. Control activities should be designed within the framework of a cost-effectiveness analysis, in a way that directly facilitates the attainment of objectives. Ideally, when introducing control activities, the heads of organisations must take into account the expected benefit from them as well as the costs of their introduction and implementation. Control activities should ideally be introduced into processes and systems at the time these processes and systems are set up, because the introduction of control activities at a later stage is more expensive and less efficient.
It is important for the effectiveness of controls that control activities be understandable, applicable and consistent. A good control strategy should take into account how to implement the controls as well as identifying them. At this juncture the administrative, financial and physical capacity of an administration should be taken into consideration.
Another important point to pay attention to in planning control activities is the evaluation of the effectiveness of the controls implemented. Such issues as whether the aim of implementing the control is commensurate with the targeted results, and whether the expected cost is in line with the actual cost, should be evaluated. Furthermore, regular review of control activities in the light of changing circumstances is also an important factor in evaluating effectiveness.
Administrations should take into consideration the following basic requirements in identifying control activities.
CA Box 2 Basic Requirements: Planning of control activities
In order to be effective, control activities must be:
adequate (the right control in the right place at the right level, and commensurate to the risk involved);
cost-effective (the costs of implementing a control should not exceed its benefits);
comprehensive, understandable and directly related to the control objectives;
documented clearly;
evaluated as a whole, so that they are consistent in their operation;
carried on until their effectiveness is evaluated.
4 Classification of control activities
Control activities are generally classified as follows. Administrations should implement the following basic requirements as a minimum standard; however, they can implement additional control activities depending on the nature of the risk.
4.1 Preventive controls
These are the controls carried out to mitigate the likelihood of risks occurring and to prevent, as far as possible, the undesirable outcomes that may emerge when risks occur. For example: ex-ante financial control operations, or applying the principle of segregation of duties to prevent fraud or irregularities.
CA Box 3 Basic requirements: Preventive Controls
the security of physical and intangible rights (intellectual assets, etc.) and records;
physical safeguarding of assets;
recording of financial/management information;
access controls such as passwords, identity cards and guards; and
segregation of duties in order to avoid conflicts of interest.
4.2 Corrective Controls
These are the controls aiming at reducing the impact of the undesirable outcomes that stem from the threats the risks pose. For example: placing provisions regarding the reimbursement of undue payments in agreements, or setting the period of guarantee in advance.
CA Box 4 Basic requirements: Corrective Controls
identifying methods for recovery from loss or damage which would affect the activities negatively;
appropriate actions are taken for the correction or elimination of the identified differences.
4.3 Directive Controls
These are the controls applied to reach a certain end. For example: provision of training on protection against possible threats, using protective materials (masks, special clothes, etc.), preventive medical practices (giving messages about washing hands in periods of epidemics, publishing dedicated leaflets).
CA Box 5 Basic requirements: Directive Controls
an approved organisation chart that is constantly updated to reflect organisational changes;
manuals or written procedures, brochures, booklets, posters and other similar documents on implementation;
established, clear and documented definitions of the responsibilities and tasks for resources, activities, programmes, projects, objectives and targets;
assigning tasks and responsibilities by taking into account the relevant skills and experience of staff;
delegating authority, based on the organisational structure and responsibilities, to do the jobs effectively, and documenting that delegation;
establishing effective means of communication throughout the organisation; and
establishing clear reporting methods.
4.4 Detective Controls
These are the controls applied to identify the damages and losses experienced once the risks are realised. For example: conformity controls carried out after spending has been made to identify responsibility, or controls performed to detect negligence by experts or authorities.
CA Box 6 Basic requirements: Detective Controls
periodic counts/physical inventories;
comparison of the counts/inventories with the records;
methods for the identification and analysis of differences.
5 Methods of control activities
The main methods of control are mentioned below. Administrations may also implement different ex-ante and ex-post control methods based on the requirements of their organisational structure and field of activity.
Ex-ante controls are the controls put into practice, in the light of the appropriate procedures, before the activity takes place, whereas ex-post controls refer to the controls performed by the management, through the use of pre-identified methods, after the activities take place.
CA Box 7 Tips for control activities
The following box gives some issues to be considered when control activities are identified.
While determining the control activities and allocating resources for them, it may be necessary to also give priority to those risks with high probability and low impact which rate low in the prioritisation list formulated according to the risk scores.
Preparing emergency plans, as well as control activities, for those risks with a very high probability and impact is of great importance.
Reducing both the probability of realisation and the impact of internal risks is possible with control activities.
Reducing the probability of realisation of external risks, on the other hand, may not be under the control of the administration. However, mitigating the impacts of such risks is possible with proper risk management.
While responding to risks, over-controlling should be avoided. Both over-control and under-control can undermine the effectiveness of the controls.
According to the content of the risk, several control methods can be used at once if deemed necessary.
Have the costs and benefits of implementing the control activities been analysed?
Have the new control activities been piloted to see if they are having the desired effects?
Are the control activities operating effectively as planned? Is the required evidence on controls collected and analysed periodically?
After a reasonable period of time, are the new control activities and the existing controls that are being continued functioning as expected? And do you report this to the manager/risk coordinator?
CA Box 8 Factors to be determined when identifying control activities
Which unit/who will conduct the activities
Deadlines of the activities
Necessary resources for the activities to be conducted
Critical achievement factors
How to document the activities
Monitoring processes for the activities
5.1 Authorisation and approval
Managers should introduce appropriate rules and procedures for decision-making, authorisation and approval, taking into account the following. Decision-making and approval shall be carried out only by authorised persons. Authority means that operations are initiated only by persons acting within their powers. Observance of the order of authorisation requires employees to act in accordance with directions and within the limits set by the manager of the organisation or by the legislation. The procedures for authorisation should include specific conditions and the delegation of powers by managers to employees for the performance of particular activities. Approval is the endorsement (certification) of transactions, data or documents, whereby processes, actions, proposals and/or their consequences are completed or validated.
5.2 Segregation of duties
To minimise the risk of errors, irregularities and violations, and of their non-detection, managers should introduce rules stipulating that different employees be responsible for the implementation of two or more key stages of an operation, process or activity. To ensure effective checks and to strike a balance in the implementation of an operation, responsibilities shall be segregated in a manner which precludes an employee from being responsible simultaneously for approval (decision-making), implementation, accounting and control.
In organisations with fewer staff this segregation is more difficult to implement. In such cases the manager may consider combining two of the specified activities and compensating for the non-application of this control mechanism by another, e.g. rotation of employees, rotation of duties or additional management checks. Thus the risk of a single person dealing with more than one key aspect of an operation, process or activity for an unjustifiably long period of time can be reduced.
5.3 Double signature system
The double signature system is a procedure to ensure the accuracy of the data included in a document. The method is applied in non-financial processes, such as the provision of information to top management (reports, information notes, statistics, etc.) and appointment orders, and before financial obligations such as the signing of contracts and the making of payments (payment orders, etc.). This makes it possible, especially in financial transactions, that the person responsible for the accounting entries knows about pending obligations or payments and performs the due accounting procedures. The double signature system gives assurance that the procedures are carried out by authorised staff.
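As an added example (not a procedure from the manual), the following Python code turns the segregation rule of 5.2 above into a check that a manager or auditor can run over a list of duty assignments: an employee holding two or more of the four key stages of the same process (approval, implementation, accounting, control) is reported as a violation, except that a process may combine exactly two stages in one person when a compensating control, such as rotation of duties or an additional management check, has been recorded for it. A second function reports stages nobody holds at all. The process names, employee names and the compensating-control register are constructed for the example.

```python
from collections import defaultdict

# The four key stages that must not rest with one employee at the same time (section 5.2).
KEY_STAGES = ("approval", "implementation", "accounting", "control")


def segregation_findings(assignments, compensating_controls=None):
    """Check (process, stage, employee) assignments against the segregation rule.

    Returns one finding per employee holding more than one key stage of the same process:
    ("violation", process, employee, stages, None), unless exactly two stages are combined
    and the process has a documented compensating control, in which case the combination
    is reported as ("compensated", process, employee, stages, compensating_control).
    """
    compensating_controls = compensating_controls or {}
    stages_held = defaultdict(lambda: defaultdict(set))  # process -> employee -> {stages}
    for process, stage, employee in assignments:
        if stage not in KEY_STAGES:
            raise ValueError(f"unknown key stage: {stage!r}")
        stages_held[process][employee].add(stage)

    findings = []
    for process in sorted(stages_held):
        for employee, stages in sorted(stages_held[process].items()):
            if len(stages) < 2:
                continue
            compensation = compensating_controls.get(process)
            if len(stages) == 2 and compensation:
                findings.append(("compensated", process, employee, sorted(stages), compensation))
            else:
                findings.append(("violation", process, employee, sorted(stages), None))
    return findings


def uncovered_stages(assignments):
    """Processes where a key stage has nobody assigned: a gap in the chain of checks."""
    covered = defaultdict(set)
    for process, stage, _employee in assignments:
        covered[process].add(stage)
    return {process: sorted(set(KEY_STAGES) - stages)
            for process, stages in covered.items() if set(KEY_STAGES) - stages}


# Constructed sample: a small unit where the accountant also executes payments.
SAMPLE_ASSIGNMENTS = [
    ("payments", "approval", "Ayse"),
    ("payments", "implementation", "Mehmet"),
    ("payments", "accounting", "Mehmet"),
    ("payments", "control", "Fatma"),
    ("procurement", "approval", "Ali"),
    ("procurement", "implementation", "Ali"),
    ("procurement", "accounting", "Ali"),
    ("procurement", "control", "Fatma"),
    ("travel claims", "approval", "Ayse"),
    ("travel claims", "implementation", "Mehmet"),
]

# Constructed register of compensating controls agreed by the manager.
SAMPLE_COMPENSATING = {"payments": "quarterly rotation of duties plus monthly management check"}

if __name__ == "__main__":
    for finding in segregation_findings(SAMPLE_ASSIGNMENTS, SAMPLE_COMPENSATING):
        print(finding)
    print(uncovered_stages(SAMPLE_ASSIGNMENTS))
```

On the sample, Mehmet's combination of implementation and accounting in the payments process is accepted only because the register names a compensating control; run without the register, the same combination becomes a violation, and Ali's three stages in procurement are a violation in either case.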
5.4 Reconciliation of data
Procedures should also guarantee that data from different documents and sources are matched to ascertain their consistency. For example, accounting entries relating to bank accounts are reconciled with the corresponding bank statements, invoice data are matched with those in the warehouse receipt, etc.
5.5 Supervision procedures
Supervision procedures should be carried out on a daily basis by line managers on the assignment of work and its performance. Assignment of work by line managers does not reduce their own responsibility for the performance of the work. Line managers should give staff the necessary directions and instructions in order to ensure understanding and to avoid errors and fraud in the discharge of their duties. Line managers should also apply these procedures to assure themselves that the tasks assigned are carried out correctly.
5.6 Ex-ante financial controls
Ex-ante financial control is a control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out against the available appropriation amount, the expenditure programme, the financing programme and the provisions of the central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently. The purpose of ex-ante control is for managers to obtain reasonable assurance of the compliance of such decisions/actions with the legislation and the performance programme (2).
5.7 Procedures for accounting operations
Procedures should ensure that the accounting for all financial transactions on a given date is complete, true, accurate and timely. Their purpose is to support the taking of correct decisions from which financial consequences arise. These procedures should be developed in accordance with the relevant legislation and public accounting standards.
(2) Please see the regulation on procedures and principles on internal control and ex-ante financial control for further details.
5.8 Anti-corruption
There should be rules and procedures for the warning, examination, detection and reporting of administrative weaknesses, discrepancies and violations which create conditions for corruption, fraud and irregularities.
Anti-corruption procedures include:
preventive controls;
a system for checking, detecting and reporting early indications of corruption, fraud and irregularities;
whistleblowing procedures (for more information please refer to the Information and Communication section); and
a set of procedures for reporting irregular activities to the external competent authorities, such as the Prosecutor's Office.
5.9 Access to assets and information
Managers must ensure that only the authorised persons responsible for the safeguarding and/or use of assets and information have access to them. Restricting access to assets reduces the risk of their misuse or wrongful utilisation and protects the organisation from losses. The degree of restriction depends on the vulnerability of the assets and information and on the risks of loss or misuse. When determining the vulnerability of assets, the manager shall consider their value, their transportability and the possibility of their being exchanged for cash.
5.10 Documentation, archiving and storing of information
Procedures for the documentation, archiving and storing of information shall be introduced to support the performance of operations, the taking of correct managerial decisions and the control of processes in an organisation. Documentation involves developing written evidence of decisions made, events that occurred, actions and transactions performed, etc. The documentation must be complete, accurate and timely.
The documentation procedures include those for document circulation, describing the order of circulation and use of documents produced and received. The documentation procedures must allow the tracing of every document, action and process in the organisation, stating precisely who performed what, how and when, the purpose, and the type of act/document issued as a result.
According to the terminology adopted by the European Commission, this comprises an audit trail. Its establishment helps achieve:
transparency;
tracing of the processes in the organisation from their initiation till completion; and
tracing of the segregation of functions by decision-making, performance, accounting and control.
The audit trail shall state what procedures and transactions exist, who the responsible persons are, what documents are drawn up, what systems for the management and control of data flows exist, and what the form of presentation of the results is.
Archiving procedures must ensure the chronological and systematic filing of documents about past events, decisions and actions concerning the organisation. There should be specific guidelines describing in detail the procedures for archive establishment, completion, use and destruction.
The procedures for the storage of information shall ensure the physical preservation of the information media (paper and/or electronic) as well as the preservation of the content without change, so that the information provides a true and fair view of the facts, decisions and actions relating to the organisation.
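As an added example, not the manual's own procedure, the following Python code records audit trail entries with the fields section 5.10 requires (who performed what, how and when, for what purpose and on which document) and links each entry to the previous one with a SHA-256 hash, so that a later alteration or deletion of a stored entry is detected when the trail is verified. The hash chain is a technique added here to support the requirement that stored content be preserved without change; the actors, the document reference and the timestamps are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


class AuditTrail:
    """Append-only record of who did what, how, when and why, with tamper-evident chaining."""

    GENESIS = "0" * 64  # previous-hash value of the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(previous_hash, record):
        # Canonical JSON so that identical content always hashes identically.
        payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
        return hashlib.sha256(previous_hash.encode("ascii") + payload).hexdigest()

    def record(self, who, what, how, purpose, document, when=None):
        """Append one entry and return its hash; the timestamp defaults to the current UTC time."""
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        rec = {"seq": len(self.entries) + 1, "who": who, "what": what, "how": how,
               "when": when, "purpose": purpose, "document": document}
        previous = self.entries[-1]["hash"] if self.entries else self.GENESIS
        rec["previous_hash"] = previous
        rec["hash"] = self._digest(previous, rec)
        self.entries.append(rec)
        return rec["hash"]

    def verify(self):
        """Recompute every hash and check the links; returns (ok, first_bad_seq)."""
        previous = self.GENESIS
        for expected_seq, rec in enumerate(self.entries, start=1):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if (rec["seq"] != expected_seq or rec["previous_hash"] != previous
                    or self._digest(previous, body) != rec["hash"]):
                return False, rec.get("seq")
            previous = rec["hash"]
        return True, None

    def trace(self, document):
        """Follow one document from initiation to completion, in order."""
        return [(e["seq"], e["who"], e["what"], e["when"])
                for e in self.entries if e["document"] == document]


def build_sample_trail():
    """Constructed sample: a purchase order passing through segregated stages."""
    trail = AuditTrail()
    trail.record("Ayse (head of unit)", "approved", "signature on request form",
                 "purchase of office equipment", "PO-2024-017", when="2024-03-04T09:12:00+00:00")
    trail.record("Mehmet (accountant)", "entered accounting record", "accounting system entry",
                 "book the commitment", "PO-2024-017", when="2024-03-04T10:30:00+00:00")
    trail.record("Fatma (ex-ante control)", "checked compliance", "ex-ante financial control",
                 "compliance with budget appropriation", "PO-2024-017", when="2024-03-05T08:45:00+00:00")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print(trail.verify())
    print(trail.trace("PO-2024-017"))
```

Verification catches a changed field or a removed entry in the middle of the trail because the next entry's stored link no longer matches. Removal of the newest entries is only detectable if the latest hash returned by record() is also kept somewhere the trail's custodian cannot alter, for example in the periodic report to the line manager.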
5.11 Business continuity (or emergency plans)
Adequate measures should be in place to ensure continuity of service in case of an interruption of business as usual. Business Continuity Plans should be in place to ensure that the entity is able to continue operating, to the extent possible, whatever the nature of a major disruption.
5.12 Control activities related to Information Technology (IT)
IT systems entail specific types of control activities which should be introduced in organisations by their managers. These mechanisms for information system control consist of two major groups: general control mechanisms and application control mechanisms (application controls).
General control mechanisms are applicable to all operations and contribute to their proper implementation. The application control mechanisms include both procedures programmed in the software product itself and procedures that must be carried out manually in order to exercise control over the processing of different operations. The general control mechanisms are needed for the functioning of the application control mechanisms. An absence of sufficient general controls cannot be offset by application controls.
Usually, general control mechanisms are used in information analysis and processing centres, for the installation and maintenance of software products, and for the definition of access to information:
controls for information analysis and processing centres: they include the organisation and planning of work, the intervention of the respective administrators/operators, procedures for saving and subsequent use of information, back-up and contingency plans;
software controls: these refer to the acquisition, installation and maintenance of the software products necessary for the maintenance of the entire system and for the processing of software applications;
access definition controls: these ensure protection against unauthorised access. Access definition restricts users by allowing them to use and perform operations only with particular software products, thus ensuring segregation of responsibilities.
General software controls built in during the development of the system entail detailed application tests and allow checking of the soundness of the program's logic and of whether all errors will be detected. After the system is built, the controls for access to and maintenance of the system give assurance that nobody can use or make changes in the applications without the appropriate authorisation, and that all necessary changes are made in accordance with the established procedure for authorisation and approval.
The application control mechanisms support internal control by preventing the entry of wrong data into the system and by detecting and correcting errors, based on automated procedures for control over data form and content. The prevention and detection of these errors is programmed in the respective application. The application control mechanisms analyse the data on-line (simultaneously with their entry into the system), provide immediate information in case of a detected error and ensure its immediate correction.
The use of both types of controls provides assurance that the information is analysed and processed completely, correctly and accurately.
5.13 Assessing costs and benefits of control activities
After the initial selection of control activities to reduce the impact of risks, risk owners should evaluate the costs and expected benefits of each control activity. If the costs of the control activity exceed the expected benefits, the control activity should not be selected.
6 Practical Stages For Control Activities
Practical steps for control activities are briefly indicated in the following table. Since control activities are linked to risks, points on risk management are provided in stages 1, 2 and 3, whereas points on control activities are provided in stages 4 and 5. For further details on stages 1, 2 and 3 please refer to the risk management chapter.
CA Table 1 - Stages for control activities
Stage 1: Identify objectives.
Stage 2: Identify risks to achieving objectives.
Stage 3: Select the method of responding to risks: accepting, controlling, transferring, avoiding, or taking the opportunity.
Stage 4: Select the control method(s): preventive, detective, corrective, directive.
Stage 5: Select the type of control activities: authorisation and approval; segregation of duties; double signature system; reconciliation of data; supervision; ex-ante controls (checking compliance with the law); accounting covering all financial processes; anti-corruption; access to assets and information; documentation, archiving and information storage; business continuity; and information technology. Or refer to CA Annex 2, List of common control activities.
7 Steps to identify and implement control activities
Step 1: Administrations, when assessing their risks, review their systems and processes to determine whether they have existing controls to mitigate their risks. (Administrations where risk management will be implemented for the first time within the framework of the principles in this manual should list and evaluate all the existing control activities. Those control activities that don't match the objectives and the risks of the administration should be terminated.)
Step 2: Administrations assess whether these existing controls are effective/sufficient in terms of mitigating risks.
Step 3: If there are no existing controls, or the existing controls are not effective/sufficient, new and/or additional control activities are determined. (To help you decide which control activities to select, you may refer to the list of control activities in Annex 2.) In this step it will be useful to consider the following:
It may be appropriate to select more than one control activity.
Any new control activities you select must be evaluated for cost-effectiveness.
Appropriate control activities should be tested beforehand.
Step 4: New control activities are not foreseen for those high risks that are managed effectively/sufficiently with the existing controls; the existing control activities should continue.
Step 5: Risk owners, once the risk register has been approved, have to put in place the new control activities and also ensure the monitoring of both the new controls and the existing controls that are being continued from the predetermined starting date.
Step 6: Stakeholders are notified in writing about the control activities and whether they are working effectively.
Step 7: The risk owner, while reporting the risks in the Consolidated Risk Report (Risk Management Annex 4), will notify the manager/risk coordinator how well the new control activities and the existing controls that are being continued are working. This reporting involves writing a summary of what has happened, identifying the impact of the new control activities and of the existing controls that are being continued, and attaching any evidence to the report as an annex.
Control Activities Annexes

Annex 1 - Examples of some common risks and controls

Each entry gives a common risk and the possible control activities for it, with the type of control (preventive, detective, corrective or directive) in brackets.

Risk management
Risk: Risks are not being managed effectively, so the organisation's objectives may not be achieved.
Controls:
- Risk workshops are organised to determine risks, allocate owners, determine controls and decide how their operation is monitored (corrective).

Cash management
Risk: Cash holdings could be stolen.
Controls:
- Cash is kept locked away and access to it is strictly controlled (preventive).
- There is segregation of duties for staff who have access to cash (preventive).
- Cheques and other payment forms are serially numbered (preventive).

Asset management
Risk: Assets could be stolen.
Controls:
- Physical controls, for example using a safe (preventive).
- Separation of duties, authorisation levels, passwords (preventive).
- Tagging of goods, reconciliations, stock counts (detective).

Document control
Risk: Documents received could be lost.
Controls:
- Keeping a register that shows where all received documents are filed (preventive).
Risk: Because document control procedures are not clear and specific, decisions are not taken on time.
Controls:
- The document control procedure defines the controls needed to approve documents for adequacy prior to issue; ensure that changes and the current revision status of key documents (strategic plan, performance programmes etc.) are identified; ensure that the relevant versions of applicable documents are available at points of use; ensure that distribution of sensitive and classified documents is controlled; and identify documents that should be archived (all preventive).

Planning and budgeting
Risk: Budget resources may be spent inappropriately.
Controls:
- Effective planning/budgeting process (preventive).
- Staff have received training in budget preparation (preventive).
- Comparison of interim and final accounts and activity reports with the strategic plan, performance programme and the budget (detective).
Risk: Financial information may not be accurate and complete.
Controls:
- Financial information is stored or reported on the computer (preventive).

Procurement
Risk: Error and fraud could occur in the procurement process.
Controls:
- Separation of duties between staff making decisions, staff selected for the tender commission and staff involved in payments (preventive).
- Applying ex-ante controls to the award decision before the signing of the contract (preventive).
- Random checks on transactions by authorised staff (detective).
- Identifying purchasing thresholds (preventive).
- Requirement to seek the ex-ante approval of a senior manager or the Minister for some high-value procurements (double signature system) (preventive).
- Regular rotation of staff who have critical responsibilities in the procurement process (preventive).

Stores
Risk: Unauthorised removal of goods from store.
Controls:
- Physical stock checks against inventory records (detective).
Risk: Goods ordered but not delivered on time, or partially delivered.
Controls:
- Including penal provisions in the contract regarding any failure to deliver goods on time (corrective).
- Comparison between invoices, goods delivery notes and the contract (detective).

Revenue management
Risk: Delays in submitting tax statements on time and failure to collect revenues on a timely basis.
Controls:
- Incentives for timely submission of tax statements (advance warning, posters etc.) (directive).
- Incentives for on-line submission of tax statements (preventive).
- Penalties for late submission (preventive).

Contingency planning
Risk: A major 'incident' destroys important data.
Controls:
- A Business Contingency Plan exists, has been tested and is kept up to date (preventive).

IT security
Risk: Unauthorised staff may obtain access to computerised data.
Controls:
- Personal identifiers and passwords (preventive).
- Review of on-line access and transaction logs (detective).
Risk: Master files may be changed inappropriately.
Controls:
- Supervisor authorisation required on forms indicating the data to be changed (preventive).
- The supervisor does not have change access rights (preventive).
- The supervisor verifies changes against a printout of changes (detective).
Annex 2 List of common control activities

Each category states the control objective and lists the control activities that commonly support it.

Risk management
Objective: Appropriate risk management policies, procedures, techniques and mechanisms exist for each of the organisation's activities.
- Management has ensured that all relevant objectives and associated risks for each significant activity have been identified in conjunction with conducting the risk assessment and analysis function.
- Management has identified the actions and control activities needed to address the risks and directed their implementation.

Implementing control activities
Objective: The control activities identified as necessary are in place and being applied.
- Management has ensured that control activities described in policy and procedures manuals are actually applied, and applied properly; that managers and employees understand the purpose of internal control activities; and that nominated staff review the functioning of established control activities and remain alert for instances in which excessive control activities should be minimised.
- For existing control activities, look out for:
  - Guidance: it is likely that there will be official guidance about how to carry out your work.
  - Documentation: there may be standard document control procedures to ensure that new documents are registered and filed, changes to documents are recorded and documents no longer in use are archived.
  - Checking the work of others: this is a basic control activity that can involve a supervisor or manager checking the work of staff, staff in one section checking the work of staff in another section, or computer checks. There may also be a requirement for transactions to be checked by the SDU under the ex-ante control regulation.
  - Security: protecting documents, cash and assets.
  - Contingency arrangements: ensuring the continuation of essential services in the event of a service failure.

Performance monitoring
Objective: Senior management track outturn in relation to the operational and performance plans.
- Top management are involved in developing annual performance plans and targets and in measuring and reporting results against those plans and targets.
- Top management regularly review actual performance against budgets, forecasts and prior period results.
- Top management take appropriate corrective action when progress reports indicate that performance is significantly out of line with plans.
Objective: Operational managers review actual performance against targets.
- Managers at all activity levels review performance reports, analyse trends and measure results against targets.
- Managers review and compare financial, budgetary and operational performance to planned or expected results.
- Appropriate control activities are employed, such as reconciliations of summary information to supporting detail, checking the accuracy of summarisations of operations, and checking the reliability of data sources and data systems.
- Comparisons are made relating different sets of data to one another so that the relationships can be analysed and corrective action taken if necessary.
- Investigation of unexpected results or unusual trends leads to identification of circumstances in which the achievement of goals and objectives may be threatened, and corrective action is taken.
- Analysis and review of performance indicators and results are used for both operational and financial reporting control purposes.

Quality of performance measures and indicators
Objective: The organisation monitors the quality of performance measures and indicators.
- The organisation periodically reviews and validates the propriety and integrity of performance measures and indicators.
- Performance measurement assessment factors are evaluated to ensure that they are linked to mission, goals and objectives, are balanced, and set appropriate incentives for achieving goals while complying with law, regulations and ethical standards.
- Actual performance data is continually compared against planned goals, and differences are analysed to establish whether the right things are being measured in the right way.

Human resource management
Objective: The organisation effectively manages its workforce to achieve results.
- A clear and coherent shared vision of the organisation's mission, goals, values and strategies is explicitly identified in the strategic plan, annual performance plan and other guiding documents, and that view has been clearly and consistently communicated to all employees.
- The organisation has a coherent overall manpower planning strategy, as evidenced in its strategic plan, performance plan or a separate manpower planning document, and that strategy encompasses manpower planning policies, programmes and practices to guide the organisation.
- The organisation has a specific and explicit workforce planning strategy, linked to the overall strategic plan, that allows for identification of current and future manpower planning needs.
- Senior leaders and managers support teamwork, reinforce the shared vision of the organisation and encourage feedback from employees, as evidenced by actions taken to communicate this to all employees and by the existence of opportunities for management to obtain feedback.
- The organisation's performance management system is given a high priority by top-level officials and is designed to guide the workforce to achieve the organisation's shared vision/mission.
- Procedures are in place to ensure that staff with appropriate competencies are recruited and retained for the work of the organisation, including a formal recruiting and hiring plan with explicit links to the skill needs the organisation has identified.
- Employees are provided with the information, training and tools to perform their duties and responsibilities, improve performance, enhance their capabilities and meet the demands of changing organisational needs.
- Qualified and continuous training is provided to ensure that internal control objectives are being met.
- Meaningful, honest and constructive performance evaluation and feedback are provided to help employees understand the connection between their performance and the achievement of the organisation's goals.

Information processing
Objective: The organisation uses a variety of control activities suited to information processing systems to ensure accuracy and completeness.
- Edit checks are used in controlling data entry.
- Accounting for transactions is performed in numerical sequence.
- File totals are compared with control accounts.
- Exceptions or violations indicated by other control activities are examined and acted upon.
- Access to data files and programs is appropriately controlled.

Physical control over vulnerable assets
Objective: The organisation uses physical controls to secure and safeguard vulnerable assets.
- Physical safeguarding policies and procedures have been developed, implemented and communicated to all staff.
- The organisation has developed a disaster recovery plan which is regularly tested, updated and communicated to staff.
- The organisation has developed a plan for the identification and protection of any critical infrastructure assets.
- Assets that are particularly vulnerable to loss, theft, damage or unauthorised use, such as cash, securities, supplies, inventories and equipment, are physically secured and access to them is controlled.
- Assets such as cash, securities, supplies, inventories and equipment are periodically counted and compared to control records, and exceptions are examined.
- Cash and negotiable securities are kept under lock and key, and access to them is strictly controlled.
- Forms such as blank cheques and purchase orders are sequentially pre-numbered and physically secured, and access to them is strictly controlled.
- Mechanical cheque signers and signature plates are physically protected, and access to them is strictly controlled.
- Equipment vulnerable to theft is securely fastened or protected in some other manner.
- Identification plates and numbers are attached to office furniture and fixtures, equipment and other portable assets.
- Inventories, supplies and finished items/goods are stored in physically secured areas and protected from damage.
- Facilities are protected from fire by fire alarms and sprinkler systems.
- Access to premises and facilities is controlled by fences, guards and/or other physical controls.
- Access to facilities is restricted and controlled during non-working hours (alarms, CCTV etc.).

Separation of duties
Objective: Key, high-risk and sensitive duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud.
- No one individual is allowed to control all key aspects of a transaction or event.
- Responsibilities and duties involving transactions and events are separated among different employees with respect to authorisation and approval; processing and recording; making payments or collecting income; review and auditing; and the custodial functions and handling of related assets.
- Duties are assigned systematically to a number of individuals to ensure that effective checks and balances exist.
- Where feasible, no one individual is allowed to work alone with cash, securities or other assets.
- The responsibility for opening mail which contains cash is assigned to individuals who have no responsibilities for, or access to, files or documents pertaining to accounts receivable or cash accounts.
- Bank accounts are reconciled by staff who have no responsibilities for cash receipts, disbursements or custody.
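The separation-of-duties row above is usually enforced in two places: preventively, in how roles are designed and assigned, and detectively, by the review of access and transaction logs that Annex 1 lists under IT security. The following Python is an added example written for this edition of the manual, not code from the manual or from any administration's system. It takes the five duty groups named in the row (authorisation and approval; processing and recording; payments or collection; review and auditing; custody) and assumes that any two of them held by one person is a conflict, which is a simplification; real incompatibility matrices are narrower. All roles, users, action names and log lines are constructed for the example.

```python
"""Segregation of duties (SoD): a preventive check on role design and a detective
check over a transaction log. Added example, not from the manual. The five duty
groups follow the manual's separation-of-duties row; treating every pair of
groups as incompatible, and all roles, users and log lines, are assumptions
constructed for this example."""
from collections import defaultdict
from itertools import combinations

AUTHORISE, RECORD, PAY, REVIEW, CUSTODY = (
    "authorise_approve", "process_record", "pay_collect", "review_audit", "custody")
DUTIES = (AUTHORISE, RECORD, PAY, REVIEW, CUSTODY)
# Assumption: any two distinct duty groups held by one person is a conflict.
INCOMPATIBLE = {frozenset(p) for p in combinations(DUTIES, 2)}

# Constructed role model: role -> duty groups it grants.
ROLE_DUTIES = {
    "payments_clerk": {RECORD},
    "payments_approver": {AUTHORISE},
    "treasury": {PAY},
    "internal_audit": {REVIEW},
    "storekeeper": {CUSTODY},
    "finance_superuser": {RECORD, PAY},   # badly designed: bundles two groups
}
# Constructed user -> roles assignments.
USER_ROLES = {
    "ayse": {"payments_clerk"},
    "mehmet": {"payments_approver"},
    "fatma": {"treasury"},
    "ali": {"payments_clerk", "treasury"},   # conflict arising from two roles
    "zeynep": {"finance_superuser"},         # conflict inside a single role
    "can": {"internal_audit"},
}
# Which duty group each logged action exercises.
ACTION_DUTY = {"raise_payment": RECORD, "approve_payment": AUTHORISE,
               "release_payment": PAY}

# Constructed transaction log, one "timestamp,txn_id,user,action" per line.
SAMPLE_LOG = """\
2024-03-04T09:01:00,PO-1001,ayse,raise_payment
2024-03-04T09:20:00,PO-1001,mehmet,approve_payment
2024-03-04T10:05:00,PO-1001,fatma,release_payment
2024-03-04T11:00:00,PO-1002,ali,raise_payment
2024-03-04T11:02:00,PO-1002,mehmet,approve_payment
2024-03-04T11:03:00,PO-1002,ali,release_payment
2024-03-04T12:00:00,PO-1003,can,approve_payment
"""


def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of the duty groups granted by all of a user's roles."""
    duties = set()
    for role in user_roles.get(user, ()):
        duties |= role_duties.get(role, set())
    return duties


def static_conflicts(user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Preventive check: which users hold incompatible duty groups, whether
    through one over-broad role or through a combination of roles.
    Returns {user: [(duty, duty), ...]} for users with at least one conflict."""
    findings = {}
    for user in sorted(user_roles):
        duties = effective_duties(user, user_roles, role_duties)
        pairs = sorted(tuple(sorted(p)) for p in combinations(duties, 2)
                       if frozenset(p) in INCOMPATIBLE)
        if pairs:
            findings[user] = pairs
    return findings


def parse_log(text):
    """Parse the constructed CSV log into dicts."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, txn, user, action = line.split(",")
            rows.append({"ts": ts, "txn": txn, "user": user, "action": action})
    return rows


def log_review(rows, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Detective check over transaction logs. Flags (a) an action whose duty
    group the user's roles do not grant (acting outside authority) and (b) one
    user exercising two incompatible duty groups on the same transaction.
    Returns a sorted list of (txn_id, user, finding)."""
    findings = set()
    performed = defaultdict(lambda: defaultdict(set))  # txn -> user -> duties
    for r in rows:
        duty = ACTION_DUTY[r["action"]]
        if duty not in effective_duties(r["user"], user_roles, role_duties):
            findings.add((r["txn"], r["user"], "unauthorised:" + r["action"]))
        performed[r["txn"]][r["user"]].add(duty)
    for txn, users in performed.items():
        for user, duties in users.items():
            for a, b in combinations(sorted(duties), 2):
                if frozenset((a, b)) in INCOMPATIBLE:
                    findings.add((txn, user, f"sod_breach:{a}+{b}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, pairs in static_conflicts().items():
        print(f"role design conflict: {user} holds {pairs}")
    for finding in log_review(parse_log(SAMPLE_LOG)):
        print("log finding:", finding)
```

On the constructed data the static check reports "ali" (two individually acceptable roles that together combine recording and payment) and "zeynep" (a single role that bundles them), which is the point of evaluating effective duties rather than roles one at a time. The log review then shows why both checks are needed: "ali" raised and released the same payment PO-1002 using access he legitimately holds, which only the transaction-level review catches, while "can" approved PO-1003 without any role granting approval, which is an access-control failure the static check could never see.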
Authorisation for transactions or events
Objective: Appropriate staff are authorised for transactions and other significant events.
- Controls ensure that only valid transactions and other events are initiated or entered into, in accordance with management decisions and directives.
- Controls exist to ensure that all transactions and other significant events are authorised and executed only by employees acting within the scope of their authority.
- Authorisations are clearly communicated to managers and employees and include the specific conditions and terms under which authorisations are to be made.
- The terms of authorisations are in accordance with directives and within the limitations established by law, regulation and management.

Recording transactions and events
Objective: Transactions and other significant events are properly classified and promptly recorded.
- Transactions and events are appropriately classified and promptly recorded so that they maintain their relevance, value and usefulness to management in controlling operations and making decisions.
- Proper classification and recording take place for each transaction or event.

Accountability for and access restrictions to resources and records
Objective: Access to resources and records is limited, and accountability for their custody is clearly allocated.
- The risk of unauthorised use or loss is controlled by restricting access to resources and records to authorised staff only.
- Accountability for the custody and use of resources and records is assigned to specific individuals.
- Access restrictions and accountability assignments for custody are recorded and periodically reviewed.
- Periodic comparison of resources with the recorded accountability is made to determine whether the two agree, and differences are examined.
- How frequently actual resources are compared to records, and the degree of access restriction, are functions of the vulnerability of the resource to the risk of error, fraud, waste, misuse, theft or unauthorised alteration.
- Management considers such factors as asset value, portability and exchangeability when determining the appropriate degree of access restriction.
- As part of assigning and maintaining accountability for resources and records, management informs specific individuals within the organisation of those responsibilities and ensures that they are aware of their duties for the appropriate custody and use of those resources.

Documentation
Objective: Internal control, transactions and other significant events are clearly documented.
- Written documentation exists covering the organisation's internal control structure and all significant transactions and events.
- The documentation is readily available for examination.
- The documentation for internal control identifies the organisation's activity-level functions and related objectives and control activities, and appears in management directives, administrative policies, manuals and other guidance.
- Documentation for internal control describes and covers management information systems, data collection and handling, and the specifics of the general and application controls related to such systems.
- Documentation of transactions and other significant events is complete and accurate and facilitates tracing the transaction or event and related information from authorisation and initiation, through its processing, to after it is completed.
- Documentation, whether in paper or electronic form, is useful to those involved in controlling, evaluating or analysing operations.
- All documentation and records are properly managed, maintained and periodically updated.

General computer controls
Objective: The organisation periodically performs a comprehensive high-level assessment of the risks to its information systems.
- Risk assessments are performed and documented regularly and whenever systems, facilities or other conditions change.
- Risk assessments consider data sensitivity and consistency.

Objective: Effective computer security controls are in operation and are monitored.
- The organisation has developed a plan that clearly describes the organisation-wide security programme and the policies and procedures that support it.
- Senior management have established a structure to implement and manage the IT security programme throughout the agency, and security responsibilities are clearly defined.
- The organisation monitors the security plan's effectiveness and makes changes as needed.
- Corrective actions are promptly and effectively implemented and tested, and they are continually monitored.

Objective: Effective computer access controls are in place and are monitored.
- Information resources are classified according to their criticality and sensitivity.
- Resource classifications and related criteria have been established and communicated to resource owners.
- Resource owners have classified their information resources based on approved criteria and with regard to risk determinations and assessments, and have documented those classifications.
- Resource owners have identified authorised users, and their access to the information has been formally authorised.
- The organisation monitors information systems access, investigates apparent violations and takes appropriate remedial action.
- The organisation has established physical and logical controls to prevent or detect unauthorised access.
Objective: Application software development and change controls are in place and are monitored.
- Application software modifications are properly authorised.
- All new or revised software is thoroughly tested and approved.
- The organisation has established procedures to ensure control of its software libraries, including labelling, access restrictions and the use of inventories and separate libraries.
- All key activities are monitored.

Objective: Effective system software controls are in place and are monitored.
- The organisation limits access to system software based on job responsibilities, and access authorisation is documented.
- Access to and use of system software are controlled and monitored.
- The organisation controls changes made to system software.

Objective: There is effective separation of duties for IT operations.
- Incompatible duties have been identified and policies implemented to segregate those duties.
- Access controls have been established to enforce segregation of duties.

Objective: Controls ensure the continuity of IT services.
- The criticality and sensitivity of computerised operations have been assessed and prioritised, and supporting resources have been identified.
- The organisation has taken steps to prevent and minimise potential damage and interruption through data and program backup procedures (including offsite storage of backup data), environmental controls, staff training, and hardware maintenance and management.
- Management have developed and documented a comprehensive IT service contingency plan.
- The organisation periodically tests the contingency plan and adjusts it as appropriate.

Computer application controls
Objective: Source documents are controlled and require authorisation.
- Access to blank source documents is restricted.
- Source documents are pre-numbered sequentially.
- Key source documents require authorising signatures.
- For batch application systems, batch control sheets are used, providing information such as date, control number, number of documents and control totals for key fields.
- Senior management or independent review of data occurs before it is entered into the application system.
- Data entry terminals have restricted access.
- Master files and exception reporting are used to ensure that all data processed are authorised.
Objective: Completeness controls.
- All authorised transactions are entered into and processed by the computer.
- Reconciliations are performed to verify data completeness.

Objective: Accuracy controls.
- The organisation's data entry design features contribute to data accuracy.
- Data validation and editing are performed to identify erroneous data.
- Erroneous data is captured, reported, investigated and promptly corrected.
- Output reports are reviewed to help maintain data accuracy and validity.

Objective: Control over the integrity of processing and data files.
- Procedures ensure that the current version of programs and data files is used during processing.
- Programs include routines to verify that the proper version of the computer file is used during processing.
- Programs include routines for checking internal file header labels before processing.
- The application protects against concurrent file updates.
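The computer application controls above (pre-numbered source documents, batch control sheets, completeness reconciliations, edit checks and internal header label checks) are easiest to understand as code that runs before a batch is posted. The Python below is an added example written for this edition of the manual, not code from the manual or from any administration's system. The record layout ("doc_no|payee|amount"), the "HDR|name|version|date" header label, the control sheet fields and the file contents are all constructed for the example; a real batch system defines its own formats. One voucher, PV-0103, is deliberately left out of the file so that the completeness controls have something to find.

```python
"""Application controls for a batch payment file: internal header label check,
edit checks on each record, and reconciliation of the file to its batch control
sheet (document count, control total, pre-numbered sequence). Added example,
not from the manual; the record layout, header label, control sheet and file
contents are all constructed for this example."""
from decimal import Decimal

# Constructed batch file. Line 1 is the internal header label (file name,
# layout version, processing date); each further line is one payment voucher
# from a sequentially pre-numbered source document. PV-0103 is deliberately
# absent so that the completeness controls below have work to do.
BATCH_FILE = """\
HDR|PAYMENTS|v3|2024-03-04
PV-0101|Office Supplies Ltd|1250.00
PV-0102|Cleaning Co|830.50
PV-0104|Utilities Inc|2100.00
PV-0105|Catering Co|830.50
"""

# Constructed batch control sheet from the originating unit: date, control
# number, number of documents and a control total for the key field.
CONTROL_SHEET = {
    "date": "2024-03-04",
    "control_number": "B-0007",
    "document_count": 5,
    "amount_total": Decimal("5841.50"),
    "first_doc": "PV-0101",
    "last_doc": "PV-0105",
}
EXPECTED_LABEL = ("PAYMENTS", "v3")   # file name and layout version we process


def check_header(header_line, expected=EXPECTED_LABEL):
    """Integrity control: verify the internal header label before processing,
    so the wrong file or an old layout version is rejected outright."""
    fields = header_line.split("|")
    if len(fields) != 4 or fields[0] != "HDR":
        return ["header: missing or malformed HDR label"]
    if (fields[1], fields[2]) != expected:
        return [f"header: got {fields[1]} {fields[2]}, "
                f"expected {expected[0]} {expected[1]}"]
    return []


def parse_records(lines):
    """Accuracy controls (edit checks): field count, document number format,
    numeric positive amount. Returns (records, problems)."""
    records, problems = [], []
    for n, line in enumerate(lines, start=2):   # the header is line 1
        parts = line.split("|")
        if len(parts) != 3:
            problems.append(f"line {n}: wrong field count")
            continue
        doc, payee, amount = parts
        if not (doc.startswith("PV-") and doc[3:].isdigit() and len(doc) == 7):
            problems.append(f"line {n}: bad document number {doc!r}")
        try:
            value = Decimal(amount)
        except ArithmeticError:
            problems.append(f"line {n}: amount {amount!r} is not numeric")
            continue
        if value <= 0:
            problems.append(f"line {n}: non-positive amount {value}")
        records.append({"doc": doc, "payee": payee, "amount": value})
    return records, problems


def reconcile(records, sheet=CONTROL_SHEET):
    """Completeness controls: document count and amount control total agree
    with the control sheet, and every pre-numbered document in the declared
    range is present exactly once."""
    problems = []
    if len(records) != sheet["document_count"]:
        problems.append(f"count: file has {len(records)} documents, "
                        f"sheet says {sheet['document_count']}")
    total = sum((r["amount"] for r in records), Decimal("0"))
    if total != sheet["amount_total"]:
        problems.append(f"control total: file {total} != sheet {sheet['amount_total']}")
    numbers = [int(r["doc"][3:]) for r in records]
    first, last = int(sheet["first_doc"][3:]), int(sheet["last_doc"][3:])
    missing = sorted(set(range(first, last + 1)) - set(numbers))
    if missing:
        problems.append("sequence gap: missing " + ", ".join(f"PV-{n:04d}" for n in missing))
    duplicates = sorted({n for n in numbers if numbers.count(n) > 1})
    if duplicates:
        problems.append("duplicate documents: " + ", ".join(f"PV-{n:04d}" for n in duplicates))
    return problems


def process_batch(text, sheet=CONTROL_SHEET):
    """Run the controls in order; an empty list means the batch may be posted."""
    lines = [l for l in text.splitlines() if l.strip()]
    problems = check_header(lines[0]) if lines else ["empty file"]
    if problems:
        return problems                      # never process past a bad label
    records, problems = parse_records(lines[1:])
    return problems + reconcile(records, sheet)


if __name__ == "__main__":
    for p in process_batch(BATCH_FILE) or ["batch reconciles: OK to post"]:
        print(p)
```

Note the order of the checks: the header label is verified first and processing stops if it fails, because edit checks and control totals mean nothing when run against the wrong file or an outdated layout. On the constructed file the three completeness findings (count short by one, control total short by 830.50, gap at PV-0103) point at the same missing voucher, which is exactly what the batch control sheet exists to make visible; the duplicate-number check catches the opposite error of a voucher posted twice.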
Annex 3 - Illustrations for cost benefit analysis

Example 1
You are considering hiring a junior clerk to carry out a 100 per cent check on all payments your spending unit makes (checking that each agrees to the supporting documents) to ensure that the correct amount is paid. This is an ex-ante control, as the check is made prior to the payment. You estimate that this task will occupy the junior clerk for 100 per cent of their working time.

Cost of the junior clerk: 2500 YTL a month (1200 salary plus 1300 contribution to overheads, e.g. heating the building).

Scenario A
Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 3000 YTL a month.
Decision: this control activity is cost effective and the junior clerk should be employed to do this checking.

Scenario B
Cost: same as above.
Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 2000 YTL a month.
Decision: this control activity is not cost effective and the junior clerk should not be employed full time to do this checking. You can rely on other controls instead.

Possibilities:
- Focus checking on only the highest-value or riskiest payments. This will occupy the clerk for only 50 per cent of their time. If you estimate that it will find, on average, errors of overpayment of 1600 YTL a month (i.e. more than 50 per cent of the clerk's cost, which is 1250 YTL), this is a better alternative control; or
- Don't do any checking, and rely on the separation of duties control (a different clerk raises the payment from the one who enacts it) to prevent fraudulent overpayments.
Example 2
You do not currently employ a public relations expert. In the absence of any control on dealings with the press, you assess the risk of reputational damage as high likelihood and high impact.

Cost of the expert in public relations: 4500 YTL a month (2500 salary plus 2000 contribution to overheads, e.g. heating the building).

Scenario 1
You have a low risk appetite for reputational damage and consider that routing all dealings with the press through the expert in public relations will mitigate the risk to within your risk appetite (by considerably reducing the likelihood of reputational damage through ill-advised comments being given to the press). You consider this risk mitigation so important to your administration that it justifies employing the expert in public relations.
Decision: you employ the expert in public relations.

Scenario 2
You have a high risk appetite for reputational damage and consider that the risk of reputational damage through ill-advised comments being given to the press, without employing the expert, is equal to or less than your risk appetite for this risk. You thus consider that the benefit of employing the expert is outweighed by the cost, and that it is not cost-effective to employ the expert in public relations.
Decision: you do not employ the expert in public relations.
Action: as the risk is at or below your risk appetite, you need not select an alternative control activity, but you should keep the decision under review, as it may change if your risk appetite reduces or your assessment of the likelihood and/or impact of the risk increases.
INFORMATION AND COMMUNICATION

1 INTRODUCTION
Information and communication, the fourth of the five components of the COSO internal control model, links the control environment, risk assessment and control activities through the sharing of information. It plays an important role in increasing the functionality and operational competence of the internal control system, which is regarded as a tool for attaining organisational objectives and aims, because it regulates the flow of information within the administration.

The aim of this chapter of the manual is to give information, within the framework of the internal control standards, about the structures and practices related to the use of information and communication mechanisms, and to provide guidance for users about reporting, registry and filing systems and about the methods to be used in notifying faults, irregularities and corruption, with a view to ensuring that administrations carry out their activities in line with their objectives and account for those activities.

Communication refers to the transformation and conveyance of information within the organisation, vertically and horizontally, and externally to the relevant people, administrations and bodies via proper mechanisms. Administrations must aim to establish an effectively managed and well coordinated communication system that meets the information needs of managers, staff and the public.

If information and communication systems do not function as expected, managers and staff may come up against the risk of not being able to make timely and right decisions, not being able to implement those decisions and, ultimately, not being able to achieve the objectives. Information should therefore be accessible, useful, timely, accurate, complete and up-to-date.
2 Information and Communication Standards
Information and communication includes the information, communication and record system which ensures that the required information reaches the person, personnel and administrator who need it, in the determined format and within a time period that enables them to fulfil their internal control and other responsibilities.

IC Box 1 Information and Communication Standards
[Figure: the five internal control components - Control Environment, Risk Management, Control Activities, Information & Communication, Monitoring]

Standard 13 Information and communication
The administrations shall have a suitable information and communication system with a view to ensuring that the performance of the units and the personnel is monitored, that decision-making processes operate soundly, and that efficiency and satisfaction in providing services are achieved.

Standard 14 Reporting
The goals, objectives, indicators and activities of the administration, and their results, shall be reported in accordance with the principles of transparency and accountability.

Standard 15 Record and filing system
The administrations shall have a comprehensive and up-to-date system in which works and transactions, including incoming and outgoing documents, are recorded, classified and filed.

Standard 16 Notification of faults, irregularities and corruption
The administrations shall develop methods which ensure that faults, irregularities and corruption are notified in a specified order.
3 ROLES AND RESPONSIBILITIES IN INFORMATION AND COMMUNICATION

Minister
Ensures coordination and cooperation with other ministries, and informs the public and the TGNA about the annual performance programme and activity report submitted to him by the administration.

Head of Administration
The Head of Administration must publish an announcement, via the internal communication network or an official letter, on what is to be done before the preparation of documents such as the strategic plan, performance programme, activity report and Risk Strategy and Policy Paper, which need to be prepared in a way that ensures attainment of the pre-identified objectives in the fields for which the administration is responsible.

Another duty of the Head of Administration is to sign the internal control assurance declaration and to inform the public and the Minister.

As the quality of the information exchange and communication between the Head of Administration and the other actors has a direct effect on the Head of Administration's accountability, the Head of Administration must guide the relevant units on the frequency and methods of feedback he prefers.

When new information systems are set up and integrated, the Head of Administration must consider whether the current information system meets the needs. If a new system is to be set up, it must be designed with its integration with the other information systems in mind.

Internal Auditor
As prescribed by Law no 5018, internal auditors assess the internal control system under the Head of Administration and report to the Head of Administration whether or not the internal control system functions properly. To carry out their duties, internal auditors must therefore be given unrestricted access to all the information they need. Such a mechanism depends on robust communication and flow of information between the internal auditors and the Head of Administration.

Based on the report submitted by the internal auditor, the Head of Administration is entitled to take preventive or corrective actions and to develop new control activities, or to request additional reports.

Authorising Officer
Authorising Officers must ensure that the tasks, powers and responsibilities of staff are defined clearly and in writing and communicated to all staff. In this framework a chart of duties showing the functional reporting network must be produced and communicated to the staff. A communication network that gives staff and managers quick and timely access to the activities and their results must be used; the organisational chart of the administration published on the intranet and internet can also include a diagram showing the tasks of the sub-units and the responsible and authorised staff. The Authorising Officer must ensure that sub-units are informed about each other's activities.
Authorising officers
must ensure that an electronic communication and archiving system is used effectively for
the accurate and reliable acquisition storage and communication of the information
needed regarding the objectives activities and indicators that are relevant to their
respective units from among those included in the strategic plan and performance
program of the administration
must provide for the regular announcement of the status of realisation regarding the
performance objectives and indicators related to their respective units and the grounds for
the data on the webpage of the unit and
must provide information for periodical reporting to the SDUs that will be carried out by
authorising officers (information about objectives and risks of the unit status of realisation
etc)
99
should transfer timely complete and accurate information and documents regarding
financial transaction processes to the Accounting Officer and set up mechanisms to store
records and statistics
Realisation Officer
Realisation officers, who are responsible for issuing spending orders, must periodically brief the authorising officer on the spending process. In this regard, the spending order being complete, accurate, understandable and reliable plays a significant role in realisation officers fulfilling their tasks as requested of them.
Accounting Officer
The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way. Accounting Officers must regularly report to the authorising officer on the accounting records.
Strategy Development Units
SDU managers must review the information included in the activity reports, performance programmes and strategic plans by holding periodic meetings with the authorising officers of other units. Personnel of SDUs must obtain the information that is needed in the field of financial management and control through these persons.
The necessary coordination for the formation of the team to carry out the studies on the establishment and development of Information Management Systems within the administration is provided by the SDU.
In fulfilment of the coordination duties of SDUs, which are defined by laws, the Principles and Procedures of Internal Control and Ex-ante Financial Control, the Strategy Planning Guideline, the Legislation and Manual on Performance Programs to be Prepared in Public Administrations, and secondary and tertiary regulations such as the Budget Preparation Manual must be taken into consideration.
SDUs must have a webpage with forums, good practice examples and frequently asked questions to ensure communication with internal and external stakeholders, in order to carry out their tasks more effectively.
Central Harmonisation Unit
While carrying out its tasks in the field of information and communication:
the CHU sets up a common (web-based) network where information can be shared;
it organises trainings, panels and conferences for the actors that take part in the field of internal control;
CHU members are assigned to be responsible for particular administrations to enhance information and communication with the SDUs of administrations. They communicate with SDUs and provide them with information and guidance via official letters, call centres, telephone, forums, etc.
Please refer to the CHU Handbook for further details on the roles and responsibilities of the CHU.
Besides the practices and methods in the area of information and communication given in this manual, public administrations must also take into consideration those regulations in the legislation which are directly related to the area of information and communication. These basic regulations are contained in IC Annex I.
4 INFORMATION
The prerequisite for reliable and proper information is immediate recording and suitable classification of all operations and transactions. Internal control includes obtaining, classifying, recording, utilising and reporting both financial and non-financial information.
4.1 Characteristics of Information
The characteristics that the information used in public administrations must have are given below.
Timely: Information should be obtained and transferred at the right time by the right personnel.
Related: Information should be related to every activity, work or action.
Available: Information holdings should be available to those who require them the moment they need them, and also later. Technology should be available to users in order to facilitate obtaining, storing, transferring and using information.
Comprehensible: The description of information holdings must have the same meaning for users at all levels of the administration. In addition, information that is shared with external stakeholders must be clear and meaningful for the users.
Usable: Information must meet the needs of its users in relation to the purposes for which it was received.
Complete: Both the content and form of information should be complete in order to provide for efficient and effective use of information holdings.
Accurate: Information must reflect accurately and correctly the points regarding the aims, objectives and activities it is related to.
Up-to-date: Information must be updated and related to the needs. A lack of up-to-date information can impair decision making and program delivery. Managers and personnel should take the necessary actions to keep information up-to-date.
4.2 Information Management
Information management is a process in which information is planned, obtained from any kind of source internally or externally, classified, stored, communicated to relevant bodies in a timely manner for interpretation, reviewed for updating, and destroyed. The stages of this process are complementary to each other; at any stage there may be a need to take into consideration the phases of the previous or next stage.
IC Figure: Information Management Process (five stages: planning information need; creating and collecting information; organising information; utilising and sharing information; reviewing and keeping information).
4.2.1 Planning Information Need
The planning stage starts with identifying strategic aims and objectives and performance objectives, as well as identifying the information needs to achieve these objectives. This stage includes the assessment of who needs what information, when, why and how they can acquire it, at all levels from the operational to the strategic activity level, in order for the administration to maintain its operations effectively.
In the planning stage the following factors must be taken into consideration:
Internal and external information users must be defined and classified. The information needs of users must be determined. Information holdings must be examined to see whether the current information need of the users can be met using them.
While novel databases and information systems are designed, the risk of the information being disseminated to the public must be considered.
The benefit and cost of information in terms of the users must be analysed.
The information need for new legislative, strategic and operational aims must be defined along with the relevant information system requirements; furthermore, the person and the time to do this work must be set out.
Emerging information needs must be compared to the present information and information systems within and outside the administration.
For increasing the value or productivity, or decreasing the cost, of the systems in use, such methods as combining information systems, using novel technologies and standard practices can be referred to.
The value of information is not only about how it is used and kept but also about how and when it is going to be destroyed. Many factors such as legislation, information policies and needs may have an impact on how long to keep that information. Information which is being kept should be destroyed in accordance with the relevant legislation after the necessary approvals have been received.
4.2.2 Creating and Collecting Information
While producing and collecting information, first of all the value of the information for the administration must be set out, and it should be made sure that the people in need of information have access to it on time.
The information collection and creation process should focus on the following, and the information collected or created must have the capacity to meet the needs of the administration. To this end:
The holdings must be periodically reviewed in order to determine whether the information that is created or collected continues to meet the identified needs, and it must be followed up whether users really use the information. A great deal of information can still be unnecessarily collected for a reason that was identified in previous periods. If the administration decides to stop collecting that information, it must first set out whether any individual or program would be affected.
The quality and scope of information, as well as its relation to the defined needs and whether it meets the needs or not, should be understood in regular reviews. In addition, the implicit information of the staff must be turned into explicit information and incorporated into the information inventory. The information produced as a result of the process studies must be classified starting from the most frequently used to the least.
Information must be compiled in information pools to be created. This information must be clear and understandable. The information in the pool must be open to access upon being classified in accordance with the information hierarchy, such as strategic and operational. Management of the information pool must be carried out by a team who are competent in the processes to be formed within the administration.
Legislation or policies may demand that certain information be collected by an administration. Therefore, information that is collected must meet legislative and institution-specific policy requirements.
Information collection must be coordinated. To this end:
all information collection activities must be accounted for, including all regions and organisational units, and information collected must be accessible;
the administration must ensure that information collection conforms to the applicable standards;
information must be periodically reviewed in order to ensure that the requirements of the relevant legislation are respected (this might be done during the annual update of personal information); and
before information is created or collected, existing information holdings must be reviewed to determine whether the information needs can be satisfied by existing holdings or readily accessible external information sources.
The following are the leading sources of information:
instructions, approvals, invoices, transaction orders, petitions;
interactions between clients, vendors or other ministries and agencies;
planning documents: budgets, forecasts, work plans, blueprints (technical or engineering designs);
drafts, schemes of information architecture;
reports, policy briefing notes, other documents supporting the activities and justifications;
meeting documents: agendas, records of decision;
commission documents, job descriptions, member lists;
requests for information and the responses, emails, forms used to collect responses, templates, related instructions, responses in every format;
client records, applications, evaluations, emails, phone calls;
every kind of data in electronic medium; and
information resources which could provide additional information.
Collecting Information from the Public/Private Sector
The response burden should be minimised to the lowest level possible in this process. To this end:
the administration should determine from whom it will receive information, at what frequency and in what detail, as well as what burden this process will create upon respondents; and
there should be cooperation with other administrations in such issues as undertaking joint collection or information sharing.
The forms should meet all statutory and policy requirements. To this end, all the forms in both paper and electronic media must be reviewed before they are put into use to ensure that applicable requirements are met. Furthermore, the responsible person must be assigned.
4.2.3 Organising Information
The aim of organising information is to establish a link between the operations of the administration and the usage, sharing, retrieving, archiving and destroying of information, and to facilitate the process for administrations and the other stakeholders.
The following steps must be taken for an efficient information organisation:
it must be ensured that users both internal and external to the administration are satisfied with their access to information. Methods should be established to measure user satisfaction (such as user surveys and questionnaires applied after completion of certain services, as well as periodically applied questionnaires);
the custodians of information holdings (e.g. Data Processing Departments, Library Services, etc.) must identify the information needs of users and improve their services to better meet the needs of users for quick and easy access, e.g. shortening response time, using efficient and effective technology for transmission, designing a user-friendly system;
information must be available for public dissemination and communicated to the public where and when appropriate, for instance by establishing such structures as e-libraries to facilitate public access;
information available for use by other administrations must be checked to see whether it is subject to any legal or policy constraints;
administrations must have an up-to-date publications catalogue, which must be deposited in the administration's library. Published material must be catalogued according to established standards; and
all the documents published by the administration must be accessible on the webpage of the administration.
Registering, Filing and Archiving of Information
Registry and Filing
To ensure effective management, any kind of document, including electronic ones, internal communications, operations and transactions must be recorded, classified, filed and archived; there must be a comprehensive and up-to-date system for this.
If meaningful and valuable information for the control of activities and decision making is desired, all the operations and transactions must be instantly recorded.
In order to ensure the quality of information and reporting, the fulfilment of internal control activities and responsibilities, and effective and efficient monitoring activities, all transactions need to be completely and clearly documented.
These documents should be easily accessible where needed.
The documents of the internal control system should include the structure and policies of the administration, types of activities, related objectives and control procedures.
The process of registry should be applied in a way that covers all the stages of a transaction, including the start and approval stages, until their final classification. This is also the case for the regular updating of documents.
Regardless of the media they are received in (such as paper, fax, e-mail or electronic), documents should be recorded and kept within the framework of a registry plan which is suitable for at least one official file.
Registry procedures must be communicated to staff in writing.
In this context, the Standard Filing Plan no. 2005/7, issued in the Official Gazette no. 25766 dated 24 March 2005 and prepared under the coordination of the Prime Ministry General Directorate of State Archives, must be taken as the basis to establish a common method for all public administrations to file all documents, including electronic ones, and to ensure fast and easy access to them where necessary.
Ensuring standardisation in the filing system would help achieve harmony within the institution and, if it can be disseminated among all organisations, it would form a basis for an efficient and effective communication system across the country.
Standardisation of filing services would:
ensure that documents about the same issues are codified using the same numbers in all organisations;
facilitate easy and fast access to the right information and documents requested;
make sorting, classifying and keeping the documents and putting them into service easier, as standard file numbers will refer to the same issues in all organisations;
ensure integrity and ease in the establishment of a tidy, fast, effective and efficient system of documents, files and communication;
provide infrastructure for the automation of documents and correspondence and the establishment of information networks among organisations; and
facilitate internal and inter-organisational file and operation tracking. The document or information looked for would be easily found in a short period of time.
The task of carrying out studies on the registry, usage and archiving of electronic documents has been assigned to the General Directorate of State Archives by Decision no. 7 dated 9 September 2004 of the e-Transformation Executive Board, in accordance with Prime Ministry Circular number 2008/16 on Electronic Document Standards published in the Official Gazette number 26938 dated 16 July 2008, and TSE Standard number 13298 has been published. This Standard is the main source for electronic document management systems to be used by all public organisations.
Electronic document management systems to be established by the administrations will comply with TSE Standard no. 13298; furthermore, inter-organisational sharing of the electronic documents produced will be carried out according to the criteria on electronic document sharing services as set out at the web address www.devletarsivleri.gov.tr.
Archiving Services
Archiving services include the identification of the materials held by the administrations and the staff that will become archive materials in the future, their protection against any losses, preservation under proper conditions, utilisation in accordance with national interests, and cropping and disposal if it is not deemed necessary to maintain them. Principles and procedures on archiving services have been set out in the Regulation on State Archiving Services published in the Official Gazette number 19816 dated 16 May 1988 and amended by the Official Gazette number 25735 dated 22 February 2005.
As per this regulation, administrations have to take the necessary precautions to protect information and documents against disasters, theft, fire, etc.; set out the procedures for the preservation of confidential documents; take the measures to ensure that the documents remain legible in the future; and inform the managers and the staff about the proper periods of preservation for the documents.
4.2.4 Using and Sharing Information
Using and sharing information is crucial in terms of accountability and transparency for those who take part in the activities of the administration and for other stakeholders.
Information is an asset which renews itself, turns into a new form and becomes more valuable as it is communicated and shared. Therefore, regular communication and circulation of information within an administration is a principle of information management. Sharing administrative information reflects a cycle in which the information is communicated to the relevant persons, administrative works are notified, the reactions of the personnel are received, and the reactions are assessed, evaluated and communicated back to the relevant persons.
The following must be considered while using and sharing information:
Comply with privacy, security and legal restrictions.
Whenever possible, use electronic media to share information resources (email, repositories, websites and so on).
Ensure that information remains complete, accurate, up-to-date, relevant and understandable.
Verify the accuracy and reliability of information (especially when conducting web-related research).
Take advantage of administrative investments in information resources (magazine and journal subscriptions, databases, online library services and so on) while respecting copyright, licensing and intellectual property rights.
When retaining information that has been 'copied', indicate the source, whether it is from an information resource already saved in the organisation's repository, from a publication or from a website.
Furthermore, transferring information from those who leave their jobs to those starting a new job is crucial to the continuity of activity in an administration. In this context, the following should be taken into consideration:
IC Table 1: What to do when leaving and starting a job
When leaving a job:
Discussing your responsibilities with your manager when leaving the job, and determining and monitoring the internal policies for the administrative closure of your business processes.
Providing pertinent information about everything you leave for your successor, explaining why it will be needed.
Backing up all the information in the electronic medium related to the job and transferring it to the information pool.
Transferring the documents under your responsibility to the relevant successor.
Creating a list of job-related website addresses, a summary of ongoing projects and related contact information, and an inventory of information resources (including file numbers) that will help your successor get used to his or her new job.
Returning, or extending the deadline of, the material that was borrowed from the library.
Removing the former employee's name from distribution lists.
When starting a new job:
See if any electronic and paper information resources of business value have been transferred to your custody.
Take note of any instructions or messages you receive regarding access to electronic tools such as a shared drive, business system or repositories.
Familiarise yourself with your information management responsibilities and practices.
Take part in training sessions on information management and recording.
Add the new employee's name to the distribution list.
4.2.5 Reviewing and Protecting Information
Organisations must periodically review such main processes of information management as planning, producing, collecting, defining, accessing and using information, and share the results with managers.
Therefore, attention must be paid to the following:
Store the information in a manner that preserves its form and status, keeping its structure, context and content intact.
Mark each information resource according to its proper security classification, whether on the paper or the electronic document.
Protect classified and protected information by ensuring it isn't left in waste or recycling containers, and by storing it in locked desks or cabinets after work hours and during extended periods of absence.
Implement effective access control procedures, ensuring that classified and protected information is only made available on a need-to-know basis to those who are authorised to access it.
The level of protection must be consistent with the level of risk.
Take the requests for access and usage from other users into consideration and assess their compliance with the legislation.
Periodically back up the information for protection purposes.
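The marking and need-to-know rules above can be enforced by a simple decision function. The following is an added example and not part of the manual: the marking levels, the need-to-know groups, the users and the holding are all constructed, and access is granted only to an authorised user whose clearance reaches the marking and who holds every need-to-know group attached to the holding; every decision is logged so denied attempts can be reviewed.

```python
"""Access decision for classified holdings: clearance plus need-to-know.

Added example; the markings, groups, users and holdings below are
constructed for illustration and are not taken from the manual.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import FrozenSet, List, Tuple


class Marking(IntEnum):
    """Ordered security markings; a higher value is more sensitive."""
    UNCLASSIFIED = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


@dataclass(frozen=True)
class Holding:
    """An information resource carrying its marking (section 4.2.5)."""
    name: str
    marking: Marking
    need_to_know: FrozenSet[str] = frozenset()   # e.g. {"budget-2012"}


@dataclass(frozen=True)
class User:
    name: str
    clearance: Marking
    groups: FrozenSet[str] = frozenset()          # need-to-know groups held
    authorised: bool = True                       # formally granted access rights


@dataclass
class AccessLog:
    """Record every decision so denied attempts can be reviewed later."""
    entries: List[Tuple[str, str, bool, str]] = field(default_factory=list)

    def denied(self) -> List[Tuple[str, str, bool, str]]:
        return [e for e in self.entries if not e[2]]


def decide(user: User, holding: Holding, log: AccessLog) -> Tuple[bool, str]:
    """Grant only when the user is authorised, cleared high enough and
    holds every need-to-know group the holding requires."""
    if not user.authorised:
        allowed, reason = False, "user not authorised"
    elif user.clearance < holding.marking:
        allowed, reason = False, (f"clearance {user.clearance.name} is below "
                                  f"marking {holding.marking.name}")
    else:
        missing = holding.need_to_know - user.groups
        if missing:
            allowed, reason = False, f"no need-to-know for {sorted(missing)}"
        else:
            allowed, reason = True, "granted"
    log.entries.append((user.name, holding.name, allowed, reason))
    return allowed, reason


# Constructed sample data: one holding, four users with different rights.
BUDGET_FILE = Holding("2012 budget draft", Marking.SECRET, frozenset({"budget-2012"}))
USERS = [
    User("analyst", Marking.SECRET, frozenset({"budget-2012"})),
    User("director", Marking.TOP_SECRET),                       # cleared, but no need-to-know
    User("clerk", Marking.RESTRICTED, frozenset({"budget-2012"})),  # need-to-know, not cleared
    User("former-staff", Marking.SECRET, frozenset({"budget-2012"}), authorised=False),
]


def sample_decisions() -> Tuple[List[bool], AccessLog]:
    """Run every constructed user against the holding; return decisions and the log."""
    log = AccessLog()
    results = [decide(u, BUDGET_FILE, log)[0] for u in USERS]
    return results, log


if __name__ == "__main__":
    results, log = sample_decisions()
    for entry in log.entries:
        print(entry)
```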
4.3 Information Security
Information can be stored on paper, kept in electronic format or transferred verbally as well. Regardless of its form, information must be properly recorded and protected. Information security means safeguarding the valuable assets of an administration against loss, misuse or damage.
The aim of information security is to ensure the following:
safeguarding data integrity;
preventing unauthorised access;
respecting privacy and secrecy; and
continuity of the system.
4.3.1 Information Security Management System
An information security management system is a systematic approach adopted so that the organisation's sensitive information that needs protection is managed properly; the main objective of this system is safeguarding, storing and making the sensitive and critical information available where necessary.
Setting Up an Information Security Management System
In order to establish an information security management system:
primarily, the decision must be taken on whether the system will cover the entire organisation or a part of it;
secondly, a policy that sets out the objectives must be introduced; and
finally, a systematic risk assessment approach must be adopted, and potential risks must be identified and mitigated as appropriate.
Requirements of an Information Security Management System
The following are the requirements for an efficiently operating Information Security Management System:
Support and ownership by the top management and managers of the administration must be ensured.
Information management should not be regarded as merely a technical issue and a job only for the Data Processing Department. The system must have the potential to reach its objectives with the active participation of all staff of the administration.
Establishment of an information security management system must not be regarded as an extra burden and a waste of time.
Elements/Principles of Security
The risks of compromise to information security, for example hacking, need to be defined, and controls to mitigate those risks should be introduced. If these controls are absent or ineffective, that will considerably decrease the efficiency of the information security system.
The main principles of security are confidentiality, integrity, availability, authentication, non-repudiation, responsibility and access control. For more detailed information, see the Turkish Standards Institute TSE-17799 "Information Security Management Standard" document. Furthermore, there are other international models aiming to ensure the security of electronically produced information, such as COBIT, e-SAC (Electronic System Audit and Control) and System Trust, while you can also explore the standards ISO/IEC 27001 and ISO/IEC 27002 (International Organisation for Standardisation).
Also please refer to the "Regulation on the Principles and Procedures Regarding the Implementation of the Law on Electronic Signature", based on the Law on Electronic Signature number 5070, and to the e-Transformation Turkey 2005 Action Plan (Action 5: "Current systems at public institutions, particularly central institutions using critical information, will be analysed and information security policies and measures will be developed accordingly"; and Action 33: "The needs of disaster management of public information systems will be identified and recommendations will be developed").
For preserving and storing documents that are kept in written form, please refer to section 4.2.3 on organising information ('Registering, Filing and Archiving of Information').
4.3.2 Information Security Control Activities
In order to set the level of importance of an item of information, the degree of the effect on the administration that stems from the risk of harm to the "confidentiality, integrity and availability" of the item of information must be defined in the first place. The harm that can be done to these three security features of information systems may have different degrees of effect. For instance, disclosure of top secret information can cause serious harm to an administration, while it may not be that harmful if that information becomes unavailable.
The risks to information security identified must be analysed and ranked, and the cost of the control activities to be established and operated to mitigate those risks must be in proportion to the value of the information protected and the risk identified after examining potential threats. For some ideas of suitable control activities, see the Control Activities chapter.
IC Figure 1: Process of Control Activities for Information Security (three successive stages: prevention, detection, response)
The figure above is an example of security-related control activities. It demonstrates four different attacks. As can be seen from the figure, attack [1] is immediately stopped at the prevention stage, while attacks [2], [3] and [4] are not. Of the attacks that manage to survive the prevention process, attack [2] is identified at the detection stage and eliminated. Attacks [3] and [4] manage to pass the detection stage. At the response stage, which is the final stage and has been designed in accordance with the level of tolerance decided, attack [3] is eliminated, while attack [4], which survives all stages, damages the system after passing through all security processes.
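The importance rating, the ranking of risks and the three-stage control process of IC Figure 1, as an added example that is not the manual's own material: the information items, threats, likelihood figures and attack properties are constructed; the rule that an item's importance is the worst of its three impact ratings, the score "impact of the attacked feature times likelihood", and the properties that let each stage stop an attack are assumptions of this example, chosen so that the four constructed attacks reproduce the outcomes the figure describes.

```python
"""Importance of information items, ranking of threats, and the
prevention / detection / response stages of IC Figure 1.

Added example; items, threats and attacks are constructed and the
scoring rules are assumptions, not the manual's own method.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Impact(IntEnum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class InformationItem:
    """Harm to the administration if each security feature is compromised."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def impact_of(self, feature: str) -> Impact:
        return getattr(self, feature)


def importance(item: InformationItem) -> Impact:
    """Assumed rule: importance is the worst harm across the three features,
    so a top secret file is HIGH even if its unavailability would matter little."""
    return max(item.confidentiality, item.integrity, item.availability)


@dataclass(frozen=True)
class Threat:
    description: str
    item: InformationItem
    feature: str          # "confidentiality", "integrity" or "availability"
    likelihood: float     # 0.0 .. 1.0, estimated per threat (constructed)


def rank_risks(threats: List[Threat]) -> List[Tuple[Threat, float]]:
    """Score = harm to the attacked feature x likelihood, highest first.
    The score bounds what it is worth spending on controls for that threat."""
    scored = [(t, t.item.impact_of(t.feature) * t.likelihood) for t in threats]
    return sorted(scored, key=lambda st: st[1], reverse=True)


@dataclass(frozen=True)
class Attack:
    """Assumed properties that decide which stage of IC Figure 1 stops an attack."""
    label: str
    matches_known_pattern: bool   # prevention blocks known patterns
    leaves_traces: bool           # detection identifies attacks that leave traces
    harm: int                     # harm done before the response completes


def control_process(attack: Attack, tolerance: int) -> Tuple[Optional[str], bool]:
    """Run the three successive stages; return the stage that eliminated the
    attack (None if none did) and whether the system was damaged."""
    if attack.matches_known_pattern:
        return "prevention", False
    if attack.leaves_traces:
        return "detection", False
    if attack.harm <= tolerance:       # response is designed to the tolerance level
        return "response", False
    return None, True


# Constructed items and threats.
TOP_SECRET_FILE = InformationItem("top secret file", Impact.HIGH, Impact.MEDIUM, Impact.LOW)
PAYROLL_DB = InformationItem("payroll database", Impact.MEDIUM, Impact.HIGH, Impact.HIGH)
THREATS = [
    Threat("disclosure of the file", TOP_SECRET_FILE, "confidentiality", 0.2),
    Threat("file unavailable for a day", TOP_SECRET_FILE, "availability", 0.5),
    Threat("tampering with payroll", PAYROLL_DB, "integrity", 0.3),
]

# The four attacks of IC Figure 1, with properties assumed to produce its outcomes.
ATTACKS = [
    Attack("[1]", True, True, 0),
    Attack("[2]", False, True, 2),
    Attack("[3]", False, False, 1),
    Attack("[4]", False, False, 5),
]
TOLERANCE = 2


def figure_outcomes() -> List[Tuple[str, Optional[str], bool]]:
    """Outcome of each constructed attack against the three stages."""
    return [(a.label, *control_process(a, TOLERANCE)) for a in ATTACKS]


if __name__ == "__main__":
    for t, score in rank_risks(THREATS):
        print(f"{score:.2f}  {t.description}")
    for label, stage, damaged in figure_outcomes():
        print(label, "eliminated at", stage, "damaged:", damaged)
```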
5 MANAGEMENT INFORMATION SYSTEMS (MIS)
Management information systems are computer-assisted systems (consisting of computer hardware and software) which should ideally provide the timely strategic information needed by managers, in the form they demand it, so they can make the right decisions on an informed basis.
The aim is the transmission of the right and complete information to the right people in the proper format (form, report, table, graphics, etc.). A labour force is needed to run, update and maintain the systems. MIS give information on how the administration is performing against key performance indicators in terms of financial information, information regarding the staff, information on movable/immovable assets, performance information, information from the organisation's document archive, etc. MIS may also give information on risk management.
Information should be registered, classified, calculated, summarised, reported and stored. Backup copies of the system should be kept in case the system crashes. If these processes are not done systematically, managers may have incorrect information and thus make the wrong decisions.
While designing MIS, first the civil servants must understand the importance of acquiring and recording reliable and accurate information and be aware of their responsibilities in this regard; then the business processes related to the production of information must be defined completely and clearly; and finally support from IT must be obtained.
Some organisations have dispersed information systems; however, the existence of such a structure does not necessarily mean they have MIS. In some cases information is not related and integrated with all the actions and units of an administration. Data recorded by different units in different systems is stored independently of the other units. Duplication of information in different units of the administration is an inefficient use of resources. Data being entered into a central computerised system ensures that managers have access to information which covers the whole administration.
Resistance to information sharing in administrations is a significant problem. It is not possible to transmit the accurate and timely information which management needs in administrations where information is not shared, which is an obstacle for MIS. Hence, a culture of information sharing should be encouraged.
5.1 Stages of Establishing MIS
In the development of management information systems, SDUs undertake the task of coordination and provide technical assistance to the spending units. The following process can be followed by the SDUs and the spending units in establishing MIS.
5.1.1 Establishment of the MIS Working Group
A participative method should be adopted in the establishment of MIS in administrations: a working group should be formed with the participation of representatives from all the spending units under the coordination of the SDU, a work programme should be produced for it, and tasks should be distributed.
5.1.2 Preparation of the MIS Working Plan
In the working plan:
- To begin with, a comprehensive needs analysis should be carried out to identify which types of information the management may need.
- Upon completion of the needs analysis, the data provider units for the MIS should be identified. This will provide a significant part of the infrastructure for the information map to be produced.
- The properties of the current information system of the administration, the related problems and solution recommendations should be disclosed; what needs to be done to solve the problems and what is aimed at should be determined; and structures should be set up in the administrations to support the production and sharing of information.
- Cost and benefit aspects of the system planned to be established should be considered.
- The potential risks relating to MIS should be identified and a risk management process should be carried out. The control activities to be applied for the risks with high significance and likelihood should be determined.
- A good MIS must be flexible enough to keep up with the changes occurring inside and outside the administration. Besides, success criteria for the system, such as the inclusion of early warning mechanisms, should be determined.
- In the medium term, a corporate information map must be prepared that will cover the entire organisation. Preparation of a corporate information map would ensure quick access to the information and expertise needed. The information map must be produced primarily at unit level and then at individual level, considering individuals' level of expertise and experience. While forming such a structure, organisational charts or documents for the distribution of tasks within the units at a more specific level can be made use of. Production of the corporate information map and its proper operation would ensure that the following question is answered easily:
"Who knows what?"
For instance, quick identification of who (which department, which employee, etc.) has information about staff, budget or archives, and of the relations among this information, will be ensured.
- Establishment of MIS can be initiated by pilot implementations in the units. Using pilot implementations as a starting point and ascertaining how the system works will ensure economy in terms of time, cost and labour force. Potential mistakes in the further stages of the process can be prevented by eliminating the shortcomings and correcting the mistakes observed during the pilot implementations.
5.1.3 Monitoring/Assessment
Periodic reports must be produced and presented to the top management during the establishment of MIS to show the progress in the development of the system. Action must be taken against the problems identified at this stage to ensure performance of the activities as planned.
Studies about the fulfilment of MIS services in administrations must be carried out upon the approval and under the supervision of the head of administration. Furthermore, the head of administration must inform the related units about the working method adopted.
An MIS needs to be dynamic to keep pace with changes in technology or in the demands for information by management.
5.1.4 Related Legislation
Law No. 5436, which amends Law No. 5018, prescribes the establishment of SDUs and assigns them the task of providing the services related to MIS.
In the Regulation on the Working Principles and Procedures of SDUs, providing the services regarding MIS and carrying out studies for the establishment of the system are listed among the tasks of the SDUs.
6 COMMUNICATION
Communication is the exchange of information among individuals and/or organisations to support service delivery, decision making, and the sharing, carrying out and coordination of activities. It plays a central role in the development of a robust internal control system and helps management to make decisions by providing feedback on how all the components of internal control are working.
An administration needs information at all levels to achieve its objectives and manage risks. In this context, information flows can take place both horizontally and vertically, as well as from outside the organisation.
Information must be properly communicated within an administration to the managers and/or staff in need of it, on a timely basis, in order for them to fulfil their responsibilities and ensure coordination with other units. External communication with beneficiaries, suppliers and stakeholders such as other public administrations is also essential for effective internal control.
Communication can be verbal, written or electronic, or a combination of the three. Where verbal communication is deemed sufficient, documenting only the important verbally communicated information would be useful, so that records of key information are kept and can subsequently be referred to by those who are given access to them.
IC Box 2 Communication Channels
Management should establish communication channels that:
- provide accurate information at the right time;
- meet individual demands;
- inform employees of their roles and responsibilities;
- support reporting;
- allow employees to make recommendations for improvement;
- give messages that top management can understand, enabling them to make decisions;
- inform employees of the importance of internal control and of decisions taken;
- are both internal and external; and
- have the right target group.
6.1 Internal and External Communication
Administrations should consider the following general issues regarding their internal and external communication:
- The public should be provided with timely, accurate, clear, objective and complete information about policies, programmes, services and activities.
- The language used should be comprehensible and plain Turkish.
- Administrations should be visible, accessible and accountable to the public for the services they provide.
- Various means and methods should be utilised in communication, and information from a variety of sources should be engaged to meet different needs.
- Communication needs should be regularly identified.
- Administrations should receive opinions from internal and external stakeholders while setting out objectives and aims and formulating processes, and should establish mechanisms to assess these.
- Public administrations should work cooperatively with stakeholders when necessary in order to ensure efficient communication.
- Services should be provided in a fair, quick and responsive manner.
- Administrations should have the capacity and equipment to follow up innovations in communication technology and allocate the necessary resources to do so. In this context, the activities carried out should be proportionate to the resources allocated and the results expected.
IC Table 2 Communication Principles and Procedures

INTERNAL

General
Principles:
- Top management and employees should understand the internal communication system and be well aware of their responsibilities.
- It must be ensured that staff communicate their considerations, recommendations and questions to top management.
- Communication between managers and employees should be clear and cooperative in order to achieve the goals and mission of the administration.
- Staff objectives should be made consistent with those of the administration.
- More effective communication should be ensured between senior management and personnel.
- Recommendations and ideas of personnel should be heard and action taken to address them when appropriate.
Method:
- Internal communication activities and processes should be reviewed regularly and revised where necessary. New communication methods should be adopted to stay in line with the changing administrative structure.
- Staff should be regularly informed, in writing or electronically, about the operation of the internal communication system, what to do and their responsibilities (including the information and communication system for risks).
- Necessary mechanisms (intranet, internet, announcement boards, complaint and suggestion boxes, top manager briefings, etc.) should be established to inform employees about the mission, vision and objectives of the administration.
- Regular meetings and an electronic mechanism that enables the SDUs to coordinate spending units and produce statistical data via the necessary analysis.
- To this effect, in-house communication seminars and training programmes should be organised.

Vertical communication
Principles:
- Personnel should convey the necessary, timely, complete and accurate information to their managers in time for the managers to make decisions and achieve objectives.
- Personnel should be notified by their managers when, in which scope, in what way and from which unit information is demanded.
- Managers should inform staff about the policies, goals and objectives of the administration.
Method:
- A reporting system should be established within the administration which flows from staff to managers (minutes of meetings, unit activity reports, exchange of information on a weekly or daily basis in person or electronically, a reporting system that enables the managers to monitor daily activities, etc.).
- Regular meetings between management and internal auditors; timely submission of internal audit reports to top management.

Horizontal communication
Principles:
- Horizontal communication refers to the effective sharing of information among employees of the same hierarchical level in order to carry out the tasks and activities of the administration.
- The personnel and units that are to share information should be announced to staff, and the duty to share information should be included in the job descriptions of the relevant personnel and units.
- Managers should hold regular meetings to exchange ideas on their respective fields of competence and on the problems and suggestions regarding management.
Method:
- Establishment of a system to monitor meetings and activities of people of the same level.
- Creation of an e-mail group for people from the same hierarchical level.
- Strengthening the data processing infrastructure and ensuring the active operation of units.
- Ensuring that top management have more effective communication with employees.
- Internal communication seminars and training programmes should be organised.

EXTERNAL
Principles:
- The accessibility of citizens to the information and services of administrations should be enhanced.
- Mechanisms should be set up to enable citizens to express their complaints and suggestions (forum, frequently asked questions, activation of the use of the Information Acquisition System and BIMER, etc.).
- Administrations should inform the press about issues deemed important for decision makers and the public.
- The head of administration should inform the public annually about the performance programme and activity report of the administration, and these should be published on the administration's website.
Method:
- Services delivered by administrations within the framework of "e-state" should be shared with the other relevant administrations and citizens (MERNIS, UYAP, etc.).
- The administration's website, which provides the necessary documents, should be established, and some services should be provided via this website 24/7.
- Documents and services provided online should be updated regularly, and the administration should assign certain people to manage the design and content of the website.
- Furthermore, publishing content in English, for the access of foreign users to information, would be useful.
- The press should be invited to important conferences and seminars.
- Services provided by the administration should be advertised on TV or the internet.
- Active operation of the press and public relations units should be ensured.
6.2 Communication Methods
A communication system is made up of the methods and records produced to determine, acquire, change and transfer useful information. Staff must be able to communicate with all the units in the organisation, including sharing information on risks.
With the advancements in technology, numerous and various communication means are now available in public administrations. The most widely used means of communication are detailed in IC Annex 2.
6.2.1 Reporting
Reports are crucial tools for the establishment of an effective internal control system, as they facilitate the monitoring of control effectiveness.
Managers should take the reports submitted to them into consideration when making decisions. In this context, accurate and succinct reports that have been prepared on time would help the managers. Furthermore, communication and reporting is an important element of risk management (see Risk Management Chapter).
Administrations should communicate financial and non-financial information and results regarding their policies, programmes, activities and projects to the relevant persons and bodies, in writing or verbally, at particular times. Within this framework, vertical and horizontal reporting lines within the administration should be determined in writing. Furthermore, each administration should also take into consideration external reporting mechanisms.
IC Figure 3 shows the mechanism of vertical reporting among the hierarchical stages regarding the decisions and works at the strategic, programming and operational levels, and the mechanism of horizontal reporting among personnel of the same level. Vertical reporting is the reporting of personnel to managers. Horizontal reporting, on the other hand, is the necessary flow of information among the people and units that are on the same level.
IC Figure 3 Reporting Lines
[Figure: vertical reporting from other staff, through medium-level managers, to top management, set against the operational and strategic levels of objectives/activities; horizontal reporting among personnel of the same level.]
Examples of horizontal reporting within an administration:
- Staff attending a training programme sharing with colleagues the report they prepare about the training results; and
- Minutes of meetings shared with other units.
Examples of vertical reporting within an administration:
- Consolidated Risk Report submitted to senior management;
- Minutes of meetings copied to a senior manager for their information;
- Internal Audit Reports submitted to senior management; and
- Quarterly Reports and Semi-Annual Reports submitted to senior management.
Examples of reporting outside the administration:
- Internal Control System Evaluation Report prepared by the SDU and submitted to the CHU; and
- Annual activity report for an administration, prepared by the Head of Administration, published to the public and copied to the Turkish Court of Accounts and the Ministry of Finance.
IC Box 3 Basic Principles for Effective Reporting
- It should be explicitly determined and announced to staff which reports will be prepared, by whom, at what frequency and when they will be prepared, who they will be submitted to and who will control them. Reports must be in compliance with tasks, responsibilities and the principles of financial transparency and accountability.
- The information included in the reports must be accurate, up-to-date, succinct, objective, complete, relevant and sufficient.
- Reports should use a common and clear language that everyone can understand.
- Reports must be produced at certain periods and on a consistent basis so that comparisons can be made between years.
- Reports should attract the attention of readers, be easy to read and understand, and include sufficient and appropriate visual material.
- All reports should have a conclusion and evaluation section.
- The desired format for a report should be determined in advance by the administration/unit requesting the report and notified to the relevant administration/unit.
IC Annex 3 details the reports prescribed to be prepared under the Public Financial Management and Control Law No. 5018 and the applicable regulations, in the framework of the principles of financial transparency and accountability.
7 WHISTLEBLOWING OF FAILURES, IRREGULARITIES AND FRAUD
One of the most important elements of accountability and transparency is the existence of a mechanism that ensures that staff and stakeholders are able to effectively express their concerns.
Article 279 of the Turkish Penal Code states that if a civil servant learns, by means of the position he holds, that a crime which necessitates investigation and prosecution has been committed, and neglects or delays notifying the competent authorities of this crime, he will himself have committed a crime.
7.1 Concepts of Failure, Irregularity, Fraud and Whistleblowing
Failure refers to an unintentional action against the legislation.
Irregularity and fraud, on the other hand, refer to the deliberate behaviours of the administration's staff or third parties against the present rules in order to achieve unfair or unlawful gain.
Whistleblowing is the notification of illegal and unethical behaviours and actions to top management, to third parties outside the management, or to authorised bodies or persons (who can be inside or outside the administration) by persons with information (employees or stakeholders). Failure to blow the whistle can cause damage to the administration.
In line with the above, administrations must determine distinct methods for evaluating the irregularities, fraud and failures they have been notified about.
It should be borne in mind that the person who makes the notification may be left alone or isolated, his or her career may be undermined, or he or she may not be taken seriously. Therefore, any kind of biased or discriminatory conduct against personnel or third parties who blow the whistle should be prevented.
7.2 Scope of Notifications
There are three basic types of whistleblowing and complaints in public administrations:
- those regarding the violation of ethical values;
- those regarding faults, irregularities and fraud; and
- complaints by civil servants regarding administrative actions and processes implemented against them by managers or administrations.
7.2.1 Whistleblowing and complaint in cases of violation of ethical values
Whistleblowing mechanisms are defined in Law No. 5176 on the Establishment of the Civil Servants Ethical Board and Making Amendments on Some Laws, and in the Legislation on Ethical Behaviour Principles and Procedures for Civil Servants.
Under this legislation, cases of ethical behaviour violation by the director general and by those who hold a title at this level are notified to the Ethical Board, while cases of violation by other employees are notified to the relevant administrative manager to be directed to the administration's disciplinary board. Within this framework, administrations carry out the process to ensure compliance with the law.
A flowchart showing the detailed process for whistleblowing and complaint in cases of violation of ethical values is at Annex 4a.
7.2.2 Whistleblowing and complaint regarding irregularities and fraud
Law No. 4483 defines the procedures to be followed in cases of crimes committed by civil servants in relation to their duties. Accordingly, cases of whistleblowing or complaint about civil servants are filed, processed and concluded under this Law.
In cases where a complaint by a person is not processed, he or she can appeal to the administrative court if he or she wishes. The administration has to record all cases of whistleblowing or complaint, whether processed or not.
A flowchart showing the detailed process for whistleblowing and complaint regarding irregularities and fraud is at Annex 4b.
7.2.3 Complaints by civil servants
Proceedings relating to complaints by civil servants regarding administrative actions and processes implemented against them by their managers or administrations are carried out within the framework of Article 21 of Law No. 657 and the Legislation on the Complaint and Application Rights of Civil Servants.
7.3 The Responsibility for Detecting Faults, Irregularities and Fraud
The responsibility for identifying and preventing failures, irregularities and fraud rests with management and all employees. Under the ethical behaviour culture of the administration, the necessary actions should be taken to prevent failures, irregularities and fraud under the supervision of the responsible managers.
7.4 Whistleblowing System
For employees to communicate their concerns and for these concerns to be taken seriously, administrations should have regulations that comply with their structures, as well as reporting mechanisms. These regulations should include:
- the subject matter of a whistleblowing notification;
- how to protect the confidentiality of, and provide security for, a whistleblower who acts in good faith;
- the stages of the whistleblowing procedure (first to the manager, then the head of unit, the head of internal audit, the head of the human resources unit or the head of the financial services unit, and the head of administration);
- how cases of whistleblowing are evaluated by the administration and what actions are taken (examination inside the administration, official investigation, etc.);
- information given with a view to informing the whistleblower about who the subject matter concerns, whether he or she can contact that person, and the progress and/or results of the evaluation.
Within this framework, administrations should announce to personnel all the ways of whistleblowing and complaint.
In cases of whistleblowing and complaint, the identity of the whistleblower should be kept confidential so that they are not exposed to discrimination.
Administrations should receive cases of whistleblowing and complaint in electronic format via their websites as well as in writing. Besides, administrations should set up mechanisms that make it easy for external stakeholders to blow the whistle or complain, and announce these on their billboards and websites.
Administrations should not set up mechanisms other than the preliminary examination procedures determined in Law No. 4483 for cases of whistleblowing and complaint regarding corruption and irregularities. As a result of the preliminary examination, whether or not an investigation permit is given should be notified, with a detailed justification, both to the Chief Public Prosecutor's Office and to the whistleblower, and the letters regarding these notifications should be kept in the whistleblowing files.
For an effective whistleblowing system, the following basic requirements are taken into consideration.
IC Box 4 Basic Requirements for Whistleblowing
- Top management should announce the procedures for dealing with whistleblowing and complaint from inside and outside the administration.
- Administrations should determine, for central and local units, who notifications will be referred to.
- Methods must be developed for anonymous notifications from staff and third persons (telephone, in a way that ensures evidenced delivery; internet application, provided that the forms given are completed; anonymous letter; suggestion boxes, etc.).
- Written, spoken or electronic cases of whistleblowing should be recorded in a separate folder by the authorised unit or person, regardless of whether they are based on enough evidence or not.
- Discriminatory treatment towards whistleblowers should be prevented.
- Periodic meetings should be held with staff in which their views are heard and their trust is won with regard to reporting malpractices within the administration.
- All communication channels should be left open to ensure that personnel can blow the whistle.
- Personnel who are proved right after the examination and evaluation process of the whistleblowing should be rewarded by means of confidential methods to be determined by the administration.
IC Box 5 Issues to Consider While Evaluating Whistleblowing Notifications
- Are the behaviours or actions in the administration unlawful?
- Are the behaviours or events taking place in the administration against ethical values (morals, professional ethics, etc.)?
- When a whistleblowing notification is not in compliance with the procedure, it must still definitely be evaluated as long as it is based on concrete evidence.
- The seriousness and importance of the issues put forward should be taken into consideration.
- There should be good will and public benefit.
- There should be a reasonable belief that the information and the allegations it includes are completely true and may uncover malpractice.
IC Figure 4 Whistleblowing Process
[Figure: the whistleblower asks "Is it illegal? Is it unethical and immoral? Is it based on concrete evidence? Do I have good will? Do I draw benefit from this?"; the notification is made through secure communication channels (e-mail addresses, telephone numbers) to the unit/person that evaluates the case of whistleblowing against the evaluation criteria. Further nodes in the figure: Disciplinary Board; Inspection Board/Audit Unit; Chief Public Prosecutor (investigation request is from outside the administration); authorising officer.]
IC Box 6 Current Legislation Relating to Whistleblowing and Complaint
- Law No. 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication
- Law No. 4982 on the Right to Information
- Law No. 3628 on Declaration of Properties, Bribes and Combating Fraud
- Law No. 3071 on Official Letters
- Ethics Law, Regulation and Prime Ministry Circular
- Principles and Procedures on the Complaint and Application Rights of Civil Servants
- Complaint regulation under Public Procurement Law No. 4734
8 RELATIONS AMONG UNITS
8.1 Information and Communication between the CHU and SDUs
The extent to which the tasks the CHU carries out are effective and efficient depends on the level of communication it achieves with SDUs.
The CHU must develop organisational communication mechanisms to ensure the transfer of information to the SDUs. This could be done either via a call centre to be established within the CHU, or by matching particular CHU staff (client representatives) with particular SDUs. This would enable CHU staff to know the unit they are responsible for better, and therefore make evaluation and problem solving easier. It would also improve the influence of the CHU on other units. Furthermore, ensuring face-to-face communication between CHU and SDU staff and organising periodic meetings and/or conference calls to review the internal control system can be another method of information transfer.
The CHU must set out the critical arrangements that are relevant to the SDUs using participative methods, where the participation of SDUs must be ensured. Furthermore, the level of participation by the SDUs will enhance the level of communication.
8.2 Information and Communication between SDUs and Spending Units
Ensuring coordination with spending units for the adoption of various elements such as the preparation of activity reports and performance programmes and the implementation of internal control, which are important elements of public financial management, is the responsibility of SDUs. Effective and efficient organisational communication with spending units would also contribute to the smooth progress of the coordination process.
SDU staff and spending units must be matched. Each member of the SDU must be in constant communication with the spending unit they are responsible for and transfer the necessary information to the spending units periodically. Spending units must also assign the department/branch/unit staff who will be in continuous communication with the SDU. Such matching plays a crucial role in the transfer of consistent and accurate information both from the SDUs to the spending units and from the spending units to the SDUs.
Furthermore, these information flows must also be reviewed in meetings to be held regularly (advised frequency: minimum monthly, maximum quarterly) by the spending unit officials and SDU managers, and the actions to be taken and the developments required must be discussed in these meetings.
In the event that it is necessary for the SDUs to make decisions which would affect the spending units, officials from the spending units must be able to get involved in this process, depending on the level of the decision.
INFORMATION AND COMMUNICATION ANNEXES
Annex 1 - Legislation on Information and Communication
- Regulation on the Principles and Procedures to be Applied in Official Correspondence, by the Prime Ministry
- Regulation on the Prime Ministry State Archiving Services, published in the Official Gazette No. 19816 dated 16 May 1988
- Regulation on Public Servants' Ethical Behaviour Principles and Principles and Procedures for Application
- Regulation on Declaration of Assets, published in the Official Gazette No. 20696 dated 15 November 1990
- Regulation on the Complaints and Application by Public Servants, published in the Official Gazette No. 17926 dated 12 January 1983
- Prime Ministry Circular on the Standard Folder Plan, No. 2005/7 dated 24 March 2005
- (Manual to be prepared by the Central Harmonisation Unit can be included, including the FMC Manual)
- Prime Ministry Circular dated 19 March 2007 on the Civil Servants Ethical Board
- Regulation on Complaints under the Scope of Law No. 4734 on Public Procurement (The arrangements to be made by the CHU, including the FMC Manual, can be covered in this part)
- Law No. 406 on Telegraph and Telephone
- Radio Law No. 2813
- Law No. 3071 on Official Letters
- Law No. 4982 on the Right to Information
- Law No. 5070 on Electronic Signature
- Law No. 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication
- Law No. 5369 on Provision of Universal Service and Amendments to Certain Laws
- Law No. 5176 on Establishment of the Civil Servants Ethical Board and Making Amendments on Some Laws
- Law No. 4483 on Trying Cases against Civil Servants
- Law No. 3628 on Making Declaration of Property and Fight against Bribery and Corruption
- Law No. 5809 on Electronic Communication
Annex 2 - Widely Used Methods of Communication

Means: Meetings
Objective: Informing; receiving opinion; making joint decisions
Advantages: Relatively cheap; a method that people are accustomed to; contributes to the culture of participation; open to discussion and dialogue; opportunity to come up with solutions to problems in the administration
Disadvantages: Difficulty in measuring the success and value of the method; possibility that results may not be useful; possibility that a minor group may dominate the meeting in case of bad management

Means: Reports
Objective: Informing; receiving opinion; making decisions; evaluation
Advantages: Informs the target group about the subject in a sound manner; facilitates the decision-making process of the manager; possibility to access accurate, up-to-date, relevant and adequately detailed information
Disadvantages: Requirement for qualified staff; its production is time consuming

Means: Brochures, periodicals
Objective: Informing; promotion
Advantages: Opportunity for creative design; comprehensible; particular and wide target groups; opportunity to establish a long-term relation with the target group; opportunity to make regular updates regarding the subject
Disadvantages: Limited feedback; difficulty in measuring the impact on the target group

Means: Questionnaire, interview (letter, telephone, face to face)
Objective: Receiving opinion; evaluation
Advantages: A method that people are accustomed to; opportunity to reach a wide group; opportunity to select particular target groups; scientific methods can be used
Disadvantages: Expensive, time consuming; requirement of detailed information to use the method accurately; possibility that the response rate may be low; possibility that the subject may not be examined enough

Means: Press releases and conferences
Objective: Informing; receiving opinion
Advantages: Cheap; easy to organise; opportunity to communicate to many people
Disadvantages: Difficulty in understanding whether the subject reached the target group or not; difficulty in measuring the success and value of the method; difficulty in examining the subject thoroughly; no feedback or limited feedback

Means: Brainstorming
Objective: Exchanging ideas; making joint decisions
Advantages: Obtaining many ideas regarding a subject; contribution to the culture of participation; cheap, flexible, easy to organise
Disadvantages: Possibility that results may not be useful; possibility that the subject may not be examined enough

Means: Workshop
Objective: Informing; receiving opinion; making joint decisions
Advantages: Opportunity to set up new networks; fun for participants; chance of finding solutions to problems; cheap, flexible, easy to organise; chance of examining the subject thoroughly; opportunity to select particular target groups; easier participation because of the unofficial atmosphere
Disadvantages: Non-scientific; possibility that results may not be useful; possibility that a minor group may dominate the meeting; possible to receive wrong results with a small and randomly selected group

Means: Conference
Objective: Informing; receiving opinion; making joint decisions
Advantages: Opportunity to become creative and flexible; opportunity to work together with different groups; opportunity to set up new networks; opportunity to select particular target groups; opportunity to examine the subject thoroughly; opportunity to discuss different opinions and ideas
Disadvantages: Expensive, time consuming; possible to receive wrong results with a small and randomly selected group; raising different expectations; possibility that results may not be useful; possibility that a minor group may dominate the meeting in case of bad management

Means: Focus group
Objective: Receiving a group's opinion under the leadership of a moderator
Advantages: Faster and cheaper compared to one-to-one interview; opportunity to discuss different opinions and ideas; spoken discussion accelerates the process by which outputs are reflected in writing
Disadvantages: Possibility that useless information may emerge in case of bad moderation; the quality of participants affects the quality of data

Means: Conference call
Objective: Making joint decisions; finding common solutions to problems
Advantages: Opportunity to discuss different opinions and ideas; opportunity to examine the subject thoroughly; experienced decision-makers and persons with deep accumulated knowledge coming together
Disadvantages: Possibility that results may not be useful in case of bad management; expensive, time consuming; possibility that a minor group may dominate the meeting in case of bad management

Means: Websites and intranet, e-mail
Objective: Informing; receiving opinion
Advantages: Cheap; easy to organise; opportunity to reach many people; effective information sharing
Disadvantages: Need for updating; problem that unwanted people may get access
Annex 3 Reports Prepared under PFMC Law No 5018

| Name of report | Responsible unit | Submitted to |
|---|---|---|
| Unit Activity Report (Art 41 of Law No 5018) | Spending Units - Authorising Officers | Head of Administration |
| Local Administrations Activity Report | Spending Units - Authorising Officers | Head of Administration |
| Administration Activity Report (Art 41 of Law No 5018) | Head of Administration (general budget administrations, special budget administrations and social security institutions) | Ministry of Finance, Court of Accounts and Public Opinion |
| Local Administrations Activity Report (Art 41 of Law No 5018) | Head of Administration (local administrations) | Ministry of Interior, Court of Accounts, Public Opinion |
| General Activity Report (Art 41 of Law No 5018) | Ministry of Finance (Directorate General for Budget and Fiscal Control) | Court of Accounts and Public Opinion |
| Local Administrations General Activity Report (Art 41 of Law No 5018) | Ministry of Interior | Court of Accounts, Ministry of Finance and Public Opinion |
| Administration AR, General AR, Local Administrations General AR (Art 41 of Law No 5018) | Court of Accounts (expressing its own opinions in light of its external audit results) | TGNA |
| Draft Law on Final Accounts (Art 42 of Law No 5018) | Ministry of Finance (DG Public Accounts) | TGNA, Court of Accounts |
| External Audit Overall Assessment Report (Art 68 of Law No 5018) | Court of Accounts | TGNA |
| Corporate Financial Status and Expectations Report | Public administrations under the scope of General Management | Public Opinion |
| Central Government Budget Realisations and Expectations Report | Ministry of Finance (Directorate General for Budget and Fiscal Control) | Public Opinion |
| Financial Statistics (Art 52, 53 and 54 of Law No 5018) | Ministry of Finance (DG Public Accounts) | Public Opinion |
In the production and submission of the activity reports above, Law No 5018 and the principles and procedures set out in the Regulation on Activity Reports Prepared by Public Administrations are taken into account.
In the preparation and publication of the financial statistics of public administrations, Law No 5018 and the principles and procedures set out in the General Communiqué on Financial Statistics of General Management are taken into consideration.
Annex 4a Whistle-Blowing Process Related to Ethical Values

Application: written petition, electronic mail, or oral application that is recorded.

Registry (relevant unit/person): registration in the document registry system (written or electronic); a separate folder system for notification applications.

Evaluation:
- If related to a Director General or a position above Director General: Ethics Board.
- If related to a position below Director General: Disciplinary Board of the head office of the relevant administration.

Notification:
- To the relevant person (the person the whistle-blowing is about)
- To the relevant administration (the work is conducted within the framework of Law No 657)
- To the whistle-blower

Notification of the outcome:
- If it is decided that the ethical behaviour principles have been violated: to the Prime Ministry; to the public (published in the Official Gazette)
- If no violation of the ethical behaviour principles is detected: to the Prime Ministry; to whom it may concern
Annex 4b Whistleblowing and Evaluation Process for Crimes Committed by Civil Servants

Application: written petition (naming a person or a particular event; serious allegations; name, family name, signature, domicile address).

Registry (relevant unit/person): registration in the document registry system (written or electronic; a separate folder system for notification applications).

Head of the relevant unit:
- Applications made directly to the Chief Public Prosecutor: notification to the body authorised to give the investigation permit (Article 3 of Law No 4483).
- Other positions or civil servants: request for an investigation permit from the body authorised to give the permit (Article 3 of Law No 4483).

The body authorised to give the permit starts the preliminary examination (Article 5 of Law No 4483). The preliminary examination report is prepared and submitted to the body authorised to give the permit.

Decision:
- Permitting the investigation of the complaint, whistleblowing or subject matter of the allegation. Objection: to the Court of Appeals or the regional administrative court, by the civil servant about whom the investigation is conducted.
- Not permitting the investigation of the complaint, whistleblowing or subject matter of the allegation. Objection: to the Court of Appeals or the regional administrative court, by the Chief Public Prosecutor's Office or the complainant.

Notification of the decision:
- To the Chief Public Prosecutor's Office
- To the civil servant about whom the investigation is conducted
- To the whistleblower
MONITORING
1 Introduction
Monitoring is the assessment of the internal control system against the internal control standards to establish whether it makes the expected contribution to the achievement of the goals and objectives of an administration, and the identification of the actions needed on the aspects open to improvement. Within this framework, monitoring is an integrated process in which capacity is assessed in interaction with the other components of the internal control system.
M Figure 1 COSO Monitoring Process
[Figure: the COSO components Risk Management, Control Activities, Information and Communication, and Monitoring]
The main elements of monitoring are the formation of a sound infrastructure for monitoring, the design and implementation of monitoring procedures, and the assessment and reporting of the results.
Monitoring, if designed and carried out properly, provides the administration with reasonable assurance that the internal control system operates effectively. Effective monitoring helps to:
- identify and eliminate problems in the internal control system in a timely manner;
- produce more accurate and reliable information for use in decision making;
- produce correct and timely financial statements;
- confirm regularly that the internal control system is effective;
- provide evidence for the internal control assurance declarations.
Monitoring internal control systems requires participation. Question forms, internal and external audit reports, requests and complaints from individuals and/or organisations, and the opinions of unit directors must be drawn on during monitoring.
2 Monitoring Internal Control Standards
Monitoring includes all monitoring activities performed with the aim of assessing the quality of the internal control system.
M Box 1 Internal Control Standards
Standard 17 Assessment of internal control
The administrations shall assess their internal control systems at least once a year
Standard 18 Internal audit
The administrations shall ensure a functionally independent internal audit activity
3 Roles And Responsibilities
31 Senior Manager
The main responsibility for monitoring the internal control system rests with the Senior Manager. This is also emphasised in Article 11 of Law No 5018, which states that Senior Managers are responsible for observing and monitoring the functioning of the financial management and control system.
The Senior Manager fulfils this responsibility through the internal auditors and the Strategy Development Unit (SDU).
The Senior Manager approves the internal control system annual assessment report prepared by his administration and ensures its submission to the Central Harmonisation Unit (CHU). Furthermore, the Senior Manager states annually, based on evidence and through the internal control assurance statement (Annex 3A), that the internal control system gives reasonable assurance for the attainment of the objectives and aims of his administration.
The Senior Manager also ensures the implementation of the recommendations put forward as a result of internal and external audits.
32 Internal Audit
Internal audit has the functions of providing information, making assessments and making recommendations on the adequacy, efficiency and functioning of the internal control system. Within this framework, the Senior Manager, who is responsible for the sound functioning of the internal control system, receives opinions and support from the internal auditors.
33 Internal Control and Risk Steering Board (ICRSB)
The ICRSB assesses the Internal Control System Evaluation Report prepared by the SDU as a result of the annual assessment of the internal control system (Annex 2) and, after identifying any shortcomings in the report, submits it with its opinions for the approval of the Senior Manager.
34 Authorising Officers
Authorising officers have responsibilities regarding internal control and continuous monitoring. Furthermore, Authorising Officers provide the SDU with the information needed for the annual assessment of the internal control system, fill in the internal control question form (Annex 1) and annually sign the internal control assurance declaration (Annex 3B) to be submitted to the Senior Manager.
In addition, Authorising Officers are responsible for taking the relevant actions on the recommendations contained in internal and external audit reports.
35 Strategy Development Units (SDU)
SDUs have been assigned by Law No 5018 and the applicable legislation[3] the function of carrying out studies to establish, implement and continuously develop internal control systems and of reporting the results of these studies to the Senior Manager.
Within this framework, SDUs assess the internal control system annually on behalf of the Senior Manager. They form a working group, use tools such as checklists, questionnaires and question forms, and report the assessment findings to the Senior Manager together with the opinions of the Internal Control and Risk Steering Board.
SDUs sign the declaration on the functioning of the internal control system with a view to ensuring the effective, efficient and economical execution of the administration's activities.
SDU personnel take an active role in the assessment of the internal control system and guide the units in filling in the assessment forms (Annex 1).
36 Other Managers and Employees
Other managers and employees are responsible for the effective functioning of the internal control system within their own fields. Within this framework, while carrying out their duties they observe the functioning of the internal control system, inform the Senior Manager in case of a problem, and contribute to the assessment of the internal control system by providing information.
37 External Audit
External audit is conducted by the Court of Accounts. Within this framework, the Court of Accounts can assess the internal control systems of public administrations and make recommendations.
38 Central Harmonisation Unit (CHU)
In accordance with Article 9 of the Principles and Procedures regarding Internal Control and Ex-ante Financial Control and Article 55 of Public Financial Management and Control Law No 5018, this unit develops standards and methods for internal control processes and provides guidance to public administrations.
Furthermore, the CHU annually assesses the functioning of internal control systems in public administrations on the basis of the Internal Control Assessment Reports approved and submitted by senior managers, and submits the assessment report it prepares to the Senior Manager and the Minister of Finance.
Where necessary, the CHU carries out on-site monitoring of the matters contained in the reports prepared by public administrations.
Within the framework of the roles and responsibilities explained above, the following scheme shows the exchange of information and the reporting lines envisaged within the scope of monitoring activities in the administration.
[3] Legislation on Principles and Procedures regarding Internal Control and Ex-ante Financial Control and Working Principles and Procedures of Strategy Development Units.
M Figure 2 - Reporting and information exchange process foreseen under monitoring
[Figure: reporting lines between the Central Harmonisation Unit, the Senior Manager, Internal Audit (report), the Internal Control and Risk Steering Board, External Audit by the Court of Accounts (report), the Strategy Development Unit, Authorising Officers, sub-unit managers and sub-unit personnel]
1) Straight arrows show the hierarchy in the reporting process.
2) Dotted lines show the exchange of information.
4 Guidance by the CHU[4]
Article 55 of Public Financial Management and Control Law No 5018 and Article 9 of the Principles and Procedures on Internal Control and Ex-ante Financial Control prescribe that standards and methods concerning financial management and control are developed and harmonised by the Ministry of Finance and that guidance is provided to public administrations.
In this context, within the scope of its monitoring function, the CHU:
- monitors whether the internal control standards are complied with;
- monitors the operation of the systems by receiving information and reports from the administrations on internal control and ex-ante financial control arrangements and practices;
- researches national and international good practices and conducts studies for their implementation.
The CHU annually assesses the operation of the internal control system across the public sector on the basis of the Internal Control System Evaluation Reports submitted with the approval of the heads of public administrations and, where necessary, carries out on-the-spot monitoring of the issues included in the reports of the administrations.
[4] This part consists of general information on the guidance provided by the CHU; detailed information can be found in the CHU Handbook.
5 Assessment and Reporting Role of SDUs
Assessing internal control periodically and identifying and applying the necessary actions are crucial to the effectiveness of the system. In this context, each organisation needs to assess its internal control system. Assessing the internal control system means analysing, on the basis of the internal control components, whether the system makes the expected contribution to the achievement of the aims and objectives of the administration, identifying the aspects open to improvement and taking corrective actions.
The Public Internal Control Standards require that the internal control systems in public administrations be assessed at least annually, using ongoing monitoring or separate evaluations. The assessment of the internal control system requires the participation of all units; internal and external audit reports, requests and complaints from individuals and/or organisations, and the opinions of unit directors must be considered; and the assessment process must be methodical.
51 Assessment of Internal Control System by SDUs
Assessment of the internal control system by SDUs is carried out principally by means of the Internal Control System Question Form. Other tools such as checklists and questionnaires can also be used in the evaluation. Furthermore, the opinions of managers and requests and complaints from organisations and/or individuals are taken into consideration. Evaluations are carried out at least annually; quarterly or semi-annual evaluations can be carried out as well.
Coordination of the assessment, conveyance of the questionnaires to the relevant units and consolidation of the responses are tasks of the Internal Control sub-units in the SDUs.
The SDU staff who will support the filling in of the questionnaires must be determined and the evaluation process must be planned. In the plan a representative must be appointed for each unit; where the number of staff is insufficient, at least one person must be assigned as responsible, and this must be communicated to the relevant units. This responsible person provides guidance to the units in filling in the questionnaires.
Spending units are obliged to respond to the questions on Risk Assessment, Control Activities, and Information and Communication. Responding to the questions in the Control Environment and Monitoring parts is at the discretion of the spending units.
SDUs must complete the sections on control environment and monitoring in the internal control question forms which they fill in as spending units.
The following steps should be followed while evaluating the internal control system:
- First, unit managers should organise an opening meeting with the representatives from the SDU. In this meeting guidance should be provided on responding to the questionnaire and the deadline for completing it should be announced.
- The timetable for the questionnaire and the SDU representative's contact details should be communicated to the unit manager along with the questionnaire itself. The units must be given a reasonable amount of time to complete the questionnaire, which should not be less than one week.
- The questionnaire should be completed with the participation of sub-unit managers and staff under the coordination of the unit manager.
- When completing the questionnaire, spending units should bear in mind that this is a kind of self-assessment: through the answers they give, they essentially assess their own units. They should therefore make an in-depth assessment of the functioning of internal control in their own units. Where necessary, support should be sought from the SDU representatives.
- When the questionnaire is received by the SDU representative, each question should be checked and any misunderstanding corrected. To this end the SDU representative is entitled to contact the unit manager about the responses to the questionnaire.
- Internal audit units/internal auditors can be asked for support and recommendations when the accuracy of the information in the questionnaire needs to be checked.
- Following the submission of all questionnaires, the SDU should consolidate them and prepare the evaluation report, drawing primarily on the questionnaires and also on the following sources of information: action plans produced on the basis of internal and external audit reports; information on budget and ex-ante financial control; and other sources of information (opinions of managers, requests or complaints by individuals and/or administrations).
Given that the evaluation report is produced from the information sources mentioned above (questionnaire, internal and external audit reports, budget and ex-ante financial control information, etc.), it should be kept in mind that this process takes time.
While assessing the results of the questionnaire, the points should be added up and converted to a percentage for each section. For example, the total number of points that can be scored for the Control Environment section is 44; if the unit's score is 22 out of 44, the percentage result is 50%. A percentage score should be recorded for each section and for the whole questionnaire (using the total possible points of 116).
The percentage scores should be interpreted as follows, separately for each category and also for the overall percentage score.
M Table 1 - Interpretation of the Results of the Internal Control Question Form

| Score (%) | Interpretation |
|---|---|
| 0-25 | Evidence of some awareness and understanding, but still in the early stages of internal control development. Direct action needed by the SDU to provide guidance. |
| 25-50 | Evidence of implementation that is planned and in progress. Action needed by the SDU to provide further guidance. |
| 50-75 | Evidence of implementation in some key areas. Further guidance may be required from the SDU. |
| 75-95 | Evidence that implementation of internal control is embedded and a good capability is established. The SDU may wish to identify the best areas as examples of best practice and inform the CHU. |
| 95-100 | Evidence of a mature internal control system with excellent capability established. The CHU will wish to use it as an example of best practice. |
52 Reporting of Internal Control System Evaluation Results
The SDU prepares a report on the activities carried out for establishing and developing the internal control system and on the functioning, effectiveness and efficiency of the system. The 'Internal Control System Evaluation Report' template in Annex 2 should be used for reporting the assessment results.
The "Internal Control System Questionnaire" is an important basis for the preparation of this report. Alongside information on the operation of the internal control system, the report should include the steps taken to strengthen it. Furthermore, the areas where no or insufficient controls exist, where controls do not work properly or where controls are excessive, and the plans and tables produced to address the problems identified, should also be covered in the report.
The report is reviewed by the ICRSB, if there is one in the administration. If not, it is reviewed by a board consisting of authorising officers or their assistants assigned by them, chaired by an authorising officer or a Deputy of the Senior Manager. After eliminating any shortcomings, the board submits the report to the Senior Manager for approval.
The annual evaluation report approved by the Senior Manager must be sent to the CHU by the SDU by the end of the following March.
53 Monitoring of Internal Control System Evaluation Reports
The measures and actions to be taken and the arrangements to be made regarding the aspects identified in the Internal Control System Evaluation Report as requiring development must be set out within the framework of managerial responsibility. In certain areas the unit managers will have to take action to close the gaps. Furthermore, if there are horizontal problems on which most of the units score low, actions for improvement should be initiated by the Senior Manager.
The measures, actions and arrangements must be implemented within a designated period of time in the context of an action plan. SDUs must monitor the implementation results of these measures, actions and arrangements at least semi-annually and inform the Senior Manager of the results.
54 Work to be carried out by SDUs concerning Internal Audit Reports
In accordance with Article 64 of Law No 5018, reports submitted by internal auditors to the Senior Manager shall be sent to the concerned unit and the SDU, following assessment by the Senior Manager, for the necessary action to be taken. SDUs should assess the report sent by the Senior Manager in light of the following questions.
M Table 2 - Evaluation of the Internal Audit Reports by the SDUs
Question 1: What information is available in the report about the effectiveness of the internal control system? For example, what information does the internal audit report include on risk management?
Question 2: Are there any problems according to the internal audit report?
Question 3: What are the problems in question?
Question 4: What work is to be carried out by the spending units to fix these problems? SDUs may provide spending units with guidance on the actions to be taken.
Question 5: What work is to be carried out by the SDU to fix these problems? Taking these problems into consideration, the SDU identifies the measures to be taken in the Internal Control System Evaluation Report to be submitted to senior management. Having identified the training need arising from the shortcomings in the internal control system, the SDU can request that new training programmes be developed or existing programmes be revised.
Question 6: Has the SDU done what is necessary to fix these problems? It should be established whether the SDU has done the necessary work (delivering training, giving recommendations) to fix the problems.
6 Internal and External Audits
In accordance with Law No 5018, the audit of the financial management and control system is divided into two categories: internal audit and external audit. Internal audit is carried out by the internal auditors working in the administrations within the scope of general government, with the exception of regulatory and supervisory institutions. External audit of the administrations under general government, on the other hand, is carried out by the Turkish Court of Accounts.
61 Internal Audit
Articles 63-67 of Law No 5018 set out the overall scope of the internal audit system, and the professional framework has been established by secondary and tertiary legislation.
The activities and transactions of all units of public administrations, including those abroad and in the provinces, are subject to internal audit in line with audit standards, within the scope of risk-based audit plans and programmes, using a systematic, consistent and disciplined approach.
The most distinctive difference between the existing inspection boards and the internal audit designed by the Law is that internal auditors have a limited authority: they can only notify the most senior person in the administration when they find cases requiring investigation during or after the audit. Inspectors, by contrast, have the authority to initiate investigations and to submit reports containing their findings directly to the legal authorities.
611 Definition and Aim of Internal Audit
Internal audit is defined in Article 63 of Law No 5018 as follows:
M Box 2 - Article 63 of Law No 5018
"Internal audit is an activity of providing independent and objective assurance and consultancy performed in order to improve and add value to the activities of the public administrations by evaluating whether the resources are managed in conformity with the principles of economy, effectiveness and efficiency and by providing guidance. Such activities are performed with a systematic, regular and disciplined approach and in accordance with generally accepted standards aiming to evaluate and improve the efficiency of risk management and of management and control processes on the management and control structures and financial transactions of administrations."
In the above definition, "objective assurance" refers to providing sufficient assurance within and outside the organisation that an effective internal control system exists; that its risk management, internal control system and business processes operate effectively; that the information produced is accurate and complete; that the assets are safeguarded; and that the activities are carried out in an efficient, economic and productive manner in line with the legislation.
Alongside the objective assurance it provides, internal audit offers independent and impartial consultancy to assist administrations in developing their risk management, control and management processes. Consultancy covers providing recommendations to evaluate and improve, in a systematic and regular manner, the activities and business processes of the administration aimed at the achievement of its objectives.
Internal auditors are involved neither in the design or implementation of internal control systems nor in the selection of control actions.
612 Monitoring within the scope of Internal Audit
Internal auditors submit their reports directly to the Senior Manager of the public administration. Following evaluation by the Senior Manager, these reports are given to the concerned units and the SDU for the necessary action to be taken. Internal audit reports and the actions taken on them shall be sent by the head of the public administration to the Internal Audit Coordination Board within two months at the latest.
Audit results are monitored within the framework of the Public Internal Control Reporting Standards published by the Board. The corrective actions and advice recommended by the internal auditor following the internal audit shall be completed by the auditee within the time period indicated in the relevant report. The Senior Manager follows up whether the measures stated in the report have been taken. The Senior Manager can fulfil this duty through the internal audit unit (or through the internal auditors in administrations where there is no unit). The internal audit unit (or the internal auditors where there is no unit) sets up a follow-up system to monitor the implementation of internal audit reports.
Unit directors take the necessary actions on the recommendations included in the audit report about the audited activities. If no action can be taken, the head of the internal audit unit informs the Senior Manager.
If the recommendation or corrective measure will take a certain period of time to implement, this shall be stated in the response to the audit report, and the relevant unit shall communicate developments to the internal audit unit at least every six months.
Actions taken by the audited units on the report, or the justifications for not taking action, are sent to the internal audit unit to be submitted to the internal auditor.
62 External Audit
Another means that contributes to accountability is external audit. External audit plays an important role in the exercise of the legislature's budget right and in the effective, efficient and economic use of public resources. The Turkish Court of Accounts audits the financial activities and transactions of public administrations on behalf of the legislature.
621 Aim of External Audit
The purpose of the ex post external audit performed by the Court of Accounts is to audit, within the framework of the accountability of public administrations within the scope of general government, the financial activities, decisions and transactions of management in terms of their compliance with the laws and with institutional purposes, targets and plans, and to report the results to the Turkish Grand National Assembly.
622 Scope of External Audit
External audit is divided into two categories, namely regularity audit and performance audit.
Regularity audit is carried out by means of the following:
- determining whether the revenues, expenditures and goods of public administrations and the related accounts and proceedings comply with the laws and other legal regulations;
- giving an opinion on the accuracy and reliability of the financial reports and statements of public administrations, after assessing them and all documents produced in relation to them;
- assessing the financial management and internal control system.
Performance audit, on the other hand, measures activity results against the objectives and indicators identified by the administrations within the framework of accountability.
623 Functioning of External Audit
External audit makes use of the accounts and other relevant documents of the public administration. Where needed, the TCA can also request the reports of the internal auditors.
Reports produced from the audits are consolidated by the administrations and submitted to the Senior Manager for response; finally, the external audit overall evaluation report, produced in light of the external audit reports and the responses to them, is submitted to the Turkish Grand National Assembly. External audit results can also be made into administration-based or topic-based reports and submitted to the TGNA as individual reports.
6.2.4 Coordination between External Audit and Internal Audit
Ensuring coordination and cooperation based on communication, common understanding and trust between external audit and internal audit is important for increasing the efficiency of both. Such coordination and communication also ensures effective use of audit resources by preventing unnecessary repetition of audits.
In accordance with Law No. 5018, the Court of Accounts can make use of internal audit reports within the framework of such coordination and communication. Moreover, the internal audit standards state that the head of the internal audit unit shall share available information with the other internal and external auditors and conduct his activities in coordination with them.
7 Internal Control Assurance Declarations
The new financial management and control understanding brings forward the concepts of financial transparency and accountability. Briefing the public and the judicial organ on the activities a public administration carries out in order to attain its objectives and aims, and on their results, is one of the most important requirements of managerial accountability.
In this way, it is ensured that those carrying out public services feel more responsible and work in an outcome-oriented manner, and that the beneficiaries of public services are informed on how the taxes they pay are used and on the performance of public administrations; public audit is thereby strengthened alongside legislative audit. To this effect, in the new financial management and control system it is provided that authorising officers [5] prepare unit activity reports, the Ministry of Internal Affairs prepares an Assessment Report regarding the activities of local administrations and the Ministry of Finance prepares the Overall Activity Report, and it is ensured that the Court of Accounts informs the Turkish Grand National Assembly with its own assessments.
In order to deliver the concepts of financial transparency and accountability, the actors of the system, i.e. Senior Managers and authorising officers allocated appropriations from the budget, have been commissioned to prepare internal control assurance declarations and attach them to the activity reports of the administrations and of the units [6].
Within this framework, those who need to give an internal control assurance declaration, and the type of declaration they give, are shown in the following table.
Table 3: Types of Internal Control Assurance Declarations

Those who will give an internal control assurance declaration | Type of internal control assurance declaration
Senior Manager | Internal Control Assurance Declaration (Senior Manager) (Annex 3A)
Authorising Officers | Internal Control Assurance Declaration (Authorising Officer) (Annex 3B)
Head of SDU | Declaration of the Head of SDU (Annex 3C)
[5] Unit activity reports and internal control assurance declarations are prepared by those authorising officers to whom an appropriation is allocated in the budget.
[6] Art. 8 of the Principles and Procedures regarding Internal Control and Ex-ante Financial Control; Art. 19 of the By-law on the Preparation of the Activity Reports of Public Administrations; Annex 2, 3, 4.
On the other hand, every authority signing the internal control assurance declaration should be sure that the assurance given is supported by evaluation reports issued by the SDU, internal and external audit reports, other external assessments and similar sound evidence. Furthermore, while completing the internal control assurance declaration of his administration, the Senior Manager should assess the Assurance Declarations of the authorising officers and the Head of SDU, and should state in his Internal Control Assurance Declaration that the reasonable assurance these declarations gave him formed an important basis for his own declaration.
7.1 How to Complete Internal Control Assurance Declarations
Guidance on the internal control assurance declarations to be completed by the Senior Manager (Annex 3A), the Authorising Officer (Annex 3B) and the Head of SDU (Annex 3C) is as follows.
7.1.1 Guidance on Internal Control Assurance Declarations for Senior Manager and Authorising Officer
The Internal Control Assurance Declaration (ICAD) comprises four main parts, namely Responsibility; Basis of Internal Control System and Assurance Declaration; Risk Management; and Assessment of Internal Control System (Annex 3A and Annex 3B).
In completing Annexes 3A and 3B, Senior Managers and Authorising Officers should observe the standard templates and complete the relevant boxes. Each box has a cross reference to where more information can be found in the main body of this chapter.
7.1.1.1 Responsibility
The Senior Manager is responsible for establishing, operating and monitoring an effective financial management and control system that contributes to the realisation of the objectives and aims of his administration. Within this framework, he is obliged to take the necessary measures to ensure that the regulations regarding the internal control system are adopted by employees and that the internal control standards are observed. The authorising officer is responsible for the compliance of spending orders with the budget principles, laws, by-laws and regulations, for the economical and efficient use of subsidies, and for the functioning of internal control within the framework of his duties and authorities.
As the paragraph of the ICAD regarding responsibilities is drafted within this framework, only the name of the relevant administration should be written in the part marked [administration]; no other change should be made to the text.
7.1.1.2 Basis of Internal Control System and Assurance Declaration
The aim of the internal control system is to ensure the following, in order to give reasonable assurance on the realisation of the strategic objectives of the administration:
- effective, efficient and economical management of public revenues, expenditures, assets and obligations;
- public administrations carrying out their activities in line with the law and other applicable regulations;
- prevention of corruption and irregularity in every kind of financial decision and operation;
- obtaining regular, timely and reliable information and reports for decision making and monitoring; and
- prevention of abuse and waste of assets and protection against losses.
However, the internal control system will not give the administration absolute assurance that the aims mentioned above are realised, even when it is very well designed and operated, because factors outside the influence and control of the administration can affect its capacity to attain its objectives. Therefore it must be accepted that the internal control system gives management reasonable, not absolute, assurance on the realisation of objectives.
The cost of internal control should not exceed the benefit obtained. Management has to take into consideration the costs of controls and their benefits when deciding on responses to risks and control activities. The authorising officer likewise has to take these factors into consideration while identifying and assessing the risks related to his unit.
On the other hand, in identifying weaknesses in the internal control system, correcting faults and contributing to the development of the system, the Senior Manager/authorising officer receives support from internal and external assessments made within the framework of management information systems, evaluation reports issued by the SDU, and internal and external audit reports and assessments. It is therefore appropriate that such support be explained in the ICAD by the Senior Manager/authorising officer.
7.1.1.3 Management Information Systems
Managers need financial and non-financial information in order to detect whether the administration has attained its objectives and aims, whether the accountability function has been fulfilled, and whether resources are used effectively, economically and efficiently. These requirements are best met, and timely and accurate decisions are possible, only if proper, accurate, timely and accessible information exists.
Therefore the management information system of the administration should be designed to produce the information and reports needed by management and to give the opportunity for analysis.
The Senior Manager/authorising officer should briefly describe in the ICAD the management information system available in the administration/unit and explain what contribution this system makes to the functioning of the internal control system.
7.1.1.4 Internal Audit
Responsibility for establishing an adequate and effective internal control system rests with the Senior Manager. By informing management on the effectiveness, adequacy and functioning of the internal control system and by making assessments and recommendations, internal audit plays an important part in helping senior management fulfil this responsibility.
Within this framework, the audits carried out by internal auditors:
- detect whether the internal control system functions in a sound manner; and
- determine the success of the internal control system in ensuring compliance with the legislation and relevant regulations, the accuracy of accounts and operations, the reliability of financial statements, and the effective, economical and efficient execution of the activities, programmes and projects of the administration.
The Senior Manager, on the other hand, assesses the matters that internal audit reports envisage to be corrected and improved, and takes the necessary measures.
First of all, the Senior Manager should state in the ICAD whether his administration has an internal audit unit. If there is one, this part of the declaration should give a brief summary of the measures taken regarding the adequacy, effectiveness and functioning of the internal control system in line with the recommendations and assessments of the internal auditors.
The Senior Manager may explain in the ICAD how the action plans prepared by the audited units, regarding the measures to be taken by the administration as a result of internal audits, are monitored, and may also mention any support provided by the internal audit unit for that monitoring activity.
The authorising officer, on the other hand, may explain in the ICAD the action plans prepared on the measures to be taken by his unit as a result of internal audit and their implementation.
7.1.1.5 External Audit
If the Court of Accounts has conducted an external audit, the Senior Manager/authorising officer should include in the Internal Control Assurance Declaration a summary of the relevant findings and assessments, as well as of the operations carried out by the administration in response to them.
If an operation in relation to external audit reports of previous years has been carried out within the year, a summary of that operation should also be included in this part of the declaration.
7.1.1.6 Strategy Development Unit (SDU)
The SDU carries out studies in such fields as establishing the internal control system and implementing and developing the standards, and submits the results to the Senior Manager.
Although the duty of setting standards and methods in financial management and internal control processes is assigned to the Ministry of Finance, every kind of method, process and standard regarding specific operations that is considered necessary is prepared by the SDU and submitted for the approval of the Senior Manager, provided that it does not conflict with Law No. 5018 and the standards set by the Ministry of Finance. Authorising Officers base their activities on the relevant regulation together with the legislation.
Furthermore, the SDU prepares an annual Internal Control Evaluation Report on the functioning of the internal control system and submits it to the Senior Manager. The Senior Manager should therefore mention in the ICAD these regulations and Internal Control Evaluation Reports regarding the financial management and control system, prepared by the SDU and put into effect following his approval.
Within this framework, the authorising officer should mention in the ICAD the guidance provided by the SDU for the sound functioning of the internal control system in the unit.
7.1.1.7 Risk Management
Administrations set out their missions and visions as well as their objectives, aims and basic policies in their strategic plans. In preparing their strategic plans, administrations also analyse their institutional strengths, weaknesses, threats and opportunities.
With the help of such techniques as SWOT and PESTLE analyses, administrations can identify, define and assess the risks they may come across in carrying out their activities. Generally, a risk is an uncertain event that may occur, together with its unfavourable outcomes and impacts. Risk is generally considered to be the threats that prevent the realisation of aims and objectives; however, well managed risks pave the way to benefiting from probable opportunities.
The two most important components of administrative risks are probability and impact. Therefore, in addressing a risk, both the probability that it occurs and the impact it may create if it occurs are considered. The most important feature of the risk concept is that it is inevitable. Therefore the administration should prefer managing risks to overlooking them and resorting to crisis management when they occur. It should be emphasised that, as the time and resources to manage risks are limited and it is impossible to eliminate risks, the necessary control activities are conducted to keep risks at a tolerable level.
Risk perception, risk awareness and risk appetite can differ according to the organisational structure, human resources and activities of an administration. Therefore the Senior Manager should include in the ICAD the following elements, relating them to the activities and functioning of the administration (Authorising Officers should take into consideration only the parts included in their own ICADs).
7.1.1.8 Risk perception of administration
The following should be summarised:
- the leadership the Senior Manager exercises in the risk management process;
- how risk awareness is raised among the staff and how the staff are encouraged to practise risk management;
- the administrative risk appetite and how it is perceived by the staff;
- whether there is a commonly agreed risk perception among the staff.
7.1.1.9 Capacity to cope with risks
For an effective risk management, the following should be explained:
- how training is provided and awareness is raised among the staff;
- how the staff are guided in addressing the risks relevant to their duties and responsibilities, and how and when they consult senior management in the field of risk management;
- how risk management is internalised within the framework of the overall activities of the administration/unit.
7.1.1.10 Risk identification and assessment
Financial risks are not the only risks that affect the activities of an administration. In relation to the activities of an administration/unit, risks such as the following can also be encountered:
- risks with external sources, such as political, economic, social, cultural, technological, environmental, legal and ethical risks;
- risks with internal sources, such as assets, infrastructure, labour force and organisational structure.
Assessment of risks with external sources can be handled within the strategic risks of the administration. Spending units should give more attention to the operational and functional risks related to their own fields of activity. The various risk categories relating to the activities of the administration, and how such risks are assessed, should be briefly explained in the ICAD (for example, whether risks are classified as to be eliminated, to be transferred, to be managed or to be tolerated).
7.1.1.11 Addressing, controlling, monitoring and reporting risks
The responses to be given to identified risks and the method of addressing risks should be briefly explained. It should be stated whether a risk register, a report on risk status, a consolidated risk report and similar methodologies are functional in the administration.
Identifying the control environment by defining the following, and reporting after effective monitoring, will strengthen the effectiveness of internal control:
- impact;
- probability;
- responses to be given and measures to be taken;
- ownership; and
- type and frequency of reporting.
Considering that the ICAD is a declaration, made within the framework of accountability, that the internal control system of the administration gives reasonable assurance supported with evidence, a summary should be given within the above explanations regarding risk perception and risk management.
7.1.1.12 Assessment of Internal Control System
While preparing the ICAD, an assessment of the effectiveness of the internal control system in the activity period should be included. It is particularly useful to address the specific high-risk areas and the positive and negative developments regarding the internal control system in these areas. As the areas in question vary according to organisational structures and activities, it is appropriate to make the assessment under the following headings:
- Human resources: changes regarding the key personnel of the administration/unit, changes in the qualifications that activities require, wage policy, working conditions, and developments regarding under-employment and over-employment.
- Physical infrastructure and assets: developments in the physical infrastructure and assets of the administration/unit that can influence its fundamental activities.
- Information and communication infrastructure: the information infrastructure and the software and hardware park the administration/unit uses, important developments regarding information systems, and new or updated information systems.
- Data security: assessment of the effectiveness of the controls over the security of the confidential strategic information of the administration/unit.
- New structures and changing fields of activity: how structures that emerged in the administration/unit as a result of changes in the founding law of the administration, or of a new division of duties and activities among administrations, are reflected in the internal control system.
- Problems encountered in main fields of activity, or examples of good practice: the Senior Manager/authorising officer should include in the assurance declaration the problems experienced because of internal and external factors and rooted in weaknesses of the internal control system. The measures to be taken to overcome such problems should also be summarised in the declaration. Likewise, threats eliminated with the help of an effective internal control system should be mentioned under the heading of 'good practices'.
- Developments regarding weaknesses stated in previous years: the Senior Manager/authorising officer should include in this part the measures taken and the improvements achieved regarding the weaknesses and problems contained in the assurance declarations of previous years; and
- Other developments: the Senior Manager/authorising officer should include in this part any important developments that fall outside the headings above.
The Senior Manager/authorising officer may not feel comfortable addressing the weaknesses and problems listed above in the ICAD. However, it is clear that an assurance declaration that mentions no threat, problem or weakness will not be convincing and will not meet the requirements of the transparency and accountability principles. What matters is to emphasise that controls are developed and the internal control system is strengthened in response to the identified problems and weaknesses.
Proceedings not found to be appropriate following ex-ante financial control: the authorising officer should include in this part the proceedings he performed that were found inappropriate by financial services, if any. The authorising officer's supporting opinion, report and evidence, given despite the negative opinion, should be summarised to contribute to accountability [7]. If there is no such proceeding, the statement "there is no proceeding I performed that was not found to be appropriate by the SDU" should be included in the assurance declaration.
On the other hand, the Senior Manager should state, while completing the Internal Control Assurance Declaration, that he evaluated the Assurance Declarations of the Authorising Officers and the Head of SDU, and that the reasonable assurance provided by these declarations formed an important basis for his own declaration.
Where the Senior Manager received support from support and consultation boards established officially or unofficially (ad hoc), such support should be explained in the ICAD. These boards may prepare reports assessing the internal control system, with emphasis on risk strategy and risk management, for submission to the Senior Manager. Where a support/consultation unit similar to those called Consultation Board, Audit Board, Risk Board or Steering Board (which differ among countries/administrations in composition and working style) is established, the support received from such a board should be summarised, as this strengthens the assurance the declaration provides.
7.1.2 Guidance for Internal Control Assurance Declaration of Head of SDU
[7] Regulation on Principles and Procedures regarding Internal Control and Ex-Ante Financial Control, Article 28: the financial services unit keeps a record of transactions carried out by the authorising officers despite ex-ante financial control having declared them inappropriate, and these records are submitted to the Senior Manager monthly. The said records are also provided to auditors during internal and external audit.
The Declaration by the Head of SDU (DHSDU) is a very important element that lays the groundwork for the assurance the Senior Manager needs to provide regarding the internal control system in the administration (Annex 3C).
In completing Annex 3C, the Head of SDU should observe the standard template and complete the relevant boxes. Each box has a cross reference to where more information can be found in the main body of this chapter.
The Head of SDU is responsible for ensuring that the internal control system is implemented and monitored, and that the unit's opinions and recommendations are reported to the Senior Manager so that the necessary actions can be taken in time, in order to ensure that the activities of the administration are carried out in accordance with the financial management and control legislation and other legislation, and that public resources are used in an efficient, effective and economic manner.
As the Field of Competence part of the DHSDU is based on this framework, this part should not be changed either, except for writing the name of the administration in the brackets (administration).
Furthermore, if the declaration is supported by explanations under the following headings, it will form the basis for the reasonable assurance that the Senior Manager has to provide to the public.
7.1.2.1 Management Information Systems
The Head of SDU needs financial and non-financial information to identify whether the aims and objectives of the administration are reached, whether resources are used effectively, efficiently and economically, and whether accountability requirements are met. Meeting these requirements and ensuring timely and correct decision making by the administration's management is only possible where proper, accurate, timely, up-to-date and accessible information exists.
Therefore the management information system within the administration must be designed to produce the information and reports needed by management and to provide them with the opportunity for analysis.
The Head of SDU should include in the declaration explanations, with supporting evidence, that the activities of the administration have been carried out in compliance with the legislation and in line with the budgets prepared according to the strategic plan and annual performance programmes. They should also explain the contribution made by the management information systems used in the administration to the legality of the activities.
7.1.2.2 Development of Internal Control System
SDUs are responsible for the establishment of internal control systems in the administrations and carry out studies regarding the implementation and development of the standards. In this part of the declaration, the Head of SDU should mention the studies carried out to ensure that the internal control system of the administration is harmonised with the Public Internal Control Standards, and briefly describe the process for the design of job descriptions, the formation of business processes, and the preparation and implementation of action plans.
7.1.2.3 Monitoring and Review
The Head of SDU should include supporting evidence regarding the ex-ante financial control activities carried out in line with the legislation and with the approval of the Senior Manager, and regarding the monitoring of due process control. In addition, it should be indicated that the transactions carried out by authorising officers despite a negative opinion upon ex-ante financial control are recorded and submitted to the Senior Manager on a monthly basis for information purposes.
It should also be stated that the financial decisions and transactions subject to ex-ante financial control by the SDU are grouped according to their type, cost and subject, taking the risky areas into consideration, and reviewed at least once a year.
The duties of the SDU include establishing performance and quality criteria in the matters within the duty field of the administration; collecting, analysing and interpreting data and information on the management of the administration and on the improvement of the services and performance within its duty field; analysing the external factors that will affect the services; conducting capacity research within the institution; and analysing the effectiveness of the services and the level of satisfaction with them, and doing general research to that end.
In this context, the Head of SDU should include in the declaration the studies carried out to increase the quality of the services provided by the administration, the studies analysing the external factors that will affect the services, the capacity research within the institution analysing the effectiveness of the services, and the conclusions of these evaluations.
In this part of the declaration, the Head of SDU should provide explanations about the arrangements prepared by their unit and put into effect upon the approval of the Senior Manager.
Finally, the studies regarding the establishment of the internal control system in the administration and the implementation and development of the standards, and the process by which the financial management and control system of the organisation is reviewed annually and reported to the Senior Manager, should be described.
7.1.2.4 Briefing and Advising
Providing the necessary information and consultancy to the Senior Manager and Authorising Officers regarding the implementation of financial laws and other related legislation is also among the duties of SDUs.
In this part of the DHSDU, it should be underlined that coordination has been ensured while working with the spending units on the establishment of the internal control system and the implementation and development of the standards. A brief statement that information and consultancy on the implementation of financial laws and other related legislation has been provided to the Senior Manager and Authorising Officers should be included.
7.1.2.5 Financial Information
The Head of SDU should be satisfied, on the basis of supporting evidence, that the information included in Section III.A (Financial Information) of the Activity Report is reliable, complete and accurate.
MONITORING ANNEXES
Annex 1: Internal Control System Question Form
INTERNAL CONTROL SYSTEM QUESTION FORM
This questionnaire is designed to let public administrations see whether their internal control system complies with the internal control standards. It also provides the opportunity to identify to what extent the internal control system facilitates the achievement of objectives, considering changing conditions, resources and risks. It is of crucial importance that those responding to this questionnaire give factual answers, as the questionnaire will be used to identify the level of advancement of the internal control system in the administration.
Heads of units are responsible for making an in-depth assessment of the functioning of internal control in their respective units and completing the internal control questionnaire. Within this framework, the questionnaires completed by heads of units under the guidance of the SDU are sent back to the SDU to be consolidated into an overall evaluation report for the entire administration. The SDU submits the report produced from these questionnaires to the CHU following approval by the Senior Manager.
Completing the questionnaire
This questionnaire is made up of five parts, each based on one of the components of Internal Control:
- Control Environment;
- Risk Assessment;
- Control Activities;
- Information and Communication; and
- Monitoring.
Each part includes questions on the functioning of the internal control system in the context of that component. Care should be taken that responses to the questionnaire are consistent with the administration's action plans produced to achieve compliance with the Public Internal Control Standards.
Spending units are obliged to respond to the questions on Risk Assessment, Control Activities and Information and Communication. Responding to the questions on Control Environment and Monitoring is at the spending unit's discretion.
The response part is made up of three options: YES, NO and IN DEVELOPMENT. There is also a fourth column titled EXPLANATION. YES means that the issues included in the question are properly understood and implemented within the administration/unit. NO means that the issues included in the question are not understood or implemented within the unit or the overall administration. IN DEVELOPMENT means that the issues included in the question are partially understood or implemented in the unit or in some divisions of the administration. In the explanation part, evidence and recommendations should be written, if any. Guidance is given after the questions with a view to helping readers understand them better.
The questionnaire is evaluated by means of scores assigned to the answer to each question: the answer "Yes" corresponds to a score of 2, "In Development" to 1 and "No" to 0. A total score is calculated for each chapter of the questionnaire, and there is also a total score for the whole questionnaire.
If the answer "No" is given to a question, the Head of Unit/Senior Manager should take steps to improve the relevant area.
If the answer "In Development" is given to a question, the Head of Unit/Senior Manager should assess what can be done to achieve progress in the relevant area.
If the answer "Yes" is given to a question, there is no factor in that area that needs improvement.
Taking into consideration that this questionnaire is a kind of self-assessment and that the internal control system is a new practice for administrations, please give realistic and reliable answers.
If you have any hesitation in completing the questionnaire, please refer to the SDU.
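The scoring rules above (Yes = 2, In Development = 1, No = 0; a total per part and for the whole form), the mandatory parts for spending units, and the evidence requirement of footnotes 8 and 9 can be applied by the SDU in one consolidation step. The scorer below is an added illustration, not a tool from the manual or the Twinning project; the Response record, the part names used as keys, and the sample answers are assumptions constructed for the example. It goes slightly beyond the text by also listing questions that claim Yes or In Development without any evidence, and mandatory parts a spending unit left unanswered.

```python
from dataclasses import dataclass

# Scores the manual assigns to each answer: Yes = 2, In Development = 1, No = 0.
SCORE = {"YES": 2, "IN DEVELOPMENT": 1, "NO": 0}

# The five parts of the questionnaire, one per internal control component
# (names are this example's keys, not identifiers from the manual).
ALL_PARTS = [
    "Control Environment",
    "Risk Assessment",
    "Control Activities",
    "Information and Communication",
    "Monitoring",
]

# Parts a spending unit must answer; Control Environment and Monitoring are discretionary.
MANDATORY_PARTS = {"Risk Assessment", "Control Activities", "Information and Communication"}


@dataclass
class Response:
    """One answered row of the question form (structure assumed for this example)."""
    number: int            # question number
    part: str              # component of internal control the question belongs to
    answer: str            # Yes, No or In Development (case-insensitive)
    explanation: str = ""  # evidence or recommendation from the Explanation column


def normalise(answer: str) -> str:
    """Map a free-form answer to one of the three scored options, rejecting anything else."""
    key = " ".join(answer.split()).upper()
    if key not in SCORE:
        raise ValueError(f"unknown answer {answer!r}; expected Yes, No or In Development")
    return key


def score_questionnaire(responses):
    """Per-part totals, the overall total and the follow-up lists the manual calls for."""
    part_totals = {part: 0 for part in ALL_PARTS}
    answered_parts = set()
    improve, progress, missing_evidence = [], [], []
    for r in responses:
        if r.part not in part_totals:
            raise ValueError(f"question {r.number}: unknown part {r.part!r}")
        key = normalise(r.answer)
        part_totals[r.part] += SCORE[key]
        answered_parts.add(r.part)
        if key == "NO":
            improve.append(r.number)        # steps must be taken to improve the area
        elif key == "IN DEVELOPMENT":
            progress.append(r.number)       # assess what can be done to make progress
        # Footnotes 8 and 9: Yes and In Development answers need evidence in Explanation.
        if key != "NO" and not r.explanation.strip():
            missing_evidence.append(r.number)
    return {
        "part_totals": part_totals,
        "total": sum(part_totals.values()),
        "improve": improve,
        "progress": progress,
        "missing_evidence": missing_evidence,
        "unanswered_mandatory": sorted(MANDATORY_PARTS - answered_parts),
    }


# Constructed sample responses for one spending unit (not real questionnaire data).
SAMPLE = [
    Response(1, "Control Environment", "Yes", "awareness training delivered; attendance list attached"),
    Response(2, "Control Environment", "In Development", "code of ethics leaflet drafted"),
    Response(3, "Control Environment", "No"),
    Response(7, "Risk Assessment", "Yes", "risk register kept by the unit risk coordinator"),
    Response(8, "Risk Assessment", "yes"),                  # claims Yes but gives no evidence
    Response(12, "Control Activities", "No"),
    Response(15, "Information and Communication", "In Development", "intranet pilot under way"),
]

if __name__ == "__main__":
    result = score_questionnaire(SAMPLE)
    for part, total in result["part_totals"].items():
        print(f"{part}: {total}")
    print("total:", result["total"])
    print("improve:", result["improve"], "progress:", result["progress"])
    print("missing evidence:", result["missing_evidence"])
    print("mandatory parts not answered:", result["unanswered_mandatory"])
```

For the sample the Control Environment part scores 3, Risk Assessment 4, Information and Communication 1, the rest 0, for a total of 8; questions 3 and 12 go on the improvement list, 2 and 15 on the progress list, and question 8 is flagged because a Yes without evidence cannot support the assurance the SDU later consolidates.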
Columns: No. | Questions | Yes [8] | No | In Development [9] | Explanation
Points: Yes = 2, No = 0, In Development = 1
1. Are the public internal control standards well known in your administration?
Guidance: It will be convenient to deliver trainings and hold meetings with a view to raising awareness on this subject.
CONTROL ENVIRONMENT
CONTROL ENVIRONMENT Control environment provides a general framework that is the
basis for the other components of the internal control system and it is concept used to
describe the setting out of the goals and objectives of the administration their
communication to the staff and creation of a due organisational structure and culture
Great influence on the control environment have personal and professional integrity ethic
values of the employees and the management supportive attitude towards internal
control written procedures and the practices for human resources management
organisational structure management philosophy and the operating style
2. Are there mechanisms in your administration that ensure familiarisation of all employees with the code of ethics? For example, are trainings provided or meetings organised to adapt the public code of ethics to your administration and to adopt them? Are leaflets produced in this regard?
3. Are there any codes of conduct/ethics available in addition to the public codes of ethics produced for your administration?
4. Has any standard been developed in your administration in terms of duration and method for services directly delivered to citizens?
[8] If the response is “Yes”, evidence (details of the activities carried out, etc.) must be provided in the “Explanations” column.
[9] If the response is “In Development”, the necessary information (details of the activities carried out, etc.) must be provided in the “Explanations” column.
5. Is it ensured that authorised bodies and staff have access to outputs related to all the works and transactions?
6. Are there mechanisms available in your administration for staff and the other people who are delivered service by the administration to submit their recommendations, assessments and questions (questionnaires, face-to-face meetings, group meetings, electronic applications, etc.)? It is recommended that questionnaires to be developed be based upon the principle of confidentiality.
7. Is your administration’s mission written down and announced? The mission can be announced to the staff via bulletin boards, intranet or e-mail. Production of a strategic plan indicates that the mission has been set out.
8. Are there any directives, circulars or approvals in your administration regarding job descriptions of units, sub-units and staff? Job descriptions for the units and sub-units, as well as for staff, must be written down and announced in order to ensure that your administration’s mission is being carried out. If the response is “No”, when this is going to be done must be stated.
9. Does the organisational chart of your administration demonstrate key areas of authority and responsibility, reporting lines which are appropriate to accountability, and coordination and integration points? If the response is “Yes”, roles and responsibilities regarding each objective must be set out clearly. An organisational chart for units must be produced.
10. Have procedures regarding sensitive tasks been set out in your administration? It is recommended that the procedures in question be defined in writing and announced to staff, and that a rotation policy regarding sensitive duties be set out. For detailed information on sensitive duties, refer to the Control Environment chapter of the Manual.
11. Are mechanisms available in your administration to enable managers from each level to monitor the results of the tasks assigned? If the response is “Yes”, these mechanisms (reports, work plans, regular meetings, automation programs, etc.) must be stated.
12. Have the competence, skill and knowledge each task entails been identified in your administration? In answering this question, it must be assessed whether the factors mentioned above are taken into consideration or not while recruiting staff.
13. Have promotion procedures been defined in writing in your administration? The factors mentioned above must be defined taking into consideration staff performance, and these factors must be announced to staff.
14. In your administration, is there a unit responsible for trainings which identifies the training needs for each task identified and ensures that training activities to satisfy the needs are planned and carried out each year?
15. Do the managers of your administration share the results of the assessments they make on staff competence and performance with the staff? It is recommended that the Senior Managers share the results of the assessments with the staff.
16. Is action taken to increase the performance of the staff whose performance is deemed unsatisfactory upon the performance assessment? For example, is any action such as providing private training for that person, discussing the areas where their performance is deemed unsatisfactory, or assigning them under the supervision of more experienced staff taken?
17. Are there rewarding mechanisms in your administration geared towards those staff who give a high performance, and are these mechanisms applied? It is recommended that rewarding mechanisms be developed for staff who give a high performance (picking the employee of the month, abroad assignments, etc.) and that these criteria be announced to all the staff.
18. Have procedures regarding human resources (staff employment, replacement, promotion, training, performance appraisal, personal rights, etc.) been documented? If so, examples must be provided. The procedures mentioned above must also be announced to staff.
19. Are the bodies of signature and approval set out in the flowcharts? If the response is “No”, it is recommended that these business flow processes are defined and that the bodies of signature and approval are identified and communicated.
20. In your administration, have delegations been defined in writing? Delegations must include information on their scope, quantity, duration and whether the authority delegated can be delegated to another person. Furthermore, attention should be paid to striking a balance between authority and responsibility in the delegation of power.
21. Have minimum requirements (knowledge, skill and experience) been identified in your administration for staff to be delegated authority? Please explain how you define this knowledge, these skills and this experience, and how you ensure that the person to whom the authority is delegated has them.
22. Does the employee who receives the authority report information to the delegator on a certain basis about the utilisation of the authority? The reporting period must be proportionate to the duration of the delegation.
TOTAL POINTS - CONTROL ENVIRONMENT
RISK ASSESSMENT
Risk assessment is the process where the risks that might prevent the achievement of the administration’s objectives are defined and analysed and the necessary actions are taken. In this section, the risk perception and risk handling capacity of the administration must be self-assessed using the following questions.
1. Have methodologies and responsibilities, as well as reporting procedures for monitoring and assessing the performance given in the achievement of objectives, been identified in the strategic plans? If the answer is “Yes”, how the monitoring and assessment processes work in practice must be explained briefly.
2. Have the strategic plan and performance programmes been taken into consideration in budget preparations? The activities and projects carried out to reach the aims and objectives set out in the strategic plan, the indicators to be followed and the resource needs for these activities and projects must be shown in the performance programmes. Therefore, these strategic plans and performance programmes must be taken into consideration during the budget preparations for the administrations.
3. Do the activities carried out in your administration/unit comply with the aims and objectives set out in the strategic plans and performance programmes? Administrations must focus on the aims and objectives set out in the strategic plans and performance programmes for the effective, efficient and economic use of resources.
4. While setting out the objectives of your administration and units, has it been ensured that they are SMART?
5. Have your units set out, within their area of competency, specific objectives in accordance with the objectives of the administration? Responses to this question by the units that are unable to set out specific objectives (such as support services) must be considered during the evaluation. Furthermore, the specific objectives that have been set out must be announced to staff.
6. Does your administration have a risk strategy and policy document which is approved by the Senior Manager and accessible to all the staff? The administration’s risk strategy must be reviewed at least once every year and updated when deemed necessary.
7. Are contributions from employees received in the risk management process? Employees feeling a sense of ownership for risk management (identifying, handling, responding to, reviewing and monitoring risks) and regarding risk management as a part of their work will produce a strong corporate reflex against risks. If the answer to this question is “Yes”, please explain how you ensure this contribution.
8. Is risk management, which covers identifying, assessing, responding to and reviewing the risks for your objectives and aims, implemented in your administration? While identifying the risks to the achievement of aims and objectives, a methodology and a certain process must be adopted, and it must definitely be documented (risk register, risk progress report, consolidated risk report and so on). Measures to mitigate risks taken by the administrations must be applied within the framework of action plans.
9. Are annual Internal Control Evaluation Reports prepared in your administration about how effectively the risk management process works in your administration? These reports must cover information about what has been done throughout the year to mitigate risks.
TOTAL POINTS - RISK ASSESSMENT
CONTROL ACTIVITIES
Control activities are the policies and procedures produced to ensure that the administration’s aims and objectives are achieved and the risks identified are managed.
1. In your administration, are efficient control strategies and methods set out and practised for each activity and risk? The defined controls must comply with the risks; different control methods must be applied for different types of risks. Control strategies and methods must be set out and applied in the form of periodical reviews, control by sampling, comparison, approval, reporting, coordination, confirmation, analysis, authorisation, supervision, review, monitoring, periodical checks, security of assets, etc. The controls within the administration must also cover ex-ante, process and ex-post controls where necessary.
2. Is a cost-effectiveness analysis made in your administration in identifying control activities? The expected benefit and the cost of the control activity set out must be compared; controls with costs exceeding the benefits must be identified, and less costly alternative controls must be selected.
3. Are there written procedures regarding your administration’s activities, financial decisions and transactions? There must be written procedures regarding your administration’s activities, financial decisions and transactions. These procedures and the relevant documents must cover the initiation, implementation and conclusion phases of the activity, financial decision or transaction. Procedures and relevant documents must be up-to-date, comprehensive, in compliance with the legislation, and understandable by and accessible to the relevant staff.
4. Do the managers of your administration carry out the necessary controls for the effective and continuous implementation of procedures? The activities and transactions of the administration must be carried out in accordance with the regulations developed in this area. Managers must systematically check whether these regulations are complied with or not (in this regard, such control processes as initials, assent, control lists and physical counts can be defined). Within this framework, managers should monitor whether the work carried out by staff is in compliance with the regulations or not. Manager instructions must be produced about how to remedy the faults and irregularities detected.
5. Is the principle of ‘segregation of duties’ practised in your administration? The tasks of approving, implementing, recording and controlling each activity or financial decision must be carried out by different people, and compliance with the principle of segregation of duties must be supported by written documents. Where segregation of duties is not possible due to an insufficient number of staff, the managers must be aware of the risks and take the necessary precautions. In such cases, other control procedures must be established to manage the risk.
6. Are the necessary measures taken against the factors that affect the continuity of operation in your administration? The necessary measures must be taken against the factors that affect the continuity of operation, such as an insufficient number of staff, temporary or permanent leave, adoption of new information systems, changes to the methods or the legislation, and emergencies. If the response is “Yes”, efficient written procedures, trainings, guidance and planning can be provided as evidence.
7. Is the system of deputation applied efficiently in your administration? Where necessary, deputies must be assigned in accordance with the relevant procedures. The person assigned as a deputy must have the necessary qualifications. Detailed internal arrangements must be made regarding the deputation procedures included in the personnel laws, and the qualifications required from the deputies must be defined in detail.
8. Do the staff leaving their positions report to their successors about the status of the works and transactions they have conducted? Managers must ensure that the staff leaving their positions prepare a report on the status of the tasks and operations, along with the necessary documents, and submit it to their recently assigned successors. The report must include the list of the important tasks being carried out, the risks to be considered as a priority, the list of periodic tasks, and so on.
9. Are there defined authorisations for data and information input and access to the information system in the administration? The information system must only be accessible to authorised staff. To this end, regularly updated information security software must be used for access to the computer programmes. Arrangements regarding the designated level of security must be complied with while working on documents.
10. Are there sufficient back-up mechanisms and tested disaster recovery plans/action plans for the information system?
TOTAL POINTS - CONTROL ACTIVITIES
INFORMATION AND COMMUNICATION
Information and communication includes a proper system of information, communication and registry that ensures the necessary information is communicated to the person, employee or manager who needs it, in a certain format and in a timely manner, that the objectives are reached, and that enables the relevant people to fulfil their internal control responsibilities.
1. In your administration, is there an efficient written, electronic or verbal internal communication system that covers both horizontal and vertical communication? The response to this question should include the means/methods (in person, via telephone, e-mail, in writing, etc.) the staff use to communicate with each other or their managers, and a consideration of whether these are appropriate and/or efficient. In order for the employees to receive the information they need to carry out their tasks uninterruptedly, it must be ensured that they are in touch with managers from all levels, including top management.
2. Is there an external communication system to ensure efficient communication with external stakeholders? This system monitors communication and checks whether the questions can be answered or not.
3. Do the present internal and external communication systems ensure that the staff or external stakeholders can communicate their expectations, recommendations and complaints? For example, whether the Law no. 4982 on the Right to Information is efficiently executed within the administration and whether requests and complaints are responded to in time should be considered.
4. Is it ensured that all the information and documents regarding the activities of your administration are accurate, complete, reliable, useful and understandable? Information systems must ensure timely access to the accurate, complete, reliable and understandable information required while carrying out the operations. The response to this question must include a statement on whether mechanisms (decision support systems, archive and document management systems, etc.) for ensuring the aforementioned principles exist.
5. Do the present information systems ensure that the objectives set by the administration are monitored and that the activities regarding these objectives are efficiently supervised and assessed? The Management Information System must be designed in a way that it produces the information and reports that the managers need during decision-making processes and provides them with the chance to make analyses.
6. Are there reporting mechanisms with rules and standards set out in line with the monitoring of objectives, supervision of activities and accountability purposes? The performance programmes, the published financial progress reports that include the expectations and objectives, and the content of the activity reports must be in line with the requirements of the relevant legislation.
7. Is there a documentation and archiving system that complies with certain standards for the recording, classification, protection of and access to the operations and transactions of the administration? While responding to this question, Standard 15 of the Public Internal Control Standards and the legislation on archiving and documentation must be considered.
8. Are there tools available to report, from inside and outside the administration, faults, irregularities and possible or ongoing problems? Employees and outer stakeholders must be informed enough about these tools. There must be a whistle-blowing process and a procedure for protecting personnel, and they must be informed about these. Managers must take the necessary actions to prevent discrimination and ill treatment against whistle-blowers.
TOTAL POINTS - INFORMATION AND COMMUNICATION
MONITORING
The internal control system is a dynamic process where the administration has to continuously adapt to the risks and changes it faces. Therefore, the internal control system needs to be monitored in order to ensure that it adapts to the changing objectives, environment, resources and risks as necessary. The basis for effective and efficient monitoring is the design and implementation of monitoring procedures that are relevant to the administration’s objectives and that assess the important controls regarding meaningful risks.
When monitoring is designed and implemented properly, it provides correct and convincing information on the efficiency of the internal control system, identifies internal control failures on time, and notifies the people responsible for taking action and the top management where necessary. This will ensure that the problems faced are corrected before they harm the objectives of the administration. Monitoring is carried out by the management and by internal and external audit.
1. Is the internal control system monitored and assessed at least once a year? Please explain at what intervals the internal control system in your administration is assessed and the methods used. The internal control system must be assessed via ongoing evaluations or separate evaluations. It is recommended that these two methods are applied at the same time. (A separate evaluation of the internal control system can be carried out by setting up working groups or via questionnaires.)
2. Are processes and methods set out in your administration to identify and disclose the shortcomings of internal control and improper control methods, and to take the necessary actions? If the response is “Yes”, please briefly mention the process and method adopted in your administration. It is recommended that the processes and methods are put into practice upon approval by the Senior Manager. Please give brief information on the responsible staff notified in the event of an incomplete or improper control method, the time limit set for taking action, and how these procedures are monitored. Management fulfils this responsibility via the SDUs and internal auditors.
3. Are trainings, plenary sessions and meetings held which will create the atmosphere in which managers will be provided with feedback about whether internal control functions effectively or not?
4. Are the units of the administration involved in the evaluation of internal control? If the answer is “Yes”, please explain how participation is ensured. It must be ensured that units take an active part in the process, and the task of evaluating the internal control system must not be perceived as the responsibility of only the Senior Manager, the internal auditor and the SDU.
5. Is there an internal audit unit/internal auditor in your administration?
6. Is there efficient cooperation among the internal audit unit, management and staff? What has been done to increase the level of awareness of the managers and the staff on internal audit activities? What has been done to see the relations with the internal audit unit and the expectations? Please explain briefly.
7. While evaluating internal control, are the opinions of the managers, the requests and complaints by people/organisations, and the reports produced upon internal and external audit taken into consideration? The method to adopt for the collection, assessment and reporting of the information required for the evaluation of internal control must be set out. Please refer to the staff responsible for assessing the internal and external audit findings and recommendations for the evaluation of internal control, the time limits for these assessments, and the management level to which this information is communicated. Compare the internal and external audit reports with the results of the internal control system evaluation by the SDU for consistency. In the event that any inconsistency is identified, the reasons for this must be questioned.
8. Are recommendations from internal audit and the SDU about how to improve internal control taken into consideration by management?
9. Are action plan(s) covering the internal control evaluation results and the recommendations made upon internal and external audit produced and implemented? Are they followed up? If the timing is appropriate, action plans can be combined. Please give brief information on the staff responsible for following up the action plans and the method used. Furthermore, please provide information on the method used for the follow-up of internal audit reports, if there is any. With which level of management are the results of the follow-up shared, and how often? Please explain.
TOTAL POINTS – MONITORING
GRAND TOTAL
Annex 2 Internal Control System Evaluation Report
…………………………… (NAME OF ADMINISTRATION)
INTERNAL CONTROL SYSTEM EVALUATION REPORT
I. INTRODUCTION
I.1 Mission
I.2 Aims and Objectives
I.3 Organisational Structure
II. INTERNAL CONTROL QUESTIONNAIRE RESULTS
II.1 Consolidated summary on strengths and aspects open to improvement regarding the entire organisation, relevant to each COSO component:
- Control Environment
- Risk Management
- Control Activities
- Information and Communication, and
- Monitoring
III. OTHER INFORMATION
III.1 Internal Audit Reports
III.2 External Audit Reports
III.3 Other Information Sources
III.3.1 Budget Information
III.3.2 Data on Ex-ante Financial Control
III.3.3 Requests by Individuals and/or Administrations
III.3.4 Other Information
IV. CHANGE SINCE THE LAST REPORT
IV.1 For each COSO component, has the position got better or worse, and why?
V. CONCLUSION
V.1 Strengths
V.2 Aspects Open to Improvement
V.3 Recommendations for Action
Annex 3a Internal Control Assurance Declarations: Senior Manager
I. RESPONSIBILITY
As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of [the administration]. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.
II. PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION
I declare that my administration’s budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements, and that the resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.
In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration’s revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; that my administration operates in line with the laws and other regulations; that irregularities and fraud are prevented in each financial decision and transaction; that regular, timely and reliable reports and information are acquired for decision making and monitoring; and that assets are safeguarded against abuse, waste and losses.
This assurance is based on my knowledge and considerations as the Senior Manager, the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programme, the studies of the SDU, and the internal and external audit reports (if available).
In the following part, the Senior Manager must explain the support provided by the management information systems, the internal and external evaluations within the framework of the quality assurance development programme, internal and external audit, and the SDU.
Management Information Systems
Please read section no. 6.1.1.3 before completing this part.
Internal Audit
Please read section no. 6.1.1.4 before completing this part.
External Audit
Please read section no. 6.1.1.5 before completing this part.
SDU
Please read section no. 6.1.1.6 before completing this part.
III. RISK MANAGEMENT [10]
As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration and in the production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, the creation of the necessary organisational capacity and the embedding of risk management into the general activities is valued.
In the following part, the authorising officer should address the risk perception of the administration and its capacity to deal with risk.
Risk perception of the administration should summarise:
Please read section nos. 6.1.1.7 and 6.1.1.8 before completing this part.
Capacity to handle risk
Please read section no. 6.1.1.9 before completing this part.
My administration faces a wide range of risks during the course of its activities. These risks are considered in accordance with the principle that the cost of the internal controls to be developed for control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted across the levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.
In the following part, the Senior Manager should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration’s risks.
Identification and assessment of the risks
Please read section no. 6.1.1.10 before completing this part.
Addressing, control environment, monitoring and reporting of the risks
Please read section no. 6.1.1.11 before completing this part.
[10] This part must be completed when the risk management process starts to function in the administration.
IV. APPRAISAL OF THE INTERNAL CONTROL SYSTEM
As the Senior Manager, during the preparation of the foregoing declaration I also considered the assurance declarations by the Authorising Officers and the Head of SDU. The information and evaluations I have received from these declarations pose an important basis regarding the assurance I have to provide on the internal control system in my administration.
Furthermore, [advisory, audit, risk steering] boards/committees have been set up within [the administration] to provide support and guidance for the evaluation of the internal control system, particularly in terms of risk strategy and management. The reports prepared by these boards have made a great contribution to the evaluation of the internal control system.
Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term and how these developments have been handled are summarised below.
Please read section no. 6.1.1.12 before completing these parts.
Human Resources
Physical infrastructure and assets
IT and communication infrastructure
Data security
New structures and changing fields of activity
Problems faced in the main fields of activity or examples of best practice
Developments regarding weaknesses stated in previous years
Other developments
(Date)
Signature
Name
Title
Annex 3B Internal Control Assurance Declaration: Authorising Officer
INTERNAL CONTROL ASSURANCE DECLARATION [11]
I. RESPONSIBILITY
As the authorising officer within my field of competence, I am responsible for ensuring that my expenditure orders are in line with the fundamentals and principles of the budget, the laws, rules and regulations and other legislation; that the appropriations are utilised in an efficient, effective and economic manner; and that internal control operates properly.
II. PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION
I declare that the operations and transactions carried out by my spending unit comply with the aims and objectives of the administration, high financial management principles, control arrangements and the legislation; that the resources allocated with the administration budget to the spending unit have been utilised in line with the planned objectives; and that the internal control system within my unit provides sufficient and reasonable assurance.
This declaration of assurance is based on my own information and evaluations as the authorising officer, and on the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programmes, the studies by the SDU, and the internal and external audit reports.
In the following part, the support provided by the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programmes and the studies by the SDU should be elaborated by the authorising officer.
Management Information Systems
Please read section no. 6.1.1.3 before completing this part.
Internal Audit
Please read section no. 6.1.1.4 before completing this part.
External Audit
Please read section no. 6.1.1.5 before completing this part.
SDU
Please read section no. 6.1.1.6 before completing this part.
[11] Please read section no. 6.1.1 before completing this part.
III RISK MANAGEMENT [12]
Within the framework of the overall risk perception, strategy and awareness of the administration, the capacity to handle risk has been determined for the activities specific to my unit, and the necessary importance has been attached to embedding risk management in its activities.
In the following part, the authorising officer should address the capacity to handle risk.
Capacity to handle risk
Please read section no 6.1.1.9 before completing this part.
My spending unit faces various risks during the course of its activities. These risks are considered in line with the principle that the cost of the internal controls to be developed does not exceed the benefit planned to be gained from them. A systematic approach has been adopted in the spending unit for the identification, addressing, assessment, monitoring and reporting of the risks faced.
In the following part, the authorising officer should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration's risks.
Identification and assessment of the risks
Please read section no 6.1.1.10 before completing this part.
Addressing, control environment, monitoring and reporting of the risks
Please read section no 6.1.1.11 before completing this part.
IV EVALUATION OF THE INTERNAL CONTROL SYSTEM
The following is the summary of the most significant developments experienced in the activities of my unit within the period covered by the foregoing report and how these developments have been addressed by the internal control system.
Please read section no 6.1.1.12 before completing these parts.
Human Resources
IT and communication infrastructure
Data security
[12] This part must be completed when the risk management process starts to function in the administration.
New structures and changing fields of activity
Problems faced in the main fields of activity or examples of best practice
Developments regarding weaknesses stated in previous years
Other developments
As the authorising officer, I hereby declare that we have also carried out some transactions overriding the opinion of the SDU. Information and justifications for these transactions are as follows:
There is no such a work I carried out that is not found to be appropriate by SDU.
(In this part, transactions, if any, carried out by the authorising officers despite the negative opinion provided upon the ex-ante financial control should be set out. If there is no such work as mentioned above, then the expression "there is no such a work I carried out that is not found to be appropriate by SDU" should be included.)
(Date)
Signature
Name
Title
Annex 3b Internal Control Assurance Declaration Head Of SDU
INTERNAL CONTROL ASSURANCE DECLARATION
As the Head of SDU, I declare that the internal control system has been implemented and monitored, and that my opinions and recommendations have been reported to the Senior Manager to take the necessary actions in time, in order to ensure that the activities in [the administration] are carried out in accordance with the financial management and control legislation and other legislation, and that public resources are utilised in an efficient, effective and economic manner.
Please read section no 6.1.2 before completing this part.
In the following part, the studies should be explained regarding the management information systems, development of the internal control system, monitoring and review, and briefing and advising by the Head of SDU.
Management Information Systems
Please read section no 6.1.2.1 before completing this part.
Development of Internal Control System
Please read section no 6.1.2.2 before completing this part.
Monitoring and Review
Please read section no 6.1.2.3 before completing this part.
Briefing and Advising
Please read section no 6.1.2.4 before completing this part.
Financial Information
Please read section no 6.1.2.5 before completing this part.
I confirm that the information included in section IIIA - Financial Information of the Activity Report (year) is reliable, complete and accurate.
(Date)
Signature
Annex 4 Example Of A Complete Declaration
INTERNAL CONTROL ASSURANCE DECLARATION
(SENIOR MANAGER)
Name-Surname
Title
I RESPONSIBILITY
As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of the Ministry of Space Exploration. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.
II AIMS AND PILLARS OF INTERNAL CONTROL SYSTEM
I declare that my administration's budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements, and that resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.
In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration's revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; my administration operates in line with the laws and other regulations; irregularities and fraud are prevented in each financial decision and transaction; regular, timely and reliable reports and information are acquired for decision making and monitoring; and assets are safeguarded against abuse, waste and losses.
This assurance is based on my knowledge and considerations as the Senior Manager, management information systems, internal and external evaluations carried out within the context of the quality assurance development programme, studies of the SDU, and internal and external audit reports (if available).
Management Information Systems
Management information systems have been established in all General Directorates in order to provide information for managers that enables effective decisions to be made and for information on changing risks to be monitored in our Ministry. However, not all of our legacy IT systems have been fully assessed for security risks. As part of the measures being taken to strengthen data security governance, we will ensure that the IT systems supporting our most time critical business processes are reviewed to establish a known risk position by December 2010. We will carry out a review of our remaining systems during 2011.
Internal and External Evaluations Carried Out Within The Context Of Quality Assurance Development Programme
Presidency of Strategy Development has carried out one internal evaluation of the effectiveness of internal control within the context of the quality assurance and development programme. The main findings of this evaluation are:
That compliance with internal control standards was good in terms of effective control activities in order to minimise risk.
Internal Control and Risk Steering Board has been set up within the Ministry to contribute to the evaluation of the internal control system.
Unit managers needed to develop their skills regarding ongoing monitoring of internal control systems.
Based on the evaluation findings, the Ministry has produced an action plan which is planned to be put into practice as of June 2010.
There were no external evaluations carried out within the context of the quality assurance and development programme, but the CHU has declared that this is scheduled for 2013.
Internal Audit
Our Ministry's Internal Audit Unit continues to operate within the framework of a three-year audit plan. Internal Audit operated to requirements defined in the Public Internal Audit Standards. Their audit programme was focused around the Ministry's key risks of internal control, together with recommendations for improvement. The Director of Internal Audit Unit provided me with an annual Internal Control Evaluation Report which contained an independent opinion on the adequacy and effectiveness of internal control. The conclusion of the Director of Internal Audit Unit was that the following aspects of internal control should be improved:
Awareness of the Deputy Undersecretaries and General Directors on internal control responsibilities and risk management
Improvement of the present arrangements regarding the promotion, assignment and appointment system to make it transparent and competence based
Improvement of communication between the central and provincial organisations of our ministry
Review of management information systems to update old systems
Improvement of allowances and supplementary payments for personnel going to space
It has been decided that a working group consisting of managers from the SDU, General Directorate of Personnel and other relevant units will put these recommendations into an action plan.
External Audit
The TCA has approved the annual accounts of the Ministry.
SDU
An evaluation on the internal control system has been carried out with the full participation from the SDU, Spending Unit managers and the staff, and a report has been produced and submitted to the CHU on 30th March 2010. The main findings of the review are listed above under the heading "Internal and External Evaluations Carried Out Within the Context of Quality Assurance Development Programme" in this document. SDU staff also underwent training in risk management during this year.
III RISK MANAGEMENT
As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration and the production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, the creation of the necessary organisational capacity and the embedding of risk management into the general activities is valued.
The SDU took the lead in embedding risk management in the organisation by reviewing and updating the key corporate external and internal risks facing the Ministry each month. The SDU also began an exercise to identify long term risks that may pose a significant threat to the Ministry in the future. These risks were recorded on a long term risk register and the intention is that they will be reviewed every six months. Should the threat increase, these risks will be escalated to me for appropriate action to be taken.
The Internal Control and Risk Steering Board also endorsed an action plan to further embed good risk management practice within the Ministry's processes and systems and to support innovation through well managed risk taking. Work to establish this position will continue and focus on those areas identified as still most in need of improvement. This will include giving further consideration to risk appetite, where the focus will be on practical examples of how it can be applied in practice, thus making it easier to communicate its awareness among staff.
Guidance was available to all staff on risk management through the risk management intranet site. In addition to a risk management policy, specific guidance was available on undertaking risk self assessment, which includes guidance on applying risk management as an integral part of the Ministry's business planning process. Risk management workshops were available to all staff, and practical guidance on its application had been incorporated into a wide range of training courses. These courses covered all ranges of staff and were tailored to be appropriate to their authority and duties.
My administration faces a wide range of risks while carrying out its activities. These risks are assessed in accordance with the principle that the cost of the internal controls to be developed for control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted across the levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.
The risk management framework for our Ministry operated through the initial identification, as part of the business planning process, of risks which threatened achievement of the Ministry's objectives. These risks were then evaluated in terms of impact and probability. This process established the level of residual risk to which the Ministry was exposed, which was monitored over time as part of performance management. Ownership for each risk was assigned to a named individual. Reasonable assurance that risk mitigation activities were appropriate was obtained through regular management reviews and internal audits of the key activities undertaken in the Ministry.
In order to further embed best practice in risk handling and to ensure a consistent interpretation of the acceptable extent of residual risk, our Ministry will review its risk appetite and communicate it more effectively across the organisation.
IV APPRAISAL OF THE INTERNAL CONTROL SYSTEM
As the Senior Manager, during the preparation of the foregoing declaration I also considered the assurance declarations by the Authorising Officers and the Head of SDU. The information and evaluations I have received from these declarations form an important basis for the assurance I have to provide on the internal control system in my administration.
Furthermore, an Internal Control and Risk Steering Board has been set up within the Ministry of Space Research to provide support and guidance for the evaluation of the internal control system, particularly in terms of risk strategy and management. Reports prepared by this Board have made a great contribution to the evaluation of the internal control system.
Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term and how these developments have been handled are summarised below.
In our investment programmes, the underspend reported last year in the spacecraft development programme has been managed; there is now less than 2 slippage in that programme. Underspends have arisen this year in other areas, for example:
The satellite programme, TL 121 m. Internal Audit Unit has reviewed the Investment Budget management and an action plan is being developed to address the audit findings.
Astronauts training programme, TL 113m, due to slower than expected take-up. Processes will be streamlined to reduce barriers and it is expected the budget will be fully used in the next year.
Renovation of launching stations programme, TL 16m, arising mainly from slippage in international cooperation projects affecting the expected refurbishment programme, together with some incorrect historical data for tracking capital allocation. New systems will prevent the reoccurrence of this problem.
Whilst recognising the above summarised issues, good progress has been made in resolving them and there are plans in place to further enhance the internal control system and improve practice. As Senior Manager, I provide reasonable assurance that the above issues do not represent a material threat to operational effectiveness and that our Ministry complies with the public internal control standards on risk management, internal control and governance.
(Date)
Signature
Name
Title
GLOSSARY
CONCEPT: DEFINITION
Explicit information: the information which can be created, expressed, obtained and transferred in accordance with a specific system.
Aim: the concept which refers to the objectives contained in the strategic plan that the administration aims to attain.
Information: financial and non-financial data related to internal and external events and activities which is created, obtained and communicated in a particular form and at a particular time to ensure that people carry out their duties.
Information security: refers to safeguarding valuable assets in an administration against loss, misuse or damage.
Information map: a demonstration of the information kept in units or their systems which can be shared, and of the expertise and experience of personnel, on an organisational scheme or map in accordance with the organisational structure.
Information pool: the accessible area where information obtained in hard form or soft form is stored and kept ready for re-use.
Information architecture: the organisation of information with a view to making it accessible, manageable and useful, from infrastructure level to end-user level.
Information stock: financial and non-financial information available in the administration at a particular time.
Information technology: a system that controls all activities, including communication and computers, which are used for the purposes of collecting, storing and processing information, its transmission from one point to another through communication systems and computers, and its provision to the service of users. Information technology is a concept that is used to refer to all information services which can be connected through communication and computer systems.
Information management: a process where information is planned and obtained from any kind of source, internally or externally, classified, stored, communicated to relevant bodies in a timely manner for interpretation, reviewed for updating and disposed of.
External audit: within the framework of the accountability responsibility of public administrations within the scope of general management, it is the activity of examining the compliance of the financial activities, decisions and procedures of the administration with laws, administrative objectives, aims and plans, and reporting the results to the TGNA by the Turkish Court of Accounts.
Audit trail: requires the maintenance of records giving the full documentation and justification at all stages of the life of a transaction, together with the ability to trace transactions from summarised totals down to the individual details and to trace all reporting stages.
Inherent risk: refers to those risks whose probability and impact cannot be changed unless particular precautions are taken by the administration. When risks are identified for the first time they are at inherent risk level.
Ethics: a body of moral principles, values and standards which forms the basis for the behaviours of a person and guides them on how to do their work.
Cost-Benefit Analysis: the identification and comparison of the costs and benefits regarding the implementation of a planned work or activity. In cases when benefits outweigh costs, the work or activity is considered to be cost-effective.
SWOT Analysis: a method in which the administration systematically examines itself and the conditions having an impact on the administration. In this framework, the strengths and weaknesses of the administration as well as the threats and opportunities that may occur outside the administration are identified. This is an analysis which forms the basis for the strategic planning process.
Segregation of duties: covers the principle that the duties of approval, implementation, recording and control of each activity or financial decision and transaction shall be assigned to different people.
Objective: these are the specific and measurable sub-aims geared towards attaining the aims contained in the strategic plan.
Performance objectives: outcome oriented objectives that administrations plan to attain in a programme period with a view to attaining the aims and objectives contained in the strategic plan.
Internal audit: an independent and objective activity of giving assurance and providing counselling with a view to providing guidance and assessing whether resources are managed in compliance with the principles of effectiveness and efficiency, in order to improve and add value to the activities of the public administration.
Internal control: the body of financial and other controls, covering the organisation, method, process and internal audit in an administration, carried out with a view to ensuring that activities are conducted effectively, efficiently and economically in line with the administration's aims, its identified policies and the legislation; that assets and resources are protected; that accounting records are kept accurately and completely; and that financial information and managerial information is produced in a reliable and timely manner.
Internal control assurance declaration: the declaration annually signed by senior managers, authorising officers and heads of strategy development units within the framework of accountability and transparency, to state that processes and transactions are conducted in line with the principles of good financial management, control regulations and the legislation.
Internal Control and Risk Steering Board: the Board makes assessments concerning the development of processes and methods related to the internal control system, such as the determination of policies about monitoring internal control practices and the introduction of risk in the administration.
Whistleblowing: the notification of illegal and unethical behaviours and actions to internal and external authorities that have the power and authority to solve the problem, by persons with information (employees or stakeholders), so that administrations or third persons inside or outside the administration are not affected.
Business continuity: the plans that aim at ensuring continuity for the activities of the administration, or ensure continuity without any interruption after any extraordinary situations.
Ex-post controls: the controls applied by management to the administration's activities after they have been carried out, using pre-identified methods.
Monitoring: the activity of assessing, within the framework of compliance with internal control standards, whether the internal control system provides the expected contribution to attaining the objectives and aims of the administration, and determining the activities to be carried out in fields that are open to improvement.
Residual risk: refers to risks remaining after management has taken precautions to reduce their probability and impact.
Control activities: actions aimed at reducing the impact and/or the likelihood of a risk occurring and thus increasing the probability of attaining the goals and objectives of the organisation or part of the organisation.
Financial Management and Control: the development, implementation, monitoring and improvement of suitable organisations, methods and processes within managerial responsibility, to ensure effectiveness, efficiency and economy in obtaining and using resources as well as compliance with the identified aims and objectives and the legislation.
Central Harmonisation Unit: is affiliated to the Ministry of Finance. The unit develops and harmonises methods and standards concerning financial and internal control processes and provides related guidance for public administrations.
Mission: the mission is the cause of existence of an administration and its place within the state structure. In other words, the mission is the answer to such questions as what the public administration does, and how and for whom it does what it does.
Focus group: meetings that are held among a target group composed of 6-8 people to receive their thoughts and reactions in a detailed and elaborate manner. They are managed by a moderator within the framework of a flow plan.
Probability: refers to the likelihood that an event may occur.
Organisational structure: the general system covering all the activities and procedures undertaken to attain the aims and objectives of the administration.
Ex-ante financial control: a control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out against the available appropriation amount, expenditures programme, financing programme and the provisions of the central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently.
Implicit information: the information in people's minds which is not regulated in accordance with a particular system and is therefore not easy to transfer and circulate, and the registered information which is not accessible to employees.
Stakeholders: the people, groups and administrations which are relevant to the administration's products and services and can directly or indirectly, positively or negatively, affect or be affected by the administration.
Risk: can generally be defined as the uncertainty of events that may occur in the future, or the undesirable outcomes and impacts of an event. For administrations, risk can be defined as the negative or positive effects of internal and external factors that may occur in the future on attaining the objectives and aims of administrations. In risk terminology, the positive aspects of risk and the wins it may bring along are referred to as opportunity, and the negative aspects and the losses it may cause are referred to as threat.
Risk assessment: analysing those factors which can have an impact on attaining the objectives of the administration.
Transferring risk: the response to risks by taking some of them away from the responsibility of the administration and transferring them to others.
Handling risks: the identification of responses to risks identified and assessed (within the framework of risk appetite) by public administrations, reducing the expected threats and benefiting from the opportunities that may emerge within this context.
Impact of risk: refers to the outcomes or effects that a risk-posing event can produce once it occurs.
Risk appetite: the amount of risk an administration is ready to accept (tolerate, be exposed to) at any time before deciding on the need to take any relevant precautions, in line with its strategic objectives, mission and vision. In terms of threats, it refers to the exposure level which can be tolerated and justified; in terms of opportunities, it refers to how ready a person is to actively take the risk to gain the benefits of the opportunity.
Tolerating risks: a passive method of response given to risks which public administrations are comfortable to undertake.
Avoiding risks: a response to risks by removing the activities in which risks are probable to occur, thus eliminating the risks that are probable to occur together with the activities.
Controlling risks: a method of response to risks by means of control activities carried out to keep tolerable risks at a certain level in public administrations.
Preventive Controls: these are controls carried out to prevent threats that a risk may pose and undesirable outcomes a risk may produce once it occurs.
Corrective Controls: these are controls aiming at reducing the impact of undesirable outcomes that arise from threats a risk poses once it occurs.
Directive Controls: these are controls carried out to prevent the occurrence of a risk or avoid the impact it may produce once it occurs.
Detective Controls: these are controls applied to identify damages and losses experienced once the risk is realised.
Risk profile: a documented and prioritised overall assessment of the range of specific risks faced by the administration.
Risk management: a management tool and all the mechanisms related to identifying and assessing risks that may have an impact on attaining the aims and objectives of the administration, identifying responses to risks, regularly reviewing and updating risks and responses, and monitoring the whole process.
Corporate risk management: a process which covers the entire administration and ensures that risk management processes are considered and handled as a whole.
Risk strategy: the overall organisational approach to risk management as defined by the Accounting Officer and/or the Board. This should be documented and easily available throughout the organisation.
Risk Strategy and Policy Document (RSPD): the corporate approach to risk management identified by the Head of Administration and senior level policies are called the risk strategy, and the document in which this approach and policies are set down in writing is called the Risk Strategy and Policy Document (RSPD).
Risk identification: the process of identifying, ascertaining, categorising and updating risks that prevent or limit the achievement of the administration's strategic objectives, using previously defined methods.
Strategy Development Unit: refers to presidencies of strategy development units, departments of strategy development, and directorates where strategy development and financial services are undertaken. They carry out studies to establish, implement and continuously develop internal control systems and report the study results to the Head of Administration.
Irregularity: faults, errors and negligence stemming from violation of regulations and provisions related to financial management.
Delegation of authority: the delegation of the responsibility and authority for making decisions to another authority, in writing, in the way envisaged in the legislation.
Fraud: misuse or insufficient use of documents and declarations for monetary purposes or non-monetary private purposes, as well as hiding information or deliberate acts performed to abuse a benefit legally obtained, and negligence and illegal use of public power.
Management Information system: supporting systems which provide proper data for managers and decision-makers for taking decisions and implementing them, with a view to more effectively attaining the previously identified objectives of the administration, by operating and communicating the information used in the administration.
Managerial: refers to management being accountable, for the decisions they have made regarding the duties assigned as well as for the effective use of public resources, to the Parliament, the Government and public opinion.
Governance: governance is the way in which organisations are directed and controlled. It defines the distribution of rights and responsibilities among the different stakeholders and participants in the organisation, determines the rules and procedures for making decisions on corporate affairs, including the process through which the organisation's objectives are set, and provides the means of attaining those objectives and monitoring performance.
Conference call: a system of telecommunications technology that enables a number of people in different locations to hold a discussion using the telephone.
76 Learning 57
RISK MANAGEMENT ANNEXES 59 ANNEX 1 Using the brainstorming method to identify assess and record risks 59
ANNEX 2 Risk Voting Form 61
ANNEX 3 Risk Register 61
ANNEX 3 Risk Register 62
ANNEX 4 Consolidated Risk Report 64
ANNEX 5 Risk Assessment Criteria Table 66
ANNEX 6 Case Study Example of Inherent and Residual Risk 68
ANNEX 7 Case Study Example of completed Risk Voting Form Risk Register and
Consolidated Risk Report 69
CONTROL ACTIVITIES 72 1 Introduction 72
2 Control Activities Standards 72
3 Planning Process of Control Activities 73
4 Classification of control activities 73
4 1 Preventive controls 73
42 Corrective Controls 74
43 Directive Controls 74
44 Detective Controls 74
5 Methods of control activities 75
51 Authorisation and approval 76
52 Segregation of duties 76
53 Double signature system 76
54 Reconciliation of data 77
55 Supervision procedures 77
56 Ex-ante financial controls 77
57 Procedures for accounting operations 77
58 Anti-corruption 78
59 Access to assets and information 78
510 Documentation archiving and storing of information 78
511 Business continuity (or emergency plans) 79
512 Control activities related to Information Technology (IT) 79
513 Assessing costs and benefits of control activities 80
6 Practıcal Stages For Control Actıvıtıes 81
7 Steps to identify and implement control activities 83
Control Activities Annexes 84 Annex 1 ndash Examples of some common risks and controls 84
Annex 2 List of common control activities 87
Annex 3 - Illustrations for cost benefit analysis 95
INFORMATION AND COMMUNICATION 97 1 INTRODUCTION 97
2 Information and Communication Standards 97
3 ROLES AND RESPONSIBILITIES IN INFORMATION AND COMMUNICATION 98
Minister 98
Head of Administration 98
4
Internal Auditor 98
Authorising Officer 98
Realisation Officer 99
Accounting Officer 99
Strategy Development Units 99
Central Harmonisation Unit 99
4 INFORMATION 99
41 Characteristics of Information 99
42 Information Management 100
43 Information Security 106
5 MANAGEMENT INFORMATION SYSTEMS (MIS) 108
51 Stages of Establishing MIS 109
6 COMMUNICATION 110
61 Internal and External Communication 111
62 Communication Methods 113
7 WHISTLEBLOWING OF FAILURES IRREGULARITIES AND FRAUD 114
71 Concepts of Failure Irregularity Fraud and Whistleblowing 115
72 Scope of Notifications 115
73 The Responsibility for Detecting Faults Irregularities and Fraud 116
74 Whistleblowing System 116
8 RELATIONS AMONG UNITS 119
81 Information and Communication between the CHU and SDUs 119
82 Information and Communication between SDUs and Spending Units 119
INFORMATION AND COMMUNICATION ANNEXES 120
Annex 1 - Legislation on Information and Communication 120
Annex 2 - Widely Used Methods of Communication 121
Annex 3 Reports Prepared under PFMC Law No 5018 124
Annex 4a Whistle-Blowing Process Related to Ethical Values 125
Annex 4b Whistleblowing and Evaluation Process for Crimes Committed by Civil Servants
126
MONITORING 127 1 Introduction 127
2 Monitoring Internal Control Standards 128
3 Roles And Responsibilities 128
31 Senior Manager 128
32 Internal Audit 128
33 Internal Control and Risk Steering Board (ICRSB) 128
34 Authorising Officers 128
35 Strategy Development Units (SDU) 129
36 Other Managers and Employees 129
37 External Audit 129
38 Central Harmonisation Unit (CHU) 129
4 Guidance by the CHU 130
5 Assessment and Reporting Role of SDUs 131
51 Assessment of Internal Control System by SDUs 131
52 Reporting of Internal Control System Evaluation Results 132
53 Monitoring of Internal Control System Evaluation Reports 133
54 Work to be carried out by SDUs concerning Internal Audit Reports 134
6 Internal and External Audits 136
61 Internal Audit 136
5
62 External Audit 137
7 Internal Control Assurance Declarations 138
71 How to complete Internal Control Assurance Declarations 139
MONITORING ANNEXES 146 Annex 1 Internal Control System Question Form 146
Annex 2 Internal Control System Evaluation Report 162
Annex 3a Internal Control Assurance Declarations Senior Manager 163
Annex 3B Internal Control Assurance Declaration Authorising Officer 167
Annex 3b Internal Control Assurance Declaration Head Of SDU 170
Annex 4 Example Of A Complete Declaration 171
GLOSSARY 174
LIST OF ABBREVIATIONS
ARC: Administrative Risk Coordinator
BiMER: Prime Ministry Communication Centre
CHU: Central Harmonisation Unit
COBIT: Control Objectives for Information and Related Technology
COSO: Committee of Sponsoring Organisations of the Treadway Commission
DHSDU: Declaration by Head of Strategy Development Unit
e-SAC: Electronic System Audit and Control
FMC: Financial Management and Control
HRM: Human Resources Management
ICAD: Internal Control Assurance Declaration
ICRSB: Internal Control and Risk Steering Board
INTOSAI: International Organisation of Supreme Audit Institutions
ISO/IEC: International Organisation for Standardization / International Electrotechnical Commission
IT: Information Technology
MERNIS: Central Civil Registration System
MIS: Management Information System
PESTLE: Political, Economic, Social, Technological, Legal and Environmental
RSPD: Risk Strategy and Policy Document
SDU: Strategy Development Unit
SMART: Specific, Measurable, Achievable, Relevant, Time-related
SURC: Sub-unit Risk Coordinator
SWOT: Strengths, Weaknesses, Opportunities and Threats
TGNA: Turkish Grand National Assembly
TSE: Turkish Standards Institute
URC: Unit Risk Coordinator
UYAP: National Judicial Information System
INTRODUCTION

From the late 20th century onwards, the focal point of governments across the world has been to establish mechanisms that increase performance. "Good governance", put forward to serve this end, has recently come to be a guiding principle for both the private sector and the public sector. Within the framework of the principle of good governance, such factors as ensuring accountability for the provision of better-quality public services, improving transparency, delegating authorities and responsibilities by means of managerial flexibility, outcome-oriented management and budgeting, and understanding and meeting the expectations of citizens have come to the foreground.

On the other hand, the provision of quality public services has brought with it the need for public resources to be used effectively, efficiently and economically, thus necessitating the use of effective tools in public administrations in many areas related to financial management and control, from organisational structure to information and monitoring. The most important accountability tool adopted in this reform process is internal control.
Internal Control

Internal control, as the term is used internationally, is a system designed to give reasonable assurance that the objectives of a given administration will be attained. Within the framework of the Committee of Sponsoring Organisations (COSO) model, which is the most widely known among the others, internal control aims to ensure compliance of actions and works with the legislation, as well as the reliability of financial and managerial reporting and effective and efficient asset protection. COSO, which is made up of the control environment, risk management, control activities, information and communication, and monitoring components, is an internal control model that is also accepted as a reference point by such institutions as the International Organisation of Supreme Audit Institutions (INTOSAI) and the European Commission. The following figure shows the components of COSO.

IN Figure 1: The COSO Cube
Our country, on the other hand, which has been carrying on membership negotiations with the EU, has been going through a reform process since the early 2000s with a view to strengthening its public internal control system. The basic factors of the internal control system recommended by the European Commission to all candidate countries, which is in compliance with COSO, can be summarised as a financial management and control (FMC) system based on managerial responsibility and accountability, a functionally independent internal audit activity, and a Central Harmonisation Unit (CHU) responsible for the harmonisation of these two areas across the whole public sector.

FMC refers, in the most general terms, to the management and control processes related to public revenues, expenditures, assets and obligations. In this context, public managers at every level are responsible for the establishment and sustainability of a sound FMC system to ensure resource-based planning, programming, budgeting, accounting, controlling, reporting, archiving and monitoring. Internal audit, on the other hand, which assists the manager in assuming this responsibility and attaining the objectives, gives objective assurance based on risk management and provides guidance regarding the compliance of the current FMC system with the identified rules and standards. Furthermore, a full-capacity, high-quality central harmonisation activity is required in order to identify and develop methodologies, legislation and standards in the areas of FMC and internal audit in public administrations, as well as to coordinate and monitor them and provide the training needed.

In the light of best practice examples, our country has taken important steps in strengthening transparency and accountability in public financial management and ensuring an effective internal control function. Public Financial Management and Control Law No 5018, which is the most important of these steps and was adopted in 2003, defines the functioning of the internal control system and the roles and responsibilities of the actors involved in the system, and assigns the Ministry of Finance (MoF) the duty of identifying standards and methods as well as ensuring coordination and providing guidance in this area. In accordance with this duty, the MoF published a Public Internal Control Standards Communiqué in 2007 which is in compliance with international standards.
The Financial Management and Control Manual, which is an extension of all these works, has been prepared with a view to supporting decision-making and implementation processes for better management and thus contributing to the rational use of public resources. The Manual, the preparation of which started in 2010 and was completed in the first quarter of 2011, is the outcome of painstaking work carried out by experts from both the United Kingdom and our country within the framework of a twinning project financed by the European Union.

The FMC Manual has been designed, with a view to ensuring the implementation of the internal control standards, as a guideline which explains all the basic factors of internal control by means of methods, tools and examples that can be used by all the stakeholders. In addition, it is also possible for administrations to use, according to their own needs, tools other than those in this Manual, which can be modified and revised over time in line with the changing circumstances and needs in public administrations; however, it is foreseen that the tools adopted should not be in conflict with the basic requirements contained in the Manual.

This Manual is made up of five main parts based on the Internal Control Standards. Following this introduction there is a table showing the main responsibilities of the major actors in financial management and control.

In the first part, conceptual explanations regarding ethical values and integrity, mission, organisational structure and duties, competence and performance of personnel, and delegation of authority, which are the milestones of the control environment, are given, together with information on the legislation and implementing tools.

In the second part, information is given on the importance and aim of risk management, the stages of the risk management process, the roles and responsibilities of the actors involved in the process, the Risk Strategy and Policy Document, and the communication and reporting tools that can be used.
In the third part, control strategies and methods, identification and documentation procedures, the principle of separation of authorities, hierarchical controls, sustainability of activities and information processing controls are explained within the framework of control activities, which is closely related to risk management, and a set of control activities (approval, authorisation, verification, reconciliation of accounts, etc.) are dealt with.

In the fourth part, the concept of information and its management, the functioning of Management Information Systems, internal and external communication tools and reporting mechanisms are handled within the framework of the information and communication component.

In the fifth part, within the framework of regular monitoring and assessment of the internal control system, information is given on the roles and responsibilities of the Financial Management and Control Central Harmonisation Unit (FMC CHU) in the overall public sector and of the Strategy Development Units (SDU)/Financial Services Units in each public administration, as well as on the tools used, the internal control system quality assurance development programme, the roles of internal and external audit, the content of the Internal Control Assurance Declaration and guidance on how to fill in the Declaration.

In the last part of the manual, a glossary of the concepts used in the manual is given.
Users of the Manual

Besides the relevant stakeholders and users, it is believed that this Manual will be a reference document for the following:

• Senior managers responsible for establishing an effective and adequate FMC system as well as observing and monitoring it
• Authorising officers who have responsibility, within the scope of their duties and authorities, to ensure the functionality of internal control regarding administrative and financial decisions and proceedings
• Relevant managers and employees of the Ministry of Finance who carry out the central harmonisation duty in the area of FMC
• Managers of SDUs and financial services experts who have responsibility for the development of the internal control system and the implementation of the standards
• Realisation officers and accounting officers who are involved in financial processes and are accountable to authorising officers
• Other public managers who have responsibilities arising from the activities conducted in the area of FMC in units
• All the employees working in public administration
• Internal auditors who have the responsibility to assess and report to the Head of Administration on the effectiveness of the FMC system
• External auditors who are responsible for examining the accounts, financial transactions and activities and internal control systems of public administrations, as well as whether resources are used effectively, efficiently and economically and in compliance with the laws, and for reporting the results to the TGNA
TABLE OF ROLES AND RESPONSIBILITIES

MINISTER
Risk management: Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister should be aware of the potential risks to the administration's objectives.
Information and communication: He ensures coordination and cooperation with the other ministries and informs the public and the TGNA about the annual performance programme and activity report of the administration.
Monitoring: Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister is responsible for ensuring effective monitoring of the internal control system.

HEAD OF ADMINISTRATION
Risk management: He defines strategies and policies for an effectively functioning risk management system in accordance with the aims and objectives of his administration. He explicitly defines tasks, roles and responsibilities. He ensures the participation of the stakeholders and the public.
Information and communication: As the quality of the information exchange and communication between the head of administration and the other actors has a direct effect on the accountability of the head of administration, he must inform the relevant units about the frequency and methods of feedback he prefers. He ensures effective communication among spending units, SDUs and internal audit.
Monitoring: He is responsible for observing and monitoring the functioning of the financial management and control system. He approves the annual internal control system evaluation reports and signs the Internal Control Assurance Declaration.

INTERNAL CONTROL AND RISK STEERING BOARD
Risk management: The Board develops policies for the improvement of risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the units of the policies and procedures for coordination purposes. The ICRSB designates as key risks a particular number of the risks submitted to it which it deems significant, and reports to the Head of Administration on whether these key risks are being managed well, at regular intervals or whenever it deems necessary.
Information and communication: It provides the Head of Administration with timely and accurate information about the effectiveness of internal control and risk management.
Monitoring: It assesses the internal control system evaluation reports prepared by the strategy development unit as a result of the annual evaluation of the internal control system and, after identifying any shortcomings of the report, submits it with the relevant opinions for the approval of the Head of Administration.

AUTHORISING OFFICER
Risk management: He acts as the unit risk coordinator or assigns someone to act as such. The URC coordinates the management of the unit's risks that may have an impact on the objectives of the administration and provides guidance to this end.
Information and communication: He ensures that the tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff. He ensures that sub-units are informed about each other's activities. He ensures that an effective communication and archiving system is established for the information related to the objectives and activities of the unit.
Monitoring: He has responsibility for continuously monitoring the internal control system. He provides the necessary information to the strategy development units regarding the annual evaluation of the internal control system, completes the internal control questionnaire and annually signs the internal control assurance declaration to be submitted to the Head of Administration.

HEAD OF DEPARTMENT/UNIT
Risk management: He is responsible for the coordination of risk management activities within the sub-units (if there are such units, or if their management at this level is deemed appropriate) of the spending units in administrations. He is directly accountable to the URC regarding risk management.
Information and communication: He ensures that an effective communication and archiving system is established within the sub-unit for the information related to its objectives and activities. He ensures that the tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff. He is accountable to the authorising officer.
Monitoring: He has responsibility for continuously monitoring the internal control system. He supports the authorising officer in providing SDUs with information.

EMPLOYEES
Risk management: Every employee is directly responsible for managing the risks in their field of duty (identifying, assessing, responding to, reviewing and reporting risks).
Information and communication: Every employee is responsible for delivering accurate and timely information to managers, colleagues and stakeholders by using the right communication means.
Monitoring: They observe the functioning of the internal control system and, in case of a problem, they inform senior management and contribute to the evaluation process of the internal control system by providing information.

STRATEGY DEVELOPMENT UNIT
Risk management: It organises training on risk management in the administration and provides guidance in this respect.
Information and communication: It is responsible for providing the Head of Administration and the units with accurate and timely information. In addition, it is responsible for providing the units with guidance and training in the area of internal control.
Monitoring: It annually assesses the internal control system on behalf of the Head of Administration. It signs the declaration on the functioning of the internal control system with a view to ensuring the effective, efficient and economical execution of the administration's activities. Staff of Strategy Development Units take an active role in the evaluation process of internal control systems and guide the units in completing the evaluation reports.

ACCOUNTING OFFICER
Risk management: Within the scope of his duty, the Accounting Officer should identify and manage the financial risks.
Information and communication: The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way.
Monitoring: Accounting Officers must regularly report to the authorising officer on the accounting records.

CENTRAL HARMONISATION UNIT
Risk management: It is responsible for such activities as making regulations and changes when necessary, carrying out developmental activities, and ensuring guidance, harmonisation, inter-administrational coordination and reporting.
Information and communication: It is responsible for making arrangements, setting out standards, providing guidance and advice, ensuring harmonisation and coordination among administrations, and monitoring and reviewing the implementation in the fields of financial management and control and internal audit.
Monitoring: It annually assesses the functioning of internal control systems in public administrations based on the Internal Control Evaluation Reports approved and submitted by senior managers, and submits the evaluation report it has prepared to the Head of Administration and the Minister of Finance.

INTERNAL AUDIT
Risk management: The internal auditor provides the Head of Administration with advice regarding risk management by evaluating whether the risk management process is effective and whether risks are managed in the right way.
Information and communication: He examines the functioning of the information and communication system in the administration and reports the results to the Head of Administration. There must be an effective communication system between the Head of Administration and internal audit.
Monitoring: It has the function of providing the management with information about the sufficiency, effectiveness and functioning of the internal control system, as well as making evaluations and giving recommendations.

EXTERNAL AUDIT
Risk management: Within the framework of performance management, it can audit the functioning of risk management processes in administrations.
Information and communication: Within the framework of performance management, it can audit the functioning of information and communication systems in administrations.
Monitoring: The Court of Accounts can assess the internal control systems in administrations during the audits it conducts and give recommendations.
CONTROL ENVIRONMENT

1 INTRODUCTION

According to the COSO model, the control environment is the creation of the basic infrastructure for the other components of internal control by providing internal control awareness for the employees working in a particular administration. The control environment generally includes the internal control awareness, values, working styles and procedures of the administration. The basic factors of the control environment are summarised below.

CE Box 1: Basic Factors of the Control Environment
• Principles of personal and professional integrity
• Adoption of ethical values by management and personnel
• Supportive attitude of senior management towards internal control
• Organisational structure
• Professional competence and performance of personnel
• Human resources policies and practices
• Management philosophy and working style

Figure: COSO components (Control Environment, Risk Management, Control Activities, Information and Communication, Monitoring)

Creation and sustainability of a positive and supportive environment for internal control by the management is of great importance. As employees also have their own roles in carrying out internal control, all individuals within the administration need to know their responsibilities and authorities very well. Employees need to uphold personal and professional integrity and ethical values and comply with the current behavioural norms. In a well-functioning control environment, the public administration should determine in advance its mission, organisational structure and terms of reference, and should regularly assess the performance of personnel.

2 Internal Control Standards

Among the Public Internal Control Standards, four standards were determined regarding the control environment.

CE Box 2: Control Environment Standards

Standard 1: Ethical values and integrity
It should be ensured that the rules which regulate how personnel behave are known by the personnel.

Standard 2: Mission, organisational structure and duties
The mission of the administration and the job descriptions for units and personnel should be set out in writing and announced to the personnel, and a suitable organisational structure should be established in the administration.

Standard 3: Competence and performance of personnel
Administrations should ensure compatibility between the competence and duties of personnel and take action on performance appraisal and improvement.

Standard 4: Delegation of authority
The administration should explicitly identify authorities and the limits of delegation of authority and announce them in writing. Authority should be delegated taking into consideration the importance and risk of the authority to be delegated.

This part gives explanations regarding the relevant legislation and standards with a view to making the Public Internal Control Standards more comprehensible and to guiding practice. It also stresses the methods to be applied so that the ethical values and integrity principles are owned by senior management and adopted by personnel, which is very important for a well-functioning control environment. Criteria are also determined for the assessment of the competence and performance of personnel, and explanations are given on the determination of mission, organisational structure and duties. Moreover, the part explains how the delegation of authority, which is a priority for accountability, needs to be conducted.
3 LEGISLATION

3.1 Legal Basis

In utilising public resources or in providing effective and efficient public services, the principles and procedures of a piece of work, whether financial or non-financial, are determined by the regulations made by laws or by the central administration.

The Internal Control Standards provide the minimum and overall framework for managers for giving assurance on the provision and sustainability of services. In the following diagram, the international and national standards and legislation relating to the Control Environment are given.
CE Figure 1: Legal Basis Framework regarding the Control Environment

Part Five of Law No 5018 regulates the 'internal control system'. Within this framework, in order to establish an effective and sufficient internal control system, the top manager and the other managers should take the necessary action to ensure that the following factors are implemented:
• Having professional values and an integral management understanding
• Assignment of financial authorities and responsibilities to informed and competent managers and personnel
• Compliance with the standards set
• Prevention of actions that are contrary to the legislation
• Provision of a proper working environment and transparency with a comprehensive management understanding
The main legislation related to the control environment is given below.

CE Table 1: Main Legislation on the Control Environment Standards

Standard 1: Ethical Values and Integrity
Related legislation:
• Law No 5176 on the Establishment of the Civil Servants Ethical Board and Making Amendments on Some Laws
• Legislation on Ethical Behaviour Principles and Application Principles and Procedures of Civil Servants

Standard 2: Mission, Organisational Structure and Tasks
Related legislation:
• Law No 3046
• Decree Law No 217 on the Establishment and Duty Principles of the State Personnel Presidency
• Strategic Planning Guideline for Public Administrations

Standard 3: Competence and Performance of Personnel
Related legislation:
• Turkish Constitution
• Law No 657 on Civil Servants, Law No 2802 on Judges and Public Prosecutors, Law No 2914 on High Education Staff, Law No 926 on Turkish Armed Forces Personnel, Law No 3269 on Specialized Sergeants, Law No 3466 on Specialized Gendarmerie, Law No 4678 on Contracted Officers and Petty Officers to be Recruited into the Turkish Armed Forces
• Regulation on Examinations for Those to be Appointed to Public Duties for the First Time
• Regulation on Appointment Conditions for Public Services of Disabled Persons and Competition Examinations to be Conducted
• Special Regulations Prepared by Administrations (expert, coordinator, inspector, etc.)
• General Regulation on Training of Candidate Civil Servants
• Registry Regulation for Civil Servants
• Regulation on Civil Servants to be Sent Abroad for Training Purposes
• General Regulation on the Principles of Promotion and Title Change in Public Administrations and Entities
• Regulation on Promotion and Title Change in Supreme Institutions and Agencies of High Education

Standard 4: Delegation of Authority
Related legislation:
• Law No 3046
• Law No 2547 on High Education
• Law No 5393
• Organisational Laws
• Communiqué Serial No 1 on Authorising Officers
4 ETHICAL VALUES AND INTEGRITY

4.1 What is Ethics?

Ethics is a body of moral principles which forms the basis for the behaviour of a person. In other words, ethics is the set of guidelines, values, principles and standards which help people determine 'how to do their work'. Ethics is at the same time a process: in this process, while making and implementing decisions, actions are carried out upholding particular values.

The aim of observing ethical behaviour principles is to prevent corruption and to uphold integrity in the state and the community.

4.2 Current Legislation on Ethics

Law No 5176

The Law determines the establishment, duties, and working principles and procedures of the Civil Servants Ethical Board, which is to determine and monitor the implementation of such ethical values that civil servants must observe as transparency, impartiality, accountability and observing the public interest. However, the scope of the law is so narrow that it diverges from its original aim (the provisions of the Law are not enforced for the President, Members of the TGNA, Members of the Council of Ministers, officials of the Turkish Armed Forces and officials of the judiciary).

The Civil Servants Ethical Board is authorised and responsible for determining ethical behaviour principles through the legislation it will prepare; conducting the relevant ex-officio examinations and investigations, as well as examinations and investigations upon applications concerning ethical behaviour violations, and notifying the results to the relevant authorities; carrying out studies to settle ethical behaviours in the community; and supporting studies to be carried out in this field.

Within the framework of the laws, applications can be made to the Board with allegations of violation of ethical behaviour principles about civil servants at the level of at least director general or equivalent positions in a public administration or institution.

Applications made with allegations of violation of ethical principles about other civil servants are evaluated by the concerned boards of the relevant administrations to see whether there is a condition contrary to the ethical value principles. The results of the evaluations are communicated to the applicant and to whom it may concern.

The Board conducts its examinations and investigations regarding the applications referred to it to see whether ethical value principles have been violated. The Board has to conclude the examinations and investigations conducted upon whistleblowing or complaint applications within three months at most. The results of the examinations and investigations are communicated to the relevant authorities and to the Prime Ministry in writing. (For further information, please refer to the "Information and Communication" chapter.)

Legislation on Civil Servants Ethical Behaviour Principles and Application Procedures

Civil servants are liable to observe ethical behaviour principles while fulfilling their duties and to sign the Ethical Contract document. Authorised appraisal managers in administrations and institutions assess the performance and employment records of personnel in terms of compliance with ethical values.

CE Figure 2 demonstrates the ethical behaviour principles determined in the Legislation.
CE Figure 2 Ethical Behaviour Principles

[Figure: the ethical behaviour principles of the Legislation, arranged around the title "Ethical Behaviour Principles":]
- Granting declaration of property
- Relations with previous civil servants
- Accountability requirement for managers
- Informing, transparency and participation
- Binding explanations and unreal declarations
- Being economical
- Utilisation of public properties and resources
- Prohibition of giving presents and drawing benefits
- Not abusing duties and authorities to draw benefits
- Avoiding conflict of interest
- Notification of authorised bodies
- Courtesy and respect
- Esteem and trust
- Integrity and impartiality
- Commitment to aims and mission
- Compliance with service standards
- Service awareness for the public
- Public service awareness in the fulfilment of duties
4.3 Main Ethical Behaviours that are Expected from Civil Servants
- Observing high ethical standards at all times and working to increase public confidence in the state and in civil servants, for the public benefit
- Behaving in compliance with ethical values and principles when fulfilling duties, obtaining and using public resources, and purchasing goods and services from outside
- Showing respect for colleagues and users of services, and exhibiting impartial and fair behaviour
- Having a participatory decision-making process by taking the views of colleagues and users of the services into consideration
- Appreciating and announcing the good work colleagues do
- Not abusing public authorities and resources for personal benefit, and not favouring relatives or friends in the use of public services
- Being careful about potential and actual conflicts of interest
- Assuming responsibility for decisions and behaviours
- Filling in property declaration forms on time, accurately and without any reservation
- Not working in a second job prohibited by the Legislation, other than the public service
- Not establishing private relationships with persons and firms that are in connection with the administration the civil servant works in
- Warning other civil servants whose behaviour is not in compliance with ethical principles, and notifying the authorities if that warning turns out to be fruitless
4.4 Ethical Behaviours That are Expected from Public Managers
While fulfilling their duties, managers should:
- Inform all civil servants of the overall aims, main objectives and values of the administration
- Create a positive working environment where behaviour expectations are clearly defined and any violations are identified and corrected
- Assume full responsibility for the activities of the administration
- Take into consideration the merits, current behaviour and developmental potential of personnel when appointing to a position
- Behave in a fair, equal and impartial way towards all personnel
- Solve problems and conflicts quickly and fairly
- Be consistent, reliable, predictable, fair and objective in decisions and behaviour
- Set a personal example in terms of ethical principles and values
- Maintain the highest standards possible, to be followed in the field of efficiency and effectiveness at work
4.5 Ethics Training
One of the most important prerequisites for establishing a culture based on ethical values and principles in the administration is ethics training. All personnel at every level employed in public administrations and institutions need to be informed of the ethical behaviour principles and of their responsibilities related to these principles.
Administration and institution managers are liable to include ethical behaviour principles in the basic, preparatory and in-house training programmes implemented for civil servants.
5 MISSION, ORGANISATIONAL STRUCTURE AND DUTIES
The mission of an administration is the reason for its existence and its place within the state structure. The organisational structure ensures that the duties carried out to attain the objectives and aims of the administration are controlled and monitored. The duties carried out by the administration are led by the mission and the organisational structure. These factors, which complement each other, form an important basis for the other components of the internal control system.
5.1 Mission
Public administrations set out their missions, visions, aims, objectives and strategies in strategic plans. As the Strategic Planning Guideline for Public Administrations states, the mission is the reason for the existence of an administration. In this regard, the mission covers all the services and activities an administration carries out. In other words, the mission is the answer to such questions as what the public administration does, and how and for whom it does it. The mission should be sound, realistic and participatory in order to lead the administration, and should be developed according to changing conditions and needs. It is also appropriate to receive the opinions of personnel and stakeholders when forming and updating the mission.
The following should be taken into consideration in the mission declarations of administrations:
- The mission should be up to date, precise and clear.
- The mission should be determined in line with the established aims of the administration, not the process of service provision.
- While determining the mission, the tasks and authorities granted to the administration by legal regulations should be taken into consideration.
- In the mission statement, the people and entities the administration provides services for and the goods and services the administration offers should be stated.
CE Box 3 Mission Example
For the mission, which is very important for a public administration, to be achieved, personnel should be sufficiently informed about the mission of the administration they belong to. Being informed about the mission and adopting it will guide the decisions and activities of the administration and help personnel understand their duties within the administration. To this end, the mission should first be set down in writing and announced to the personnel, and a system should be developed for the mission to be adopted by the personnel. In addition, the job descriptions of the sub-units should be determined in writing in compliance with the mission, and compliance with the mission should be regularly reviewed.
5.2 Organisational Structure
The organisational structure of the administration is another important factor which influences the control environment. The organisational structure provides a framework for the attainment of the aims and objectives of the administration.
In order to establish a proper control environment, the organisational structure should:
- Indicate the division of authorities and responsibilities within the organisation
- Include accountability mechanisms and the relevant reporting lines which will ensure the functionality of these mechanisms
- Indicate the coordination and integration points
CE Box 3 Mission Example (box content, displaced here by extraction)
"Carrying out research, training and publishing activities, developing and supporting projects for strengthening and increasing the problem-solving capacity of families, and for the identification and solution of problems in cooperation with institutions and organisations, in the light of scientific and ethical values."
(General Directorate of Family and Social Research, 2007-2011 Strategic Plan)
The organisational structures of administrations are generally determined by the organisational laws prepared in compliance with the framework set in Law No 3046, and the duties of administrative units (main service, consultation/audit and support units) are shaped in these organisational laws. The duties of the sub-units of administrations, on the other hand, are determined in administrative regulations such as circulars and regulations, not in the organisational laws.
Furthermore, the organisational structures of public administrations which fall under the scope of local administration are determined by Law No 5393 on Municipalities, Law No 5216 on Metropolitan Municipalities, Law No 5302 on Special Provincial Administration and Law No 5355 on Local Administration Unions.
The mission of the administration is achieved by the activities carried out by the units of the administration and their sub-units, and by the units of the local administration. Within this framework, the duties of both the units and the sub-units should be in compliance with the mission of the administration.
Relevant changes regarding the organisational structure, units and sub-units of the administration and the duties carried out by these units and sub-units can be made by amending the organisational law or revising the administrative regulations, according to the circumstances, within the framework of the reviewing activities in question.
5.3 Job Descriptions
As stated in the Public Internal Control Standards, the written definition of the duties to be carried out by the units and sub-units of administrations, and the formation of a task distribution chart covering the duties of personnel in the administrative units and their relevant authorities and responsibilities, are important for the mission of the administration to be accomplished. Within this framework, the preparation stage of job descriptions is demonstrated below.
Public administrations can prepare their job descriptions by following the process given below.
CE Figure 3 Preparation Process of Job Descriptions
MAKING JOB ANALYSIS
Job analysis is a process in which information regarding the nature of every job carried out in the administration, the working environment in which the job will be carried out and the working conditions is collected, and the collected information is systematically examined and assessed. While making a job analysis, the following should be followed:
- Determination of the jobs to be analysed, taking into consideration the organisational structure of the administration
- Determination of the objective
- Formation of the team to make the analysis (it is essential that the team members who are to make the analysis be selected from inside the administration; however, it is possible to receive counselling from outside when necessary)

KEY QUESTIONS IN JOB ANALYSIS
- What are the requirements of the job (in terms of knowledge, experience and competence)?
- How is the job done?
- When is the job done?
- Where is the job done?
- Why is the job done?
- What are the assistive tools (equipment) for the job?
- What kinds of outputs are obtained?

Job analysis does not have a value on its own. It is only valuable when it contributes to attaining the objectives of the administration. Therefore, the analysis should start by understanding the philosophy, mission and objectives of the administration and the role and importance of every unit within the administration, and should continue in this direction.

The findings gathered from the job analysis should be presented in a systematic and consistent way, and the job descriptions formed according to these findings should be submitted to top management once their final draft has been completed.

At a minimum, job descriptions should include the following:
- Unit & sub-unit
- Name of the job (name of the position)
- Title that the job has
- Level of competence (areas of responsibility, information, problem solving)
- Basic duties and responsibilities
- Authorities
- Required skills and abilities for the job
- Its relation with the other jobs
- Approval section and section regarding communiqué to personnel
The State Personnel Presidency has determined standard job descriptions for some titles (chief programmer, warehouse official, statistician, personnel titled inspector in the municipalities, etc.). In this process, public administrations may receive guidance from the State Personnel Presidency.
5.3.1 Sensitive Duties
Some of the duties carried out in public administration are, because of their nature, more important than others in terms of the esteem of the administration, the risk of corruption, the disclosure of secret information, etc. Therefore, more importance is attached to the integrity of the personnel who carry out the duty in question.
It is appropriate to assess at least the following when deciding whether a duty is sensitive or not:
- Capacity to make important decisions that can impact the administration's objectives
- Relations with third parties and administrations outside the administration which can impact decisions
- Regular access to confidential information
- Whether financial transactions of high value are involved
- Whether the duty requires special expertise at a high level
- Other criteria that can be introduced by administrations
According to the criteria in question, the administration should determine the sensitive duties, develop control mechanisms to mitigate the risks identified, and review the changes that occur in the level of the risk.
The following table demonstrates the fields of activity which can be sensitive for administrations and gives examples regarding these fields.

CE Table 2 Examples of Sensitive Duties

Areas of Management | Examples of Sensitive Duties
Financial management | Accounting; managing payments; analysing the financial reports
Commitment process | Membership of the Tender Commission; contracting process; process of examining and accepting; publishing tender documents
Human resources management | Definition of positions; job description; recruitment process; assessment; implementation of the salary system
Information management systems | Access to the system and controls; security of the systems and key documents; developing the system
Support services | Controlling valuable stocks

(CE Figure 3, continued)
ANNOUNCING JOB DESCRIPTIONS TO THE PERSONNEL
Job descriptions should be announced to the personnel so that they learn what they need to do, under which rules they work and what their objectives are.
UPDATING JOB DESCRIPTIONS
Job descriptions should be reviewed and updated annually.
5.3.2 Monitoring the Results of Duties
Administrations should continuously assess sensitive duties and decide what steps to take in accordance with changes in the level of the risks (such as renewing controls, identifying new sensitive duties, and re-evaluating the risk levels of sensitive duties taking cost-effectiveness into consideration).
Managers carry out the activities of administrations through written or spoken instructions. However, it may be difficult for management to monitor the results of duties for such reasons as the structure of units, organisational complexity, scattered organisations, a high number of personnel and varied duties. Managers should develop methods such as introducing reporting mechanisms and holding regular meetings to overcome this difficulty.
6 COMPETENCE AND PERFORMANCE OF PERSONNEL
Good management of human resources aims to ensure the efficiency, effectiveness and productivity of personnel.
CE Box 4 Humans first
The basic aim is the selection of proper personnel for the fulfilment of the mission of the administration, the appraisal of personnel, career planning for those who are successful, and ensuring they have the basic skills and adequate knowledge together with a high sense of responsibility and identity.
6.1 Transition to Human Resources Management from Personnel Management
As it assumes the responsibility for identifying policies, objectives and standards in human resources management (HRM), top management plays a significant role in HRM. Besides, top management should create a transparent and accountable environment that complies with laws and legislation.
The expertise that human resources managers have in this area should lead the other unit managers to apply human resources standards at every level of the administration. Furthermore, HRM is a responsibility of all levels of management, starting from top management. In line with the policies in question, unit managers, while effectively carrying out the tasks given to them by senior managers, should also assume such duties as the orientation and training of new personnel, improvement of their work performance, developing a proper work environment and relations in which they will work in cooperation, boosting the morale and motivation of personnel, safeguarding the health of personnel and improving their working conditions.
6.2 Activity Areas in Human Resources Management
The basic functions of HRM can be listed as follows:
- Conducting job analyses
- Job descriptions
- Job requirements
- Labour force assessment
- Staff analysis
- Cost-benefit analysis
- Limitations of various legal regulations (Budget Law, Decree Law on General Cadre Procedure, etc.)
- Recruitment process
  - SWOT analysis (of the recruitment process)
CE Box 4 Humans First (box content, displaced here by extraction)
With the principle "good people make good organisations", we can say that the quality of the employees of an administration is the quality of the outputs of that administration. First of all, it must be kept in mind that employees are humans, and a balance must be established between the needs of the administration and those of the employees. It is important for personal motivation that assignments be made in line with the merits and careers of employees at every stage, from recruitment to retirement. The only capital an administration has which cannot be materially measured is human.
  - Announcements in newspapers, on the internet and on the administration's billboards
  - Developing easy application methods which meet the needs, are fair and do not lead to discrimination
  - An open examination process, which will give confidence
- Merit and career evaluation system
  - Promotion/achievement criteria
  - Personnel performance indicators
  - Appraisal system
  - Rewarding mechanisms
- Training activities
  - Training needs questionnaire
  - Training programmes (theoretical and practical)
  - Training and internships abroad
  - Post-training assessments
  - Participation in activities such as conferences and workshops which support personal development
- Poor performance management and disciplinary practices
  - Determining the data on which decisions about non-appropriateness for duty will be based, and announcing this to all personnel
  - Clearly determining the criteria for terminating duties, and announcing these criteria to the personnel
7 DELEGATION OF AUTHORITY
Authority refers to the power of administrative bodies to make administrative decisions and to conduct administrative transactions.
Responsibility can be defined as the body of rules and sanctions to which those who assume roles in administrative activities are subject.
Delegation of authority is the transfer of the authority and responsibility to make decisions to another body, within the framework of the applicable legislation. Delegation of authority does not remove the managerial responsibility of the delegator.
Rigid and traditional administrative structures, in which all authorities as well as transfer and execution functions are gathered in a single centre, are not preferred. In such administrations, the motivation of employees and lower-level managers to own the administration and to produce services in line with its objectives will decrease. Administrations in which managers delegate all their authorities to lower levels with insufficient capacity and do not monitor the results, on the other hand, are not desirable either.
Delegation of authority is a step in the transition from an authoritarian management understanding to a transparent and accountable one. In modern administrative structures a proper control environment is created, employees are assigned responsibilities and authorities at the level of their duties, and employees together with lower-level managers are included in the decision-making mechanisms. In such administrations working motivation will increase, and therefore effectiveness and efficiency indicators will go up with the attainment of the aims and objectives.
In relation to delegation of authority, the authorities to be delegated and their limits are defined by regulations in various laws. The main regulations in this regard are as follows:
- Law No 3046 on Ministries
- Law No 5442 on Provincial Administration
- Law No 2547 on Higher Education
- Law No 5393 on Municipalities
- Law No 5018 on General Management
- Organisational Laws of Administrations
7.1 Determination of Delegation of Authority
Delegation of authority should be carried out according to the hierarchical structure of the organisation. With a top-down approach, the authorities to be delegated from the Minister to the Undersecretary (the authorities to be delegated to the Head of Administration), to his deputies and to heads of units, from head of unit to head of department, and from head of department to director of branch should be determined in writing and consulted with whom it may concern.
7.2 Delegation of Authority and Work Flow Process
The work flow processes of administrations should be determined, and the officials to take part in the processes and their authorities and responsibilities should be set out. The processes so determined should be analysed, and who is to be assigned which authority in the processes should be determined.
What is expected in the delegation of authority is that the official to whom the authority is delegated is well informed about the process and has the qualifications and experience to manage it. Employees who are delegated authority are expected to report the current situation of the process to the delegator, and delegators are expected to ask for this report.
7.3 Delegation of Authority and Responsibility
Responsibilities can be handled in three different categories:
Managerial responsibility
It refers to responsibility to the senior level in hierarchical terms. It is also defined as performance responsibility. Delegation of authority will not remove the managerial responsibility of the delegator.
Financial (compensation) responsibility
It is the financial responsibility for public and/or personal loss caused by using the authority delegated. Financial responsibility arising from the use of this authority belongs to the user of the authority.
Legal (punitive) responsibility
Legal responsibility covers managerial and financial responsibility. Legal responsibilities are defined in the Constitution, organisational laws, the Turkish Penal Code and special legislation. It is a must that all employees and political authorities working in public administration act with legal responsibility while carrying out their duties.
7.4 Factors of Delegation of Authority
The authorities that can be delegated and those that cannot be delegated should be determined, with their limits, at senior management level and announced.
The basic factors to be taken into consideration in delegation of authority are as follows:
- Delegation of authority must be in writing.
- Legally, there are authorities which cannot be delegated, and these are not at the administration's discretion (for example, the authority to give disciplinary punishment or the authority of administrative tutelage).
- The limits of the authority to be delegated must be set out.
- As long as the delegation of authority continues, the delegator will not be able to use that authority.
- The official delegating or delegated the authority leaving the job terminates the authority.
7.5 Delegation of Authority and Communication
Employees taking over authority should periodically report the current situation of the process to the delegator, and the delegator should ask for this report, which will provide feedback to the Head of Administration regarding the process. This is an example of the monitoring function.
8 INTERNAL CONTROL AND RISK STEERING BOARD
8.1 Roles and Members of the Board
The Board has a consultative role, which provides added value for the activities of the administration in developing methods and processes regarding the internal control system, such as monitoring internal control practices, preparing action plans and implementing the current plans.
The Board is formed with the approval of the Head of Administration for the commencement of studies on the internal control system within the framework of the Action Plan Manual on Harmonisation with Public Internal Control Standards. The Board consists of authorising officers (or their deputies) under the chairmanship of the Deputy Head of Administration; when the Deputy Head of Administration is not available, an authorising officer assigned by the Head of Administration takes over as chairman. All or some of the authorising officers are selected for the ICRSB, and how many to select should be determined with a view to efficiency, in line with the organisational structure. When deemed necessary, the Head of Administration can invite those authorising officers who are not members of the Board to Board meetings to obtain their opinions, provided that they are not included in decision-making. Secretarial services for the Board are provided by the strategy development unit.
The Board convenes periodically. Experts from inside and outside the administration can be invited to the Board if deemed necessary, in order to contribute to the objectives and aims. The Board is free, within the framework of the duties and responsibilities given to it, in determining the dates and content of meetings, and notifies the relevant persons of the relevant arrangements in advance.
Decisions are made by majority vote. Each member, including the Chairman of the Board, has only one vote. However, when the votes of both sides are equal, the majority is considered to be the side the chairman takes. Those members who do not side with a decision state their justifications in writing. The deputy senior manager, authorising officers or the deputies they assign should have a single equivalent vote in the meetings; however, the other representatives and experts whose opinions are received should not have a vote. The Head of Administration, on the other hand, should be able to participate in Board meetings without having a vote, and should encourage the participation of authorising officers in order to strengthen the internal control system. For meetings not attended by the Head of Administration, a briefing should be made through the reporting system.
Details of how the Board works should be specified in the relevant legislation.
The Board regularly monitors internal communication activities and processes, revises them when deemed necessary, and determines new communication methods to fit the changing organisational structure.
CE Figure 4 Information Flow in Internal Control and Risk Steering Board
8.2 The Board's Scope of Duty
The Board works to support the accountability of senior management in the fields of management, internal control and especially risk, and is authorised to carry out the following with the approval of the senior manager. Within this framework, its duties in the field of risk can be listed as follows:
- It prepares the Risk Strategy and Policy Document (RSPD), or reviews the available RSPD, and submits it for the approval of the senior manager.
- It determines policies for establishing the risk management culture in the administration.
- It determines the risks of spending units to be managed in partnership, and the related policies and procedures, and communicates them to the unit's risk coordinator for coordination purposes.
- It determines the risks to be managed in partnership with other administrations and communicates them to the relevant administrative risk coordinator, to ensure that the necessary precautions are taken for management in partnership with the relevant administrations.
- The Board periodically assembles to assess whether the risk management process functions well and the level achieved regarding risks, and reports the level achieved to the senior manager.
The Board fulfils the following duties other than risk management:
- Assessing internal audit reports and providing guidance for the implementation of recommendations and ideas regarding the internal control environment and the other components, in line with the requirements of the administration
- Monitoring the activities of the administration carried out within the framework of its strategic plans and policies, by means of periodic meetings
- Making decisions on the dissemination of good practice examples both inside and outside the administration, as a result of the monitoring activities carried out
[CE Figure 4: information flows between the Deputy Head of Administration, the Internal Control and Risk Steering Board, the Strategy Development Unit, and the Authorising Officers of Spending Units (A), (B) and (C)]
RISK MANAGEMENT
1 Introduction
Administrations utilise the resources allocated to them in order to reach the objectives set out. The activities, processes and projects carried out to utilise these resources bring along risks. Risk management is a good tool for administrations to achieve the aims they set out in accordance with their missions and visions. RM Box 1 describes risk.
RM Box 1 Definition of Risk
Risk is the uncertainty of events that may emerge in the future (if positive it is an opportunity, if negative it is a threat). For administrations, this means that the aims, and the objectives set out to achieve these aims, can be affected positively or negatively by internal or external factors.
Risk management covers risk assessment, the determination of effective control activities, monitoring, and the continuous improvement of these processes. Risk management must be practised corporately for consistency purposes, which brings us to the concept of Corporate Risk Management. Corporate risk management covers the entire administration and ensures that risk management processes are considered and handled as a whole.
2 Risk Management Standards
While implementing risk management, administrations take into account the following standards:
RM Box 2 Risk Management Standards
3 Benefits of Risk Management for Administrations
The following are the important benefits of properly applied risk management in corporate terms:
- Helps improve the performance of administrations and assists them in attaining their aims and objectives
- Helps ensure the continuity of the services the administration provides and improve the quality of the activities it carries out
RM Box 2 Risk Management Standards (box content, displaced here by extraction)
[Figure: the five internal control components, stacked: Control Environment, Risk Management, Control Activities, Info & Communication, Monitoring]
Standard 5: Planning and Programming
The administrations shall establish and announce their activities, goals, objectives and indicators, as well as the plans and programs including the resources which are required for the realization of the above-listed elements. They shall also ensure that the activities are in compliance with plans and programs.
Standard 6: Determination and assessment of risks
The administrations shall define and assess the internal and external risks that could prevent the achievement of goals and objectives by performing a systematic analysis, and determine the measures to be taken.
- Ensures a cost-benefit balance between the risks identified and the controls applied, and therefore increases efficiency in resource allocation
- Helps control the impacts of potential losses and decrease the costs of such losses
- Ensures compliance with legislation and regulations
- Helps strengthen decision-making mechanisms by supporting evidence-based and risk-based decision making
- Enhances accountability by supporting the clear definition of tasks, roles and responsibilities within the administration
- Helps the administration have a more positive image in the eyes of public opinion
4. Critical Achievement Factors for an Effective Risk Management
For administrations to obtain the expected benefits from risk management, the following are required:
- Ownership of the risk management process and determination of a risk strategy encouraging its implementation in accordance with the mission and vision.
- Establishment of the necessary mechanisms to have a single risk management language.
- Provision of sufficient information, guidance and advice regarding risk management.
- Simplicity, flexibility and practicality of risk management processes, and integrated planning and implementation with the other basic processes (strategic planning, performance management, human resources management, etc.).
- Supporting the assessments regarding risks with reliable evidence at all times.
- Systematic monitoring, reporting and evaluation of risk management processes.
- Increasing awareness within the administration that everyone has an important role to play in risk management and that risk management should be fulfilled as an integral part of the existing processes.
- Having an organisational communication strategy and proper and functional communication channels inside and outside the administration.
5. Risk Strategy and Policy Paper
Risk Strategy is the organisational approach defined for risk management and top level policies, whereas the Risk Strategy and Policy Paper (RSPP) is the document in which this approach and these policies are set down in writing. The risk strategy sets out the administration's attitudes towards risks and forms a framework for the risk management process. The RSPP of an administration is prepared by the Internal Control and Risk Steering Board (ICRSB) for the endorsement of the head of administration, and should be available to and known by all staff.
The organisational risk strategy should clearly set out the structures regarding the management and ownership of risks; how to address risks at strategic level and at program and activity levels; the structures regarding communication, monitoring, assessment and getting assurance; the criteria for key risks; the risk register format; and the risk measurement criteria. Attention must be paid that the risk policies of the organisation comply with national level policy papers.
The risk strategy must be set out to reflect the risk appetite of the administration at strategic level. As risk appetite can change in time based on various conditions (for example, risk appetite may be low in periods of financial crisis), the risk strategy of the administration should be reviewed at least once a year and updated when deemed necessary. Box RM3 gives a basic explanation of Risk Appetite.

RM Box 3: Risk Appetite
Risk appetite is the amount of risk an administration is ready to take (tolerate/be exposed to) at any time in accordance with its mission, vision and objectives. Risk appetite should be taken into consideration while preparing strategic plans.
Risk appetite is affected by the internal and external environment, people, business systems and policies. Within this framework, risk appetite should be set out with top-down guidance.
It is possible for the administration to set different appetite levels as long as the administration does not exceed its overall risk appetite limits.
Both taking too many risks and taking too few risks may lead to failure. Although a low risk appetite is considered to be a reliable management method, it may constrain the administration in terms of creativity, innovation and taking advantage of opportunities.
Another prerequisite in risk management is the existence of a common risk language. While producing this common language, what is needed is a joint terminology and mechanisms to disseminate it. Otherwise it is not possible to build a strong common understanding to manage risks.
Corporate risk management requires a contribution from all employees. Ownership of the risk management process by the staff (identifying, addressing, responding to, reviewing and monitoring the risks) and considering it as a part of their jobs can increase the effectiveness of corporate risk management.
In order for risk management to contribute to the achievement of objectives, to improve management quality and also to reduce costs, it should be embedded in the activities. Embedding risk management in the processes means that activities are carried out as a whole, including risk management.
Box RM4 gives details of the content of the Risk Strategy and Policy Paper.
RM Box 4: Risk Strategy and Policy Paper
The RSPP should include at least the following:
- Aim of risk management
- Risk appetite
- Compliance with the legislation and binding policy papers
- Risk methodology to be adopted
- How to determine key risks (criteria)
- Organisational structure and duties
- Roles and contributions of the employees
- Communication plan

6. TASKS, AUTHORITIES AND RESPONSIBILITIES
Good risk management is only possible if the administration is well organised. Clear definition of tasks, roles and responsibilities; awareness of staff of what is expected of them within the framework of the policies and practices of the administration; the existence of horizontal and vertical communication mechanisms; and mechanisms for communication outside the administration are the requirements for a good control environment. The assignment of tasks, roles and responsibilities in risk management to appropriate, competent and authorised people will provide a strong infrastructure for risk management in the administration. While it is necessary to define roles and responsibilities, all staff are responsible for risk management. Diagram RM1 explains the structure of roles and responsibilities in risk management.
RM Figure 1: Tasks and Responsibilities in Risk Management
6.1 Head of Administration
This person is defined within the framework of Law No. 5018 on Public Financial Management and Control, and is authorised and responsible for risk management at the highest level.
Regarding risk management, the Head of Administration:
- Ensures the establishment of the strategy regarding the management of risks in accordance with the aims and objectives of his administration at the outset of each year, approves the Risk Strategy and Policy Paper (RSPP), which demonstrates how the strategy will be implemented, and notifies all staff of this in writing.
- In the RSPP, clearly defines all the tasks, roles and responsibilities and the necessary structures (for example the ICRSB) within the scope of this manual for risk management.
- Provides the Administrative Risk Co-ordinator (ARC) with the necessary support regarding the risks to be jointly managed with other administrations.
- Ensures that the proper mechanisms are established to provide for the necessary sensitivity and participation regarding the management of risks for the public opinion and the stakeholders.
- Sets out the strategic actions for the future in accordance with the considerations and recommendations of the ICRSB and the ARC.
- Receives assurance on risk management from the ICRSB and presents an assurance declaration to the Minister on whether the risks are managed effectively.
- Encourages the consistency of risk management processes.
- Reviews monitoring reports and encourages the effectiveness of risk management.
- Sets an example in terms of his behaviour, particularly in strategic risk management.
- Encourages the employees to identify risks.
- Should show leadership in risk management.
6.2 Internal Control and Risk Steering Board (ICRSB)
The Board develops policies for the improvement of risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the units of the policies and procedures. On the advice of the ARC, the ICRSB determines a particular number of risks which it deems significant as the key risks among the risks that are submitted to it, and reports whether these key risks are managed well or not to the Head of Administration at regular intervals or whenever it deems necessary.
Secretarial services of the Board are carried out by the Administrative Risk Coordinator (Head of the SDU). Whenever necessary, people with the relevant expertise from within or outside the administration can be invited to the meetings. The ICRSB has the authority to enforce the elements it determined regarding the following duties with the approval of the Head of Administration.
Regarding risk management, the ICRSB carries out the following:
- Preparing the Risk Strategy and Policy Paper (RSPP) of the administration, or annually reviewing the already available RSPP, and submitting it to the Head of Administration for approval.
- Defining policies for the establishment of a risk management culture.
- Ensuring that risks are consistently managed in the administration.
- Determining the critical strategic risks of the administration.
- Determining the risks of spending units which require joint management and the related procedures and policies, and submitting them to the URC for coordination purposes.
- Setting out the risks that require joint management with other administrations, and ensuring that the necessary measures are taken for the joint management by notifying the ARC.
- Meeting at least quarterly in order to consider whether the risk management processes in the administration work effectively, assessing the current status of risks and reporting it to the Head of Administration.
- Ensuring that good practice cases are identified and disseminated more widely.
6.3 Administrative Risk Coordinator
It is advisable that the Head of the SDU takes the role of Administrative Risk Co-ordinator. The ARC is a member of the ICRSB and is responsible to the Head of Administration for the consistency of the risk management processes of the administration and their compliance with the standards.
Regarding risk management, the ARC:
- Is responsible for the efficient operation and coordination of all risk processes in all units.
- Calls the relevant Unit Risk Coordinators (URCs) to a meeting at least once every three months.
- Prepares the Consolidated Risk Report (using the report form in this manual) on the basis of the reports submitted by the URCs, and submits this Consolidated Risk Report to the top management and the ICRSB on a quarterly basis. The report should include the ARC's personal considerations on the key risks.
- Carries out the secretarial services of the ICRSB and such tasks as setting out meeting agendas for the Board, keeping minutes of meetings, and submitting decisions of the Board to the Head of Administration for approval.
- Discusses the issues on common risk fields with the ARCs of other administrations and coordinates these within the administration.
- Provides technical support to the units on the risk management of the administration.
- Identifies the needs of units regarding risk management and reports them to the ICRSB and the Head of Administration before each meeting.
- Sends feedback to the URCs regarding the opinions, advice and decisions of the ICRSB, and takes the necessary precautions for the consistency of the risk management processes of the administration.
6.4 Unit Risk Coordinator
The Unit Risk Coordinator (URC) is the authorising officer or the person who is determined by the authorising officer. Regarding risk management, the URC:
- Coordinates the identification of the unit's risks that may have an impact on the objectives of the administration and provides relevant guidance at the beginning of the year. The URC associates the risks that are determined with the activities of the sub-units, using their knowledge and expertise, and pays attention to ensure that all important issues are addressed. Important risks included in the risk register are submitted to the ARC to be presented to the ICRSB for consideration.
- Reviews the risk registers and relevant reports that are prepared during the year at periods (such as monthly, quarterly, semi-annually) to be set out by the administration, and reports them to the ARC.
- Monitors the risks managed and reported by the Sub-Unit Risk Coordinators (SURCs) at unit level. Evaluates the changes to the risks or the arising risks, if any, and reports them to the ARC upon approval from the unit director.
- Submits an assurance declaration to the ICRSB on whether the risks are managed effectively.
- Provides feedback to the SURCs regarding the opinions, advice and decisions of the ARC and the ICRSB.
- Determines training needs regarding risk management.
6.5 Sub-Unit Risk Coordinator
The SURC is responsible for the coordination of risk management activities within the sub-units of the units in administrations (if such units exist, or it is seen to be appropriate to manage the risks at this level) and is the person to be determined by the authorising officer. He/she is directly accountable to the URC regarding risk management. Sub-unit risk coordinators must be selected from among those who have sufficient competence and experience.
Regarding risk management, the SURC:
- Coordinates the conduct of the tasks of identifying, assessing, addressing, reviewing and reporting the sub-unit's risks that are associated with the objectives of the administration.
- Reports, in line with the risk strategy of the administration, the recently identified risks that are related to the activities of the sub-unit, those risks with changing scores, and the effectiveness of the controls carried out to decrease these risks to the Unit Risk Coordinator (URC) at periods determined by the URC.
- Is accountable to the URC and furthermore responsible for providing the Administrative Risk Coordinator (ARC) with the requested information and documents.
6.6 Employees
The most important factor for risk management to be successful is the ownership of risk management by employees. Therefore every employee is responsible for managing risks in their field of duty (identifying, assessing, responding to, reviewing and reporting risks).
Regarding risk management, employees:
- Contribute to the risk management processes in their respective units by defining, communicating and responding to the expected, emerging and changing risks.
- Manage the risks within their own fields of responsibility through the power and responsibility assigned to them by the administration.
- Provide evidence to the SURC/URC regarding the effectiveness of the management of risks in their respective fields.
Employees should not hesitate to identify risks and submit them to the relevant risk coordinator. It is important to bear in mind that just one loose screw could cause a plane crash.
6.7 Internal Auditor
The Internal Auditor provides the Head of Administration with advice regarding risk management by evaluating whether the risk management process is effective and whether risks are managed in the right way. Internal Audit can also provide advice on whether any key risks have been overlooked or inappropriately controlled.
6.8 Strategy Development Unit
The Strategy Development Unit (SDU) is responsible for providing training, identifying training needs and facilitating delivery of the necessary training. It is also responsible for identifying best practice in risk management, encouraging such practice to be shared, and providing guidance where necessary.
6.9 Central Harmonisation Unit
The Central Harmonisation Unit (CHU) carries out such activities as making regulations on internal control, including risk management, and activities for the development of risk management. The CHU also provides guidance, ensures harmonisation and inter-administrational coordination, and reports on the effectiveness of risk management.
7. RISK MANAGEMENT PROCESS
Basically, the risk management process should start simultaneously (1) with strategic planning studies. In cases when strategic plans should be renewed or amended, studies concerning risks should be carried out with the current amendments in mind. Within the framework of the risks identified in light of the strategic objectives, the attitude of an administration towards risk management is set out in the Risk Strategy and Policy Paper, with information on risk appetite included. Within this framework, administrations identify risks at strategic, program/project and operational (activity) level. In identifying risks, an administration can start with the strategic level (top-down) or the activity level (bottom-up), or it can start the risk management process by implementing both methods together.
Figure RM2 shows the Risk Management process.
(1) If strategic plans are already prepared, the risk management process should then begin as soon as possible.
RM Figure 2: Risk Management process
The administration should manage the risks at strategic, programme and operational level, as shown in figure RM3.
RM Figure 3: Hierarchy of Risk
[RM Figure 2 residue: Risk Management strategy; Risk Management Process: Identification of risks, Assessment of risks, Responding to risks, Monitoring and reviewing risks]
Administration level: This is the area which covers the whole administration, where decisions related to strategic objectives are made and for which the senior management of the administration is responsible. Strategic objectives are medium and long term objectives and are associated with senior level policy documents. Therefore, while making decisions for the future, decision-makers (top management) have to take into consideration a lot of uncertainties. This is the area where risks have the highest impact. Besides, this is the area which is affected most by external risks such as governmental policies, the general economy and technological developments. This area assumes specific importance as those risks which are not managed well at strategic level affect the other levels as well.
Unit level: This refers to units where the policies of senior management are implemented and which are responsible at the highest level for the usage of public resources within the administration. The impacts of such risks last for a shorter period of time compared to those of the strategic risks. This is the area where units should identify their objectives and manage the related risks for the administration to achieve its strategic objectives. This is the area which is affected by risks both from inside and outside the administration. For risks from upper and lower levels to be assessed and coordinated, it is vital that this level be managed well. Besides, there should be strong communication in this area.
Sub-Unit level: In this area there are only those works which are carried out at operational level with a view to achieving the unit's objectives. The daily activities of all employees fall within the scope of this area. This is the area where short-term decisions are made, products and services are produced, and fewer uncertainties are experienced. This area is affected more by internal risks than external risks. Risks not being managed well at this level may affect the achievement of strategic objectives.
7.1 Identifying Risks
The risk identification process, which is the first stage of risk management, is the process of identifying, categorising and updating the risks that prevent or limit the achievement of the administration's strategic objectives, using previously defined methods. The following box suggests some questions to be considered when starting to identify risks.
RM Box 5: Questions to be considered when starting to identify risks
- What are the main objectives?
- What are the key activities?
- Who are the stakeholders?

RM Box 6: Factors and methods to be taken into consideration during the process of identifying risks
The following should be considered while identifying risks:
- As a generally accepted rule, strategic risks that can affect the administration are determined at the stage of strategic plan preparation, and the risks identified are included in the strategic plan.
- Risks should also be identified at programme and operational level. Programme and operational risks should include all the strategic risks. However, when identifying the programme and operational risks we should not limit our scope to strategic risks but have a wider spectrum.
- When identifying risks, the administration can determine a top-down or bottom-up method, preferably used at the same time.
- Risks identified should be associated with the objectives of the administration. It must be taken into consideration that some risks can indirectly affect the objectives, such as those which damage the reputation of the administration.
- Risks should be identified systematically with previously determined methods. These methods can vary according to the characteristics of administrations and their activities. In this process an administration can either use one or more of the methods defined below or develop a new method in line with its own needs.
- Risks identified should be expressed as 'x' risk or risk that 'x may emerge'. It will be convenient to register them this way in the risk register (see Annex 3 for the risk register form).
- Assess whether the risks identified are internal or external risks:
  o Internal risks are the risks stemming from the events directly controlled by the administration itself. Internal risks can be grouped into three as strategic risks, program risks and activity risks.
  o External risks, on the other hand, are the uncertainties arising due to events that are out of the control of the administration which hamper or prevent the achievement of objectives. While identifying external risks, it will be useful to classify them by their subjects (generally PESTLE analysis is used; see Box RM7).
- After risks are identified, their owner or the person to be responsible for them must be defined, and this information must be included in the risk register.
- Since risk identification is a dynamic process, emerging risks should be identified and changes to the existing risks should be consistently followed up.
How do I identify risks?
- Firstly, decide how to identify the risks, namely at strategic level, operational level or both.
- Identify and categorise the risks (social, cultural, political, scientific, etc.), taking into consideration the threats, opportunities and the scope.
- Decide on the required human resources, tools and methods. Mostly the following methods are used to identify risks. However, administrations can determine different methods other than these in light of their needs:
  o PESTLE analysis (see Box RM7)
  o SWOT analysis (see Box RM7)
  o Brainstorming (this method can be used both for identification and assessment; see Annex 1)
- Group risks as internal and external ones.
- Make a stakeholder analysis (identify the risk tolerance, position and attitude of the stakeholders).
- Repeat the identification regularly and in periods of change.

The following box explains the PESTLE and SWOT analysis.
RM Box 7: PESTLE and SWOT analysis
PESTLE Analysis: PESTLE analysis is the identification of risks by making assessments based on the following categories:
- Political
- Economic
- Social
- Technological
- Legal
- Environmental
Example:
  o Political: change of governmental priorities
  o Economic: inflation rate going above the expected levels
  o Social: population growth rate going much above the expected levels
  o Technological: information processing infrastructure not being set up
  o Legal: cases in courts turning against the administration
  o Environmental: an earthquake striking
SWOT Analysis (In-house analysis):
- Strengths
- Weaknesses
- Opportunities
- Threats
Example:
  o Strengths: specialised personnel
  o Weaknesses: old technology
  o Opportunities: economic growth
  o Threats: sudden policy change
For detailed information refer to the Strategic Planning Guideline for Public Administrations, SPO, June 2009.
The following two boxes give some tips for the process of risk identification and some questions to ask.
RM Box 8: Tips for Risk Identification
What are the tips?
- Whether there is available information regarding the risks, and how accurate it is if any, should be taken into consideration.
- A working group including different fields of expertise would increase the likelihood of identifying new risks.
- Using the brainstorming method yields effective results (see Annex 1).
- Having open communication lines and acting farsightedly are the key points.
RM Box 9: Questions to ask in the process of risk identification
- What could go wrong in the achievement of objectives?
- What are the critical achievement factors?
- Who are our stakeholders, and what can their negative or positive impact be on our activities?
- What are our risk categories (tables, diagrams, etc.)?
- What are our weaknesses?
- Which assets assume more critical importance?
- What areas are open to irregularities and fraud?
- Which events or situations can hamper our activities?
- What are our most critical sources of information?
- In which areas do we spend most?
- Which activities or processes are more complicated?
- In which areas are we subject to penal sanctions?
- What are the legal requirements?
- What are the resource limitations?
7.2 Risk Assessment
Risk assessment refers to analysing the factors that may have an impact on the achievement of the administration's objectives and evaluating the seriousness of the risk in terms of impact and probability. While assessing risks, in addition to the potential events the administration can face, aspects which are specific to the administration (for example the size of the administration, the complexity of its activities, the legislation it is subject to in relation to its activities, its political priorities, public interest) should be considered.
After risks are identified comes the stage where the risks are measured and prioritised. Prioritisation is listing the risks in accordance with their priority, in line with the scores they are given. Risk assessment helps decide whether to respond to identified risks and, if so, to select the best response with regard to the cost/benefit balance.
The following box gives some questions to be considered before starting the risk assessment process.
RM Box 10: Questions to be considered before starting the risk assessment process
- What are the objectives?
- What are the present controls?
- What are the possible results if the risk occurs?
- Do the activities of some other administrations/units affect my risk?
- Who are the stakeholders, and what is their level of experience and expertise?
Three important principles in risk assessment are:
1. Identifying the impact and probability of each risk. In assessment, probability and impact are analysed. Probability refers to the chance of an event occurring in a particular period. Impact, on the other hand, is the outcome or the effect produced.
Three categories are used while assessing risks: low risk level (shown in green), medium risk level (shown in yellow) and high risk level (shown in red). These colours, as in traffic lights, facilitate understanding the degree of importance of the risks. These are shown in the following diagram.
Probability and impact of the risks can also be shown using numbers. In the following diagram, point 1 indicates that there is almost no probability for that risk to occur, while point 10 means that it is almost certain that it is going to occur. In terms of impact, point 1 is used where the outcome of the realisation of a risk has little importance, whereas point 10 means that this outcome is highly important. Risks are scored between 1 and 10 for their probability and impact (see Annex 5). In assessing the impacts and probabilities of risks, one of the methods to be used is the voting method (see Annex 2).
Risk maps are made use of to see the severity of the risks better. A basic demonstration of risks on the risk map is given in the following diagram.
RM Figure 3: Risk map
2. Assessing the risks on the basis of inherent risks and residual risks.
Inherent risk refers to the amount of risk before it is managed or any action is taken. These inherent risks are transferred to the risk register (see Annex 3 for the Risk Register form) after assessing their probability and impact. In assessment, as has been suggested above, the probability and the impact of the risk are scored between 1 and 10. Multiplication of the scores of probability and impact gives the risk score. The administration at this stage must decide on the risk appetite. It must also be set out which risks, placed between which numbers, are low, medium or high risks in accordance with the designated risk strategy of the administration, and the risk map of the administration must be produced in this framework (see Box RM3, Risk Map).
After the risk score has been set, risks are prioritised starting from the one with the highest score. The responses to be given to risks are determined. Controls are identified and applied considering the methods of responding to risks.
The management must identify the level of the remaining risk after the control activities it carries out to manage the risk. Residual risk refers to the remaining risk after an action has been taken to mitigate the probability and impact of a risk. If the level of the residual risk is still higher than the risk appetite, the efficiency and competence of the present control activities must be questioned and, if deemed necessary, the responses to be given to the risks must be reviewed. The following box gives an example of inherent and residual risk.
RM Box 11: Example of inherent and residual risk
Activity: using a car
Inherent risk: having an accident because you are inexperienced
Control action: getting a licence, taking driving courses
Residual risk: another inexperienced driver crashing into your car
3. Recording the risks.
Recording the risks contributes to the prioritisation of the risks and therefore to the efficiency of the allocation of resources and to the production of evidence for the decisions taken; helps people to understand their responsibility within risk management; facilitates the acquisition and communication of information to the right people at the right time via the reporting mechanism; and enables the reviewing and monitoring processes of the risk.
Risk records are reported in two stages: the Risk Register (see Annex 3), used in the identification and registry of risks, and the Consolidated Risk Report (see Annex 4), used for the reporting of risks to the senior managers (see Annex 7 for an example of a completed Risk Register).
The following box gives some tips for the risk assessment process.
RM Box 12: Tips for risk assessment
- Measure the impacts and probabilities of the risks identified for a particular period of time.
- While determining the impact score, assess the impact the risk will have on the objective that is foreseen to be hampered.
- Utilise proper methods in the assessment.
- Bear in mind that the risk assessment of a job can best be made by the person who does this job.
- Note that the activities of other administrations/units can have impacts on your risks, and risks are not independent of each other.
- Utilise such tables as risk maps to be able to see all the risks together.
- Prioritise risks in line with the risk scores (Impact x Probability).
RM Box 13: Example of the Risk Assessment process
You are going to deliver training on your subject of expertise
Your Objective Audience understands the subject you explain
You identify your risks
Risk 1 As you arrive late you may not have sufficient time to deliver the training
Risk 2 You may deliver your presentation using an inappropriate approach as you do not know who
the audience is
Risk 3 You may have difficulty in supporting what you explain as you donrsquot have the softcopy of the
presentation
Letrsquos see the likelihood of the Risks 1 2 and 3 and how it would affect your objectives if they occur
RRRiiissskkk 111 Likelihood The traffic would be bad at that hour In addition you have a lot of other things to do that day
Likelihood 7
Impact You can arrive late but you know the subject very well Even if you deliver it in very short time it still
would be understandable for the audience The impact of arriving late on your objective is 3
Risk Score 7x3 = 21
RRRiiissskkk 222
Likelihood In the letter you have been told what the subject is but not who the audience is and you donrsquot have
the chance to ring someone and learn Likelihood 5
Impact If you are to deliver the training to the experts who already know the issue you get into details but if
your audience is made up of people who donrsquot know anything about it you only draw the general framework
If you cannot learn who the audience is and you deliver the training in detail while the audience is unaware of
the subject and they would not understand or you give little information to the people who already know about
it they would not learn anything new The impact of using the wrong approach in the delivery is 9
Risk Score 5x9 = 45
RRRiiissskkk 333
Likelihood You generally carry your computer around You also have habit to carry your pen drive in your
bag after saving your studies in it Likelihood 2
Impact Even if you donrsquot Project the presentation on the screen you know the subject very well You could
still effectively deliver it to the audience The impact of not having the soft copy with you on your objective 3
Risk Score 2x3 = 6
As shown in the risk map
Imp
act
10 10 20 30 40 50 60 70 80 90 100 9 9 18 27 36 45 54 63 72 81 90 8 8 16 24 32 40 48 56 64 72 80
7 7 14 21 28 35 42 49 56 63 70 6 6 12 18 24 30 36 42 48 54 60 5 5 10 15 20 25 30 35 40 45 50
4 4 8 12 16 20 24 28 32 36 40 3 3 6 9 12 15 18 21 24 27 30
2 2 4 6 8 10 12 14 16 18 20 1 1 2 3 4 5 6 7 8 9 10
1 2 3 4 5 6 7 8 9 10
Likelihood
Prioritisation
1 Risk 2 (Risk Score 45)
2 Risk 1 (Risk Score 21)
3 Risk 3 (Risk Score 6)
(Note that risks are not always assessed according to the scores Some strategic risks should be taken into
consideration even if they have a low score Emergency precautionsplans should be available You may not
always foresee what will happen Your plans should be flexible Therefore you will be able to handle the
situation when something unexpected emerges
49
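The scoring of Box 13 carried through in code, as an added example that is not part of the manual: it builds the Impact x Likelihood map above, places the three risks of the box on it and prioritises them by Risk Score. The likelihood and impact values are the ones given in the box; the short labels R1, R2 and R3 used on the map are an assumption of this example.

```python
"""Risk scoring, risk map and prioritisation as in RM Box 13.

Added example, not part of the manual. Scores use the manual's 1-10 scales and
Risk Score = Impact x Likelihood; the three training risks and their values are
the ones given in the box, the short labels (R1, R2, R3) are assumed here.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    label: str          # short tag shown on the map (assumed, e.g. "R1")
    description: str
    likelihood: int     # 1-10
    impact: int         # 1-10

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 10:
                raise ValueError(f"{self.label}: likelihood and impact must be 1-10")

    @property
    def score(self) -> int:
        """Risk Score = Impact x Likelihood, 1-100."""
        return self.impact * self.likelihood


def risk_map(size: int = 10) -> list[list[int]]:
    """The map from the box: rows are Impact 10 down to 1, columns Likelihood 1 to 10."""
    return [[impact * likelihood for likelihood in range(1, size + 1)]
            for impact in range(size, 0, -1)]


def render_risk_map(risks: list[Risk], size: int = 10) -> str:
    """Plain-text map; a cell occupied by a risk shows its label instead of the product."""
    placed: dict[tuple[int, int], list[str]] = {}
    for risk in risks:
        placed.setdefault((risk.impact, risk.likelihood), []).append(risk.label)
    lines = []
    for impact in range(size, 0, -1):
        cells = []
        for likelihood in range(1, size + 1):
            labels = placed.get((impact, likelihood))
            text = "/".join(labels) if labels else str(impact * likelihood)
            cells.append(f"{text:>6}")
        lines.append(f"I={impact:>2} |" + "".join(cells))
    lines.append("     +" + "-" * (6 * size))
    lines.append("      " + "".join(f"{lk:>6}" for lk in range(1, size + 1)) + "  Likelihood")
    return "\n".join(lines)


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Highest Risk Score first; ties keep their input order (sorted is stable)."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


# The three risks of RM Box 13 with the likelihood and impact values given there.
TRAINING_RISKS = [
    Risk("R1", "Arrive late, not enough time to deliver the training", likelihood=7, impact=3),
    Risk("R2", "Wrong approach because the audience is unknown", likelihood=5, impact=9),
    Risk("R3", "No soft copy of the presentation", likelihood=2, impact=3),
]


if __name__ == "__main__":
    print(render_risk_map(TRAINING_RISKS))
    for rank, risk in enumerate(prioritise(TRAINING_RISKS), start=1):
        print(f"{rank}. {risk.label} {risk.description} (Risk Score {risk.score})")
```

Running the script prints the map with R2 in the Impact 9 / Likelihood 5 cell and the prioritisation R2 (45), R1 (21), R3 (6), matching the box; the note in the box that low-scoring strategic risks may still need attention is a judgement the sort order does not replace.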
7.3 Responding to Risks
Responding to risks refers to setting out the responses to the risks identified and assessed, within the risk appetite of the public administration, by mitigating the potential threats or taking the arising opportunities. Before deciding on the method of responding to risks, a cost/benefit analysis must be carried out. The objective of responding to risks is to mitigate the likelihood of the risk and its impact, and to achieve the foreseen objective in the most efficient manner.

Box RM 14 Questions to consider in responding to risks
- What is the level of risk?
- What happens if no response is given to the risk?
- Which risks must be controlled?
- Which risks can be transferred?
- What are the consequences of resorting to risk aversion as a public administration?
- Is the opportunity good enough to take the risk?

The following figure shows, within the framework of risk appetite, how inherent risk turns into residual risk as a result of responses (controls, actions) (also see Box RM3 Risk Appetite).
RM Figure 4 Risk Indication Table
(OGC's Risk Dashboard, from HM Treasury's publication named Thinking about Risk)
Figure RM4 demonstrates the following:
- Columns 1 and 5: Control activities successfully decrease the inherent risk, so that the remaining risk, called the "residual risk", is reduced to the same level as the risk appetite. Such points, where the risk appetite and the residual risk of an administration overlap, are ideal situations in terms of risk management (cost/effect).
- Columns 2, 3 and 4: Control activities decreased the risk. However, the residual risk is still higher than the risk appetite (tolerable level). This shows that the effectiveness and adequacy of the controls implemented should be questioned, and more control activities should be implemented.
- In column 6, as the inherent risk is equal to the risk appetite, the risk is tolerable. However, these risks should be monitored just as the other risks, because of the possibility of change.
- In column 7, on the other hand, control activities decreased the residual risk below the risk appetite. This shows that more controls than necessary are implemented and resources are not used efficiently. In these over-control cases, control activities should be decreased to a level at which the residual risk is equal to the risk appetite.
There are four methods of responding to risk, and these are shown in the following diagram (Figure RM5).
RM Figure 5 Methods of responding to risk
Methods of responding to risk: Tolerating, Treating, Transferring, Avoiding

Tolerating: This is a passive method of response given to the risks which public administrations are comfortable to undertake. In the following cases risks can be accepted:
- If the inherent risk is within the limits of the risk appetite, then it is accepted.
- When it is understood that the cost of the actions to be taken (controlling, transferring or avoiding) for an intolerable risk would exceed the potential impact of the risk, then the risk is accepted.
- Some risks are out of the control of the management. Certain risks do not disappear unless the activity is terminated, whereas terminating an activity is not always possible or desirable.

Treating: This is a method of response given to a risk by means of control activities carried out with a view to keeping risks at a tolerable level (risk appetite) in public administrations. This method can be applied using the five following controls:
- Preventive Controls
- Corrective Controls
- Directive Controls
- Detective Controls
- Emergency Plans
For detailed information, refer to the Control Activities chapter.

Transferring: This is the response given to risks by taking some of them away from the responsibility of the administration and transferring them to others. (Even if the risks are transferred, the responsibility cannot be transferred, and they need to be managed under the control of the administration, because it is the administration that will be affected when the risks are realised.)
Risk transfer is carried out using the following methods:
- Completely or partly transferring the activity to another administration
- Transferring its operation to third parties using a procurement method
- Transferring it by means of insurance (when appropriate)

Avoiding: If the risk we have to take is too big to manage and there are alternatives to the activity performed, it is possible to terminate this activity. For example, deciding not to build a factory which is expected to cause too much air pollution, or deciding not to purchase the computers that are planned to be purchased because of a budget cut.
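The reading of Figure RM4 (inherent risk, residual risk and risk appetite) and the tolerating rules above, written as one decision routine. This is an added example, not part of the manual or of the OGC dashboard: the five risk positions, their scores on the manual's 1-100 scale and the cost and potential-impact amounts used for the cost/benefit test are constructed for illustration.

```python
"""Reading RM Figure 4 (inherent vs residual risk against the risk appetite) and
applying the tolerate/treat rule of section 7.3.

Added example, not part of the manual. The risks below are constructed: inherent,
residual and appetite are risk scores on the manual's 1-100 scale, and the cost and
potential-impact figures are placeholder amounts used only for the cost/benefit test.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskPosition:
    name: str
    inherent: int                  # risk score before any response
    residual: int                  # risk score after the current controls
    appetite: int                  # tolerable level set by the administration
    treatment_cost: float = 0.0    # cost of controlling/transferring/avoiding (constructed units)
    potential_impact: float = 0.0  # estimated loss if the risk materialises (constructed units)

    def __post_init__(self):
        for value in (self.inherent, self.residual, self.appetite):
            if not 1 <= value <= 100:
                raise ValueError(f"{self.name}: scores must be 1-100")
        if self.residual > self.inherent:
            raise ValueError(f"{self.name}: controls cannot raise residual above inherent risk")

    @property
    def controlled(self) -> bool:
        return self.residual < self.inherent


def read_dashboard(risk: RiskPosition) -> str:
    """Which column of Figure RM4 the risk resembles, with the manual's conclusion."""
    if not risk.controlled:
        if risk.inherent <= risk.appetite:
            return "column 6: inherent risk within appetite, tolerable; keep monitoring"
        return "uncontrolled: inherent risk above appetite, a response is needed"
    if risk.residual > risk.appetite:
        return "columns 2-4: residual still above appetite; question and strengthen controls"
    if risk.residual < risk.appetite:
        return "column 7: residual below appetite, over-control; reduce controls to the appetite"
    return "columns 1 and 5: residual equals appetite, the ideal position"


def response(risk: RiskPosition) -> str:
    """Tolerate/treat decision from section 7.3.

    Tolerate when the inherent risk is within appetite, or when the cost of acting
    would exceed the potential impact; otherwise treat (the choice between treating,
    transferring and avoiding is a judgement the manual leaves to the administration).
    """
    if risk.inherent <= risk.appetite:
        return "tolerate"
    if risk.treatment_cost > risk.potential_impact:
        return "tolerate (cost of action exceeds potential impact)"
    return "treat"


def assess(risks):
    """Dashboard reading and response for every risk, keyed by name."""
    return {r.name: (read_dashboard(r), response(r)) for r in risks}


# Constructed positions, one per dashboard case.
SAMPLE_RISKS = [
    RiskPosition("migration errors", inherent=45, residual=20, appetite=20,
                 treatment_cost=8, potential_impact=100),
    RiskPosition("slow response time", inherent=12, residual=12, appetite=20),
    RiskPosition("vendor dependence", inherent=60, residual=50, appetite=30,
                 treatment_cost=5, potential_impact=80),
    RiskPosition("printer outage", inherent=30, residual=10, appetite=25,
                 treatment_cost=2, potential_impact=10),
    RiskPosition("rare legacy failure", inherent=40, residual=40, appetite=20,
                 treatment_cost=500, potential_impact=60),
]


if __name__ == "__main__":
    for name, (reading, decision) in assess(SAMPLE_RISKS).items():
        print(f"{name}: {reading}; response: {decision}")
```

The "printer outage" case shows why the two readings are kept separate: the risk does need treating (inherent 30 is above the appetite of 25), but the controls in place have pushed the residual well below the appetite, which the figure classifies as over-control.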
The following box summarises the process of responding to risk.
Box RM 15 Process of responding to risk
- List the threats and opportunities according to the analysis results.
- Define your attitude considering the content of the risk:
  o Tolerate
  o Control
  o Transfer
  o Avoid
- Ensure that the benefit that the response will provide is higher than the cost it will bring.

While managing risks, the opportunities they bring along should also be taken into consideration. Alongside negative impacts, risks can also lead to opportunities. In order to be able to take these opportunities, which would make an additional contribution to the achievement of the administration's objectives, the administration must have designated strategies. Taking the opportunity is not an alternative method of responding to risks; rather, it is a method to be applied additionally.
Opportunities are taken in the following cases:
- When taking the opportunity and reducing the threat coexist. For example, carrying out health and scientific research to find a cure for a disease (the disease threat will decrease, and at the same time the opportunity will emerge that costs will decrease, with fewer people going to hospital).
- When opportunities emerge before the negative event occurs. For example, using a new technology to be able to work better, or reaching a greater number of people via e-state.

The following box gives some tips for use when responding to risk.
RM Box 16 Tips for responding to risk
- Prioritising risks helps decide which risk to respond to first.
- As a public administration, while determining the responses to be given to risks, the recipients of the services and the impacts on them must be considered.
- Stay away from over-control measures while responding to risks. Over-control harms the efficiency of the administration as much as insufficient controls do.
- The possibility that acting in coordination with other administrations in responding to risks may be more efficient must be considered.
The following box gives an example of the process of responding to risk.
RM Box 17 Example of the process of responding to risk
Your organisation has decided to buy a new IT system.
You identify your risks:
Risk 1: The new system has inadequate response times.
Risk 2: Data is not transferred accurately from the old IT system to the new system.
Risk 3: You do not have the capability to operate the new IT system.
Risk 4: The new IT system does not work.
What responses can you give to these risks?
Risk 1
Tolerate: You have been assured that the new system has a five second response time, which is similar to the current system, so you decide that it does not need to be quicker.
Risk 2
Treat: You need to introduce controls to make sure that data is transferred accurately.
- Preventive controls: Testing is done on the new IT system before it is introduced, to ensure that data is not corrupted on transfer.
- Corrective controls: Testing is done comparing data transferred from the old system to the data on the new system. This control activity corrects the errors.
- Directive controls: Requirement that IT staff working on developing the new system have adequate skills and experience.
- Detective controls: Testing is done after one year of operating the new system to see if standing data transferred from the old system is accurate.
- Emergency plan: You should make sure that you can revert to using the old system in the event that the new system does not have properly transferred data.
Risk 3
Transfer: You outsource the running of the new system to another organisation which has the relevant expertise.
Risk 4
Avoid: If it is detected during testing that the new IT system is not working, you do not buy this system and search for an alternative IT system.
Take the opportunity
Your new IT system allows you to operate more efficiently, freeing up staff time to do other activities.
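The corrective and detective controls listed for Risk 2 of Box 17 both come down to comparing the data held in the old system with the data that arrived in the new one. The following is an added example of such a comparison, not part of the manual: it fingerprints each record, reports what went missing, what appeared from nowhere and what was altered in transfer, and rebuilds the transferred set from the old system where it differs. The two record sets are constructed, and the use of an "id" field as the record key is an assumption of the example.

```python
"""Reconciliation check for Risk 2 of RM Box 17 (data not transferred accurately).

Added example, not part of the manual. It implements the corrective/detective
control the box describes: compare the records of the old system with those of
the new one and report what is missing, unexpected or altered. The two record
sets are constructed; the key field name "id" is an assumption.
"""
import hashlib
import json


def fingerprint(record: dict) -> str:
    """SHA-256 of a canonical JSON form, so field order and whitespace differences
    are ignored while any change in a value is detected."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def index_by_key(records, key):
    """Map key -> record, refusing duplicate keys (a duplicate would hide a lost row)."""
    indexed = {}
    for record in records:
        k = record[key]
        if k in indexed:
            raise ValueError(f"duplicate key {k!r} in record set")
        indexed[k] = record
    return indexed


def reconcile(old_records, new_records, key="id"):
    """Detective control: which records were lost, invented or changed in transfer."""
    old = index_by_key(old_records, key)
    new = index_by_key(new_records, key)
    return {
        "missing": sorted(set(old) - set(new)),
        "unexpected": sorted(set(new) - set(old)),
        "changed": sorted(k for k in old.keys() & new.keys()
                          if fingerprint(old[k]) != fingerprint(new[k])),
        "total_old": len(old),
        "total_new": len(new),
    }


def transfer_accepted(result) -> bool:
    """Acceptance criterion: nothing missing, unexpected or changed."""
    return not (result["missing"] or result["unexpected"] or result["changed"])


def corrected_records(old_records, new_records, key="id"):
    """Corrective control: rebuild the new set from the old records wherever the
    transferred copy is missing or differs, keeping the old system as the source of truth."""
    old = index_by_key(old_records, key)
    new = index_by_key(new_records, key)
    result = reconcile(old_records, new_records, key)
    for k in result["missing"] + result["changed"]:
        new[k] = dict(old[k])
    for k in result["unexpected"]:
        del new[k]
    return [new[k] for k in sorted(new)]


# Constructed sample: three records in the old system, a flawed transfer in the new one.
OLD_SYSTEM = [
    {"id": 1, "name": "Ayse", "balance": "100.00"},
    {"id": 2, "name": "Mehmet", "balance": "250.50"},
    {"id": 3, "name": "Fatma", "balance": "0.00"},
]
NEW_SYSTEM = [
    {"balance": "100.00", "name": "Ayse", "id": 1},   # same data, fields in a different order
    {"id": 2, "name": "Mehmet", "balance": "250.5"},  # trailing zero lost on transfer
    {"id": 4, "name": "Ali", "balance": "10.00"},     # record that never existed in the old system
]


if __name__ == "__main__":
    findings = reconcile(OLD_SYSTEM, NEW_SYSTEM)
    print("findings:", findings, "accepted:", transfer_accepted(findings))
    repaired = corrected_records(OLD_SYSTEM, NEW_SYSTEM)
    print("after correction accepted:", transfer_accepted(reconcile(OLD_SYSTEM, repaired)))
```

Run before go-live it is the preventive test of the box; run a year later against standing data it is the detective control. The "emergency plan" of the box (reverting to the old system) is exactly what the check's negative result should trigger.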
7.4 Reviewing Risks
Risks can change in terms of their impact and likelihood due to various changing conditions or measures taken. Furthermore, it is also possible that new risk areas are formed due to changing conditions. Therefore, all the aspects of the risks identified and the risk management process should be reviewed at least on a regular basis. Reviews can be carried out at frequencies to be set by the administration according to the level of importance of the risks.
In the event that extraordinary developments take place and these have a serious impact on the risks, the Administrative Risk Coordinator (ARC), upon the spoken or written instruction of the head of administration, organises an emergency meeting of the Internal Control and Risk Steering Board to assess the risks. For example, natural disasters, economic crises and early election resolutions are extraordinary developments.
Reviewing the risks and reviewing the risk management process are two different processes, and the fact that one of them is carried out does not necessarily mean that the other is carried out as well. Whereas each risk is reviewed by its respective owner, the risk management process is reviewed by the Head of Administration and/or the ARC. Reviewing risks regularly provides flexibility in adapting to changing conditions.
Risks are reviewed as follows:
- Whether risks still exist, new risks have arisen, or the likelihood or impact of a risk has changed is reviewed.
- Priority should be given to key risks (those with the highest probability and impact) during a review. Other risks should be reviewed later.
- While reviewing strategic risks, first and foremost amended policy papers (if any), developments in other countries, expectations of the public for that period, Internal Audit Reports, Inspection Reports, External Audit Reports and other relevant reports and documents should be considered.
- In the light of the developments, if there have been any changes to the risk profile, the risk register of the administration/unit/sub-unit must be reviewed.
- The change must be communicated to the risk coordinator at the next senior level within five working days.
- By reviewing the prioritisation of the key/main risks, the assessment results should be submitted within five working days by the ARC to the ICRSB in a revised Risk Report.
- The results of the assessment will be discussed by the ICRSB, and the report is then submitted to the Head of Administration by the ARC.
- The conclusion and evaluation part of the report must include remarks on whether the risk management process provides the necessary assurance and whether new measures are needed or not:
  o Do we give reasonable assurance on the successful management of risks?
  o Do we give reasonable assurance on the effective implementation of the control activities?
The process of reviewing risks is summarised in Box RM18, and questions to consider are listed in Box RM19.

RM Box 18 Process for reviewing risk
- Set out a review period depending on the characteristics of the activity.
- Review the most critical risks first and frequently.
- During the review, assess the probability and impact of the risks for that period.
- Decide whether the risk is still a threat.
- Identify whether new risks have arisen for that period.
- The condition of the control activities must be reviewed according to the change in the risk. It would be appropriate to eliminate an activity which became pointless as the risk has disappeared.
- Record the identified findings on the risk register.
- Report the risks of every level.
- Changes regarding the risks are reflected in the risk register; however, in emergencies the managers must be informed as soon as possible.

RM Box 19 Questions to consider in the risk review process
- What are the changes in the environmental conditions?
- What are the changes that impact on the operation of the activity?
- How do the changes affect the administration?
- Are the present controls sufficient to address the changing situation?
- Is there sufficient evidence that the controls are effective?
- It would be useful to take into consideration the policy papers of the government and the administration while assessing risks.

7.5 Communication and Reporting
Communication, within the context of risk management, refers to the accurate and timely conveyance of the right information to the relevant people through various mechanisms. Communication is a vital process which needs to be effectively applied in all phases of risk management.
The following are important to communicate:
- The administration's objectives, policies and procedures
- The risk management strategy
- The numbering system in the risk assessment stage and the measurement mechanisms
- Which controls are convenient in responding to risks
- How well risks are managed, when reviewing risks
It is important to bear in mind that this vertical and horizontal communication is mutual (communication and feedback).
To ensure effective communication, the issues in Box RM20 should be considered.
RM Box 20 Issues for effective communication
- Who will communicate with whom, and in which format?
- Who is responsible to whom, and about what?
- How should the communication with higher levels be carried out?
- How does the communication with the Minister work?
- Who will communicate what information to which levels?
- How is the accuracy of information ensured?
- The expectations of top management from the employees regarding risk management should be clearly defined and conveyed to all employees.

In addition to internal communication, efficient communication lines are needed with the partners, where the services provided require partnerships, and with the citizens or NGOs who are affected directly or indirectly by the services provided by the administration. Therefore, while the administration is producing its Risk Strategy and Policy Paper, it should prepare an efficient communication plan which regulates the internal and external communication, and share it with all stakeholders.
Reporting has a direct impact on the decision-making processes in risk management. The reports should be as short and accurate as possible and demonstrate the evidence regarding the evaluations; they should be relevant and submitted to the relevant people where necessary. Reporting must be carried out within the administration both vertically and horizontally. It should be explicitly set out who will report to whom, and with what frequency, in the risk management process. Reporting will be done in the forms to be determined by administrations and in pre-determined periods, using at least the information contained in the forms shown in the Annex to this Manual. When deemed necessary, administrations can develop different forms other than the forms contained in the Manual.
Within the scope of this chapter of the manual, Risk Management can be demonstrated via the following diagram.
RM Figure 6 Risk Management Process
[Diagram labels: Administration's Mission; Strategic Plan and Performance Programme; Budget; Annual Management Plan (Activities, Processes, Projects); Identify; Measure (impact x probability); Prioritise; Tolerate; Control; Transfer; Avoid; Take the opportunities; Operational Level; Unit Level; Administration Level; Risk Assessment; Assess; Manage; Monitor; Risk Register; Control Activities; Monitoring and Evaluation]
7.6 Learning
Learning needs to be enriched through systematic training tools and disseminated to the target groups using the most effective method. Depending on the target group, such methods as conferences, seminars, workshops, trainings, hands-on trainings, internships, exchanging information via various communication channels, and sharing best practices, failures or mistakes would facilitate learning the risk management processes and establish a basis for risk management practices in the corporate sense.
Addressing risks largely depends on experience. Previous experiences, and making everyone aware of successful and unsuccessful practices via a strong communication network, would facilitate more effective and faster addressing of risks. In particular, conveying the positive and negative experiences about emerging risks and the methods of handling them to the stakeholders, and learning what could go wrong, can only be ensured if a method that focuses on learning from mistakes is adopted and learning experiences are shared. Therefore, it will be useful to use the peer review method within the administration. In this method, units learn how the others at the same hierarchical level manage risks, and they can adopt good practice examples in their own units.
Sharing risk management experiences with external stakeholders, especially organisations experienced in this field, could not only help administrations develop new methods but also ensure a more efficient use of risk management resources.
RISK MANAGEMENT ANNEXES
ANNEX 1 Using the brainstorming method to identify, assess and record risks
Step 1
Collect together in the same room all members of the Unit or Sub-Unit, or all staff who work on a project or on a business process. Identify an appropriate facilitator (see Box RM 21) to guide the brainstorming workshop. The brainstorming would be most effective if it is facilitated by an independent person who has experience of facilitating brainstorming.
(Note: this can also be done by collecting all senior managers in an Administration to brainstorm strategic risks.)
Requirement for Step 1: all attendees of the brainstorming should be fully familiar with the Sub-Unit, Unit, project/business process or Administration respectively.

RM Box 21 Role of the facilitator
- Encourage the workshop attendees to all participate in identifying risks.
- Watch out for duplication of similar risks (if two risks are very similar, consider amalgamating them).
- Ensure that all attendees vote on the impact and likelihood of the identified risks.
- Encourage attendees to challenge each other's scores, defend their own, or change them if they think appropriate.
- Ensure that the risk scores are accurately entered in the spreadsheet and prioritised.
- Action plan the response to risks, starting with the highest priority.
- For each response, ensure responsibility is allocated to a named individual.
- Ensure for each response that a review and reporting date is identified (exact date).

Step 2
Once all brainstorming attendees are assembled as per Step 1, first clarify what the objectives of the Sub-Unit/Unit, project/business process or Administration respectively are. These may be included in the strategic plan or, for sub-units, may not previously have been identified. Think widely: are there other objectives that are not included? All attendees should agree that these are the objectives before proceeding to Step 3.
Step 3
All attendees at the brainstorming should brainstorm: what are the risks to the achievement of each of the objectives identified in Step 2? This can be done as one group or, for larger brainstorming sessions, in pairs or sub-groups. Risks identified by the brainstorming should be recorded in the risk voting form in Annex 2 (columns 3, 4 and 5), clarifying which objective(s) might not be achieved if the risk happens.
Step 4
Once all risks are identified, all brainstorming participants should vote on what they think the likelihood and impact of the risk are, using the guidance for scoring in the risk management chapter of this manual. These votes should be recorded on the risk voting form. In line with the number of participants, the number of the related columns can be increased (Columns 6, 7, 8 and 10, 11, 12). (For scoring impacts and probabilities, see Annex 5 Risk Assessment Criteria Table.)
Step 5
Once initial votes are recorded on the risk voting form, where there are large variations between the highest and lowest score for likelihood and/or impact for a particular risk, the individual(s) who gave the highest score should first of all justify why they gave the high score and try to convince the others why they should increase their score. The individual(s) who gave the lowest score should then justify why they gave the low score and try to convince the others why they should decrease their score. After these justifications have been given, an opportunity should be given to all who were convinced by any of the justifications to change their score.
Step 6
The risks identified should be listed in decreasing order of the product (Column 14) of the average impact (Column 9) and the average probability score (Column 13) from the brainstorming. The participants should be asked if the result is what they expected. Does what they considered to be their most significant risk have the highest score? If not, look at the voting again and consider if it needs to be changed.
Step 7
Once brainstorming participants are satisfied with the prioritisation of the risks, complete the other columns of the risk register (Annex 3), starting with the highest priority risk.
Step 8
If the risk which is written in column 5 of the Risk Register arises from an event which will occur at a particular date (e.g. elections), column 6 of the Risk Register, namely the time frame column, can be completed by writing how much time before the date the risk is expected to materialise (e.g. a month, three months, etc.). The column can be left blank if timing is not important.
Step 9
When identifying control activities, consider whether the risk level is within the risk appetite for that particular risk or not, and what control(s) would be most cost-effective and would mitigate the risk best by reducing the impact and/or the likelihood of the risk materialising. Also consider what the existing controls are, whether these are currently effective and whether they can be improved, or whether it would be more cost-effective to introduce new additional control(s) in addition to or instead of the existing control(s). Complete the related columns in line with the explanations in the table (Columns 11 and 12 in the Risk Register).
Step 10
The form will have been fully completed when the other columns are completed, taking into consideration the instructions in the Risk Register Form.
The following box gives some suggestions for ground rules for brainstorming.
RM Box 22 Suggested ground rules for brainstorming
- There is no such thing as a bad idea
- One person speaking at a time
- Active participation
- Keep to the timetable
- The facilitator is in charge (if there is one)
- Open discussion, but no personal criticism
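The arithmetic of Steps 4 to 6 on the risk voting form, as an added example that is not part of the manual or of the Annex 2 form itself: every participant's likelihood and impact votes are averaged (columns 13 and 9), the product gives the column 14 score, the risks are listed in decreasing order of that score, and risks whose votes spread widely are flagged for the Step 5 discussion. The votes are constructed, and the spread of 4 points at which a risk is flagged is an assumption of this example, since the manual says only "large variations".

```python
"""Risk voting form arithmetic from Annex 1, Steps 4 to 6.

Added example, not part of the manual. Each participant votes a likelihood and an
impact (1-10) per risk; the averages go to columns 13 and 9 of the Annex 2 form,
their product to column 14. The votes are constructed, and the spread at which a
vote is flagged for the Step 5 discussion (4 points) is our assumption, since the
manual only says "large variations".
"""
from statistics import mean

DISCUSSION_SPREAD = 4   # assumed threshold for a "large variation" between highest and lowest vote


def aggregate_votes(votes):
    """votes: {risk name: [(likelihood, impact), ...]} with one pair per participant.

    Returns, per risk, the average probability (col 13), average impact (col 9),
    the score (col 14) and the spread of the raw votes used for Step 5.
    """
    results = {}
    for risk, ballots in votes.items():
        if not ballots:
            raise ValueError(f"no votes recorded for {risk!r}")
        likelihoods = [l for l, _ in ballots]
        impacts = [i for _, i in ballots]
        for value in likelihoods + impacts:
            if not 1 <= value <= 10:
                raise ValueError(f"{risk!r}: votes must be between 1 and 10")
        avg_l, avg_i = mean(likelihoods), mean(impacts)
        results[risk] = {
            "avg_probability": round(avg_l, 2),
            "avg_impact": round(avg_i, 2),
            "score": round(avg_i * avg_l, 2),
            "probability_spread": max(likelihoods) - min(likelihoods),
            "impact_spread": max(impacts) - min(impacts),
        }
    return results


def needs_discussion(results, spread=DISCUSSION_SPREAD):
    """Step 5: risks whose highest and lowest vote differ by `spread` or more."""
    return sorted(risk for risk, r in results.items()
                  if r["probability_spread"] >= spread or r["impact_spread"] >= spread)


def prioritised(results):
    """Step 6: risk names in decreasing order of the column 14 score."""
    return [risk for risk, _ in sorted(results.items(),
                                       key=lambda item: item[1]["score"], reverse=True)]


# Constructed votes from three participants for three risks.
VOTES = {
    "Key staff leave before go-live": [(6, 8), (7, 9), (5, 8)],
    "Budget cut mid-year": [(3, 9), (8, 9), (4, 8)],
    "Office printer outage": [(9, 1), (8, 2), (9, 1)],
}


if __name__ == "__main__":
    results = aggregate_votes(VOTES)
    for rank, risk in enumerate(prioritised(results), start=1):
        r = results[risk]
        print(f"{rank}. {risk}: P={r['avg_probability']} I={r['avg_impact']} score={r['score']}")
    print("discuss before finalising:", needs_discussion(results))
```

Note that the score is the product of the averages, as Step 6 says, and not the average of each participant's own product; the two differ once votes disagree, and the form's layout (separate average columns 9 and 13 feeding column 14) fixes which one is meant.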
ANNEX 2 Risk Voting Form: This form is used to calculate the risk score after risks are identified.
ANNEX 3 Risk Register: This is a form used to report the status after risks identified at administration/unit/sub-unit level are recorded.
RISK REGISTER
Administration/Unit/Sub-unit: ..........
Date: ..../..../20....
Columns of the form (1 to 14):
1 Serial no
2 Reference No
3 Strategic Objective
4 Unit's Objective
5 Risk Identified (Risk / Reason)
6 Time frame
7 Probability
8 Impact
9 Risk score (R) (colour bands 45-100, 9-44, 1-8)
10 Change (Direction of risk)
11 Current/New/Additional control activities
12 Starting date
13 Risk owner
14 Monitoring and Reporting

Columns
1 Serial no: shows the sequencing in the risk register.
2 Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist. The same code is not given to another risk.
3 Strategic Objective: This is the column in which the code of the strategic objective related to the risk, as shown in the strategic plan, is written.
4 Unit's objective: If the risk register is completed at unit/sub-unit level, the objective of the unit which is directly or indirectly related to the strategic objectives of the administration and can be affected by the risk is written in this column; if the risk register is completed at administration level, then this column is left blank.
5 Risk Identified: Description of the risk. Reason: The reasons which cause the risk to occur.
6 Time frame: If the risk arises from an event which will occur at a particular date (e.g. elections), this column can be completed by writing how much time before the date the risk is expected to materialise (e.g. a month, three months, etc.). The column can be left blank if timing is not important.
7 Probability: The probability value determined by using the Risk Voting Form (Annex 2) (between 1-10). While determining this score, it may be useful to list the related control activities, actions taken and related regulations. In this way, the probability that the risk will materialise notwithstanding the actions taken can be determined.
8 Impact: The impact value determined by using the Risk Voting Form (Annex 2) (between 1-10). While determining this score, it may be useful to list the related control activities, actions taken and related regulations. In this way, what the impact of the risk will be if it happens, notwithstanding the actions taken, can be determined.
9 Risk Score (R = I x P): The risk score determined by multiplying the probability and impact scores in the Risk Voting Form (Annex 2) (between 1-100). See below for an explanation of the colours to use.
10 Change (Direction of risk): This is the column in which the change in the status of the risk is shown in the light of the previous risk register. It can be shown, according to the administration's preference, in writing such as up/down/stable, or by means of direction signs. If there is no previous risk register, then it is stated as "New".
11 Current/New/Additional control activities: Current control activities are written in this column. It is assessed whether these activities are still needed or not; if not, they are removed. It is also assessed whether the current control activities are appropriate or sufficient. If the calculated risk score is above the desired level, taking into consideration the current control activities, then the new or additional control activities which are planned are written in this column.
12 Starting date: The exact date that new/additional control activities will start to be implemented.
13 Risk owner: The person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, does the monitoring, keeps records of achievements and failures about control activities, and ensures that evidence which shows that the risk is managed is kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.
14 Monitoring and Reporting: When to review and to whom to report risks are written in this column.
Colours
- High risk (risk score 45-100)
- Medium risk (risk score 9-44)
- Low risk (risk score 1-8)
- No sufficient information to assess the risk: it is included in the risk register and a risk owner is identified for collecting sufficient information.
Note: In the event that a new risk is identified during the year, the employee identifying this risk reports it to the senior manager. If the manager decides this is a risk which needs to be managed, then this risk is registered in the risk register form and approved by the relevant manager.
ANNEX 4 Consolidated Risk Report
This is the form which enables the corporate risks of an administration to be submitted to the senior manager as a report composed of a few pages.
CONSOLIDATED REPORT
(Corporate Risks)
Administration/Unit/Sub-unit: ..........   Date: ..../..../20....
Columns of the form (1 to 8):
1 Serial No
2 Reference No
3 Strategic Objective
4 Risk Identified
5 Status: Previous risk score and colour (45-100 / 9-44 / 1-8)
6 Status: Current risk score and colour (45-100 / 9-44 / 1-8)
7 Risk Owner
8 Explanation

Columns
1 Serial no: shows the sequencing in the risk register.
2 Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist. The same code is not given to another risk.
3 Strategic Objective: This is the column in which the code of the strategic objective related to the risk, as shown in the strategic plan, is written.
4 Risk Identified: Description of the risk.
5 Previous risk score and colour: shows the status of the risk in the previous Consolidated Risk Report.
6 Current risk score and colour: shows the status at the date of the report.
7 Risk owner: The person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, does the monitoring, keeps records of achievements and failures about control activities, and ensures that evidence which shows that the risk is managed is kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.
8 Explanation: Information about the effectiveness of control activities and foresight for the future are given in the explanation section.
Colours
- High risk (risk score 45-100)
- Medium risk (risk score 9-44)
- Low risk (risk score 1-8)
- No sufficient information to assess the risk: it is included in the risk register and a risk owner is identified for collecting sufficient information.
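The register arithmetic of Annex 3 and Annex 4 in code, as an added example that is not part of the manual or of its forms: the colour band for a risk score (the 45-100, 9-44 and 1-8 bands of the Annex 3 legend, with the "no sufficient information" case), the "Change (Direction of risk)" column derived by matching the previous register on the reference number, and the previous/current score and colour pair that the Consolidated Report shows. The two registers, the reference number format "IT-01" and the column set kept for each row are constructed for this example.

```python
"""Register update arithmetic from Annex 3 and Annex 4: the colour band of a risk
score, the 'Change (Direction of risk)' column (column 10 of the register) and the
rows of the Consolidated Risk Report (previous and current score and colour).

Added example, not part of the manual. The bands are the ones stated in the
Annex 3 colour legend; the registers and reference numbers below are constructed.
"""

HIGH_MIN, MEDIUM_MIN = 45, 9   # bands from the legend: 45-100 high, 9-44 medium, 1-8 low


def risk_score(probability, impact):
    """Column 9, R = I x P on the 1-10 scales; None when either score is not yet assessed."""
    if probability is None or impact is None:
        return None
    for value in (probability, impact):
        if not 1 <= value <= 10:
            raise ValueError("probability and impact must be 1-10")
    return probability * impact


def colour_band(score):
    """Colour legend of Annex 3; the fourth entry covers a risk not yet assessed."""
    if score is None:
        return "insufficient information"
    if score >= HIGH_MIN:
        return "high"
    if score >= MEDIUM_MIN:
        return "medium"
    return "low"


def direction(previous_score, current_score):
    """Column 10: 'New' when there was no scored entry in the previous register,
    otherwise up/down/stable (or 'not assessed' while the current score is missing)."""
    if previous_score is None:
        return "New"
    if current_score is None:
        return "not assessed"
    if current_score > previous_score:
        return "up"
    if current_score < previous_score:
        return "down"
    return "stable"


def consolidate(previous_register, current_register):
    """Rows of the Annex 4 report. Registers are keyed by reference number (column 2),
    which the manual says never changes while the risk exists, so it links the two."""
    rows = []
    for ref, row in current_register.items():
        prev_row = previous_register.get(ref)
        prev = risk_score(prev_row["probability"], prev_row["impact"]) if prev_row else None
        cur = risk_score(row["probability"], row["impact"])
        rows.append({
            "reference_no": ref,
            "risk": row["risk"],
            "previous": (prev, colour_band(prev)) if prev_row else (None, None),
            "current": (cur, colour_band(cur)),
            "change": direction(prev, cur),
            "risk_owner": row["owner"],
        })
    # Highest current score first; unassessed risks go last so they are still visible.
    rows.sort(key=lambda r: (r["current"][0] is None, -(r["current"][0] or 0)))
    return rows


# Constructed registers for the IT system of RM Box 17, before and after a review.
PREVIOUS_REGISTER = {
    "IT-01": {"risk": "Data not transferred accurately", "probability": 5, "impact": 9, "owner": "IT manager"},
    "IT-02": {"risk": "Inadequate response times", "probability": 3, "impact": 4, "owner": "Service desk lead"},
}
CURRENT_REGISTER = {
    "IT-01": {"risk": "Data not transferred accurately", "probability": 4, "impact": 9, "owner": "IT manager"},
    "IT-02": {"risk": "Inadequate response times", "probability": 3, "impact": 4, "owner": "Service desk lead"},
    "IT-03": {"risk": "Supplier ceases support", "probability": 7, "impact": 7, "owner": "Procurement lead"},
    "IT-04": {"risk": "Unknown data quality in archive", "probability": None, "impact": None, "owner": "Records officer"},
}


if __name__ == "__main__":
    for row in consolidate(PREVIOUS_REGISTER, CURRENT_REGISTER):
        print(f"{row['reference_no']} {row['risk']}: previous {row['previous']} "
              f"current {row['current']} change {row['change']} owner {row['risk_owner']}")
```

The band edges are inclusive at 9 and 45, as the legend's ranges 1-8, 9-44 and 45-100 leave no gap between them; an unassessed risk keeps its row, with a named owner, rather than disappearing from the report.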
ANNEX 5 Risk Assessment Criteria Table
The value range column of the table runs from 10 (highest) down to 1 (lowest). The rows below give the criteria for each band, for probability and for impact; impact is assessed in four areas: strategy, activities, financial, and compliance with legislation.

High
Probability: risks which are almost certain to occur within 5 years. Taking the structure of the administration into consideration, they generally arise from policies and procedures. The wider the activity area of the administration, the more likely it is that the risky event occurs.
Impact on strategy: risks which can have a major impact on attaining strategic objectives. These are risks which are generally faced in the long term but which can cause the administration to divert from its objectives if they occur.
Impact on activities: risks which cause the administration/unit/sub-unit not to provide the service it has to provide in an effective and efficient way.
Financial impact: risks which will cause heavy financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts above the acceptable level should be treated as a high risk.
Compliance with legislation: risks which will place a large obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation. Such risks are typically seen in areas where the legislation is too complicated and unclear.

Medium
Probability: risks which are likely to occur within 5 years. These are generally risks that the administration/unit/sub-unit, or administrations with a similar structure, have faced before.
Impact on strategy: risks which can have a certain level of impact on attaining strategic objectives.
Impact on activities: risks with a certain level of impact on the ability of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way.
Financial impact: risks which will cause a certain level of financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts within the acceptable level should be treated as a medium risk.
Compliance with legislation: risks which will create a certain level of obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Low
Probability: risks with a low probability of occurrence within 5 years. These are generally risks that the administration/unit/department faces very rarely; they have almost no likelihood of occurrence.
Impact on strategy: risks which have the least impact on attaining strategic objectives. Their impact is generally small and covers a limited area.
Impact on activities: risks with little impact on the ability of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way.
Financial impact: risks which will cause little financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts below the acceptable level should be treated as a low risk.
Compliance with legislation: risks which will place a small obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Unknown
Probability: where there is no basis for estimating the likelihood of the risk occurring within 5 years, the risk is shown in blue until it can be clearly identified with more data.
Impact on strategy: the impact of the risk, should it occur, on the strategic objectives of the administration could not be determined.
Impact on activities: the impact of the risk, should it occur, on the activities could not be determined.
Financial impact: the financial impact of the risk, should it occur, could not be determined.
Compliance with legislation: the impact of the risk, should it occur, in case of non-compliance with the legislation could not be determined.

Note on unknown risks: either the risk has recently emerged, no data has been obtained regarding its status and there is insufficient data for analysing it, or it is a risk which occurred previously but for which there is insufficient data for analysis. Information should be gathered as soon as possible so that an analysis can be made and an opinion formed.
ANNEX 6 Case Study: Example of Inherent and Residual Risk
This case study illustrates the concepts of inherent and residual risk, and also how a risk owner can obtain information from several different control owners to monitor the extent to which the risk they are responsible for is successfully mitigated by the existing controls.
The scenario concerns a storage warehouse for gold bars, a risk owner who is the store manager, a risk that gold bars are stolen, and four controls:
a) An IT system control recording bars in and out and the balance held for each working day; daily printouts are sent by the IT manager to the risk owner.
b) An independent company comes in once a month to perform a stocktake count of the gold bars in the warehouse, which it reconciles with the relevant stock printout from the IT manager. Any variance in the stock held is investigated and explained where possible. The independent company provides a monthly report to the risk owner on the results of its work, detailing any unexplained variances (which could potentially be incidences of theft).
c) Security guards: professionals guarding access to the warehouse 24 hours a day, 7 days a week, ensuring that only authorised staff have access to the warehouse and that all bags are put through a metal detector on leaving, so that gold bars are not smuggled out (gold bars are too heavy to be easily hidden on the person). On recruitment, a criminal record check is made on the security guards to ensure that they have no prior convictions for theft. The security guards report weekly to the risk owner on their work.
d) An alarm system: any incidence of it being set off is reported by the security guards to the risk owner. Regular (weekly) checks on the functioning of the alarm system are carried out by the security guards, with the result of each check included in their reports to the risk owner.
The inherent risk, in the absence of the above four controls, would be considered high (a high probability that bars would be stolen and a high impact, as gold bars are expensive). This would be above the risk appetite, and consequently the four controls would be designed to mitigate the risk of the gold bars being stolen, the foreseen effect being that the residual risk is reduced. (Note that all four control measures combined mitigate only the probability of the gold bars being stolen, not the impact.)
The risk owner would gather evidence as to the effectiveness of the four controls. If they were found to be effective, he would consider whether the risk had been successfully mitigated to within the risk appetite (the likely answer is yes, unless a further new control or a strengthening of the existing controls is considered necessary because the risk appetite is very low due to the high impact, i.e. the organisation is very risk averse).
If one or more of the four controls is found by the risk owner to be ineffective, it is likely that the risk would still be at a level above the risk appetite, and so the risk owner would need to escalate the issue to his line manager, suggesting methods for further mitigating the risk (either by introducing an additional control or by strengthening the control(s) that had been found to be ineffective).
ANNEX 7 Case Study Example of completed Risk Voting Form Risk Register and Consolidated Risk Report
CONTROL ACTIVITIES
1 Introduction
Control activities (also referred to as controls) are actions aimed at reducing the impact and/or the likelihood of a risk occurring, and thus increasing the probability of attaining the goals and objectives of the organisation or of part of it. Control activities are introduced on the basis of a completed risk assessment. Management must plan, organise and direct sufficient control activities to obtain reasonable assurance that the tasks and goals will be achieved. Control activities cover both financial and non-financial controls, and they should be designed and implemented as a whole for all the activities of the administration.
This section of the manual, within the framework of the internal control standards, looks at how procedures should be developed as control activities to ensure that risks to achieving administrative objectives are managed effectively.
2 Control Activities Standards
Administrations, while identifying and implementing their control activities, take into account the following standards.
CA Box 1 Internal Control Standards
Standard 7 Control strategies and methods
The administrations shall determine and implement control strategies and methods which aim to achieve the objectives and are suitable for the risk response.
Standard 8 Determination and documentation of procedures
The administrations shall prepare and update the written procedures which are required for administrative activities as well as for financial decisions and transactions and for arrangements relevant to these areas, and shall give the relevant personnel access to these documents.
Standard 9 Segregation of duties
With a view to reducing the risks of fault, flaw, error, irregularity and corruption, the duties of approval, implementation, recording and control of financial decisions and transactions shall be allocated among different personnel.
Standard 10 Hierarchical controls
The administrators shall systematically check the compliance of work and transactions with the procedures.
Standard 11 Continuity of activities
The administrations shall take the necessary measures for the continuity of their activities.
Standard 12 Information system controls
The administrations shall develop control mechanisms in order to ensure the continuity and security of information systems.
[Figure: the components of internal control: Control Environment, Risk Management, Control Activities, Information and Communication, Monitoring]
3 Planning Process of Control Activities
Control activities can be regarded as the means by which administrations get through the challenges they experience in carrying out their activities. Control activities should be designed within the framework of a cost-effectiveness analysis, in a way that directly facilitates the attainment of objectives. When introducing control activities, the heads of organisations must weigh the expected benefit against the costs of their introduction and implementation. Control activities should ideally be built into processes and systems at the time these processes and systems are set up, because introducing control activities at a later stage is more expensive and less efficient.
For controls to be effective, control activities must be understandable, applicable and consistent. A good control strategy addresses how to implement the controls as well as identifying them; at this point the administrative, financial and physical capacity of the administration should be taken into consideration.
Another important point in planning control activities is the evaluation of the effectiveness of the controls implemented: whether the aim of implementing the control is commensurate with the targeted results, and whether the expected cost is in line with the actual cost. Regular review of control activities in the light of changing circumstances is also an important part of evaluating effectiveness.
Administrations should take the following basic requirements into consideration when identifying control activities.
CA Box 2 Basic Requirements: Planning of control activities
In order to be effective, control activities must be
adequate (the right control in the right place at the right level, and commensurate to the risk involved)
cost-effective (the costs of implementing a control should not exceed its benefits)
comprehensive, understandable and directly related to the control objectives
documented clearly
evaluated as a whole so that they are consistent in their operation
carried on until their effectiveness is evaluated
4 Classification of control activities
Control activities are generally classified as follows. Administrations should implement the following basic requirements as a minimum standard; they can implement additional control activities depending on the nature of the risk.
4.1 Preventive controls
These are controls carried out to reduce the likelihood of risks occurring and to prevent, as far as possible, the undesirable outcomes that may emerge when they do. Examples: ex-ante financial control operations; applying the principle of segregation of duties to prevent fraud or irregularities.
CA Box 3 Basic requirements: Preventive Controls
security of physical and intangible rights (intellectual assets etc.) and records
physical safeguarding of assets
recording of financial/management information
access controls such as passwords, identity cards and guards, and
segregation of duties in order to avoid conflicts of interest
4.2 Corrective controls
These are controls aimed at reducing the impact of the undesirable outcomes that stem from the threats the risks pose. Examples: placing provisions regarding the reimbursement of undue payments in agreements; setting the guarantee period in advance.
CA Box 4 Basic requirements: Corrective Controls
identifying methods for recovery from loss or damage which would affect the activities negatively
taking appropriate action to correct or eliminate the differences identified
4.3 Directive controls
These are controls applied to reach a certain end. Examples: provision of training on protection against possible threats; use of protective materials (masks, special clothing etc.); preventive medical practices (messages about hand-washing during epidemics, publishing leaflets).
CA Box 5 Basic requirements: Directive Controls
an approved organisation chart that is constantly updated to reflect organisational changes
manuals or written procedures, brochures, booklets, posters and other similar documents on implementation
established, clear and documented definitions of the responsibilities and tasks for resources, activities, programmes, projects, objectives and targets
assigning tasks and responsibilities taking into account the relevant skills and experience of staff
delegating authority, based on the organisational structure and responsibilities, so that jobs are done effectively; the delegation should be documented
establishing effective means of communication throughout the organisation, and
establishing clear reporting methods
4.4 Detective controls
These are controls applied to identify the damage and losses experienced once risks have materialised. Examples: conformity controls carried out after spending has taken place in order to identify responsibility; controls performed to detect negligence by experts or authorities.
CA Box 6 Basic requirements: Detective Controls
periodic counts/physical inventories
comparison of the counts/inventories with the records
methods for the identification and analysis of differences
5 Methods of control activities
The main methods of control are described below. Administrations may also implement other ex-ante and ex-post control methods based on the requirements of their organisational structure and field of activity.
Ex-ante controls are controls applied, in the light of the appropriate procedures, before the activity takes place, whereas ex-post controls are controls performed by management, using pre-identified methods, after the activity has taken place.
CA Box 7 Tips for control activities
The following points should be considered when control activities are identified.
When determining control activities and allocating resources to them, it may be necessary to give priority also to risks with a high probability and low impact, which rank low in the prioritisation list formulated according to the risk scores.
Preparing emergency plans, as well as control activities, for risks with a very high probability and impact is of great importance.
Reducing both the probability and the impact of internal risks is possible with control activities.
Reducing the probability of external risks, on the other hand, may not be within the control of the administration. However, mitigating the impact of such risks is possible with proper risk management.
When responding to risks, over-controlling should be avoided. Both over-control and under-control can undermine the effectiveness of the controls.
Depending on the nature of the risk, several control methods can be used at once if deemed necessary.
Have the costs and benefits of implementing the control activities been analysed?
Have the new control activities been piloted to see if they are having the desired effect?
Are the control activities operating effectively as planned? Is the required evidence on the controls collected and analysed periodically?
After a reasonable period of time, are the new control activities and the existing controls being continued functioning as expected? Do you report this to the manager/risk coordinator?
CA Box 8 Factors to be determined when identifying control activities
Which unit/who will conduct the activities
Deadlines of the activities
Necessary resources for the activities to be conducted
Critical achievement factors
How to document the activities
Monitoring processes for the activities
5.1 Authorisation and approval
Managers should introduce appropriate rules and procedures for decision-making, authorisation and approval, taking into account the following. Decision-making and approval shall be carried out only by authorised persons. Authority means that operations are initiated only by persons acting within their powers. Observance of the order of authorisation requires employees to act in accordance with directions and within the limits set by the manager of the organisation or by legislation. The procedures for authorisation should include specific conditions and the delegation of powers by managers to employees for the performance of particular activities. Approval is the endorsement (certification) of transactions, data or documents whereby processes, actions, proposals and/or their consequences are completed or validated.
5.2 Segregation of duties
To minimise the risk of errors, irregularities and violations, and of their non-detection, managers should introduce rules stipulating that different employees be responsible for the implementation of two or more key stages of an operation, process or activity. To ensure effective checks and to strike a balance in the implementation of an operation, responsibilities shall be segregated in a manner which precludes an employee from being responsible simultaneously for approval (decision-making), implementation, accounting and control.
In organisations with fewer staff this segregation is more difficult to implement. In such cases the manager may consider combining two of the specified activities and compensating for the absence of this control mechanism with another, e.g. rotation of employees, rotation of duties or additional management checks. Thus the risk of a single person dealing with more than one key aspect of an operation, process or activity for an unjustifiably long period of time can be reduced.
5.3 Double signature system
The double signature system is a procedure to ensure the accuracy of the data included in a document. The method is applied in non-financial processes such as the provision of information to top management (reports, information notes, statistics etc.) and appointment orders, and before financial obligations such as the signing of contracts and the making of payments (payment orders etc.). This makes it possible, especially in financial transactions, for the person responsible for the accounting entries to know about pending obligations or payments and to perform the due accounting procedures. The double signature system gives assurance that the procedures are carried out by authorised staff.
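The following is an added example, not part of this manual, showing how the segregation of duties rule in 5.2 and the double signature rule in 5.3 can be checked mechanically against a register of role assignments and a payment order. All names, processes, dates and the 90-day tolerance for a combined duty are assumptions; the manual sets no figure for what counts as an unjustifiably long period.

```python
"""Segregation-of-duties and double-signature checks over a role register.

Added example, not from the manual. The people, processes, dates and the
90-day tolerance are constructed assumptions.
"""
from datetime import date

# The four key stages the manual says must not sit with one person at once.
KEY_STAGES = ("approval", "implementation", "accounting", "control")
MAX_COMBINED_DAYS = 90          # assumed tolerance; take it from the administration's own policy
REPORT_DATE = date(2024, 6, 1)  # constructed "today" for the check

# Constructed register: (person, key stage, process, date the assignment began)
ASSIGNMENTS = [
    ("ayse",  "approval",       "payments",    date(2024, 1, 1)),
    ("ayse",  "implementation", "payments",    date(2024, 1, 1)),   # same person approves and executes
    ("burak", "accounting",     "payments",    date(2024, 1, 1)),
    ("ceren", "control",        "payments",    date(2024, 1, 1)),
    ("deniz", "approval",       "procurement", date(2024, 3, 1)),
    ("deniz", "accounting",     "procurement", date(2024, 5, 20)),  # small unit: combined, but compensated
]

# Combinations the manager has accepted together with a recorded compensating control.
COMPENSATED = {("deniz", "procurement"): "monthly additional management check; duties rotated quarterly"}


def sod_conflicts(assignments, today, compensated=None, max_combined_days=MAX_COMBINED_DAYS):
    """Find people holding two or more key stages of the same process.

    A pair of stages is tolerated only if a compensating control is recorded for
    it and it has not yet outlived the tolerance. Three or more stages, or an
    uncompensated or overlong pair, is reported as a violation.
    """
    compensated = compensated or {}
    held = {}
    for person, stage, process, start in assignments:
        if stage not in KEY_STAGES:
            raise ValueError(f"unknown key stage {stage!r}")
        held.setdefault((person, process), {})[stage] = start

    findings = []
    for (person, process), stages in sorted(held.items()):
        if len(stages) < 2:
            continue
        combined_since = max(stages.values())   # the day the last conflicting stage was added
        days = (today - combined_since).days
        reason = compensated.get((person, process))
        status = "tolerated" if (len(stages) == 2 and reason and days <= max_combined_days) else "violation"
        findings.append({
            "person": person, "process": process,
            "stages": tuple(sorted(stages)), "days_combined": days,
            "status": status, "compensating_control": reason,
        })
    return findings


def validate_payment_order(order, authorised_signatories):
    """Double-signature check before a payment is released.

    Requires two distinct signatures, both from authorised signatories, and
    neither from the person who prepared the order. Returns a list of problems;
    an empty list means the order may be paid.
    """
    problems = []
    signers = list(order["signatures"])
    if len(set(signers)) < 2:
        problems.append("fewer than two distinct signatures")
    for s in signers:
        if s not in authorised_signatories:
            problems.append(f"{s} is not an authorised signatory")
        if s == order["prepared_by"]:
            problems.append(f"preparer {s} signed their own order")
    return problems


if __name__ == "__main__":
    for finding in sod_conflicts(ASSIGNMENTS, REPORT_DATE, COMPENSATED):
        print(finding)
    order = {"id": "PO-2024-017", "prepared_by": "burak", "amount": "1500.00",
             "signatures": ["ayse", "ceren"]}
    print(validate_payment_order(order, {"ayse", "ceren", "deniz"}))
```

The "tolerated" status appears only when both conditions the manual sets for small organisations hold: the manager has recorded a compensating control for that person and process, and the combination has not outlived the tolerance. Anything else, including three or more stages held at once, is reported as a violation for escalation.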
5.4 Reconciliation of data
Procedures should also guarantee that data from different documents and sources are matched to confirm their consistency. For example, accounting entries relating to bank accounts are reconciled with the corresponding bank statements, and invoice data are matched with the warehouse receipt.
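As an added example, not part of this manual, the routine below performs the reconciliation described here in 5.4 and in control (b) of the gold-bar case study in Annex 6: two sources keyed by item are matched, every variance is listed, and the variances for which the investigation found no documented explanation are reported separately, since those are the ones the control owner's monthly report must surface to the risk owner. The bar identifiers, weights, invoice references, amounts and the recorded explanation are all constructed.

```python
"""Reconciling two record sources and isolating unexplained variances.

Added example, not from the manual. All data below is constructed.
"""
from decimal import Decimal

# Constructed: the IT system's stock printout on the day of the stocktake (bar id -> kg)
SYSTEM_PRINTOUT = {
    "BAR-0001": Decimal("12.4"), "BAR-0002": Decimal("12.4"),
    "BAR-0003": Decimal("12.5"), "BAR-0004": Decimal("12.4"),
}
# Constructed: what the independent company physically counted the same day
STOCKTAKE_COUNT = {
    "BAR-0001": Decimal("12.4"), "BAR-0002": Decimal("12.4"),
    "BAR-0004": Decimal("12.4"), "BAR-0005": Decimal("12.3"),
}
# Constructed: explanations documented during the investigation (item -> reason)
EXPLANATIONS = {"BAR-0005": "received at 14:00; goods-in slip GR-778 not yet keyed into the system"}

# Constructed: the same routine applied to accounting entries against the bank statement
LEDGER = {"INV-101": Decimal("1500.00"), "INV-102": Decimal("250.00"), "INV-103": Decimal("80.00")}
BANK_STATEMENT = {"INV-101": Decimal("1500.00"), "INV-102": Decimal("205.00"), "INV-103": Decimal("80.00")}


def reconcile(recorded, observed):
    """Match two sources keyed by item and return every variance as a tuple
    (kind, key, recorded_value, observed_value), where kind is
    'missing'  : recorded but not observed (the system says a bar is held but it was not counted: possible theft)
    'surplus'  : observed but not recorded (e.g. an unrecorded receipt)
    'mismatch' : present in both with different values (e.g. a transposed amount)."""
    variances = []
    for key in sorted(set(recorded) | set(observed)):
        if key not in observed:
            variances.append(("missing", key, recorded[key], None))
        elif key not in recorded:
            variances.append(("surplus", key, None, observed[key]))
        elif recorded[key] != observed[key]:
            variances.append(("mismatch", key, recorded[key], observed[key]))
    return variances


def unexplained(variances, explanations):
    """Variances with no documented explanation: what the report must list for the risk owner."""
    return [v for v in variances if v[1] not in explanations]


def reconciliation_report(recorded, observed, explanations):
    """What the control owner sends the risk owner: totals, all variances, and the open ones."""
    variances = reconcile(recorded, observed)
    open_items = unexplained(variances, explanations)
    return {
        "items_recorded": len(recorded),
        "items_observed": len(observed),
        "variances": variances,
        "unexplained": open_items,
        # Only a clean period counts as evidence that the control is working.
        "clean": not open_items,
    }


if __name__ == "__main__":
    print(reconciliation_report(SYSTEM_PRINTOUT, STOCKTAKE_COUNT, EXPLANATIONS))
    print(reconciliation_report(LEDGER, BANK_STATEMENT, {}))
```

Keying both sources by the same identifier (bar number, invoice reference) is what makes the comparison mechanical; an explanation must be tied to a specific item, so a variance cannot be waved away without the item being named.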
5.5 Supervision procedures
Supervision should be carried out on a daily basis by line managers on the assignment of work and its performance. Assignment of work by line managers does not reduce their own responsibility for the performance of the work. Line managers should give staff the necessary directions and instructions to ensure understanding and to avoid error and fraud in the discharge of their duties. Line managers should also apply these procedures to assure themselves that the tasks assigned are carried out correctly.
5.6 Ex-ante financial controls
Ex-ante financial control is a control performed to check the compliance of the financial decisions and operations of administrations regarding their income, expenditure, assets and liabilities with the budget of the administration. Further checks are carried out against the available appropriation, the expenditure programme, the financing programme, and the provisions of the central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently. The purpose of ex-ante control is for managers to obtain reasonable assurance of the compliance of such decisions/actions with the legislation and the performance programme [2].
5.7 Procedures for accounting operations
Procedures should ensure that the accounting for all financial transactions on a given date is complete, true, accurate and timely. Their purpose is to support correct decisions from which financial consequences arise. These procedures should be developed in accordance with the relevant legislation and public accounting standards.
[2] Please see the regulation on procedures and principles on internal control and ex-ante financial control for further details.
5.8 Anti-corruption
There should be rules and procedures for the warning, examination, detection and reporting of administrative weaknesses, discrepancies and violations which create the conditions for corruption, fraud and irregularities.
Anti-corruption procedures include
preventive controls
a system for checking, detecting and reporting early indications of corruption, fraud and irregularities
whistleblowing procedures (for more information please refer to the Information and Communication section), and
a set of procedures for reporting irregular activities to the competent external authorities, such as the Prosecutor's Office
5.9 Access to assets and information
Managers must ensure that only authorised persons responsible for the safeguarding and/or use of assets and information have access to them. Restricting access to assets reduces the risk of their misuse or wrongful utilisation and protects the organisation from losses. The degree of restriction depends on the vulnerability of the assets and information and on the risks of loss or misuse. When determining the vulnerability of assets, the manager shall consider their value, their transportability and the possibility of their being exchanged for cash.
5.10 Documentation, archiving and storing of information
Procedures for documentation, archiving and storing of information shall be introduced to support the performance of operations, the taking of correct managerial decisions and the control of processes in an organisation. Documentation involves developing written evidence of decisions made, events that occurred, actions and transactions performed, etc. The documentation must be complete, accurate and timely.
The documentation procedures include those for document circulation, describing the order of circulation and use of documents produced and received. The documentation procedures must allow every document, action and process in the organisation to be traced, stating precisely who performed what, how and when, and the purpose and type of act/document issued as a result.
According to the terminology adopted by the European Commission, this comprises an audit trail. Its establishment helps achieve
transparency
tracing of the processes in the organisation from their initiation to their completion, and
tracing the segregation of functions by decision-making, performance, accounting and control.
The audit trail shall state what procedures and transactions exist, who the responsible persons are, what documents are drawn up, what systems for the management and control of data flows exist, and in what form the results are presented.
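As an added example, not part of this manual, the class below keeps an audit trail of the kind described here: every entry records who performed what, how and when, and for which document, so that a document's history can be traced from initiation to completion and the segregation of decision-making, performance, accounting and control can be read off. Chaining each entry to the hash of the previous one is an added hardening beyond what the manual requires, so that an entry edited or removed after the fact is detected. The persons, document identifier and timestamps are constructed.

```python
"""A tamper-evident audit trail: who did what, how, when, to which document.

Added example, not from the manual. Hash-chaining is an added hardening;
the manual itself only requires traceability. All data is constructed.
"""
import hashlib
import json


class AuditTrail:
    GENESIS = "0" * 64   # previous-hash value carried by the first entry

    def __init__(self):
        self.entries = []

    def record(self, when, who, what, how, document):
        """Append one entry. 'what' is the function performed (decision,
        implementation, accounting, control), 'how' the act or document produced,
        'when' an ISO-8601 timestamp supplied by the caller."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "when": when, "who": who, "what": what,
                 "how": how, "document": document, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry):
        # Canonical JSON of everything except the hash itself, so the digest is reproducible.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

    def verify(self):
        """Return None if the chain is intact, otherwise the index of the first bad entry
        (an edited field, a broken link to the previous entry, or a gap in the sequence)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def trace(self, document):
        """The full history of one document, in order: (when, who, what, how)."""
        return [(e["when"], e["who"], e["what"], e["how"])
                for e in self.entries if e["document"] == document]

    def actors_by_stage(self, document):
        """Who performed each function for a document, so a reviewer can see
        whether decision-making, performance, accounting and control were segregated."""
        stages = {}
        for e in self.entries:
            if e["document"] == document:
                stages.setdefault(e["what"], set()).add(e["who"])
        return stages


def sample_trail():
    """Constructed trail for one payment order passing through the four functions."""
    t = AuditTrail()
    t.record("2024-05-02T09:15:00Z", "ayse",  "decision",       "approved PO-2024-017 (memo 31)", "PO-2024-017")
    t.record("2024-05-02T10:40:00Z", "burak", "implementation", "payment order issued",          "PO-2024-017")
    t.record("2024-05-03T08:05:00Z", "ceren", "accounting",     "journal entry 4471 posted",     "PO-2024-017")
    t.record("2024-05-10T16:30:00Z", "deniz", "control",        "ex-post check, no findings",    "PO-2024-017")
    return t


if __name__ == "__main__":
    trail = sample_trail()
    print(trail.verify())                  # None: intact
    print(trail.trace("PO-2024-017"))
    print(trail.actors_by_stage("PO-2024-017"))
    trail.entries[1]["who"] = "ayse"       # someone rewrites who issued the order
    print(trail.verify())                  # 1: the altered entry is found
```

In practice the trail would be written to append-only storage and the latest hash periodically copied somewhere the writers cannot reach, so that truncating the trail at the end is also detectable; verification of the chain alone only catches changes to entries that are still present.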
Archiving procedures must ensure the chronological and systematic filing of documents about past events, decisions and actions concerning the organisation. There should be specific guidelines describing in detail the procedures for establishing, completing, using and destroying the archive.
The procedures for the storage of information shall ensure the physical preservation of the information media (paper and/or electronic) as well as the preservation of the content without change, so that the information provides a true and fair view of the facts, decisions and actions relating to the organisation.
5.11 Business continuity (or emergency plans)
Adequate measures are in place to ensure continuity of service in case of an interruption to business as usual. Business continuity plans are in place to ensure that the entity is able to continue operating, to the extent possible, whatever the nature of a major disruption.
5.12 Control activities related to Information Technology (IT)
IT systems entail specific types of control activities which should be introduced in organisations by their managers. These control mechanisms for information systems fall into two major groups: general controls and application controls.
General controls apply to all operations and contribute to their proper implementation. Application controls include both procedures programmed into the software product itself and procedures that must be carried out manually in order to control the processing of the different operations. General controls are needed for the application controls to function; the absence of sufficient general controls cannot be offset by application controls.
General controls usually cover information analysis and processing centres, the installation and maintenance of software products, and the definition of access to information:
controls for information analysis and processing centres: the organisation and planning of work, the intervention of the respective administrators/operators, procedures for saving and subsequently using information, back-ups and contingency plans
software controls: the acquisition, installation and maintenance of the software products necessary for the maintenance of the entire system and for the processing of software applications
access definition controls: these ensure protection against unauthorised access. Access definition restricts users by allowing them to use and perform operations only with particular software products, thus ensuring segregation of responsibilities.
General software controls built in during the development of the system entail detailed application tests and allow the logic of the program to be checked, and whether all errors will be detected. After the system is built, the controls for access to and maintenance of the system give assurance that nobody can use or change the applications without the appropriate authorisation, and that all necessary changes are made in accordance with the established procedure for authorisation and approval.
Application controls support internal control by preventing the entry of wrong data into the system and by detecting and correcting errors, based on automated checks of data form and content. The prevention and detection of these errors is programmed into the respective application. Application controls analyse the data on-line (as it is entered into the system), provide immediate feedback when an error is detected and ensure that it is corrected at once.
The use of both types of controls provides assurance that the information is analysed and processed completely, correctly and accurately.
5.13 Assessing costs and benefits of control activities
After the initial selection of control activities to reduce the impact of risks, risk owners should evaluate the costs and expected benefits of each control activity. If the costs of a control activity exceed its expected benefits, it should not be selected.
6 Practical Stages for Control Activities
Practical steps for control activities are briefly indicated in the following table. Since control activities are linked to risks, points on risk management are provided in stages 1, 2 and 3, whereas points on control activities are provided in stages 4 and 5. For further details on stages 1, 2 and 3 please refer to the risk management chapter.
CA Table 1: Stages for control activities
Stage 1: Identify objectives
Stage 2: Identify risks to achieving objectives
Stage 3: Select the method of responding to risks: accepting, controlling, transferring, avoiding, taking the opportunity
Stage 4: Select the control method(s): preventive, detective, corrective, directive
Stage 5: Select the type of control activities: authorisation and approval; segregation of duties; double signature system; reconciliation of data; supervision; ex-ante controls (checking compliance with the law); accounting covering all financial processes; anti-corruption; access to assets and information; documentation, archiving and information storage; business continuity; and information technology. Or refer to CA Annex 2, List of common control activities.
7 Steps to identify and implement control activities
Step 1: When assessing their risks, administrations review their systems and processes to determine whether they have existing controls to mitigate those risks. (Administrations implementing risk management in the framework of the principles in this manual for the first time should list and evaluate all existing control activities. Control activities that do not match the objectives and risks of the administration should be terminated.)
Step 2: Administrations assess whether these existing controls are effective/sufficient in mitigating the risks.
Step 3: If there are no existing controls, or the existing controls are not effective/sufficient, new and/or additional control activities are determined. (To help decide which control activities to select, refer to the list of control activities in Annex 2.) In this step it is useful to consider the following:
it may be appropriate to select more than one control activity
any new control activities selected must be evaluated for cost-effectiveness, and
appropriate control activities should be tested beforehand.
Step 4: No new control activities are foreseen for high risks that are managed effectively/sufficiently by the existing controls; those existing control activities should continue.
Step 5: Once the risk register has been approved, risk owners put the new control activities in place and ensure that monitoring of both the new controls and the existing controls being continued starts at the predetermined date.
Step 6: Stakeholders are notified in writing about the control activities and whether they are working effectively.
Step 7: When reporting risks in the Consolidated Risk Report (Risk Management Annex 4), the risk owner notifies the manager/risk coordinator how well the new control activities and the existing controls being continued are working. This reporting involves writing a summary of what has happened, identifying the impact of the new control activities and of the existing controls being continued, and attaching any evidence to the report as an annex.
Control Activities Annexes
Annex 1: Examples of some common risks and controls
Each entry gives a common risk followed by possible control activities, with the control type in brackets.

Risk management
Risk: risks are not being managed effectively and so the organisation's objectives may not be achieved.
Controls: risk workshops are organised to determine risks, allocate owners, determine controls and decide how their operation is monitored (corrective).

Cash management
Risk: cash holdings could be stolen.
Controls: cash is kept locked away and access to it is strictly controlled (preventive); there is segregation of duties for staff who have access to cash (preventive); cheques and other payment forms are serially numbered (preventive).

Asset management
Risk: assets could be stolen.
Controls: physical controls, for example using a safe (preventive); separation of duties, authorisation levels and passwords (preventive); tagging of goods, reconciliations and stock counts (detective).

Document control
Risk: documents received could be lost.
Controls: keeping a register that shows where all received documents are filed (preventive).
Risk: because document control procedures are not clear and specific, decisions are not taken on time.
Controls: the document control procedure defines the controls needed to approve documents for adequacy prior to issue; ensure that changes and the current revision status of key documents (strategic plan, performance programmes etc.) are identified; ensure that previous versions of applicable documents are available at points of use; ensure that the distribution of sensitive and classified documents is controlled; and identify documents that should be archived (all preventive).

Planning and budgeting
Risk: budget resources may be spent inappropriately.
Controls: an effective planning/budgeting process (preventive); staff have received training in budget preparation (preventive); comparison of interim and final accounts and activity reports with the strategic plan, performance programme and budget (detective).
Risk: financial information may not be accurate and complete.
Controls: financial information is stored and reported on the computer (preventive).

Procurement
Risk: error and fraud could occur in the procurement process.
Controls: separation of duties between staff making decisions, staff selected for the tender commission and staff involved in payments (preventive); applying ex-ante controls to the award decision before the signing of the contract (preventive); random checks on transactions by authorised staff (detective); identifying purchasing thresholds (preventive); a requirement to seek the ex-ante approval of a senior manager or the Minister for some high-value procurements (double signature system) (preventive); and regular rotation of staff who have critical responsibilities in the procurement process (preventive).

Stores
Risk: unauthorised removal of goods from store.
Controls: physical stock checks against inventory records (detective).
Risk: goods ordered but not delivered on time, or partially delivered.
Controls: including penal provisions in the contract regarding any failure to
deliver goods on time ndash corrective
Comparison between invoices goods
delivery notes and the contract ndash
detective
Revenue management
Delays in submitting tax statements on
time and the failure to collect revenues
on a timely basis
Incentives for timely submission of tax
statements (advance warning
posters etc) - directive
Incentives for on-line submission of tax
statements - preventative
Penalties for late submission ndash
preventative
Contingency planning
Major lsquoincidentrsquo destroys important data A Business Contingency Plan exists
86
Common Risks Possible Control Activities
has been tested and kept up to date
- preventive
IT security
Unauthorised staff may obtain access to
computerised data
Personal identifiers and passwords ndash
preventative
Review of on-line access and
transaction logs ndash detective
Master files may be changed
inappropriately
Supervisor authorisation required on
forms indicating data to be changed
- preventive
Supervisor does not have change
access rights - preventive and
Supervisor verifies changes against a
printout of changes - detective
87
Annex 2 - List of common control activities

Risk management
  Appropriate risk management policies, procedures, techniques and mechanisms exist for each of the organisation's activities.
    - Management has ensured that all relevant objectives and associated risks for each significant activity have been identified in conjunction with conducting the risk assessment and analysis function.
    - Management has identified the actions and control activities needed to address the risks and directed their implementation.

Implementing control activities
  The control activities identified as necessary are in place and being applied.
    Management has ensured that:
    - control activities described in policy and procedures manuals are actually applied, and applied properly;
    - managers and employees understand the purpose of internal control activities; and
    - nominated staff review the functioning of established control activities and remain alert for instances in which excessive control activities should be minimised.
    For existing control activities, look out for:
    - Guidance: it is likely that there will be official guidance about how to carry out your work.
    - Documentation: there may be standard document control procedures to ensure that new documents are registered and filed, changes to documents are recorded, and documents no longer in use are archived.
    - Checking the work of others: this is a basic control activity that can involve a supervisor or manager checking the work of staff, staff in one section checking the work of staff in another section, or computer checks. There may also be a requirement for transactions to be checked by the SDU under the ex-ante control regulation.
    - Security: protecting documents, cash and assets; and
    - Contingency arrangements: ensuring the continuation of essential services in the event of a service failure.

Performance monitoring
  Senior management track outturn in relation to its operational and performance plans.
    - Top management are involved in developing annual performance plans and targets, and in measuring and reporting results against those plans and targets.
    - Top management regularly review actual performance against budgets, forecasts and prior period results.
    - Top management take appropriate corrective action when progress reports indicate that performance is significantly out of line with plans.
  Operational managers review actual performance against targets.
    - Managers at all activity levels review performance reports, analyse trends and measure results against targets.
    - Managers review and compare financial, budgetary and operational performance to planned or expected results.
    - Appropriate control activities are employed, such as reconciliations of summary information to supporting detail, checking the accuracy of summarisations of operations, and checking the reliability of data sources and data systems.
    - Comparisons are made relating different sets of data to one another so that analyses of the relationships can be made and corrective actions can be taken if necessary.
    - Investigation of unexpected results or unusual trends leads to identification of circumstances in which the achievement of goals and objectives may be threatened, and corrective action is taken.
    - Analysis and review of performance indicators and results are used for both operational and financial reporting control purposes.

Quality of performance measures and indicators
  The organisation monitors the quality of performance measures and indicators.
    - The organisation periodically reviews and validates the propriety and integrity of performance measures and indicators.
    - Performance measurement assessment factors are evaluated to ensure they are linked to mission, goals and objectives, are balanced, and set appropriate incentives for achieving goals while complying with law, regulations and ethical standards.
    - Actual performance data is continually compared against planned goals, and differences are analysed to establish whether the right things are being measured in the right way.

Human resource management
  The organisation effectively manages its workforce to achieve results.
    - A clear and coherent shared vision of the organisation's mission, goals, values and strategies is explicitly identified in the strategic plan, annual performance plan and other guiding documents, and that view has been clearly and consistently communicated to all employees.
    - The organisation has a coherent overall manpower planning strategy, as evidenced in its strategic plan, performance plan or a separate manpower planning document, and that strategy encompasses manpower planning policies, programs and practices to guide the organisation.
    - The organisation has a specific and explicit workforce planning strategy that is linked to the overall strategic plan and that allows for identification of current and future manpower planning needs.
    - Senior leaders and managers support teamwork, reinforce the shared vision of the organisation and encourage feedback from employees, as evidenced by actions taken to communicate this to all employees and by the existence of opportunities for management to obtain feedback.
    - The organisation's performance management system is given a high priority by top-level officials, and it is designed to guide the workforce to achieve the organisation's shared vision/mission.
    - Procedures are in place to ensure that staff with appropriate competencies are recruited and retained for the work of the organisation, including a formal recruiting and hiring plan with explicit links to the skill needs the organisation has identified.
    - Employees are provided with the information, training and tools to perform their duties and responsibilities, improve performance, enhance their capabilities and meet the demands of changing organisational needs.
    - Qualified and continuous training is provided to ensure that internal control objectives are being met.
    - Meaningful, honest, constructive performance evaluation and feedback are provided to help employees understand the connection between their performance and the achievement of the organisation's goals.

Information processing
  The organisation uses a variety of control activities suited to information processing systems to ensure accuracy and completeness.
    - Edit checks are used in controlling data entry.
    - Accounting for transactions is performed in numerical sequences.
    - File totals are compared with control accounts.
    - Exceptions or violations indicated by other control activities are examined and acted upon.
    - Access to data files and programs is appropriately controlled.

Physical control over vulnerable assets
  The organisation uses physical controls to secure and safeguard vulnerable assets.
    - Physical safeguarding policies and procedures have been developed, implemented and communicated to all staff.
    - The organisation has developed a disaster recovery plan which is regularly tested, updated and communicated to staff.
    - The organisation has developed a plan for the identification and protection of any critical infrastructure assets.
    - Assets that are particularly vulnerable to loss, theft, damage or unauthorised use, such as cash, securities, supplies, inventories and equipment, are physically secured and access to them is controlled.
    - Assets such as cash, securities, supplies, inventories and equipment are periodically counted and compared to control records, and exceptions are examined.
    - Cash and negotiable securities are maintained under lock and key, and access to them is strictly controlled.
    - Forms such as blank cheques and purchase orders are sequentially pre-numbered and physically secured, and access to them is strictly controlled.
    - Mechanical cheque signers and signature plates are physically protected, and access to them is strictly controlled.
    - Equipment vulnerable to theft is securely fastened or protected in some other manner.
    - Identification plates and numbers are attached to office furniture and fixtures, equipment and other portable assets.
    - Inventories, supplies and finished items/goods are stored in physically secured areas and protected from damage.
    - Facilities are protected from fire by fire alarms and sprinkler systems.
    - Access to premises and facilities is controlled by fences, guards and/or other physical controls.
    - Access to facilities is restricted and controlled during non-working hours (alarms, CCTV, etc.).

Separation of duties
  Key, high-risk and sensitive duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud.
    - No one individual is allowed to control all key aspects of a transaction or event.
    - Responsibilities and duties involving transactions and events are separated among different employees with respect to authorisation, approval, processing and recording, making payments or collection of income, review and auditing, and the custodial functions and handling of related assets.
    - Duties are assigned systematically to a number of individuals to ensure that effective checks and balances exist.
    - Where feasible, no one individual is allowed to work alone with cash, securities or other assets.
    - The responsibility for opening mail which contains cash is assigned to individuals who have no responsibilities for, or access to, files or documents pertaining to accounts receivable or cash accounts.
    - Bank accounts are reconciled by staff who have no responsibilities for cash receipts, disbursements or custody.

Authorisation for transactions or events
  Appropriate staff are authorised for transactions and other significant events.
    - Controls ensure that only valid transactions and other events are initiated or entered into, in accordance with management decisions and directives.
    - Controls exist to ensure that all transactions and other significant events are authorised and executed only by employees acting within the scope of their authority.
    - Authorisations are clearly communicated to managers and employees and include the specific conditions and terms under which authorisations are to be made.
    - The terms of authorisations are in accordance with directives and within the limitations established by law, regulation and management.
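The separation of duties and authorisation rules in the two categories above can be enforced mechanically before a payment is released, rather than relying on review after the fact. The Python below is an added illustration, not code from the manual or from any administration's system: the four incompatible duties, the approver limit table and the sample transactions are constructed assumptions chosen to mirror the control activities listed above.

```python
"""Separation-of-duties and authorisation checks for a payment transaction.

Added illustration, not code from the manual. The four incompatible duties,
the approver limit table and the sample transactions are constructed
assumptions chosen to mirror the control activities listed above.
"""
from dataclasses import dataclass

# Assumed authorisation table: approver -> maximum amount they may approve.
# The manual's "specific conditions and terms under which authorisations are
# to be made", reduced here to a single monetary limit per approver.
APPROVAL_LIMITS = {
    "manager.aydin": 10_000,
    "director.kaya": 50_000,
}

# Duties the manual requires to be held by different employees:
# initiating, approving, paying and recording the same transaction.
INCOMPATIBLE_DUTIES = ("initiated_by", "approved_by", "paid_by", "recorded_by")


@dataclass(frozen=True)
class Transaction:
    ref: str
    amount: float
    initiated_by: str
    approved_by: str
    paid_by: str
    recorded_by: str


def check_transaction(tx, limits=APPROVAL_LIMITS):
    """Return the list of control violations; an empty list means the transaction passes."""
    findings = []

    # Separation of duties: each incompatible duty must be held by a distinct person.
    duty_of = {}
    for duty in INCOMPATIBLE_DUTIES:
        person = getattr(tx, duty)
        if person in duty_of:
            findings.append(f"{tx.ref}: {person} holds both {duty_of[person]} and {duty}")
        else:
            duty_of[person] = duty

    # Authorisation: the approver must be on the authorisation table and the
    # amount must be within the limit established for that approver.
    limit = limits.get(tx.approved_by)
    if limit is None:
        findings.append(f"{tx.ref}: {tx.approved_by} is not an authorised approver")
    elif tx.amount > limit:
        findings.append(
            f"{tx.ref}: amount {tx.amount:.2f} exceeds {tx.approved_by}'s limit of {limit}"
        )
    return findings


def screen_batch(transactions, limits=APPROVAL_LIMITS):
    """Map each failing transaction reference to its findings (passing ones are omitted)."""
    report = {}
    for tx in transactions:
        findings = check_transaction(tx, limits)
        if findings:
            report[tx.ref] = findings
    return report


# Constructed sample transactions: one clean, one where the initiator also
# pays, one over the approver's limit, one large payment approved at the right level.
SAMPLE = [
    Transaction("PAY-1", 8_000, "clerk.a", "manager.aydin", "cashier.b", "accountant.c"),
    Transaction("PAY-2", 8_000, "clerk.a", "manager.aydin", "clerk.a", "accountant.c"),
    Transaction("PAY-3", 20_000, "clerk.a", "manager.aydin", "cashier.b", "accountant.c"),
    Transaction("PAY-4", 20_000, "clerk.a", "director.kaya", "cashier.b", "accountant.c"),
]

if __name__ == "__main__":
    for ref, findings in screen_batch(SAMPLE).items():
        print(ref, findings)
```

Running the file reports PAY-2 (the same clerk initiates and pays) and PAY-3 (the amount exceeds the manager's limit); PAY-1 and PAY-4 pass. A real implementation would read the limits from the administration's documented authorisation table rather than a constant, but the checks themselves do not change.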
Recording transactions and events
  Transactions and other significant events are properly classified and promptly recorded.
    - Transactions and events are appropriately classified and promptly recorded so that they maintain their relevance, value and usefulness to management in controlling operations and making decisions.
    - Proper classification and recording take place for each transaction or event.

Accountability for and access restrictions to resources and records
  Access to resources and records is limited, and accountability for their custody is clearly allocated.
    - The risk of unauthorised use or loss is controlled by restricting access to resources and records to authorised staff only.
    - Accountability for the custody and use of resources and records is assigned to specific individuals.
    - Access restrictions and accountability assignments for custody are recorded and periodically reviewed.
    - Periodic comparison of resources with the recorded accountability is made to determine if the two agree, and differences are examined.
    - How frequently actual resources are compared to records, and the degree of access restrictions, are functions of the vulnerability of the resource to the risk of errors, fraud, waste, misuse, theft or unauthorised alteration.
    - Management considers such factors as asset value, portability and exchangeability when determining the appropriate degree of access restrictions.
    - As part of assigning and maintaining accountability for resources and records, management inform and communicate those responsibilities to specific individuals within the organisation and ensure that those people are aware of their duties for the appropriate custody and use of those resources.

Documentation
  Internal control, transactions and other significant events are clearly documented.
    - Written documentation exists covering the organisation's internal control structure and all significant transactions and events.
    - The documentation is readily available for examination.
    - The documentation for internal control includes identification of the organisation's activity-level functions and related objectives and control activities, and appears in management directives, administrative policies, manuals and other guidance.
    - Documentation for internal control includes documentation describing and covering management information systems, data collection and handling, and the specifics of general and application controls related to such systems.
    - Documentation of transactions and other significant events is complete and accurate and facilitates tracing the transaction or event and related information from authorisation and initiation, through its processing, to after it is completed.
    - Documentation, whether in paper or electronic form, is useful to those involved in controlling, evaluating or analysing operations.
    - All documentation and records are properly managed, maintained and periodically updated.

General computer controls
  The organisation periodically performs a comprehensive high-level assessment of risks to its information systems.
    - Risk assessments are performed and documented regularly and whenever systems, facilities or other conditions change.
    - Risk assessments consider data sensitivity and consistency.
  Effective computer security controls are in operation and are monitored.
    - The organisation has developed a plan that clearly describes the organisation-wide security plan and the policies and procedures that support it.
    - Senior management have established a structure to implement and manage the IT security program throughout the agency, and security responsibilities are clearly defined.
    - The organisation monitors the security plan's effectiveness and makes changes as needed.
    - Corrective actions are promptly and effectively implemented and tested, and they are continually monitored.
  Effective computer access controls are in place and are monitored.
    - Information resources are classified according to their criticality and sensitivity.
    - Resource classifications and related criteria have been established and communicated to resource owners.
    - Resource owners have classified their information resources based on approved criteria and with regard to risk determinations and assessments, and have documented those classifications.
    - Resource owners have identified authorised users, and their access to the information has been formally authorised.
    - The organisation monitors information systems access, investigates apparent violations and takes appropriate remedial action.
    - The organisation has established physical and logical controls to prevent or detect unauthorised access.
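Both the "Review of on-line access and transaction logs" control in Annex 1 and the "Effective computer access controls" activities above come down to one comparison: what the system's logs say happened against what resource owners have formally authorised. The Python below is an added example, not part of the manual or of any administration's system; the log line format, the authorisation matrix and the sample events are all constructed. It also counts denied attempts per user and lines that could not be parsed, since a log the review cannot read is itself something to investigate.

```python
"""Detective control: review of an access log against owner-approved authorisations.

Added illustration, not code from the manual. The log line format, the
authorisation matrix and the sample log below are all constructed.
"""
import re
from collections import Counter

# One event per line: timestamp, user, resource, action and outcome (constructed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) resource=(?P<resource>\S+) "
    r"action=(?P<action>\w+) result=(?P<result>\w+)$"
)

# Assumed authorisation matrix maintained by resource owners:
# resource -> user -> the actions that have been formally authorised.
AUTHORISED = {
    "payroll_master": {"hr.clerk": {"read"}, "hr.supervisor": {"read", "write"}},
    "vendor_master": {"proc.clerk": {"read"}, "proc.officer": {"read", "write"}},
}

# Constructed sample log covering the cases the review should surface:
# a clerk writing to a master file they may only read, a clerk reading a
# master file outside their unit, a denied attempt, and a corrupted line.
SAMPLE_LOG = """\
2024-03-05T09:12:44 user=hr.clerk resource=payroll_master action=read result=ok
2024-03-05T09:13:02 user=hr.clerk resource=payroll_master action=write result=ok
2024-03-05T09:20:17 user=proc.clerk resource=payroll_master action=read result=ok
2024-03-05T09:21:05 user=proc.clerk resource=vendor_master action=read result=ok
2024-03-05T09:25:40 user=unknown.user resource=vendor_master action=read result=denied
2024-03-05T09:26:01 user=proc.officer resource=vendor_master action=write result=ok
2024-03-05T09:30:00 corrupted entry"""


def parse_event(line):
    """Return the event fields as a dict, or None when the line does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def review_access_log(text, authorised=AUTHORISED):
    """Compare successful accesses with the authorisation matrix.

    Returns the accesses that succeeded without a matching authorisation (the
    apparent violations the manual says must be investigated), a count of
    denied attempts per user, and the number of lines that could not be parsed.
    """
    violations, denied, unparsed = [], Counter(), 0
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            unparsed += 1
            continue
        if ev["result"] != "ok":
            denied[ev["user"]] += 1
            continue
        # A resource absent from the matrix has no authorised users at all.
        allowed = authorised.get(ev["resource"], {}).get(ev["user"], set())
        if ev["action"] not in allowed:
            violations.append(ev)
    return {"violations": violations, "denied": dict(denied), "unparsed": unparsed}


if __name__ == "__main__":
    result = review_access_log(SAMPLE_LOG)
    for ev in result["violations"]:
        print(f"{ev['ts']} {ev['user']} {ev['action']} {ev['resource']}: not authorised")
    print("denied attempts:", result["denied"], "unparsed lines:", result["unparsed"])
```

On the sample log the review reports two apparent violations (hr.clerk writing to payroll_master, proc.clerk reading payroll_master), one denied attempt by unknown.user and one unparsable line. Note that the write by hr.clerk succeeded: the detective review only finds it afterwards, which is why the manual pairs it with the preventive control that the people who authorise master-file changes do not themselves hold change rights.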
  Application software development and change controls are in place and are monitored.
    - Application software modifications are properly authorised.
    - All new or revised software is thoroughly tested and approved.
    - The organisation has established procedures to ensure control of its software libraries, including labelling, access restrictions and the use of inventories and separate libraries.
    - All key activities are monitored.
  Effective system software controls are in place and are monitored.
    - The organisation limits access to system software based on job responsibilities, and access authorisation is documented.
    - Access to and use of system software are controlled and monitored.
    - The organisation controls changes made to system software.
  There is effective separation of duties for IT operations.
    - Incompatible duties have been identified, and policies have been implemented to segregate those duties.
    - Access controls have been established to enforce segregation of duties.
  Controls ensure the continuity of IT services.
    - The criticality and sensitivity of computerised operations have been assessed and prioritised, and supporting resources have been identified.
    - The organisation has taken steps to prevent and minimise potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training and hardware maintenance and management.
    - Management have developed and documented a comprehensive IT service contingency plan.
    - The organisation periodically tests the contingency plan and adjusts it as appropriate.

Computer application controls
  Source documents are controlled and require authorisation.
    - Access to blank source documents is restricted.
    - Source documents are pre-numbered sequentially.
    - Key source documents require authorising signatures.
    - For batch application systems, batch control sheets are used, providing information such as date, control number, number of documents and control totals for key fields.
    - Senior management or independent review of data occurs before it is entered into the application system.
    - Data entry terminals have restricted access.
    - Master files and exception reporting are used to ensure that all data processed are authorised.
  Completeness controls
    - All authorised transactions are entered into and processed by the computer.
    - Reconciliations are performed to verify data completeness.
  Accuracy controls
    - The organisation's data entry design features contribute to data accuracy.
    - Data validation and editing are performed to identify erroneous data.
    - Erroneous data is captured, reported, investigated and promptly corrected.
    - Output reports are reviewed to help maintain data accuracy and validity.
  Control over integrity of processing and data files
    - Procedures ensure that the current versions of programs and data files are used during processing.
    - Programs include routines to verify that the proper version of the computer file is used during processing.
    - Programs include routines for checking internal file header labels before processing.
    - The application protects against concurrent file updates.
Annex 3 - Illustrations for cost benefit analysis

Example 1
You are considering hiring a junior clerk to carry out a 100 per cent check on all payments your spending unit makes (checking that each agrees to the supporting documents) to ensure the correct amount is paid. This is an ex-ante control, as the check is made prior to the payment. You estimate that this task will occupy the junior clerk for 100 per cent of their working time.
Cost of the junior clerk: 2500 YTL a month (1200 salary plus 1300 contribution to overheads, e.g. heating the building).

Scenario A
Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 3000 YTL a month.
Decision: this control activity is cost effective and the junior clerk should be employed to do this checking.

Scenario B
Cost: same as above.
Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 2000 YTL a month.
Decision: this control activity is not cost effective and the junior clerk should not be employed on a full-time basis to do this checking. You can rely on other controls instead.
Possibilities:
  - Focus checking on only the highest value or riskiest payments; this will only employ the clerk for 50 per cent of their time. If you estimate that it will find, on average, errors of overpayment of 1600 YTL a month (i.e. over 50 per cent of the clerk's cost), this is a better alternative control; or
  - Don't do any checking; rely on the separation of duties control (a different clerk raises the payment from the one that enacts the payment) to prevent fraudulent overpayments.

Example 2
You do not currently employ any public relations expert.
In the absence of any control on dealings with the press, you assess the risk of reputational damage as being of high likelihood and high impact.
Cost of the expert in public relations: 4500 YTL a month (2500 salary plus 2000 contribution to overheads, e.g. heating the building).

Scenario 1
You have a low risk appetite in terms of reputational damage and consider that the benefit of all dealings with the press going through the expert in public relations will successfully mitigate the risk to within your risk appetite (by considerably reducing the likelihood of reputational damage through ill-advised comments being given to the press). You consider that this risk mitigation is so important to your administration that it justifies the employment of the expert in public relations.
Decision: you employ the expert in public relations.

Scenario 2
You have a high risk appetite in terms of reputational damage and consider that the risk of reputational damage through ill-advised comments being given to the press, without employing the expert in public relations, is equal to or less than your risk appetite for this risk. You thus consider that the benefit of employing the expert is outweighed by the cost. You therefore consider that it is not cost-effective to employ the expert in public relations.
Decision: you do not employ the expert in public relations.
Action: as you are at or below your risk appetite for the reputational risk, you need not select an alternative control activity, but you should continue to review this in the future, as the decision may change if your risk appetite reduces or your assessment of the likelihood and/or impact of the risk increases.
INFORMATION AND COMMUNICATION

1 INTRODUCTION
Information and communication, as the fourth of the five components of the COSO internal control model, ensures the relation between the control environment, risk assessment and control activities through the sharing of information and communication. It has an important role in increasing the functionality and operational competence of the internal control system, which is regarded as a tool for attaining organisational objectives and aims, as it regulates the information flow within the administration.

The aim of this chapter of the manual is to give information, within the framework of the internal control standards, about structures and practices related to the use of information and communication mechanisms, and to provide guidance for users about reporting, registry and filing systems and the methods to be used in notifying faults, irregularities and corruption, with a view to ensuring that administrations carry out their activities in line with their objectives as well as accounting for their activities.

Communication refers to the transformation and conveyance of information within the organisation, vertically and horizontally, and externally via proper mechanisms to the relevant people, administrations and bodies. Administrations must aim to establish an effectively managed and well coordinated communication system for the information that meets the information needs of managers, staff and the public.

In the event that information and communication systems do not function as expected, managers and staff may come up against the risk of not being able to make timely and right decisions, not being able to implement those decisions and, ultimately, not being able to achieve the objectives. In this regard, information should be accessible, useful, timely, accurate, complete and up-to-date.

2 Information and Communication Standards
Information and communication includes the information, communication and record system which will ensure the transfer of the required information to the person, personnel and administrator who need the information, in a determined format and within a time period which enables those concerned to fulfil internal control and their other responsibilities.

IC Box 1: Information and Communication Standards
(Figure: the five components of internal control: Control Environment, Risk Management, Control Activities, Information and Communication, Monitoring.)
Standard 13: Information and communication
The administrations shall have a suitable information and communication system with a view to ensuring that the performance of the units and the personnel is monitored, decision making processes operate soundly, and efficiency and satisfaction in providing service are achieved.
Standard 14: Reporting
The goals, objectives, indicators and activities of the administration, and the results of them, shall be reported in accordance with the principles of transparency and accountability.
Standard 15: Record and filing system
The administrations shall have a comprehensive and up-to-date system where the works and transactions, including incoming and outgoing documents, are recorded, classified and filed.
Standard 16: Notification of faults, irregularities and corruption
The administrations shall develop methods which will ensure that faults, irregularities and corruption are notified in a specific order.
3 ROLES AND RESPONSIBILITIES IN INFORMATION AND COMMUNICATION
Minister
Ensures coordination and cooperation with other ministries and informs the public opinion and
the TGNA about the annual performance programme and activity report submitted to him by the
administration
Head of Administration
The Head of Administration (Head of Administration) must publish an announcement via the
internal communication network or an official letter on what to do before the preparation of such
documents as strategic plan performance program activity report Risk Strategy and Policy Paper
which need to be prepared in way which will ensure attainment of pre-identified objectives in the
fields the administration is responsible for
Another duty of the Head of Administration is to sign the internal control assurance declaration
and inform the public opinion and the Minister
As the quality of the information exchange and communication between the Head of
Administration and the other actors has a direct effect on the accountability of the Head of
Administration the Head of Administration must guide the relevant units about the frequency and
methods of feedback he prefers
The Head of Administration must take notice whether the current information system meets the
needs during the set up and integration of new information systems If a new system is to be set up
it must be designed by taking integration with the other information systems into consideration
Internal Auditor
As prescribed by the Law no 5018 the internal auditors work to assess the internal control system
under the head of administration In this regard internal auditors report whether internal control
system functions properly or not to the Head of Administration Therefore to be able carry out their
duties internal auditors should be given unlimited access to every kind of information they need
Setting up of such a mechanism is up to the robust communication and flow of information
between the internal auditors and Head of Administrations
The Head of Administration is entitled to take preventive or corrective actions and develop new
control activities based on the report submitted by the internal auditor or request additional reports
Authorising Officer
Authorising Officers must ensure that tasks powers and responsibilities of staff are defined
clearly and in writing and communicated to all staff In this framework a chart of duties which
demonstrate the functional reporting network must be produced and communicated to the staff
A communication network that ensures quick and timely access by the staff and managers to the
activities and the results must be used In this regard the organisational chart of the administration
can also include a diagram which shows the tasks of the sub-units and the responsible and
authorised staff on the intranet and internet Authorising Officer must ensure that sub-units are
informed about the activities of each other
Authorising officers
must ensure that an electronic communication and archiving system is used effectively for
the accurate and reliable acquisition storage and communication of the information
needed regarding the objectives activities and indicators that are relevant to their
respective units from among those included in the strategic plan and performance
program of the administration
must provide for the regular announcement of the status of realisation regarding the
performance objectives and indicators related to their respective units and the grounds for
the data on the webpage of the unit and
must provide information for periodical reporting to the SDUs that will be carried out by
authorising officers (information about objectives and risks of the unit status of realisation
etc)
99
should transfer timely complete and accurate information and documents regarding
financial transaction processes to the Accounting Officer and set up mechanisms to store
records and statistics
Realisation Officer
Realisation officers, who are responsible for issuing spending orders, must periodically brief the authorising officer on the spending process. In this regard, the spending order being complete, accurate, understandable and reliable plays a significant role in realisation officers fulfilling the tasks requested of them.
Accounting Officer
The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way. Accounting Officers must regularly report to the authorising officer on the accounting records.
Strategy Development Units
SDU managers must review the information included in the activity reports, performance programmes and strategic plans by holding periodic meetings with the authorising officers of other units. Personnel of SDUs must obtain the information needed in the field of financial management and control through these persons.
The SDU provides the necessary coordination for forming the team that will carry out the studies on the establishment and development of Information Management Systems within the administration.
In fulfilling the coordination duties of SDUs, which are defined by law, the Principles and Procedures of Internal Control and Ex-ante Financial Control, the Strategy Planning Guideline, the legislation and Manual on Performance Programs to be Prepared in Public Administrations, and secondary and tertiary regulations such as the Budget Preparation Manual must be taken into consideration.
SDUs must have a webpage with forums, good practice examples and frequently asked questions, to ensure communication with internal and external stakeholders and so carry out their tasks more effectively.
Central Harmonisation Unit
While carrying out its tasks in the field of information and communication:
- the CHU sets up a common (web-based) network where information can be shared;
- it organises trainings, panels and conferences for the actors that take part in the field of internal control; and
- CHU members are assigned to be responsible for particular administrations to enhance information and communication with the SDUs of those administrations. They communicate with the SDUs and provide them with information and guidance via official letters, call centres, telephone, forums, etc.
Please refer to the CHU Handbook for further details on the roles and responsibilities of the CHU.
Besides the practices and methods in the area of information and communication given in this manual, public administrations must also take into consideration those regulations in the legislation which are directly related to the area of information and communication. These basic regulations are contained in IC Annex I.
4 INFORMATION
The prerequisite for reliable and proper information is the immediate recording and suitable classification of all operations and transactions. Internal control includes obtaining, classifying, recording, utilising and reporting both financial and non-financial information.
4.1 Characteristics of Information
The characteristics that the information used in public administrations must have are given below:
- Timely: information should be obtained and transferred at the right time by the right personnel.
- Related: information should be related to every activity, work or action.
- Available: information holdings should be available to those who require them the moment they need them, and also later. Technology should be available to users in order to facilitate obtaining, storing, transferring and using information.
- Comprehensible: the description of information holdings must have the same meaning for users at all levels of the administration. In addition, information that is shared with external stakeholders must be clear and meaningful for the users.
- Usable: information must meet the needs of its users in relation to the purposes for which it was received.
- Complete: both the content and form of information should be complete in order to provide for the efficient and effective use of information holdings.
- Accurate: information must accurately and correctly reflect the aims, objectives and activities it relates to.
- Up-to-date: information must be updated and related to the needs. A lack of up-to-date information can impair decision making and program delivery. Managers and personnel should take the necessary actions to keep information up to date.
4.2 Information Management
Information management is a process in which information is planned, obtained from any kind of source, internally or externally, classified, stored, communicated to the relevant bodies in a timely manner for interpretation, reviewed for updating and destroyed. The stages of this process are complementary to each other; at any stage there may be a need to take into consideration the phases of the previous or next stage.
IC Figure: Information Management Process (stages: planning information need; creating and collecting information; organising information; utilising and sharing information; reviewing and keeping information)
4.2.1 Planning Information Need
The planning stage starts with identifying strategic aims and objectives and performance objectives, as well as identifying the information needs for achieving these objectives. This stage includes assessing who needs what information, when and why, and how they can acquire it, at all levels from the operational to the strategic activity level, in order for the administration to maintain its operations effectively.
In the planning stage the following factors must be taken into consideration:
- Internal and external information users must be defined and classified. The information needs of users must be determined. Information holdings must be examined to see whether the current information needs of the users can be met using them.
- While novel databases and information systems are designed, the risk of the information being disseminated to the public must be considered.
- The benefit and cost of information in terms of the users must be analysed.
- The information need for new legislative, strategic and operational aims must be defined along with the relevant information system requirements; furthermore, the person and the time to do this work must be set out.
- Emerging information needs must be compared to the present information and information systems within and outside the administration.
- For increasing the value or productivity, or decreasing the cost, of the systems in use, such methods as combining information systems, using novel technologies and standard practices can be referred to.
The value of information is not only about how it is used and kept but also about how and when it is going to be destroyed. Many factors such as legislation, information policies and needs may have an impact on how long to keep that information. Information which is being kept should be destroyed in accordance with the relevant legislation after the necessary approvals have been received.
4.2.2 Creating and Collecting Information
While producing and collecting information, first of all the value of the information for the administration must be set out, and it must be made sure that the people in need of the information have access to it on time.
The information collection and creation process should focus on the following, and the information collected or created must have the capacity to meet the needs of the administration. To this end:
- The holdings must be periodically reviewed to determine whether the information that is created or collected continues to meet the identified needs, and it must be followed up whether users really use the information. A great deal of information can still be unnecessarily collected for a reason that was identified in previous periods. If the administration decides to stop collecting that information, it must first set out whether any individual or program would be affected.
- The quality and scope of information, its relation to the defined needs and whether it meets those needs should be understood in regular reviews. In addition, the implicit information of the staff must be turned into explicit information and incorporated into the information inventory. The information produced as a result of the process studies must be classified from the most frequently used to the least.
- Information must be compiled in information pools to be created. This information must be clear and understandable. The information in the pool must be open to access upon being classified in accordance with the information hierarchy, such as strategic and operational. Management of the information pool must be carried out by a team, to be formed within the administration, who are competent in the processes.
- Legislation or policies may demand that certain information be collected by an administration. Therefore, information that is collected must meet legislative and institution-specific policy requirements.
Information collection must be coordinated. To this end:
- all information collection activities must be accounted for, including all regions and organisational units, and the information collected must be accessible;
- the administration must ensure that information collection conforms to the applicable standards;
- information must be periodically reviewed in order to ensure that the requirements of the relevant legislation are respected (this might be done during the annual update of personal information); and
- before information is created or collected, existing information holdings must be reviewed to determine whether the information needs can be satisfied by existing holdings or readily accessible external information sources.
The following are the leading sources of information:
- instructions, approvals, invoices, transaction orders, petitions;
- interactions between clients, vendors or other ministries and agencies;
- planning documents: budgets, forecasts, work plans, blueprints (technical or engineering designs);
- drafts, schemes of information architecture;
- reports, policy briefing notes and other documents supporting the activities and justifications;
- meeting documents: agendas, records of decision;
- commission documents, job descriptions, member lists;
- requests for information and the responses: emails, forms used to collect responses, templates, related instructions, responses in every format;
- client records, applications, evaluations, emails, phone calls;
- every kind of data in electronic medium; and
- information resources which could provide additional information.
Collecting Information from the Public/Private Sector
The response burden should be minimised to the lowest level possible in this process. To this end:
- the administration should determine from whom it will receive information, at what frequency and in what detail, as well as what burden this process will create for respondents; and
- there should be cooperation with other administrations in such matters as undertaking joint collection or information sharing.
The forms should meet all statutory and policy requirements. To this end, all forms in both paper and electronic media must be reviewed before they are put into use to ensure that the applicable requirements are met. Furthermore, the responsible person must be assigned.
4.2.3 Organising Information
The aim of organising information is to establish a link between the operations of the administration and the usage, sharing, retrieving, archiving and destroying of information, and to facilitate the process for administrations and the other stakeholders.
The following steps must be taken for an efficient information organisation:
- it must be ensured that users both internal and external to the administration are satisfied with their access to information. Methods should be established to measure user satisfaction (such as user surveys and questionnaires applied after completion of certain services, as well as periodically applied questionnaires);
- the custodians of information holdings (e.g. Data Processing Departments, Library Services, etc.) must identify the information needs of users and improve their services to better meet the needs of users for quick and easy access, e.g. shortening response time, using efficient and effective technology for transmission, designing a user-friendly system;
- information must be available for public dissemination and communicated to the public where and when appropriate, for instance by establishing such structures as e-libraries to facilitate public access;
- information available for use by other administrations must be checked to see whether it is subject to any legal or policy constraints;
- administrations must have an up-to-date publications catalogue, which must be deposited in the administration's library. Published material must be catalogued according to established standards; and
- all the documents published by the administration must be accessible on the webpage of the administration.
Registering, Filing and Archiving of Information
Registry and Filing
To ensure effective management, any kind of document, including electronic ones, internal communications, operations and transactions must be recorded, classified, filed and archived; there must be a comprehensive and up-to-date system for this.
If meaningful and valuable information for the control of activities and decision making is desired, all the operations and transactions must be instantly recorded.
In order to ensure the quality of information and reporting, the fulfilment of internal control activities and responsibilities, and effective and efficient monitoring activities, all transactions need to be completely and clearly documented.
These documents should be easily accessible where needed.
The documents of the internal control system should include the structure and policies of the administration, the types of activities, the related objectives and the control procedures.
The process of registry should be applied in a way that covers all the stages of a transaction, from the start and approval stages until its final classification. This is also the case for the regular updating of documents.
Regardless of the media they are received in (such as paper, fax, e-mail or electronic), documents should be recorded and kept within the framework of a registry plan which is suitable for at least one official file.
Registry procedures must be communicated to staff in writing.
In this context, Standard Filing Plan no 20057, issued in the Official Gazette no 25766 dated 24 March 2005 and prepared under the coordination of the Prime Ministry General Directorate of State Archives, must be taken as the basis for establishing a common method for all public administrations to file all documents, including electronic ones, and to ensure fast and easy access to them where necessary.
Ensuring standardisation in the filing system would help achieve harmony within the institution and, if it can be disseminated among all organisations, it would form a basis for an efficient and effective communication system across the country.
Standardisation of filing services would:
- ensure that documents about the same issues are codified using the same numbers in all organisations;
- facilitate easy and fast access to the right information and documents requested;
- make sorting, classifying and keeping the documents and putting them into service easier, as standard file numbers will refer to the same issues in all organisations;
- ensure integrity and ease in the establishment of a tidy, fast, effective and efficient system of documents, files and communication;
- provide the infrastructure for the automation of documents and correspondence and the establishment of information networks among organisations; and
- facilitate internal and inter-organisational file and operation tracking: the document or information looked for would be easily found in a short period of time.
The task of carrying out studies on the registry, usage and archiving of electronic documents was assigned to the General Directorate of State Archives by Decision no 7 dated 9 September 2004 of the e-Transformation Executive Board, and, in accordance with the Prime Ministry Circular number 200816 on Electronic Document Standards, published in the Official Gazette number 26938 dated 16 July 2008, TSE Standard number 13298 has been published. This Standard is the main source for the electronic document management systems to be used by all public organisations.
Electronic document management systems to be established by the administrations will comply with TSE Standard no 13298; furthermore, inter-organisational sharing of the electronic documents produced will be carried out according to the criteria on electronic document sharing services set out at the web address www.devletarsivleri.gov.tr.
Archiving Services
Archiving services include the identification of the materials held by the administrations and the staff that will become archive materials in the future, their protection against any losses, preservation under proper conditions, utilisation in accordance with national interests, and cropping and disposal if it is not deemed necessary to maintain them. The principles and procedures on archiving services have been set out in the Regulation on State Archiving Services, published in the Official Gazette number 19816 dated 16 May 1988 and amended by the Official Gazette number 25735 dated 22 February 2005.
As per this regulation, administrations have to take the necessary precautions to protect information and documents against disasters, theft, fire, etc.; set out the procedures for the preservation of confidential documents; take the measures to ensure that the documents remain legible in the future; and inform the managers and the staff about the proper periods of preservation for the documents.
4.2.4 Using and Sharing Information
Using and sharing information is crucial in terms of accountability and transparency for those who take part in the activities of the administration and other stakeholders.
Information is an asset which renews itself, turns into a new form and becomes more valuable as it is communicated and shared. Therefore, regular communication and circulation of information within an administration is a principle of information management. Sharing administrative information reflects a cycle in which the information is communicated to the relevant persons, administrative work is notified, the reactions of the personnel are received, and the reactions are assessed, evaluated and communicated back to the relevant persons.
The following must be considered while using and sharing information:
- Comply with privacy, security and legal restrictions.
- Whenever possible, use electronic media to share information resources (email, repositories, websites and so on).
- Ensure that information remains complete, accurate, up-to-date, relevant and understandable.
- Verify the accuracy and reliability of information (especially when conducting web-related research).
- Take advantage of administrative investments in information resources (magazine and journal subscriptions, databases, online library services and so on) while respecting copyright, licensing and intellectual property rights.
- When retaining information that has been 'copied', indicate the source, whether it is from an information resource already saved in the organisation's repository, from a publication or from a website.
Furthermore, transferring information from those who leave their jobs to those starting a new job is crucial to the continuity of activity in an administration. In this context, the following should be taken into consideration:
IC Table 1: What to do when leaving and starting a job

When leaving a job:
- Discussing your responsibilities with your manager when leaving the job, and determining and monitoring the internal policies for the administrative closure of your business processes.
- Providing pertinent information about everything you leave for your successor, explaining why it will be needed.
- Backing up all the job-related information in electronic media and transferring it to the information pool.
- Transferring the documents under your responsibility to the relevant successor.
- Creating a list of job-related website addresses, a summary of ongoing projects and related contact information, and an inventory of information resources (including file numbers) that will help your successor get used to his or her new job.
- Returning, or extending the deadline of, the material that was borrowed from the library.
- Removing the former employee's name from distribution lists.

When starting a new job:
- See if any electronic and paper information resources of business value have been transferred to your custody.
- Take note of any instructions or messages you receive regarding access to electronic tools such as a shared drive, business system or repositories.
- Familiarise yourself with your information management responsibilities and practices.
- Take part in training sessions on information management and recording.
- Add the new employee's name to the distribution list.
4.2.5 Reviewing and Protecting Information
Organisations must periodically review the main processes of information management, such as planning, producing, collecting, defining, accessing and using information, and share the results with managers.
Therefore, attention must be paid to the following:
- Store the information in a manner that preserves its form and status, keeping its structure, context and content intact.
- Mark each information resource according to its proper security classification, whether on the paper or the electronic document.
- Protect classified and protected information by ensuring it isn't left in waste or recycling containers, and by storing it in locked desks or cabinets after work hours and during extended periods of absence.
- Implement effective access control procedures, ensuring that classified and protected information is only made available on a need-to-know basis to those who are authorised to access it.
- The level of protection must be consistent with the level of risk.
- Take the requests for access and usage from other users into consideration and assess their compliance with the legislation.
- Periodically back up the information for protection purposes.
4.3 Information Security
Information can be stored on paper, kept in electronic format or transferred verbally. Regardless of its form, information must be properly recorded and protected. Information security means safeguarding the valuable assets of an administration against loss, misuse or damage.
The aim of information security is to ensure the following:
- safeguarding data integrity;
- preventing unauthorised access;
- respecting privacy and secrecy; and
- continuity of the system.
4.3.1 Information Security Management System
An information security management system is a systematic approach adopted so that the organisation's sensitive information that needs protection is managed properly; the main objective of this system is safeguarding and storing sensitive and critical information and making it available where necessary.
Setting Up an Information Security Management System
In order to establish an information security management system:
- primarily, the decision must be taken on whether the system will cover the entire organisation or a part of it;
- secondly, a policy that sets out the objectives must be introduced; and
- finally, a systematic risk assessment approach must be adopted, and potential risks must be identified and mitigated as appropriate.
Requirements of an Information Security Management System
The following are the requirements for an efficiently operating Information Security Management System:
- Support and ownership by the top management and managers of the administration must be ensured.
- Information management should not be regarded as merely a technical issue and a job only for the Data Processing Department. The system must have the potential to reach its objectives with the active participation of all staff of the administration.
- Establishment of an information security management system must not be regarded as an extra burden and a waste of time.
Elements/Principles of Security
The risks of compromise to information security, for example hacking, need to be defined, and controls to mitigate those risks should be introduced. If these controls are absent or ineffective, the efficiency of the information security system will decrease considerably.
The main principles of security are confidentiality, integrity, availability, authentication, non-repudiation, responsibility and access control. For more detailed information, see the Turkish Standards Institute TSE-17799 "Information Security Management Standard" document. Furthermore, there are other international models aiming to ensure the security of electronically produced information, such as COBIT, e-SAC (Electronic System Audit and Control) and System Trust, while you can also explore the standards ISO/IEC 27001 and ISO/IEC 27002 (International Organisation for Standardisation).
Also please refer to the "Regulation on the Principles and Procedures Regarding the Implementation of the Law on Electronic Signature", based on the Law on Electronic Signature number 5070, and the e-Transformation Turkey 2005 Action Plan (Action 5: "Current systems at public institutions, particularly central institutions using critical information, will be analysed and information security policies and measures will be developed accordingly"; and Action 33: "The needs of disaster management of public information systems will be identified and recommendations will be developed").
For preserving and storing documents that are kept in written form, please refer to section 4.2.3 on the organisation of information (Registry, Filing and Archiving System).
4.3.2 Information Security Control Activities
In order to set the level of importance of an item of information, the degree of effect on the administration that stems from the risk of harm to the "confidentiality, integrity and availability" of that item of information must be defined in the first place. The harm that can be done to these three security features of information systems may have different degrees of effect. For instance, disclosure of top secret information can cause serious harm to an administration, while it may not be that harmful if that information becomes unavailable.
The risks to information security identified must be analysed and ranked, and the cost of the control activities to be established and operated to mitigate those risks must be in proportion to the value of the information protected and the risk identified after examining the potential threats. For some ideas of suitable control activities, see the Control Activities chapter.
IC Figure 1: Process of Control Activities for Information Security (stages: Prevention, Identification/Detection, Response)
The figure above is an example of security-related control activities. It demonstrates four different attacks. As can be seen from the figure, attack [1] is immediately stopped at the prevention stage, while attacks [2], [3] and [4] are not. Of the attacks that survive the prevention process, attack [2] is identified at the detection stage and eliminated. Attacks [3] and [4] pass the detection stage. At the response stage, which is the final stage and has been designed in accordance with the level of tolerance decided, attack [3] is eliminated, while attack [4], which survives all stages, damages the system after passing through all the security processes.
5 MANAGEMENT INFORMATION SYSTEMS (MIS)
Management information systems are computer-assisted systems (consisting of computer hardware and software) which should ideally provide the timely, strategic information needed by managers, in the form they demand it, so that they can make the right decisions on an informed basis.
The aim is the transmission of the right and complete information to the right people in the proper format (form, report, table, graphics, etc.). A labour force is needed to run, update and maintain the systems. MIS give information on how the administration is performing against key performance indicators in terms of financial information, information regarding the staff, information on movable/immovable assets, performance information, information from the organisation's document archive, etc. MIS may also give information on risk management.
Information should be registered, classified, calculated, summarised, reported and stored. Backup copies of the system should be kept in case the system crashes. If these processes are not done systematically, managers may have incorrect information and thus make the wrong decisions.
While designing MIS, first the civil servants must understand the importance of acquiring and recording reliable and accurate information and be aware of their responsibilities in this regard; then the business processes related to the production of information must be defined completely and clearly; and finally support from IT must be obtained.
Some organisations have dispersed information systems; however, the existence of such a structure does not necessarily mean they have MIS. In some cases information is not related and integrated with all the actions and units of an administration. Data recorded by different units in different systems is stored independently of the other units. Duplication of information in different units of the administration is an inefficient use of resources. Data being entered into a central computerised system ensures that managers have access to information which covers the whole administration.
The resistance to information sharing in administrations is a significant problem. It is not possible to transmit the accurate and timely information which management needs in administrations where information is not shared, which is an obstacle for MIS. Hence a culture of information sharing should be encouraged.
5.1 Stages of Establishing MIS
In the development of management information systems, SDUs undertake the task of coordination and provide technical assistance to the spending units. The following process can be followed by the SDUs and the spending units in establishing MIS.
5.1.1 Establishment of the MIS Working Group
A participative method should be adopted in the establishment of MIS in administrations: a work programme should be produced for a working group, formed with the participation of representatives from all the spending units under the coordination of the SDU, and tasks should be distributed.
5.1.2 Preparation of the MIS Working Plan
In the working plan:
- To begin with, a comprehensive needs analysis should be carried out to identify which type of information the management may need.
- Upon completion of the needs analysis, the data provider units for the MIS should be identified. This will provide a significant infrastructure for the information map to be produced.
- The properties of the current information system of the administration, the related problems and solution recommendations should be disclosed; what needs to be done to solve the problems and what is aimed at should be determined; and structures should be set up in the administrations to support the production and sharing of information.
- The cost and benefit aspects of the system planned to be established should be considered.
- The potential risks relating to MIS should be identified and a risk management process should be carried out. The control activities to be applied for the risks with high significance and likelihood should be determined.
- A good MIS must be flexible enough to keep up with the changes occurring inside and outside the administration. Besides, the success criteria of the system, such as the inclusion of early warning mechanisms, should be determined.
- In the medium term, a corporate information map must be prepared that covers the entire organisation. Preparation of a corporate information map would ensure quick access to the information and expertise needed. The information map must be produced primarily at unit level and then at individual level, considering each person's level of expertise and experience. While forming such a structure, organisational charts or documents for the distribution of tasks within the units at a more specific level can be made use of. Production of the corporate information map and its proper operation would ensure that the following question can be answered easily: "Who knows what?" For instance, quick identification of who (which department, which employee, etc.) has information about staff, budget or archives, and of the relation among this information, will be ensured.
- Establishment of MIS can be initiated by pilot implementations in the units. Using pilot implementations as a starting point and ascertaining how the system works will ensure economy in terms of time, cost and labour force. Potential mistakes in the further stages of the process can be prevented by eliminating the shortcomings and correcting the mistakes observed during the pilot implementations.
5.1.3 Monitoring/Assessment
Periodic reports must be produced and presented to the top management during the establishment of MIS to show the progress in the development of the system. Action must be taken against the problems identified at this stage to ensure performance of the activities as planned.
Studies about the fulfilment of MIS services in administrations must be carried out upon the approval and under the supervision of the head of administration. Furthermore, the head of administration must inform the related units of the working method adopted.
An MIS needs to be dynamic to keep pace with changes in technology or in the demands for information by management.
5.1.4 Related Legislation
Law no. 5436, which amends Law no. 5018, prescribes the establishment of SDUs and assigns them the task of providing the services related to MIS.
In the Regulation on the Working Principles and Procedures of SDUs, providing the services regarding MIS and carrying out studies for the establishment of the system are listed among the tasks of the SDUs.
6 COMMUNICATION
Communication is the exchange of information among individuals and/or organisations to support service delivery, decision making and sharing, and carrying out and coordinating activities. It plays a central role in the development of a robust internal control system and helps management to make decisions by providing feedback on how all the components of internal control are working.
An administration needs information at all levels to achieve its objectives and manage risks. In this context, information flows can take place both horizontally and vertically, as well as from outside the organisation.
Information must be properly communicated within an administration to the managers and/or staff in need of it, on a timely basis, in order for them to fulfil their responsibilities and ensure coordination with other units. External communication with beneficiaries, suppliers and stakeholders such as other public administrations is also essential for effective internal control.
Communication can be verbal, written or electronic, or a combination of the three. Where verbal communication is deemed sufficient, documenting only the important verbally communicated information would be useful, so that records of key information are kept and can subsequently be referred to by those who are given access to them.
IC Box 2 Communication Channels
Management should establish communication channels that:
- provide accurate information at the right time;
- meet individual demands;
- inform employees of their roles and responsibilities;
- support reporting;
- allow employees to make recommendations for improvement;
- give messages that top management can understand, enabling them to make decisions;
- inform employees of the importance of internal control and of decisions taken;
- are both internal and external; and
- have the right target group.
6.1 Internal and External Communication
Administrations should consider the following general issues regarding their internal and external communication:
- The public should be provided with timely, accurate, clear, objective and complete information about policies, programmes, services and activities.
- The language used should be comprehensible and plain Turkish.
- Administrations should be visible, accessible and accountable to the public for the services they provide.
- Various means and methods should be utilised in communication, and information from a variety of sources should be engaged to meet different needs.
- Communication needs should be regularly identified.
- Administrations should receive opinions from internal and external stakeholders while setting out objectives and aims and formulating processes, and should establish mechanisms to assess these.
- Public administrations should work cooperatively with stakeholders when necessary in order to ensure efficient communication.
- Services should be provided in a fair, quick and responsive manner.
- Administrations should have the capacity and equipment to follow up innovations in communication technology and allocate the necessary resources to do so. In this context, activities carried out should be proportionate to the resources allocated and the results expected.
IC Table 2 Communication Principles and Procedures

INTERNAL COMMUNICATION
Principles:
- Top management and employees should understand the internal communication system and be well aware of their responsibilities.
- It must be ensured that staff communicate their considerations, recommendations and questions to top management.
- Communication between managers and employees should be clear and cooperative in order to achieve the goals and mission of the administration.
- Staff objectives should be made consistent with those of the administration.
- Recommendations and ideas of personnel should be heard, and action taken to address them when appropriate.
Method:
- Internal communication activities and processes should be reviewed regularly and revised where necessary. New communication methods should be adopted to stay in line with the changing administrative structure.
- Staff should be regularly informed, in writing or electronically, about the operation of the internal communication system, what to do and their responsibilities (including the information and communication system for risks).
- Necessary mechanisms (intranet, internet, announcement boards, complaint and suggestion boxes, top manager briefings, etc.) should be established to inform the employees about the mission, vision and objectives of the administration.
- More effective communication should be ensured between senior management and personnel.
- Regular meetings and an electronic mechanism that enables the SDUs to coordinate spending units and produce statistical data via the necessary analysis.
- To this effect, in-house communication seminars and training programmes should be organised.

Vertical communication
Principles:
- Personnel should convey the necessary, timely, complete and accurate information to their managers in time for the managers to make decisions and achieve objectives.
- Personnel should be notified by their managers when, in which scope, in what way and from which unit the information is demanded.
- Managers should inform the staff about the policies, goals and objectives of the administration.
Method:
- A reporting system should be established within the administration which flows from staff to managers (minutes of meetings, unit activity reports, exchange of information on a weekly or daily basis in person or electronically, a reporting system that enables the managers to monitor daily activities, etc.).
- Regular meetings between management and internal auditors; timely submission of internal audit reports to top management.

Horizontal communication
Refers to the effective sharing of information among employees of the same hierarchical level in order to carry out the tasks and activities in the administrations.
Principles:
- Personnel and units to share information should be announced to staff, and the duty to share information should be included in the job descriptions of the relevant personnel and units.
- Managers should hold regular meetings to exchange ideas on their respective fields of competence and on the problems and suggestions regarding management.
Method:
- Establishment of a system to monitor meetings and activities of people of the same level.
- Creation of an e-mail group for the people from the same hierarchical level.
- Strengthening the data processing infrastructure and ensuring active operation of units.
- Ensuring that top management have more effective communication with employees.
- Internal communication seminars and training programmes should be organised.

EXTERNAL COMMUNICATION
Principles:
- The accessibility of the citizens to the information and services of the administrations should be enhanced.
- Mechanisms should be set up to enable citizens to express their complaints and suggestions (forum, frequently asked questions, activation of the use of the Information Acquisition System and BIMER, etc.).
- Administrations should inform the press about issues deemed important for decision makers and the public.
- The head of administration should inform the public annually about the performance programme and activity report of the administration, and these should be published on the administration's website.
Method:
- Services delivered by administrations within the framework of "e-state" should be shared with the other relevant administrations and citizens (MERNIS, UYAP, etc.).
- The administration's website, which provides the necessary documents, should be established, and some services should be provided via this website 24/7.
- Documents and services provided online should be updated regularly, and the administration should assign certain people to manage the design and content of the website.
- Furthermore, English-language publication will be useful for the access of foreign users to information.
- The press should be invited to important conferences and seminars.
- Services provided by the administration should be advertised on TV or the internet.
- Active operation of the press and public relations units should be ensured.
6.2 Communication Methods
A communication system is made up of the methods and records produced to determine, acquire, change and transfer useful information. Staff must be able to communicate with all the units in the organisation, including sharing information on risks.
With the advancements in technology, numerous and various communication means are now available in public administrations. The most widely used means of communication are detailed in IC Annex 2.
6.2.1 Reporting
Reports are crucial tools for the establishment of an effective internal control system, as they facilitate the monitoring of control effectiveness.
Managers should take the reports submitted to them into consideration when making decisions. In this context, accurate and succinct reports that have been prepared on time would help the managers. Furthermore, communication and reporting is an important element of risk management (see the Risk Management Chapter).
Administrations should communicate financial and non-financial information and results regarding their policies, programmes, activities and projects to the relevant persons and bodies, in writing or verbally, at particular times. Within this framework, vertical and horizontal reporting lines within the administration should be determined in writing. Furthermore, each administration should also take into consideration external reporting mechanisms.
IC Figure 3 shows the mechanism of vertical reporting among the hierarchical stages regarding the decisions and works at the strategic, programming and operational levels, and the mechanism of horizontal reporting among the personnel of the same level. Vertical reporting is the reporting of personnel to managers. Horizontal reporting, on the other hand, is the necessary flow of information among the people and units that are on the same level.
IC Figure 3 Reporting Lines
[Figure not reproduced; labels recovered from it: Objective/Activity; Top Management; Medium-level managers; Other staff; Strategic; Operational; VERTICAL REPORTING; HORIZONTAL REPORTING.]
Examples of horizontal reporting within an administration:
- staff attending a training programme sharing with colleagues the report they prepare about training results; and
- minutes of meetings shared with other units.
Examples of vertical reporting within an administration:
- Consolidated Risk Report submitted to senior management;
- minutes of meetings copied to a senior manager for their information;
- Internal Audit Reports submitted to senior management; and
- Quarterly Reports and Semi-Annual Reports submitted to senior management.
Examples of reporting outside the administration:
- Internal Control System Evaluation Report prepared by the SDU and submitted to the CHU; and
- Annual activity report for an administration, prepared by the Head of Administration, published to the public and copied to the Turkish Court of Accounts and the Ministry of Finance.
IC Box 3 Basic Principles for Effective Reporting
- It should be explicitly determined and announced to staff which reports will be prepared, by whom, at what frequency and when they will be prepared, who they will be submitted to and who will control them. Reports must be in compliance with tasks, responsibilities and the principles of financial transparency and accountability.
- The information included in the reports must be accurate, up-to-date, succinct, objective, complete, relevant and sufficient.
- Reports should use a common and clear language that everyone can understand.
- Reports must be produced at certain periods and on a consistent basis so that comparisons can be made between years.
- Reports should attract the attention of readers, be easy to read and understand, and include sufficient and appropriate visual material.
- All reports should have a conclusion and evaluation section.
- The desired format for the report should be determined in advance by the administration/unit requesting the report and notified to the relevant administration/unit.
IC Annex 3 details the reports prescribed to be prepared as per the Public Financial Management and Control Law No. 5018 and the applicable regulations, in the framework of the principles of financial transparency and accountability.
7 WHISTLEBLOWING OF FAILURES, IRREGULARITIES AND FRAUD
One of the most important elements of accountability and transparency is the existence of a mechanism that ensures that staff and stakeholders are able to express their concerns effectively.
Article 279 of the Turkish Penal Code states that if a civil servant learns, by means of the position he holds, that a crime which necessitates investigation and prosecution was committed, and neglects or delays notifying the competent authorities of this crime, he will have committed a crime himself.
7.1 Concepts of Failure, Irregularity, Fraud and Whistleblowing
Failure refers to an unintentional action against the legislation.
Irregularity and fraud, on the other hand, refer to the behaviours of the administration's staff or third parties, carried out on purpose and against the present rules, in order to achieve unfair or unlawful gain.
Whistleblowing is the notification of illegal and unethical behaviours and actions to top management, third parties outside the management, or authorised bodies or persons (who can be inside or outside the administration) by the persons with information (employees or stakeholders). Failure to blow the whistle can cause damage to the administration.
In line with the information given above, administrations must determine distinct methods for evaluating the irregularities, fraud and failures they have been notified about.
It should be borne in mind that the person who makes the notification may be left alone or isolated, his or her career may be undermined, or he or she may not be taken seriously. Therefore, any kind of biased or discriminative conduct against personnel or third parties that blow the whistle should be prevented.
7.2 Scope of Notifications
There are three basic types of whistleblowing and complaints in public administrations:
- those regarding the violation of ethical values;
- those regarding faults, irregularities and fraud; and
- complaints by civil servants regarding administrative actions and processes implemented against them by managers or administrations.
7.2.1 Whistleblowing and complaint in cases of violation of ethical values
Whistleblowing mechanisms are defined in Law No. 5176 on the Establishment of the Civil Servants Ethical Board and Making Amendments on Some Laws, and in the Legislation on Ethical Behaviour Principles and Procedures for Civil Servants.
Under this legislation, cases of ethical behaviour violation by the director general and by those who have a title at this level are notified to the Ethical Board, while cases of violation by other employees are notified to the relevant administrative manager to be directed to the administration's disciplinary board. Within this framework, administrations carry out the process to ensure compliance with the law.
A flowchart showing the detailed process for whistleblowing and complaint in cases of violation of ethical values is at Annex 4a.
7.2.2 Whistleblowing and complaint regarding irregularities and fraud
Law no. 4483 defines the procedures to be followed in cases of crimes committed by civil servants by means which are in relation to their duties. Accordingly, cases of whistleblowing or complaint about civil servants are filed, processed and concluded under this Law.
In cases where a complaint by a person is not processed, he can appeal to the administrative court if he wishes. The administration has to record all cases of whistleblowing or complaint, whether processed or not.
A flowchart showing the detailed process for whistleblowing and complaint regarding irregularities and fraud is at Annex 4b.
7.2.3 Complaints by civil servants
Proceedings relating to complaints by civil servants regarding administrative actions and processes implemented against them by their managers or administrations are carried out within the framework of Article 21 of Law No. 657 and the Legislation on Complaint and Application Rights of Civil Servants.
7.3 The Responsibility for Detecting Faults, Irregularities and Fraud
The responsibility for identifying and preventing failures, irregularities and fraud rests with management and all employees. Under the ethical behaviour culture of the administration, the necessary actions should be taken to prevent failures, irregularities and fraud under the supervision of the responsible managers.
7.4 Whistleblowing System
For employees to communicate their concerns, and for these concerns to be taken seriously, administrations should have the related regulations that comply with their structures, as well as reporting mechanisms. These regulations should include:
- the subject-matter of a whistleblowing;
- how to protect the confidentiality of, and provide security for, a whistleblower who acts in good faith;
- the stages of the whistleblowing procedure (first to the manager, then the head of unit, the head of internal audit, the head of the human resources unit or the head of the financial services unit, and the head of administration);
- how cases of whistleblowing are evaluated by the administration and what actions are taken (examination inside the administration or official investigation, etc.);
- information given with a view to informing the whistleblower about who the subject matter concerns, whether he can contact that person, and the evaluation progress and/or results.
Within this framework, administrations should announce to the personnel all the ways of whistleblowing and complaint.
In cases of whistleblowing and complaint, the identity of the whistleblower should be kept confidential so that they are not exposed to discrimination.
Administrations should receive cases of whistleblowing and complaint in electronic format via their websites as well as in writing. Besides, the administration should set up mechanisms that make it easier for external stakeholders to whistleblow or complain, and announce them on their billboards and websites.
The administration should not set up mechanisms other than the preliminary examination procedures determined in Law no. 4483 for cases of whistleblowing and complaint regarding corruption and irregularities. As a result of the preliminary examination, whether or not an investigation permit is given should be notified, with a detailed justification, both to the Chief Public Prosecutor's Office and to the whistleblower, and the letters regarding these notifications should be kept in the whistleblowing files.
For an effective whistleblowing system, the following basic requirements are taken into consideration:
IC Box 4 Basic requirements for Whistleblowing
- Top management should announce the procedures for dealing with whistleblowing and complaints from inside and outside the administration.
- Administrations should determine, for central and local units, who notifications will be referred to.
- Methods must be developed for anonymous notifications from staff and third persons (telephone, in a way that ensures evidenced delivery; internet application, provided that the forms given are completed; anonymous letter; suggestion boxes, etc.).
- Written, spoken or electronic cases of whistleblowing should be recorded in a separate folder by the authorised unit or person, regardless of whether they are based on enough evidence or not.
- Discriminative treatment towards whistleblowers should be prevented.
- Periodical meetings should be held with staff in which their views are heard and their trust is won in regard to reporting malpractices within the administration.
- All communication channels should be left open to ensure that personnel can blow the whistle.
- In the event that personnel are proved right after the examination and evaluation process of the whistleblowing, they should be rewarded by means of confidential methods to be determined by the administration.
IC Box 5 Issues to consider while evaluating whistleblowing notifications
- Are the behaviours or actions in the administration unlawful?
- Are the behaviours or events taking place in the administration against ethical values (morals, professional ethics, etc.)?
- When the whistleblowing is not in compliance with the procedure, it must still be evaluated as long as it is based on concrete evidence.
- The seriousness and importance of the issues put forward should be taken into consideration.
- There should be good will and public benefit.
- There should be a reasonable belief that the information, and the allegations the information includes, are completely true and may uncover malpractice.
IC Figure 4 Whistleblowing Process
[Flowchart not reproduced; labels recovered from it: Whistle blower, asking: Is it illegal? Is it unethical and immoral? Is it based on concrete evidence? Do I have good will? Do I draw benefit from this? Secure communication channels (e-mail addresses, telephone numbers). Unit/person to evaluate the case of whistle blowing; Evaluation Criteria. Disciplinary Board; Inspection Board/Audit Unit; Chief Public Prosecutor (investigation request is from outside the administration); Authorising officer.]
IC Box 6 Current Legislation relating to whistleblowing and complaint
- Law No. 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication
- Law No. 4982 on the Right to Information
- Law No. 3628 on Declaration of Properties, Bribes and Combating Fraud
- Law No. 3071 on Official Letters
- Ethics Law, Regulation and Prime Ministry Circular
- Principles and Procedures on the Complaint and Application Rights of Civil Servants
- Complaint regulation under Public Procurement Law No. 4734
8 RELATIONS AMONG UNITS
8.1 Information and Communication between the CHU and SDUs
The extent to which the tasks the CHU carries out are effective and efficient depends on the level of communication it achieves with the SDUs.
The CHU must develop organisational communication mechanisms to ensure the transfer of information to the SDUs. This could either be done via a call centre to be established within the CHU, or particular CHU staff (client representatives) can be matched with particular SDUs. This would enable CHU staff to know better the unit they are responsible for, and therefore make evaluations and problem solving easier. This would also improve the influence of the CHU on other units.
Furthermore, ensuring face-to-face communication between CHU and SDU staff, and organising periodic meetings and/or conference calls to review the internal control system, can be another method of information transfer.
The CHU must set out the critical arrangements that are relevant to the SDUs using participative methods, where the participation of the SDUs must be ensured. Furthermore, the level of participation by the SDUs will enhance the level of communication.
8.2 Information and Communication between SDUs and Spending Units
Ensuring coordination with spending units for the adoption of various elements, such as the preparation of activity reports and performance programmes and the implementation of internal control, which are important elements of Public Financial Management, is the responsibility of the SDUs. Effective and efficient organisational communication with spending units would also contribute to the smooth progress of the coordination process.
SDU staff and spending units must be matched. Each member of the SDU must be in constant communication with the spending unit they are responsible for and transfer the necessary information to the spending units periodically. Spending units must also assign the department/branch/unit staff to be in continuous communication with the SDU. Such matching plays a crucial role in the transfer of consistent and accurate information both from the SDUs to the spending units and from the spending units to the SDUs.
Furthermore, these information flows must also be reviewed in the meetings to be held regularly (advised frequency: minimum monthly, maximum quarterly) by the spending unit officials and SDU managers, and the actions to be taken and the required developments must be discussed in these meetings.
In the event that it is necessary for the SDUs to make decisions which would affect the spending units, officials from the spending units must be able to get involved in this process, depending on the level of the decision.
INFORMATION AND COMMUNICATION ANNEXES
Annex 1 - Legislation on Information and Communication
- Regulation on the Principles and Procedures to be applied in Official Correspondences by the Prime Ministry
- Regulation on the Prime Ministry State Archiving Services, published in the Official Gazette number 19816 dated 16 May 1988
- Regulation on Public Servants' Ethical Behaviour Principles and Principles and Procedures for Application
- Regulation on Declaration of Assets, published in the Official Gazette no. 20696 dated 15 November 1990
- Regulation on the Complaints and Application by Public Servants, published in the Official Gazette no. 17926 dated 12 January 1983
- Prime Ministry circular on Standard Folder Plan no. 2005/7 dated 24 March 2005
- (Manual to be prepared by the Central Harmonisation Unit can be included, including the FMC Manual)
- Prime Ministry circular dated 19 March 2007 on the Civil Servants Ethical Board
- Regulation on Complaints under the Scope of the Law no. 4734 on Public Procurement (The arrangements to be made by the CHU, including the FMC Manual, can be covered in this part)
- Law no. 406 on Telegraph and Telephone
- Radio Law no. 2813
- Law no. 3071 on Official Letters
- Law no. 4982 on the Right to Information
- Law no. 5070 on Electronic Signature
- Law no. 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication
- Law no. 5369 on Provision of Universal Service and Amendments to Certain Laws
- Law No. 5176 on the Establishment of the Civil Servants Ethical Board and Making Amendments on Some Laws
- Law No. 4483 on Trying Cases against Civil Servants
- Law No. 3628 on Making Declaration of Property and Fight against Bribery and Corruption
- Law no. 5809 on Electronic Communication
Annex 2 - Widely Used Methods of Communication
(For each means: Objective; Advantages; Disadvantages)

Meetings
Objective: Informing; receiving opinion; making joint decisions.
Advantages: Relatively cheap. A method that people are accustomed to. Contributes to the culture of participation. Open to discussion and dialogue. Opportunity to come up with solutions to problems in the administration.
Disadvantages: Difficulty in measuring the success and value of the method. Possibility that results may not be useful. Possibility that a minor group may dominate the meeting in case of bad management.

Reports
Objective: Informing; receiving opinion; making decisions; evaluation.
Advantages: Informs the target group about the subject in a sound manner. Facilitates the decision-making process of the manager. Possibility of accessing accurate, up-to-date, relevant and adequately detailed information.
Disadvantages: Requirement for qualified staff. Its production is time consuming.

Brochures, periodicals
Objective: Informing; promotion.
Advantages: Opportunity for creative design. Comprehensible. Particular and wide target groups. Opportunity to establish a long-term relation with the target group. Opportunity to make regular updates regarding the subject.
Disadvantages: Limited feedback. Difficulty in measuring the impact on the target group.

Questionnaire, interview (letter, telephone, face to face)
Objective: Receiving opinion; evaluation.
Advantages: A method that people are accustomed to. Opportunity to reach a wide group. Opportunity to select particular target groups. Scientific methods can be used.
Disadvantages: Expensive, time consuming. Requirement of in-depth information to use the method accurately. Possibility that the response rate may be low. Possibility that the subject may not be examined enough.

Press releases and conferences
Objective: Informing; receiving opinion.
Advantages: Cheap. Easy to organise. Opportunity to communicate to many people.
Disadvantages: Difficulty in understanding whether the subject reached the target group or not. Difficulty in measuring the success and value of the method. Difficulty in examining the subject thoroughly. No feedback or limited feedback.

Brainstorming
Objective: Exchanging ideas; making joint decisions.
Advantages: Obtaining many ideas regarding a subject. Contribution to the culture of participation. Cheap, flexible, easy to organise.
Disadvantages: Possibility that results may not be useful. Possibility that the subject may not be examined enough.

Workshop
Objective: Informing; receiving opinion; making joint decisions.
Advantages: Opportunity to set up new networks. Fun for participants. Chance of finding solutions to problems. Cheap, flexible, easy to organise. Chance of examining the subject thoroughly. Opportunity to select particular target groups. Easier participation because of the unofficial atmosphere.
Disadvantages: Non-scientific. Possibility that results may not be useful. Possibility that a minor group may dominate the meeting. Possible to receive wrong results with a small and randomly selected group.

Conference
Objective: Informing; receiving opinion; making joint decisions.
Advantages: Opportunity to become creative and flexible. Opportunity to work together with different groups. Opportunity to set up new networks. Opportunity to select particular target groups. Opportunity to examine the subject thoroughly. Opportunity to discuss different opinions and ideas.
Disadvantages: Expensive, time consuming. Possible to receive wrong results with a small and randomly selected group. Raising different expectations. Possibility that results may not be useful. Possibility that a minor group may dominate the meeting in case of bad management.

Focus Group
Objective: Receiving a group's opinion under the leadership of a moderator.
Advantages: Faster and cheaper compared to one-to-one interviews. Opportunity to discuss different opinions and ideas. Spoken discussion accelerates the process by which outputs are reflected in writing.
Disadvantages: Possibility that useless information may emerge in case of bad moderation. The quality of participants affects the quality of data.

Conference Call
Objective: Making joint decisions; finding common solutions to problems.
Advantages: Opportunity to discuss different opinions and ideas. Opportunity to examine the subject thoroughly. Experienced decision-makers and persons with deep accumulated knowledge coming together.
Disadvantages: Possibility that results may not be useful in case of bad management. Expensive, time consuming. Possibility that a minor group may dominate the meeting in case of bad management.

Websites and intranet, e-mail
Objective: Informing; receiving opinion.
Advantages: Cheap. Easy to organise. Opportunity to reach many people. Effective information sharing.
Disadvantages: Need for updating. Problem that unwanted people may get access.
Annex 3 Reports Prepared under PFMC Law No 5018

Name of report / Responsible unit / Submitted to

Unit Activity Report (Art. 41 of Law No 5018)
Responsible unit: Spending Units (Authorising Officers)
Submitted to: Head of Administration

Local Administrations Activity Report
Responsible unit: Spending Units (Authorising Officers)
Submitted to: Head of Administration

Administration Activity Report (Art. 41 of Law No 5018)
Responsible unit: Head of Administration (general budget administrations, special budget administrations and social security institutions)
Submitted to: Ministry of Finance, Court of Accounts and public opinion

Local Administrations Activity Report (Art. 41 of Law No 5018)
Responsible unit: Head of Administration (local administrations)
Submitted to: Ministry of Interior, Court of Accounts, public opinion

General Activity Report (Art. 41 of Law No 5018)
Responsible unit: Ministry of Finance (Directorate General for Budget and Fiscal Control)
Submitted to: Court of Accounts and public opinion

Local Administrations General Activity Report (Art. 41 of Law No 5018)
Responsible unit: Ministry of Interior
Submitted to: Court of Accounts, Ministry of Finance and public opinion

Administration AR, General AR, Local Administrations General AR (Art. 41 of Law No 5018)
Responsible unit: Court of Accounts (expressing its own opinions considering its external audit results)
Submitted to: TGNA

Draft Law on Final Accounts (Art. 42 of Law No 5018)
Responsible unit: Ministry of Finance (DG Public Accounts)
Submitted to: TGNA, Court of Accounts

External Audit Overall Assessment Report (Art. 68 of Law No 5018)
Responsible unit: Court of Accounts
Submitted to: TGNA

Corporate Financial Status and Expectations Report
Responsible unit: Public administrations under the scope of general management
Submitted to: Public opinion

Central Government Budget Realisations and Expectations Report
Responsible unit: Ministry of Finance (Directorate General for Budget and Fiscal Control)
Submitted to: Public opinion

Financial Statistics (Art. 52, 53, 54 of Law No 5018)
Responsible unit: Ministry of Finance (DG Public Accounts)
Submitted to: Public opinion
In the production and submission of the activity reports above, Law No 5018 and the principles and procedures set out in the Regulation on Activity Reports Prepared by Public Administrations are taken into account.
In the preparation and declaration of the financial statistics of public administrations, Law No 5018 and the principles and procedures set out in the General Communiqué on Financial Statistics of General Management are taken into consideration.
Annex 4a Whistle-Blowing Process Related to Ethical Values

1) Application: written petition, electronic mail, or oral application that is recorded.
2) Registry (relevant unit/person): registration in the document registry system (written or electronic); a separate folder system is kept for notification applications.
3) Evaluation:
- If related to the Director General and positions above Director General: Ethical Board.
- If related to positions below Director General: Disciplinary Board at the head office of the relevant administration.
4) Notification:
- To the relevant person (the person the whistle-blowing is about); to the relevant administration (conduct of the work within the framework of Law No 657); to the whistle-blower.
- Notification of the evaluation result: if it is decided that ethical behaviour principles have been violated, to the Prime Ministry and to the public (published in the Official Gazette); if it is not detected that ethical behaviour principles have been violated, to the Prime Ministry and to whom it may concern.
Annex 4b Whistleblowing and Evaluation Process for Crimes Committed by Civil Servants

1) Application: written petition (concerning a person or a particular event, containing serious allegations, and bearing name, family name, signature and domicile address).
2) Registry (relevant unit/person): registration in the document registry system (written or electronic; a separate folder system for notification applications).
3) Notification by the head of the relevant unit:
- Directly to the Chief Public Prosecutor: requesting an investigation permit from the body authorised to give the permit (Article 3 of Law No 4483).
- Other positions or civil servants: making notification to the body authorised to give the investigation permit (Article 3 of Law No 4483).
4) The body authorised to give the permit starts the preliminary examination (Law No 4483/5).
5) Preparation of the preliminary examination report and its submission to the body authorised to give the permit.
6) Decision of the authorised body:
- Permitting the investigation about the complaint, whistleblowing or subject matter of the allegation. Objection: to the Court of Appeals or regional administrative court, by the civil servant about whom the investigation is conducted.
- Not permitting the investigation about the complaint, whistleblowing or subject matter of the allegation. Objection: to the Court of Appeals or regional administrative court, by the Chief Public Prosecutor's Office or the complainant.
7) Notification of the decision: to the Chief Public Prosecutor's Office; to the civil servant about whom the investigation is conducted; to the whistleblower.
MONITORING
1 Introduction
Monitoring is the assessment of the internal control system in terms of harmonisation with the internal control standards, to see whether it makes the expected contribution to the achievement of the goals and objectives of an administration. It is also the identification of the actions regarding the aspects open to improvement. Within this framework, monitoring is an integrated process in which capacity is assessed in interaction with the other components of the internal control system.
M Figure 1 COSO Monitoring Process
[Figure: the monitoring component shown together with the other internal control components: Risk Management, Control Activities, Information & Communication, Monitoring.]
The main elements of monitoring are the formation of a sound infrastructure for monitoring, the design and implementation of monitoring procedures, and the assessment and reporting of the results. Monitoring, if designed and carried out properly, provides the administration with reasonable assurance that the internal control system operates efficiently. Efficient monitoring helps to:
- identify and eliminate problems in the internal control system in a timely manner;
- produce more accurate and reliable information to be used in decision making;
- produce correct and timely financial statements;
- confirm regularly that the internal control system is effective;
- present evidence for the internal control assurance declarations.
Monitoring internal control systems requires participation. Question forms, internal and external audit reports, requests and complaints from individuals and/or organisations, and the opinions of unit directors must be made use of during monitoring.
2 Monitoring Internal Control Standards
Monitoring includes all sorts of monitoring activities performed with the aim of assessing the quality of the internal control system.
M Box 1 Internal Control Standards
Standard 17: Assessment of internal control
The administrations shall assess their internal control systems at least once a year.
Standard 18: Internal audit
The administrations shall ensure a functionally independent internal audit activity.
3 Roles and Responsibilities
3.1 Senior Manager
The main responsibility for monitoring the internal control system rests with the Senior Manager. This is also emphasised in Article 11 of Law No 5018, which states that Senior Managers are responsible for observing and monitoring the functioning of the financial management and control system.
The Senior Manager fulfils this responsibility through internal auditors and Strategy Development Units (SDU).
Approving the internal control system annual assessment report prepared by his administration, the Senior Manager ensures its submission to the Central Harmonisation Unit (CHU). Furthermore, the Senior Manager annually states, based on evidence and through internal control assurance statements (Annex 3A), that the internal control system gives reasonable assurance for the attainment of the objectives and aims of his administration.
On the other hand, the Senior Manager ensures the implementation of recommendations put forward as a result of internal and external audits.
3.2 Internal Audit
Internal audit has the functions of providing information, making assessments and making recommendations on the adequacy, efficiency and functioning of the internal control system. Within this framework, the Senior Manager, who has the responsibility for the sound functioning of the internal control system, receives opinions and support from internal auditors.
3.3 Internal Control and Risk Steering Board (ICRSB)
The ICRSB assesses the Internal Control System Evaluation Reports prepared by the SDU as a result of the annual assessment of the internal control system (Annex 2) and, after identifying any shortcomings of the report, submits it with the relevant opinions for the approval of the Senior Manager.
3.4 Authorising Officers
Authorising officers have responsibilities regarding internal control and continuous monitoring. Furthermore, Authorising Officers provide the necessary information to SDUs regarding the annual assessment of the internal control system, fill in the internal control question form (Annex 1) and annually sign the internal control assurance declaration (Annex 3B) to be submitted to the Senior Manager.
In addition, Authorising Officers have the responsibility for taking relevant actions regarding the recommendations contained in internal and external audit reports.
3.5 Strategy Development Units (SDU)
SDUs have been assigned the function, by Law No 5018 and the applicable legislation [3], of carrying out studies to establish, implement and continuously develop internal control systems, and of reporting the study results to the Senior Manager.
Within this framework, SDUs annually assess the internal control system on behalf of the Senior Manager. They then report the assessment findings, gained by forming a working group and using such tools as checklists, questionnaires and question forms, to the Senior Manager together with the relevant opinions of the Internal Control and Risk Steering Board.
SDUs sign the declaration on the functioning of the internal control system with a view to ensuring the effective, efficient and economical execution of the administration's activities.
Personnel of SDUs take an active role in the assessment process of internal control systems and guide the units in filling in the reports regarding the assessment (Annex 1).
3.6 Other Managers and Employees
Other managers and employees are responsible for the effective functioning of the internal control system within their own fields. Within this framework, while carrying out their own duties, they observe the functioning of the internal control system, inform the Senior Manager in case of a problem, and contribute to the assessment process of the internal control system by providing information.
3.7 External Audit
External audit is conducted by the Court of Accounts. Within this framework, the Court of Accounts can assess internal control systems in public administrations and can make recommendations.
3.8 Central Harmonisation Unit (CHU)
In accordance with Article 9 of the Principles and Procedures regarding Internal Control and Ex-ante Financial Control and Article 55 of the Public Financial Management and Control Law No 5018, this unit develops standards and methods regarding internal control processes and provides guidance services to public administrations.
Furthermore, the CHU annually assesses the functioning of internal control systems in public administrations, based on the Internal Control Assessment Reports approved and submitted by senior managers, and submits the assessment report it has prepared to the Senior Manager and the Minister of Finance.
Where necessary, the CHU carries out on-site monitoring activities regarding the factors contained in the reports prepared by public administrations.
Within the framework of the roles and responsibilities explained above, the following scheme demonstrates the exchange of information and the reporting lines envisaged within the scope of monitoring activities in the administration.
[3] Legislation on Principles and Procedures regarding Internal Control and Ex-ante Financial Control, and Working Principles and Procedures of Strategy Development Units.
M Figure 2 – Reporting and information exchange process foreseen under monitoring
[Figure: actors shown from top to bottom: Central Harmonisation Unit; Senior Manager; Internal Audit (report), Internal Control and Risk Steering Board, External Audit / Court of Accounts (report); Strategy Development Unit; Authorising Officers; Sub-unit Managers; Sub-unit Personnel.]
1) Straight arrows demonstrate the hierarchy in the reporting process.
2) Dotted lines demonstrate the exchange of information.
4 Guidance by the CHU [4]
Article 55 of the Public Financial Management and Control Law No 5018 and Article 9 of the Principles and Procedures on Internal Control and Ex-ante Financial Control prescribe that standards and methods concerning financial management and control are developed and harmonised by the Ministry of Finance, and that guidance is provided to the public administrations.
In this context, within the scope of its monitoring function, the CHU:
- monitors whether internal control standards are complied with;
- monitors the operation of the systems by receiving information and reports from the administrations regarding internal control and ex-ante financial control arrangements and practices;
- carries out research on national and international good practices and conducts studies for their implementation.
The CHU annually assesses the operation of the internal control system within the public sector, based on the Internal Control System Evaluation Reports submitted upon the approval of the heads of public administrations, and where necessary carries out on-the-spot monitoring on the issues included in the reports of the administrations.
[4] This part consists of general information on the guidance provided by the CHU; detailed information can be found in the CHU Handbook.
5 Assessment and Reporting Role of SDUs
Assessing internal control periodically and identifying and applying the necessary actions are crucially important to ensure the efficiency of the system. In this context, each organisation needs to assess its internal control system. Assessment of the internal control system means analysing, on the basis of the internal control components, whether the system makes the expected contribution to the achievement of the aims and objectives of an administration, identifying the aspects open to improvement, and taking corrective actions.
The Public Internal Control Standards state that the internal control systems in public administrations must be assessed at least annually, using ongoing monitoring or separate evaluations. In the assessment of the internal control system, participation of all units is required; internal and external audit reports, requests and complaints from individuals and/or organisations, and the opinions of unit directors must be considered; and the assessment process must be methodical.
5.1 Assessment of Internal Control System by SDUs
Assessment of the internal control system by SDUs is carried out fundamentally by means of the Internal Control System Question Form. Other tools, such as checklists and questionnaires, can also be used during the evaluation process. Furthermore, the opinions of the managers and requests and complaints from organisations and/or individuals are taken into consideration in the evaluations. Evaluations are carried out at least annually; quarterly or semi-annual evaluations can be carried out as well.
Coordination of the assessment, conveyance of the questionnaires to the relevant units and consolidation of the responses are tasks of the Internal Control sub-units in the SDUs.
The staff to be assigned from the SDU to support the process of filling in the questionnaires must be determined, and the evaluation process must be planned. In the plan, a representative must be appointed for each unit; where the number of staff is insufficient, at least one person must be assigned as responsible, and this must be communicated to the relevant units. This responsible person must provide guidance to the units in filling in the questionnaires.
Spending units are obliged to respond to the questions on Risk Assessment, Control Activities, and Information and Communication. Responding to the questions in the Control Environment and Monitoring parts is at the discretion of spending units.
SDUs must complete the sections on control environment and monitoring in the internal control question forms which they fill in as spending units.
The following steps should be followed while evaluating the internal control system:
- Primarily, unit managers should organise an opening meeting for the representatives from the SDUs. In this meeting, guidance should be provided for responding to the questionnaire, and the deadline for completing the questionnaire should be announced.
- The timetable for the questionnaire and the SDU representative and their contact details should be communicated to the unit manager along with the questionnaire itself. The units must be given a reasonable amount of time to complete the questionnaire, which should be not less than one week.
- The questionnaire should be completed with the participation of sub-unit managers and staff, under the coordination of the unit manager.
- When completing the questionnaire, spending units should bear in mind that this is a kind of self-assessment: through the answers they give to the questions, they essentially assess their own units. Within this framework, while completing the questionnaire, they should make an in-depth assessment of the functioning of internal control in their own units.
- Where necessary, support should be received from the SDU representatives.
- When the questionnaire is received by the SDU representative, each question should be checked and any misunderstanding should be corrected during this process. To this end, the SDU representative is entitled to get in touch with the unit manager regarding responses to the questionnaire.
- Internal audit units/internal auditors can be asked for support and recommendations when there is a need to check the accuracy of the information in the questionnaire.
- Following the submission of all questionnaires, the SDUs should consolidate the questionnaires and prepare the evaluation report, resorting primarily to the questionnaires and also to the following sources of information:
  - action plans produced on the basis of internal and external audit reports;
  - information on budget and ex-ante financial control; and
  - other sources of information (opinions of the managers, requests or complaints by individuals and/or administrations).
Given that the evaluation report will be produced using the above-mentioned information sources (questionnaire, internal and external audit reports, budget and ex-ante financial control information, etc.), it should be kept in mind that this process will take time.
While assessing the results of the questionnaire, the points should be added up and converted to a percentage for each section. For example, the total number of points that can be scored for the Control Environment section is 44. If the Unit's score was 22 out of 44, the percentage result is 50%. The percentage scores should be recorded for each section, together with a percentage score for the whole questionnaire (using the total possible points of 116).
The percentage scores should be interpreted as follows, separately for each category and also for the overall percentage score:
M Table 1 – Interpretation of the Results of the Internal Control Question Form
Score 0-25: Evidence of some awareness and understanding, but still in the early stages of internal control development. Direct action needed by the SDU to provide guidance.
Score 25-50: Evidence of implementation that is planned and in progress. Action needed by the SDU to provide further guidance.
Score 50-75: Evidence of implementation in some key areas. Further guidance may be required from the SDU.
Score 75-95: Evidence that implementation of internal control is embedded and a good capability is established. The SDU may wish to identify the best areas as examples of best practice and inform the CHU.
Score 95-100: Evidence of a mature internal control system with excellent capability established. The CHU will wish to use it as an example of best practice.
5.2 Reporting of Internal Control System Evaluation Results
The SDU prepares a report regarding the activities carried out for establishing and developing the internal control system and an evaluation of the functioning, effectiveness and efficiency of the system. It is appropriate to use the 'Internal Control System Evaluation Report' template contained in Annex 2 when turning the assessment results into a report.
In the preparation of the aforementioned report, the "Internal Control System Questionnaire" is an important basis. The report should include, alongside information on the operation of the internal control system, the steps taken for strengthening it. Furthermore, the areas where no or insufficient controls exist, where they do not work properly, or where the controls are excessive, and the plans and tables produced to address the problems identified, should also be covered in the report.
The report produced is reviewed by the ICRSB, if there is one in the administration. If not, it is reviewed by a board consisting of authorising officers or their assistants assigned by them, chaired by an authorising officer or a Deputy of the Senior Manager. After eliminating any shortcomings, it is submitted by the board to the Senior Manager for approval.
The annual evaluation report approved by the Senior Manager must be sent to the CHU by the SDU by the end of the following March.
5.3 Monitoring of Internal Control System Evaluation Reports
The measures and actions to be taken and the arrangements to be made regarding the aspects identified in the Internal Control System Evaluation Report as requiring development must be set out within the framework of managerial responsibility. In certain areas, the unit managers will have to take actions in order to eliminate the gaps. Furthermore, if there are horizontal problems on which most of the units are identified to score low, actions for improvement should be initiated by the Senior Manager.
The measures and actions to be taken and the arrangements to be made must be implemented in the context of an action plan within a designated period of time. SDUs must monitor the implementation results of the aforementioned measures, actions and arrangements at least semi-annually and inform the Senior Manager about the implementation results.
5.4 Work to be carried out by SDUs concerning Internal Audit Reports
In accordance with Article 64 of Law No 5018, reports submitted by internal auditors to the Senior Manager shall be sent to the concerned unit and the SDU, following the assessment by the Senior Manager, for taking the necessary action. It is appropriate that SDUs assess the report sent by the Senior Manager in light of the following questions.
M Table 2 – Evaluation of the Internal Audit Reports by the SDUs
Question 1: What information is available in the report about the effectiveness of the internal control system? For example, what information does the internal audit report include on risk management?
Question 2: Are there any problems according to the internal audit report? What are the problems in question?
Question 3: What are the works to be carried out by spending units for fixing these problems? (It is possible that SDUs provide spending units with guidance on the actions to be taken.)
Question 4: What are the works to be carried out by the SDU for fixing these problems? (Taking these problems into consideration, the SDU identifies the measures to be taken in the Internal Control System Evaluation Report to be submitted to senior management.)
Question 5: Identifying the training need within the framework of the shortcomings related to the internal control system: the SDU can demand that new training programmes be developed or that available programmes be revised.
Question 6: Has the SDU done what is necessary for fixing these problems? (It should be found out whether the SDU has done the necessary works, such as delivering training or giving recommendations, for fixing the problems.)
6 Internal and External Audits
In accordance with Law No 5018, the audit of our financial management and control system is divided into two categories: internal audit and external audit. Internal audit is carried out by the internal auditors working in the administrations within the scope of the general government, with the exception of regulatory and supervisory institutions. External audit of the administrations under the general government, on the other hand, is carried out by the Turkish Court of Accounts.
6.1 Internal Audit
Articles 63-67 of Law No 5018 set out the overall scope of the internal audit system, and the professional framework has been established with the secondary and tertiary legislation.
Activities and transactions of all the units of public administrations, including those abroad and in the provinces, undergo internal audit in line with audit standards, within the scope of risk-based audit plans and programmes, using a systematic, consistent and well-disciplined approach.
The most distinctive difference between the current inspection boards and the internal audit designed by the aforementioned Law is that internal auditors have a limited authority, which merely enables them to notify the most senior person in the administration when they find cases requiring investigation during the course of or following the audit. Inspectors, however, have the authority to initiate investigations and to directly submit reports containing the findings of the investigations to the legal authorities.
6.1.1 Definition and Aim of Internal Audit
Internal audit is defined in Article 63 of Law No 5018 as follows:
M Box 2 – Article 63 of Law No 5018
"Internal audit is an activity of providing independent and objective assurance and consultancy, performed in order to improve and add value to the activities of the public administrations by evaluating whether the resources are managed in conformity with the principles of economy, effectiveness and efficiency, and by providing guidance. Such activities are performed with a systematic, regular and disciplined approach and in accordance with generally accepted standards, aiming to evaluate and improve the efficiency of risk management and of management and control processes on the management and control structures and financial transactions of administrations."
In the above definition, "objective assurance" refers to providing sufficient assurance, within and outside the organisation, that an efficient internal control system exists in the organisation; that its risk management, internal control system and business processes operate efficiently; that the information produced is accurate and complete; that the assets are safeguarded; and that the activities are carried out in an efficient, economic and productive manner in line with the legislation.
Alongside the objective assurance it ensures, internal audit provides independent and impartial consultancy to assist the administrations in developing their risk management, control and management processes. Consultancy covers providing recommendations to evaluate and improve the activities and business processes of the administration, aimed at the achievement of its objectives in a systematic and regular manner.
Internal auditors get involved neither in the arrangement or implementation of internal control systems nor in the selection of control actions.
6.1.2 Monitoring within the scope of Internal Audit
Internal auditors submit their reports directly to the Senior Manager of the public administration. Following the evaluation of the Senior Manager, these reports shall be given to the concerned units and the SDU for taking the necessary action. Internal audit reports and the actions taken on them shall be sent by the head of the public administration to the Internal Audit Coordination Board within two months at the latest.
Audit results are monitored within the framework of the Public Internal Control Reporting Standards published by the Board. The corrective actions and advice recommended by the internal auditor following the internal audit activity shall be completed by the auditee within the time period indicated in the relevant report. The Senior Manager shall follow up whether the measures stated in the report have been taken or not. The Senior Manager can fulfil this duty through internal audit units (through internal auditors in administrations where there is no unit). Internal audit units (internal auditors in administrations where there is no unit) set up a follow-up system to monitor the implementation of internal audit reports.
Unit directors take the necessary actions regarding the recommendations included in the audit report about the audited activities. In the event that no action could be taken, the head of the internal audit unit informs the Senior Manager.
If the recommendation or corrective measure to be taken will take a certain period of time, this shall be stated in the response to the audit report, and the relevant unit shall communicate the developments to the internal audit unit at least every six months.
Actions taken by the audited units upon the report, or the justifications for not taking action, are sent to the internal audit unit to be submitted to the internal auditor.
6.2 External Audit
Another means that contributes to accountability is external audit. In this context, external audit has an important role in the fulfilment of the legislative body's budget right and in the effective, efficient and economic use of public resources. The Turkish Court of Accounts carries out the audit of the financial activities and transactions of public administrations in the name of the legislative body.
6.2.1 Aim of External Audit
The purpose of the ex post external audit to be performed by the Court of Accounts is to audit, within the framework of the accountability of public administrations within the scope of general government, the financial activities, decisions and transactions of management in terms of their compliance with the laws, institutional purposes, targets and plans, and to report the results to the Turkish Grand National Assembly.
6.2.2 Scope of External Audit
External audit is divided into two categories, namely regularity audit and performance audit.
Regularity audit is carried out by means of the following:
- detecting whether the revenues, expenditures and goods of public administrations and the related accounts and proceedings are in compliance with the laws and the other legal regulations;
- giving opinions about their accuracy and reliability after assessing the financial reports and statements of public administrations and all those documents produced in relation to these reports and statements;
- assessing the financial management and internal control system.
Performance audit, on the other hand, is the act of measuring activity results in light of the objectives and indicators identified by administrations within the framework of accountability.
6.2.3 Functioning of External Audit
External audit makes use of the accounts and other relevant documents of the public administration. Where the TCA needs them, reports by the internal auditors can also be requested.
Reports produced upon the audits are consolidated by the administrations and submitted to the Senior Manager to be responded to; finally, the external audit overall evaluation report, produced considering the external audit reports and the responses to them, is submitted to the Turkish Grand National Assembly. It is possible to turn external audit results into administration-based or topic-based reports and submit them to the TGNA as individual reports.
6.2.4 Coordination between External Audit and Internal Audit
Ensuring coordination and cooperation, based upon communication, common understanding and trust, between external audit and internal audit is important for increasing the efficiency of both. Furthermore, such coordination and communication will ensure effective use of audit resources by preventing unnecessary repetition of audits.
In accordance with Law No 5018, the Court of Accounts can make use of internal audit reports within the framework of such coordination and communication. Moreover, it is expressed in the internal audit standards that the head of the internal audit unit shall share available information with the other internal and external auditors and conduct his activities in coordination with them.
7 Internal Control Assurance Declarations
The new financial management and control understanding brings forward the concepts of financial transparency and accountability. Briefing the public and the judicial organ on the activities of a public administration, which are carried out in order to attain its objectives and aims, and on their results is one of the most important requirements of managerial accountability.
In this way, it is ensured that those carrying out public services feel more responsible and work in an outcome-oriented manner, that the beneficiaries of public services are informed on how the taxes they pay are used and on the performance of public administrations, and that public audit is strengthened as well as legislative audit. To this effect, in the new financial management and control system, it is provided that authorising officers [5] prepare the unit activity report, the Ministry of Internal Affairs prepares the Assessment Report regarding the activities of local administrations, and the Ministry of Finance prepares the Overall Activity Report, and it is ensured that the Court of Accounts informs the Turkish Grand National Assembly with its own assessments.
In order to deliver the concepts of financial transparency and accountability, the actors of the system, Senior Managers and the authorising officers allocated appropriations from the budget, have been commissioned to prepare internal control assurance declarations and attach these declarations to the activity reports of the administrations and of the units [6].
Within this framework, those who need to give an internal control assurance declaration and the type of declaration they will give are shown in the following scheme.
Table 3: Types of Internal Control Assurance Declarations

THOSE WHO WILL GIVE INTERNAL CONTROL ASSURANCE DECLARATION | TYPE OF INTERNAL CONTROL ASSURANCE DECLARATION
SENIOR MANAGER | INTERNAL CONTROL ASSURANCE DECLARATION (SENIOR MANAGER) (ANNEX-3A)
AUTHORISING OFFICERS | INTERNAL CONTROL ASSURANCE DECLARATION (AUTHORISING OFFICER) (ANNEX-3B)
HEAD OF SDU | DECLARATION OF THE HEAD OF SDU (ANNEX-3C)
⁵ The unit activity report and the internal control assurance declaration are prepared by those authorising officers to whom an appropriation is allocated in the budget.
⁶ Art. 8 of the Principles and Procedures regarding Internal Control and Ex-ante Financial Control; Art. 19 of the By-law on the Preparation of the Activity Reports of Public Administrations, Annex 2, 3, 4.
On the other hand, every authority signing the internal control assurance declaration should be sure that the assurance he gives is supported by evaluation reports issued by the SDU, internal and external audit reports, other external assessments and similar sound evidence. Furthermore, while filling in the internal control assurance declaration of his administration, the Senior Manager should assess the Assurance Declarations of the authorising officers and the Head of SDU, and should state in the Internal Control Assurance Declaration that the reasonable assurance these declarations gave him formed an important basis for his own declaration.
7.1 How to complete Internal Control Assurance Declarations
Guidance on the internal control assurance declarations to be completed by the Senior Manager (Annex 3A), the Authorising Officer (Annex 3B) and the Head of SDU (Annex 3C) is as follows.
7.1.1 Guidance on Internal Control Assurance Declarations for Senior Manager and Authorising Officer
The Internal Control Assurance Declaration (ICAD) is comprised of four main parts, namely Responsibility; Basis of Internal Control System and Assurance Declaration; Risk Management; and Assessment of Internal Control System (Annex 3A and Annex 3B).
In completing the two Annexes 3A and 3B, Senior Managers and Authorising Officers should observe the standard templates and complete the relevant boxes. Each box has a cross reference to where more information can be found in the main body of this chapter.
7.1.1.1 Responsibility
The Senior Manager is responsible for establishing, operating and monitoring an effective financial management and control system which will contribute to the realization of the objectives and aims of his administration. Within this framework, he is obliged to take the necessary measures in order to ensure that the regulations regarding the internal control system are adopted by employees and that the internal control standards are observed. The authorising officer is responsible for the compliance of spending orders with the budget principles, laws, legislation, by-laws and regulations, as well as for the economical and efficient use of subsidies and the functioning of internal control within the framework of his duties and authorities.
As the paragraph of the ICAD regarding responsibilities is regulated within this framework, the name of the relevant administration should be written only in the part marked [administration]; other than this, no change should be made to the text.
7.1.1.2 Basis of Internal Control System and Assurance Declaration
The aim of the internal control system is to ensure the following, in order to give reasonable assurance on the realization of the strategic objectives of the administration:
- effective, efficient and economical management of public revenues, expenditures, assets and obligations;
- public administrations carrying out their activities in line with the law and the other applicable regulations;
- prevention of corruption and irregularity in every kind of financial decision and operation;
- gaining regular, timely and reliable information and reports in order to make decisions and to monitor; and
- prevention of abuse and waste of assets and protection against losses.
However, the internal control system will not give absolute assurance to the administration for the realization of the aims mentioned above, even where it is designed and operated very well, because some factors outside the influence and control of the administration can affect its capacity to attain its objectives. Therefore we need to admit that the internal control system gives reasonable, not absolute, assurance to management for the realization of objectives.
The cost of internal control should not exceed the benefit obtained. Management has to take into consideration the control costs and their benefits while making decisions on the regulation of responses to risks and control activities. The authorising officer, in the same manner, has to take these factors into consideration while identifying and assessing the risks related to his unit.
On the other hand, while identifying weaknesses in the internal control system, correcting the faults and contributing to the development of the system, the Senior Manager/authorising officer receives support from internal and external assessments made within the framework of management information systems, evaluation reports issued by the SDU, internal and external audit reports, and internal and external assessments. Therefore it is appropriate that such support be explained in the ICAD by the Senior Manager/authorising officer.
7.1.1.3 Management Information Systems
Managers need financial and non-financial information in order to detect whether the administration has attained its objectives and aims, and whether the accountability function has been fulfilled, for an effective, economical and efficient use of resources. The best fulfilment of such requirements, and timely and accurate decisions, are possible only if there is proper, accurate, timely and accessible information.
Therefore the management information system in the administration should be designed in a way that produces the information and reports needed by management and gives the opportunity to make analyses.
The Senior Manager/authorising officer should briefly touch upon in the ICAD the management information system available in the administration/unit and explain what kind of contribution this system makes to the functioning of the internal control system.
7.1.1.4 Internal Audit
Responsibility for establishing an adequate and effective internal control system rests with the Senior Manager. By giving information to management on the effectiveness, adequacy and functioning of the internal control system, and by making assessments and recommendations, internal audit plays an important part in helping senior management with this responsibility.
Within this framework, the following are realized during the audits carried out by internal auditors:
- it is detected whether the internal control system functions in a sound manner; and
- the success of the internal control system in compliance with the legislation and relevant regulations, in the accuracy of accounts and operations, in the reliability of financial tables, and in providing an effective, economical and efficient execution of the activities, programmes and projects of the administration is determined.
The Senior Manager, on the other hand, assesses the factors which the internal audit reports envisage to be corrected and improved, and takes the necessary measures.
First of all, the Senior Manager should state in the ICAD whether his administration has an internal audit unit or not. If there is an internal audit unit, a brief summary of the measures taken regarding the adequacy, effectiveness and functioning of the internal control system, in line with the recommendations and assessments of the internal auditors, should be given in this part of the declaration.
The Senior Manager can explain in the ICAD how the action plans prepared by the audited units, regarding the measures to be taken by the administration as a result of internal audits, are monitored, and he can also touch upon the support provided by the internal audit unit, if any, regarding this monitoring activity.
The authorising officer, on the other hand, can explain in the ICAD the action plans prepared on the measures to be taken by his unit as a result of internal audit, and their implementation.
7.1.1.5 External Audit
The Senior Manager/authorising officer should include in the Internal Control Assurance Declaration a summary of the relevant findings and assessments, if the Court of Accounts has conducted an external audit, as well as of the operations carried out by the administration in response to these findings and assessments.
If an operation relating to the external audit reports of previous years has been carried out within the year, a summary of that operation should be included in this part of the declaration.
7.1.1.6 Strategic Development Unit (SDU)
The SDU carries out studies in such fields as establishing the internal control system and implementing and developing the standards, and submits the study results to the Senior Manager.
Although the duty of setting standards and methods in financial management and internal control processes is assigned to the Ministry of Finance, every kind of method, process and standard regarding special operations which is considered necessary is prepared by the SDU and submitted for the approval of the Senior Manager, provided that it does not conflict with Law No. 5018 and the standards set by the Ministry of Finance. Authorising Officers base their activities on the relevant regulation along with the legislation.
Furthermore, the SDU prepares an annual Internal Control Evaluation Report on the functioning of the internal control system and submits it to the Senior Manager. Therefore the Senior Manager should mention in the ICAD these regulations and Internal Control Evaluation Reports regarding the financial management and control system, prepared by the SDU and enforced following his approval.
Within this framework, the authorising officer should touch upon in the ICAD the guidance provided by the SDU for the sound functioning of the internal control system in the unit.
7.1.1.7 Risk Management
Administrations set out their missions and visions, as well as their objectives, aims and basic policies, in their strategic plans. Besides preparing their strategic plans, administrations analyse their institutional strengths, weaknesses, threats and opportunities.
With the help of such techniques as SWOT and PESTLE analyses, administrations have the chance to identify, define and assess the risks they may come across in carrying out their activities. Generally, a risk is an uncertain event that may occur, together with its unfavourable outcomes and impacts. Risk is generally considered to be the threats which prevent the realization of aims and objectives; however, well managed risks pave the way to benefit from probable opportunities.
The two most important components of administrative risks are probability and impact. Therefore, while addressing risks, both the probability of occurrence and the impact the risk may create if it occurs are handled. The most important feature of the risk concept is that it is inevitable. Therefore the administration should prefer managing risks instead of overlooking them and resorting to crisis management when they occur. It should be emphasized that, as time and resources to manage risks are limited and it is impossible to eliminate risks, the necessary control activities are conducted to keep risks at a tolerable level.
Risk perception, risk awareness and risk appetite can differ according to the organisational structure, human resources and activities of an administration. Therefore the Senior Manager should include in the ICAD the following elements, relating them to the activities and functioning of the administration (Authorising Officers should take into consideration only the parts included in their own ICADs).
7.1.1.8 Risk perception of administration
The following should be summarized:
- the leadership that the Senior Manager has in the risk management process;
- how risk awareness is raised among the staff and how the staff are encouraged to practise risk management;
- the administrative risk appetite and how it is perceived by the staff; and
- whether there is a commonly agreed risk perception among the staff.
7.1.1.9 Capacity to cope with risks
For an effective risk management, the following should be explained:
- how training is provided and awareness is raised among the staff;
- how the staff are guided in addressing the risks relevant to their duties and responsibilities, and how and when they will consult senior management in the field of risk management; and
- how risk management is internalized within the framework of the overall activities of the administration/unit.
7.1.1.10 Risk identification and assessment
What affects the activities of an administration is not merely financial risks. In relation to the activities of an administration/unit, risks such as the following can also be encountered:
- risks with external sources, such as political, economic, social, cultural, technological, environmental, legal and ethical risks; and
- risks with internal sources, such as assets, infrastructure, labour force and organisational structure.
Assessing the risks with external sources can be handled within the strategic risks of an administration. Spending units should give more attention to the operational and functional risks related to their own fields of activity. The various risk categories in relation to the activities of the administration, and how such risks are assessed, should be briefly explained in the ICAD (for example, whether risks are classified as risks to be eliminated, to be transferred, to be managed or to be tolerated).
7.1.1.11 Addressing, controlling, monitoring and reporting risks
The responses to be given to identified risks and the method of addressing risks should be briefly explained. It should be stated whether the risk register, the report on risk status, the consolidated risk report and similar methodologies are functional in the administration or not.
Identifying the control environment by defining the following, and reporting after effective monitoring, will strengthen the effectiveness of internal control:
- impact;
- probability;
- responses to be given and measures to be taken;
- ownership; and
- type and frequency of reporting.
Taking into consideration that the ICAD is a declaration, made within the framework of accountability, that the internal control system of the administration gives reasonable assurance supported with evidence, a summary should be made within the above mentioned explanations regarding risk perception and risk management.
7.1.1.12 Assessment of Internal Control System
While preparing the ICAD, an assessment of the effectiveness of the internal control system in the activity period should be included. It is quite useful to touch upon especially the specific high risk areas and the positive and negative developments regarding the internal control system in these areas. As the areas in question can vary according to organisational structures and activities, it is appropriate to make the assessment under the following headings:
- Human resources: changes regarding the key personnel of the administration/unit, changes regarding the qualities that the activities necessitate, wage policy, working conditions, developments regarding underemployment and over-employment.
- Physical infrastructure and assets: developments in the physical infrastructure and all the assets of the administration/unit which can influence its fundamental activities.
- Information and communication infrastructure: the information infrastructure and the software and hardware park that the administration/unit uses, important developments regarding information systems, new or updated information systems.
- Data security: assessment of the effectiveness of the controls regarding the security of the confidential strategic information of the administration/unit.
- New structures and changing fields of activity: how the structures that emerged in the administration/unit as a result of changes in the foundation law of the administration, or of a new division of duties and activities among administrations, are reflected in the internal control system.
- Problems encountered in main fields of activity, or examples of good practice: the Senior Manager/authorising officer should include in the assurance declaration the problems experienced because of internal and external factors and rooted in weaknesses of the internal control system. Besides, the measures to be taken in order to overcome such problems should be summarized in the declaration. Likewise, threats eliminated with the help of an effective internal control system should be touched upon within the scope of 'good practices'.
- Developments regarding weaknesses stated in previous years: the Senior Manager/authorising officer should include in this part the measures taken and the improvements experienced regarding the weaknesses and problems contained in the assurance declarations of previous years.
- Other developments: the Senior Manager/authorising officer should include in this part important developments, if any, which are not within the scope of the above mentioned headings.
The Senior Manager/authorising officer may not feel comfortable touching upon the weaknesses and problems listed above in the ICAD. However, it is clear that an assurance declaration which does not mention any threat, problem or weakness will not be convincing and will not meet the requirements of the transparency and accountability principles. What is important is to emphasize that controls are developed and the internal control system is strengthened in response to the identified problems and weaknesses.
Proceedings found inappropriate following ex-ante financial control: the authorising officer should include in this part the proceedings he performed which were found inappropriate by financial services, if any. The supporting opinion, report and evidence of the authorising officer, despite the negative opinion, should be summarized in order to contribute to accountability.⁷ If there is no such proceeding, the expression "there is no such proceeding that I performed which was not found to be appropriate by the SDU" should be included in the assurance declaration.
On the other hand, the Senior Manager should state while filling in the Internal Control Assurance Declaration that he evaluated the Assurance Declarations of the Authorising Officers and the Head of SDU, and that the reasonable assurance provided by these declarations formed an important basis for his own declaration.
If the Senior Manager received support from support and consultation boards/Boards established officially or unofficially (ad hoc), such support should be explained in the ICAD. It is possible that these boards/Boards prepare reports on the assessment of the internal control system, emphasizing risk strategy and risk management, to be submitted to the Senior Manager. Where a support/consultation unit similar to those called Consultation Board, Audit Board, Risk Board or Steering Board, which differ among countries/administrations in terms of composition and working style, has been established, the support received from such a Board should be summarized, which will strengthen the assurance that the declaration provides.
7.1.2 Guidance for Internal Control Assurance Declaration of Head of SDU
⁷ Regulation on Principles and Procedures regarding Internal Control and Ex-Ante Financial Control, Article 28: the financial services unit keeps a record of the transactions carried out by the authorising officers despite ex-ante financial control having declared them inappropriate, and these records are submitted to the Senior Manager monthly. The said records are also provided to auditors during internal and external audit.
The Declaration by the Head of SDU (DHSDU) is a very important element which lays the groundwork for the assurance that the Senior Manager needs to provide regarding the internal control system in their administration (Annex 3C).
In completing Annex 3C, Heads of SDU should observe the standard templates and complete the relevant boxes. Each box has a cross reference to where more information can be found in the main body of this chapter.
The Head of SDU is responsible for ensuring that the internal control system is implemented and monitored, and that their opinions and recommendations are reported to the Senior Manager so that the necessary actions can be taken in time, in order to ensure that the activities in the administration are carried out in accordance with the financial management and control legislation and other legislation, and that public resources are utilised in an efficient, effective and economic manner.
As the Field of Competence part of the DHSDU is based on this framework, this part should not be changed either, except for writing the name of the administration in the brackets (administration).
Furthermore, if the declaration is supported by explanations under the following headings, it will be the basis for the reasonable assurance that the Senior Manager has to provide to the public.
7.1.2.1 Management Information Systems
The Head of SDU needs financial and non-financial information to identify whether the aims and objectives of the administration are reached, whether resources are used effectively, efficiently and economically, and whether accountability purposes are met. Meeting these requirements and ensuring timely and right decision making by the administration's management is only possible with the existence of proper, accurate, timely, up-to-date and accessible information.
Therefore the management information system within the administration must be designed in a manner that produces the information and reports needed by management and provides them with the chance to make analyses.
The Head of SDU should include in the declaration explanations that the activities in the administration have been carried out in compliance with the legislation and in line with the budgets prepared according to the strategic plan and the annual performance programmes, and should provide supportive evidence. They should explain the contribution made by the management information systems utilised in the administration to the legality of the activities.
7.1.2.2 Development of Internal Control System
SDUs are responsible for the establishment of internal control systems in the administrations and carry out studies regarding the implementation and development of the standards. The Head of SDU should mention the studies carried out to ensure that the internal control system of the administration is harmonised with the Public Internal Control Standards, and briefly describe in this part of the declaration the process for the design of job descriptions, the formation of business processes, and the preparation and implementation of action plans.
7.1.2.3 Monitoring and Review
The Head of SDU should include supportive evidence regarding the ex-ante financial control activities carried out in line with the legislation and the approval of the Senior Manager, and regarding the monitoring of due process control. In addition, it should be stated that the transactions carried out by the authorising officers despite a negative opinion upon ex-ante financial control are recorded and submitted to the Senior Manager on a monthly basis for information purposes.
On the other hand, it should be stated that the financial decisions and transactions to be subject to ex-ante financial control by the SDU are grouped according to their type, cost and subject, considering the risky areas, and are reviewed at least once a year.
Among the duties of the SDU are: establishing performance and quality criteria in issues within the duty field of the administration; collecting, analysing and interpreting data and information on the management of the administration and on the improvement of the services and performance in issues within the duty field of the administration; analysing the external factors which will affect services; conducting capacity research within the institution; analysing the effectiveness of the services and the level of satisfaction with these services; and doing general research in that sense.
In this context, the Head of SDU should include in the declaration the studies carried out to increase the quality of the services provided by the administration, the studies for analysing the external factors which will affect services, the capacity research within the institution to analyse the effectiveness of the services, and the conclusions of these evaluations.
In this part of the declaration, the Head of SDU should provide explanations about the arrangements prepared by their unit and put into effect upon the approval of the Senior Manager.
Finally, the studies regarding the establishment of the internal control system in the administration, the implementation and development of the standards, and the process whereby the financial management and control system of the organisation is reviewed on an annual basis and reported to the Senior Manager should be described.
7.1.2.4 Briefing and Advising
Providing the necessary information and consultancy to the Senior Manager and Authorising Officers regarding the implementation of financial laws and other related legislation is also among the duties of SDUs.
In this part of the DHSDU it should be underlined that coordination has been ensured while working with the spending units regarding the establishment of the internal control system and the implementation and development of the standards. A brief explanation that information and consultancy have been provided to the Senior Manager and Authorising Officers regarding the implementation of financial laws and other related legislation should be included.
7.1.2.5 Financial Information
The Heads of SDU should themselves be convinced, on the basis of the supportive evidence, that the information included in Section III.A (Financial Information) of the Activity Report is reliable, complete and accurate.
MONITORING ANNEXES
Annex 1 Internal Control System Question Form
INTERNAL CONTROL SYSTEM QUESTION FORM
This questionnaire is designed for public administrations to see whether their internal control system complies with the internal control standards. Furthermore, it will provide the opportunity to identify to what extent the internal control system facilitates the achievement of objectives, considering the changing conditions, resources and risks. It is of crucial importance that those responding to this questionnaire give factual answers to the questions, as the questionnaire will be used to identify the level of advancement of the internal control system in the administration.
Heads of units are responsible for making an in-depth assessment of the functioning of internal control in their respective units and for completing the internal control questionnaire. Within this framework, the questionnaires completed by heads of units under the guidance of the SDUs are sent back to the SDUs to be consolidated and formed into an overall evaluation report for the entire administration. SDUs submit the report produced using these questionnaires to the CHU following approval by the Senior Manager.
Completing the questionnaire
This questionnaire is made up of five parts, each of which is based on one of the components of Internal Control:
- Control Environment;
- Risk Assessment;
- Control Activities;
- Information and Communication; and
- Monitoring.
Each part includes questions regarding the functioning of the internal control system in the context of the aforementioned components. Attention should be paid that responses to the questionnaire are consistent with the administration's action plans produced to achieve compliance with the Public Internal Control Standards.
Spending units are obliged to respond to the questions about Risk Assessment, Control Activities, and Information and Communication. Responding to the questions about Control Environment and Monitoring is at the spending unit's discretion.
The response part is made up of three options: YES, NO and IN DEVELOPMENT. There is also a fourth column titled EXPLANATION. YES means that the issues included in the question are properly understood and implemented within the administration/unit. NO means that the issues included in the question are not understood or implemented within the unit/overall administration. IN DEVELOPMENT means that the issues included in the question are partially understood or implemented in the unit/some divisions of the administration. In the explanations part, evidence and recommendations should be written, if any. Guidance is given following the questions with a view to helping better understand them.
The questionnaire will be evaluated by means of scores assigned to the answers to each question. The answer "Yes" will correspond to score "2", the answer "In Development" to score "1" and the answer "No" to score "0". For each chapter of the questionnaire a total score will be calculated. Besides, there will be a total score for the whole questionnaire.
If the answer "No" is given in response to a question, steps should be taken by the Head of Unit/Senior Manager to improve the relevant areas.
If the answer "In Development" is given in response to a question, the head of unit/Senior Manager should assess what can be done to achieve progress in the relevant area.
If the answer "Yes" is given in response to a question, then it means that there is no factor in that area which needs improvement.
Taking into consideration that this questionnaire is a kind of self-assessment and that the internal control system is a new practice for administrations, please give realistic and reliable answers.
In the event that you have any hesitation in completing the questionnaire, please refer to the SDU.
No | Questions | Yes⁸ | No | In Development⁹ | Explanation
Points | | 2 | 0 | 1 |
1. Are the public internal control standards well known in your administration? It will be convenient to deliver trainings and hold meetings with a view to raising awareness of this subject.
CONTROL ENVIRONMENT
Control environment provides a general framework that is the basis for the other components of the internal control system, and it is a concept used to describe the setting out of the goals and objectives of the administration, their communication to the staff, and the creation of a due organisational structure and culture. The personal and professional integrity and ethical values of the employees and management, the supportive attitude of management towards internal control, the written procedures and practices for human resources management, the organisational structure, the management philosophy and the operating style have great influence on the control environment.
2. Are there mechanisms in your administration that ensure the familiarization of all employees with the code of ethics? For example, are trainings provided or meetings organised to adapt the public code of ethics to your administration and to adopt it, and are leaflets produced in this regard?
3. Are there any codes of conduct/ethics available in addition to the public codes of ethics produced for your administration?
4. Has any standard been developed in your administration in terms of duration and method for services directly delivered to citizens?
⁸ If the response is "Yes", evidence (details of the activities carried out, etc.) must be provided in the "Explanations" column.
⁹ If the response is "In Development", the necessary information (details of the activities carried out, etc.) must be provided in the "Explanations" column.
5. Is it ensured that authorised bodies and staff have access to outputs related to all the works and transactions?
6. Are there mechanisms available in your administration for staff and the other people who are delivered service by the administration to submit their recommendations, assessments and questions (questionnaires, face-to-face meetings, group meetings, electronic applications etc.)?
It is recommended that the questionnaires to be developed be based upon the principle of confidentiality.
7. Is your administration's mission written down and announced?
The mission can be announced to the staff via bulletin boards, intranet or e-mail. Production of a strategic plan indicates that the mission has been set out.
8. Are there any directives, circulars or approvals in your administration regarding job descriptions of units, sub-units and staff?
Job descriptions for the units and sub-units as well as for staff must be written down and announced in order to ensure that your administration's mission is being carried out. If the response is "No", when this is going to be done must be stated.
9. Does the organisational chart of your administration demonstrate key areas of authority and responsibility, reporting lines which are appropriate to accountability, and coordination and integration points?
If the response is "Yes", roles and responsibilities regarding each objective must be set out clearly. An organisational chart for units must be produced.
10. Have procedures regarding sensitive tasks been set out in your administration?
It is recommended that the procedures in question be defined in writing and announced to staff, and that a rotation policy regarding sensitive duties be set out. For detailed information on sensitive duties, refer to the Control Environment chapter of the Manual.
11. Are mechanisms available in your administration to enable managers from each level to monitor the results of the tasks assigned?
If the response is "Yes", these mechanisms (reports, work plans, regular meetings, automation programs etc.) must be stated.
12. Have the competence, skill and knowledge each task entails been identified in your administration?
When answering this question, it must be assessed whether or not the factors mentioned above are taken into consideration while recruiting staff.
13. Have promotion procedures been defined in writing in your administration?
The factors mentioned above must be defined taking into consideration staff performance, and these factors must be announced to staff.
14. In your administration, is there a unit responsible for trainings which identifies training needs for each task identified and ensures that training activities to satisfy the needs are planned and carried out each year?
15. Do managers of your administration share the results of assessments they make on staff competence and performance with the staff?
It is recommended that the Senior Managers share the results of the assessments with the staff.
16. Is action taken to increase the performance of the staff whose performance is deemed unsatisfactory upon the performance assessment? For example, is any action taken such as providing private training for that person, discussing the areas where their performance is deemed unsatisfactory, or assigning them under the supervision of more experienced staff?
17. Are there rewarding mechanisms in your administration geared towards those staff who give a high performance, and are these mechanisms applied?
It is recommended that rewarding mechanisms be developed for staff who give a high performance (picking the employee of the month, abroad assignments etc.) and that these criteria be announced to all the staff.
18. Have procedures regarding human resources (staff employment, replacement, promotion, training, performance appraisal, personal rights etc.) been documented?
If so, examples must be provided. The procedures mentioned above must also be announced to staff.
19. Are the bodies of signature and approval set out in the flowcharts?
If the response is "No", it is recommended that these business flow processes are defined and that the bodies of signature and approval are identified and communicated.
20. In your administration, have delegations been defined in writing?
Delegations must include information on their scope, quantity, duration and whether the authority delegated can be delegated to another person. Furthermore, attention should be paid to striking a balance between authority and responsibility in the delegation of power.
21. Have minimum requirements (knowledge, skill and experience) been identified in your administration for staff to be delegated authority?
Please explain how you define this knowledge, these skills and this experience, and how you ensure that the person to whom the authority is delegated has them.
22. Does the employee who receives the authority report information to the delegator on a certain basis about the utilisation of the authority?
The reporting period must be proportionate to the duration of the delegation.
TOTAL POINTS - CONTROL ENVIRONMENT
RISK ASSESSMENT
Risk assessment is the process where the risks that might prevent the achievement of the administration's objectives are defined and analysed, and the necessary actions are taken. In this section, the risk perception and risk handling capacity of the administration must be self-assessed using the following questions.
1. Have methodologies and responsibilities, as well as reporting procedures for monitoring and assessing the performance given in the achievement of objectives, been identified in strategic plans?
If the answer is "Yes", how the monitoring and assessment processes work in practice must be explained briefly.
2. Have the strategic plan and performance programmes been taken into consideration in budget preparations?
The activities and projects carried out to reach the aims and objectives set out in the strategic plan, the indicators to be followed and the resource needs for these activities and projects must be shown in the performance programmes. Therefore, these strategic plans and performance programmes must be taken into consideration during the budget preparations for the administrations.
3. Do the activities carried out in your administration/unit comply with the aims and objectives set out in the strategic plans and performance programmes?
Administrations must focus on the aims and objectives set out in the strategic plans and performance programmes for effective, efficient and economic use of resources.
4. While setting out the objectives of your administration and units, has it been ensured that they are SMART?
5. Have your units set out, within their area of competency, specific objectives in accordance with the objectives of the administration?
Responses to this question by the units that are unable to set out specific objectives (such as support services) must be considered during the evaluation. Furthermore, the specific objectives that have been set out must be announced to staff.
6. Does your administration have a risk strategy and policy document which is approved by the Senior Manager and accessible to all the staff?
The administration's risk strategy must be reviewed at least once every year and updated when deemed necessary.
7. Are contributions from employees received in the risk management process?
Employees feeling a sense of ownership for risk management (identifying, handling, responding to, reviewing and monitoring risks) and regarding risk management as a part of their work will produce a strong corporate reflex against risks. If the answer to this question is "Yes", please explain how you ensure this contribution.
8. Is risk management, which covers identifying, assessing, responding to and reviewing risks for your objectives and aims, implemented in your administration?
While identifying the risks to the achievement of aims and objectives, a methodology and a certain process must be adopted, and it must definitely be documented (risk register, risk progress report, consolidated risk report and so on). Measures to mitigate risks taken by the administrations must be applied within the framework of action plans.
9. Are annual Internal Control Evaluation Reports prepared in your administration about how effectively the risk management process works in your administration?
These reports must cover information about what has been done throughout the year to mitigate risks.
TOTAL POINTS - RISK ASSESSMENT
CONTROL ACTIVITIES
Control activities are the policies and procedures produced to ensure that the administration's aims and objectives are achieved and the risks identified are managed.
1. In your administration, are efficient control strategies and methods set out and practised for each activity and risk?
Defined controls must comply with the risks; different control methods must be applied for different types of risks. Control strategies and methods must be set out and applied in the form of periodical reviews, control by sampling, comparison, approval, reporting, coordination, confirmation, analysis, authorisation, supervision, review, monitoring, periodical check and security of assets etc. The controls within the administration must also cover ex-ante, process and ex-post controls where necessary.
2. Is a cost-effectiveness analysis made in your administration in identifying control activities?
The expected benefit and the cost of the control activity set out must be compared; controls with costs exceeding the benefits must be identified, and less costly alternative controls must be selected.
3. Are there written procedures regarding your administration's activities, financial decisions and transactions?
There must be written procedures regarding your administration's activities, financial decisions and transactions. These procedures and relevant documents must cover the initiation, implementation and conclusion phases of the activity, financial decision or transaction. Procedures and relevant documents must be up-to-date, comprehensive, in compliance with the legislation, and understandable by and accessible to the relevant staff.
4. Do managers of your administration carry out the necessary controls for effective and continuous implementation of procedures?
Activities and transactions of the administration must be carried out in accordance with the regulations developed in this area. Managers must systematically check whether or not these regulations are complied with (in this regard, such control processes as initials, assent, control lists and physical counts can be defined). Within this framework, managers should monitor whether or not the works carried out by staff are in compliance with the regulations. Manager instructions must be produced about how to remedy the faults and irregularities detected.
5. Is the principle of 'segregation of duties' practised in your administration?
The tasks of approving, implementing, recording and controlling each activity or financial decision must be carried out by different people, and compliance with the principle of segregation of duties must be supported by written documents. Where segregation of duties is not possible due to an insufficient number of staff, the managers must be aware of the risks and take the necessary precautions. In such cases, other control procedures must be established to manage the risk.
6. Are the necessary measures taken against the factors that affect the continuity of operation in your administration?
Necessary measures must be taken against the factors that affect the continuity of operation, such as an insufficient number of staff, temporary or permanent leaves, adoption of new information systems, changes to the methods or the legislation, and emergencies. If the response is "Yes", efficient written procedures, trainings, guidance and planning can be provided as evidence.
7. Is the system of deputation applied efficiently in your administration?
Where necessary, deputies must be assigned in accordance with the relevant procedures. The person assigned as a deputy must have the necessary qualifications. Detailed internal arrangements must be made regarding the deputation procedures included in the personnel laws, and the qualifications required from the deputies must be defined in detail.
8. Do the staff leaving their positions report to their successors about the status of the works and transactions they have conducted?
Managers must ensure that the staff leaving their positions prepare a report on the status of the tasks and the operations, along with the necessary documents, and submit it to their recently assigned successors. The report must include the list of the important tasks being carried out, the risks to be considered as priority, the list of periodic tasks and so on.
9. Are there defined authorisations for data and information input and access to the information system in the administration?
The information system must only be accessible to authorised staff. To this end, regularly updated information security software must be used for access to the computer programmes. Arrangements regarding the designated level of security must be complied with while working on documents.
10. Are there sufficient back-up mechanisms and tested disaster recovery plans/action plans for the information system?
TOTAL POINTS - CONTROL ACTIVITIES
INFORMATION AND COMMUNICATION
Information and communication includes a proper system of information, communication and registry that ensures the necessary information is communicated, in a certain format and in a timely manner, to the person, employee or manager who needs it, that the objectives are reached, and that enables the relevant people to fulfil their internal control responsibilities.
1. In your administration, is there an efficient written, electronic or verbal internal communication system that covers both horizontal and vertical communication?
The response to this question should include the means/methods (in person, via telephone, e-mail, in writing etc.) the staff use to communicate with each other or their managers, and the consideration on whether these are appropriate and/or efficient. In order for the employees to receive the information they need to carry out their work uninterruptedly, it must be ensured that they are in touch with managers from all levels, including top management.
2. Is there an external communication system to ensure efficient communication with external stakeholders?
This system monitors communication and checks whether or not the questions can be answered.
3. Do the present internal and external communication systems ensure that the staff or external stakeholders can communicate their expectations, recommendations and complaints?
For example, whether the Law No. 4982 on the Right to Information is efficiently executed within the administration and whether requests and complaints are responded to in time should be considered.
4. Is it ensured that all the information and documents regarding the activities of your administration are accurate, complete, reliable, useful and understandable?
Information systems must ensure timely access to the accurate, complete, reliable and understandable information required while carrying out the operations. The response to this question must include a statement on whether mechanisms (decision support systems, archive and document management systems etc.) for ensuring the aforementioned principles exist.
5. Do the present information systems ensure that the objectives set by the administration are monitored and that the activities regarding these objectives are efficiently supervised and assessed?
The Management Information System must be designed in a way that it produces the information and reports that the managers need during decision-making processes and provides them with the chance to make analyses.
6. Are there reporting mechanisms with rules and standards set out in line with the monitoring of objectives, supervision of activities and accountability purposes?
The performance programmes, the published financial progress reports that include the expectations and objectives, and the content of the activity reports must be in line with the requirements of the relevant legislation.
7. Is there a documentation and archiving system that complies with certain standards for the recording, classification, protection of and access to the operations and transactions of the administration?
While responding to this question, Standard 15 of the Public Internal Control Standards and the legislation on archiving and documentation must be considered.
8. Are there tools available to report, from inside and outside the administration, faults, irregularities and possible or ongoing problems?
Employees and outer stakeholders must be informed enough about these tools. There must be a whistle-blowing process and a procedure for protecting personnel, and they must be informed about these. Managers must take the necessary actions to prevent discrimination and ill treatment against whistle-blowers.
TOTAL POINTS - INFORMATION AND COMMUNICATION
MONITORING
The internal control system is a dynamic process where the administration has to continuously adapt to the risks and changes it faces. Therefore, the internal control system needs to be monitored in order to ensure that it adapts to the changing objectives, environment, resources and risks as necessary. The basis for effective and efficient monitoring is the design and implementation of monitoring procedures that are relevant to the administration's objectives and that assess the important controls regarding meaningful risks.
When monitoring is designed and implemented properly, it provides correct and convincing information on the efficiency of the internal control system, identifies internal control failures on time and notifies the people responsible for taking action and the top management where necessary. This will ensure that the problems faced are corrected before they harm the objectives of the administration. Monitoring is carried out by the management and by internal and external audit.
1. Is the internal control system monitored and assessed at least once a year?
Please explain at what intervals the internal control system in your administration is assessed and the methods used. The internal control system must be assessed via ongoing evaluations or separate evaluations. It is recommended that these two methods are applied at the same time. (Separate evaluation of the internal control system can be carried out by setting up working groups or via questionnaires.)
2. Are processes and methods set out in your administration to identify and disclose the shortcomings of internal control and improper control methods, and to take the necessary actions?
If the response is "Yes", please briefly mention the process and method adopted in your administration. It is recommended that the processes and methods are put into practice upon approval by the Senior Manager. Please give brief information on the responsible staff notified in the event of an incomplete or improper control method, the time limit set for taking action and how these procedures are monitored. Management fulfils this responsibility via SDUs and internal auditors.
3. Are trainings, plenary sessions and meetings held which will create the atmosphere in which managers will be provided with feedback about whether or not internal control functions effectively?
4. Are the units of the administration involved in the evaluation of internal control?
If the answer is "Yes", please explain how participation is ensured. It must be ensured that units take an active part in the process, and the task of evaluating the internal control system must not be perceived as the responsibility of only the Senior Manager, the internal auditor and the SDU.
5. Is there an internal audit unit/internal auditor in your administration?
6. Is there efficient cooperation among the internal audit unit, management and staff?
What has been done to increase the level of awareness of the managers and the staff on internal audit activities? What has been done to see the relations with the internal audit unit and the expectations? Please explain briefly.
7. While evaluating internal control, are the opinions of the managers, requests and complaints by people/organisations, and the reports produced upon internal and external audit taken into consideration?
The method to adopt for the collection, assessment and reporting of the information required for the evaluation of internal control must be set out. Please refer to the staff responsible for assessing the internal and external audit findings and recommendations for the evaluation of internal control, the time limits for these assessments and the management level to which this information is communicated. Compare the internal and external audit reports with the results of the internal control system evaluation by the SDU for consistency. In the event that any inconsistency is identified, the reasons for this must be questioned.
8. Are recommendations from internal audit and the SDU about how to improve internal control taken into consideration by management?
9. Are action plan(s) covering the internal control evaluation results and the recommendations made upon internal and external audit produced and implemented? Are they followed up?
If the timing is appropriate, action plans can be combined. Please give brief information on the staff responsible for following up the action plans and the method used. Furthermore, please provide information on the method used for the follow-up of internal audit reports, if there is any. With which level of management are the results of the follow-up shared, and how often? Please explain.
TOTAL POINTS - MONITORING
GRAND TOTAL
Annex 2 Internal Control System Evaluation Report
.............................. (NAME OF ADMINISTRATION)
INTERNAL CONTROL SYSTEM EVALUATION REPORT
I INTRODUCTION
1.1 Mission
1.2 Aims and Objectives
1.3 Organisational Structure
II INTERNAL CONTROL QUESTIONNAIRE RESULTS
II.1 Consolidated summary on strengths and aspects open to improvement regarding the entire organisation, relevant to each COSO component:
- Control Environment
- Risk Management
- Control Activities
- Information and Communication, and
- Monitoring
III OTHER INFORMATION
III.1 Internal Audit Reports
III.2 External Audit Reports
III.3 Other Information Sources
III.3.1 Budget Information
III.3.2 Data on Ex-ante Financial Control
III.3.3 Requests by Individuals and/or Administrations
III.3.4 Other Information
IV CHANGE SINCE THE LAST REPORT
IV.1 For each COSO component, has the position got better or worse, and why?
V CONCLUSION
V.1 Strengths
V.2 Aspects Open to Improvement
V.3 Recommendations for action
Annex 3a Internal Control Assurance Declarations: Senior Manager
I RESPONSIBILITY
As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of [the administration]. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.
II PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION
I declare that my administration's budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements, and that the resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.
In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration's revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; my administration operates in line with the laws and other regulations; irregularities and fraud are prevented in each financial decision and transaction; regular, timely and reliable reports and information are acquired for decision making and monitoring; and assets are safeguarded against abuse, waste and losses.
This assurance is based on my knowledge and considerations as the Senior Manager, the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programme, the studies of the SDU, and the internal and external audit reports (if available).
In the following part, the Senior Manager must explain the support provided by the management information systems, the internal and external evaluations within the framework of the quality assurance development programme, internal and external audit and the SDU.
Management Information Systems
Please read section no 6.1.1.3 before completing this part.
Internal Audit
Please read section no 6.1.1.4 before completing this part.
External Audit
Please read section no 6.1.1.5 before completing this part.
SDU
Please read section no 6.1.1.6 before completing this part.
III RISK MANAGEMENT (10)
As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration and in the production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, the creation of the necessary organisational capacity and the embedding of risk management into the general activities is valued.
In the following part, the authorising officer should address the risk perception of the administration and its capacity to deal with risk.
Risk perception of the administration should summarise:
Please read sections no 6.1.1.7 and 6.1.1.8 before completing this part.
Capacity to handle risk
Please read section no 6.1.1.9 before completing this part.
My administration faces a wide range of risks during the course of its activities. These risks are considered in accordance with the principle that the cost of the internal controls to be developed for control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted at the levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.
In the following part, the Senior Manager should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration's risks.
Identification and assessment of the risks
Please read section no 6.1.1.10 before completing this part.
Addressing, control environment, monitoring and reporting of the risks
Please read section no 6.1.1.11 before completing this part.
10 This part must be completed when the risk management process starts to function in the administration.
IV APPRAISAL OF THE INTERNAL CONTROL SYSTEM
As the Senior Manager, during the preparation of the foregoing declaration I also considered the assurance declarations by the Authorising Officers and the Head of SDU. The information and evaluations I have received from these declarations pose an important basis regarding the assurance I have to provide on the internal control system in my administration.
Furthermore, [advisory, audit, risk steering] boards/committees have been set up within [the administration] to provide support and guidance for the evaluation of the internal control system, particularly in terms of risk strategy and management. Reports prepared by these boards have made a great contribution to the evaluation of the internal control system.
Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term and how these developments have been handled are summarised below.
Please read section no 6.1.1.12 before completing these parts.
Human Resources
Physical infrastructure and assets
IT and communication infrastructure
Data security
New structures and changing fields of activity
Problems faced in the main fields of activity or examples of best practice
Developments regarding weaknesses stated in previous years
Other developments
(Date)
Signature
Name
Title
Annex 3B Internal Control Assurance Declaration: Authorising Officer
INTERNAL CONTROL ASSURANCE DECLARATION (11)
I RESPONSIBILITY
As the authorising officer, within my field of competence I am responsible for ensuring that my expenditure orders are in line with the fundamentals and principles of the budget, the laws, rules and regulations and other legislation, that the appropriations are utilised in an efficient, effective and economic manner, and that the internal control operates properly.
II PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION
I declare that the operations and transactions carried out by my spending unit comply with the aims and objectives of the administration, high financial management principles, control arrangements and the legislation; that the resources allocated with the administration budget to the spending unit have been utilised in line with the planned objectives; and that the internal control system within my unit provides sufficient and reasonable assurance.
This declaration of assurance is based on my own information and evaluations as the authorising officer, and on the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programmes, the studies by the SDU, and the internal and external audit reports.
In the following part, the support provided by the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programmes and the studies by the SDU should be elaborated by the authorising officer.
Management Information Systems
Please read section no 6.1.1.3 before completing this part.
Internal Audit
Please read section no 6.1.1.4 before completing this part.
External Audit
Please read section no 6.1.1.5 before completing this part.
SDU
Please read section no 6.1.1.6 before completing this part.
11 Please read section no 6.1.1 before completing this part.
III RISK MANAGEMENT (12)
Within the framework of the overall risk perception, strategy and awareness of the administration, the capacity to handle risk has been determined for the activities specific to my unit, and the necessary importance has been attached to embedding risk management in its activities.
In the following part, the authorising officer should address the capacity to handle risk.
Capacity to handle risk
Please read section no 6.1.1.9 before completing this part.
My spending unit faces various risks during the course of its activities. These risks are considered in line with the principle that the cost of the internal controls to be developed does not exceed the benefit planned to be gained from them. A systematic approach has been adopted in the spending unit for the identification, addressing, assessment, monitoring and reporting of the risks faced.
In the following part, the authorising officer should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration's risks.
Identification and assessment of the risks
Please read section no 6.1.1.10 before completing this part.
Addressing, control environment, monitoring and reporting of the risks
Please read section no 6.1.1.11 before completing this part.
IV EVALUATION OF THE INTERNAL CONTROL SYSTEM
The following is a summary of the most significant developments experienced in the activities of my unit within the period covered by the foregoing report, and how these developments have been addressed by the internal control system.
Please read section no 6.1.1.12 before completing these parts.
Human Resources
IT and communication infrastructure
Data security
12 This part must be completed when the risk management process starts to function in the administration.
New structures and changing fields of activity
Problems faced in the main fields of activity, or examples of best practice
Developments regarding weaknesses stated in previous years
Other developments
As the authorising officer, I hereby declare that we have also carried out some transactions overriding the opinion of the SDU. Information and justifications for these transactions are as follows:
There is no such work I carried out that was not found to be appropriate by the SDU.
(In this part, the transactions, if any, carried out by the authorising officer despite the negative opinion provided upon the ex-ante financial control are set out. If there is no such work as mentioned above, then the expression "there is no such work I carried out that was not found to be appropriate by the SDU" should be included.)
(Date)
Signature
Name
Title
Annex 3b Internal Control Assurance Declaration, Head of SDU
INTERNAL CONTROL ASSURANCE DECLARATION
As the Head of SDU, I declare that the internal control system has been implemented and monitored, and that my opinions and recommendations have been reported to the Senior Manager in time for the necessary actions to be taken, in order to ensure that the activities in [the administration] are carried out in accordance with the financial management and control legislation and other legislation, and that public resources are utilised in an efficient, effective and economic manner.
Please read section no. 612 before completing this part.
In the following part, the studies regarding management information systems, development of the internal control system, monitoring and review, and briefing and advising by the Head of SDU should be explained.
Management Information Systems
Please read section no. 6121 before completing this part.
Development of Internal Control System
Please read section no. 6122 before completing this part.
Monitoring and Review
Please read section no. 6123 before completing this part.
Briefing and Advising
Please read section no. 6124 before completing this part.
Financial Information
Please read section no. 6125 before completing this part.
I confirm that the information included in section III-A, Financial Information, of the Activity Report (year) is reliable, complete and accurate.
(Date)
Signature
Annex 4 Example of a Complete Declaration
INTERNAL CONTROL ASSURANCE DECLARATION
(SENIOR MANAGER)
Name-Surname
Title
I RESPONSIBILITY
As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of the Ministry of Space Exploration. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.
II AIMS AND PILLARS OF INTERNAL CONTROL SYSTEM
I declare that my administration's budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements, and that resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.
In this context, I announce that the internal control system provides sufficient and reasonable assurance that: my administration's revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; my administration operates in line with the laws and other regulations; irregularities and fraud are prevented in each financial decision and transaction; regular, timely and reliable reports and information are acquired for decision making and monitoring; and assets are safeguarded against abuse, waste and losses.
This assurance is based on my knowledge and considerations as the Senior Manager, management information systems, internal and external evaluations carried out within the context of the quality assurance development programme studies of the SDU, and internal and external audit reports (if available).
Management Information Systems
Management information systems have been established in all General Directorates in order to provide information for managers that enables effective decisions to be made and information on changing risks to be monitored in our Ministry. However, not all of our legacy IT systems have been fully assessed for security risks. As part of the measures being taken to strengthen data security governance, we will ensure that the IT systems supporting our most time-critical business processes are reviewed to establish a known risk position by December 2010. We will carry out a review of our remaining systems during 2011.
Internal and External Evaluations Carried Out Within the Context of Quality Assurance Development Programme
The Presidency of Strategy Development has carried out one internal evaluation of the effectiveness of internal control within the context of the quality assurance and development programme. The main findings of this evaluation are:
- that compliance with internal control standards was good in terms of effective control activities in order to minimise risk;
- that an Internal Control and Risk Steering Board has been set up within the Ministry to contribute to the evaluation of the internal control system;
- that unit managers needed to develop their skills regarding ongoing monitoring of internal control systems.
Based on the evaluation findings, the Ministry has produced an action plan which is planned to be put into practice as of June 2010.
There were no external evaluations carried out within the context of the quality assurance and development programme, but the CHU has declared that this is scheduled for 2013.
Internal Audit
Our Ministry's Internal Audit Unit continues to operate within the framework of a three-year audit plan. Internal Audit operated to the requirements defined in the Public Internal Audit Standards. Its audit programme was focused around the Ministry's key risks of internal control, together with recommendations for improvement. The Director of the Internal Audit Unit provided me with an annual Internal Control Evaluation Report, which contained an independent opinion on the adequacy and effectiveness of internal control. The conclusion of the Director of the Internal Audit Unit was that the following aspects of internal control should be improved:
- awareness of the Deputy Undersecretaries and General Directors of their internal control responsibilities and of risk management;
- improvement of the present arrangements regarding the promotion, assignment and appointment system to make it transparent and competence based;
- improvement of communication between the central and provincial organisations of our Ministry;
- review of management information systems to update old systems;
- improvement of allowances and supplementary payments for personnel going to space.
It has been decided that a working group consisting of managers from the SDU, the General Directorate of Personnel and other relevant units will put these recommendations into an action plan.
External Audit
The TCA has approved the annual accounts of the Ministry.
SDU
An evaluation of the internal control system has been carried out with the full participation of the SDU, Spending Unit managers and the staff, and a report has been produced and submitted to the CHU on 30th March 2010. The main findings of the review are listed above under the heading "Internal and External Evaluations Carried Out Within the Context of Quality Assurance Development Programme" in this document. SDU staff also underwent training in risk management during this year.
III RISK MANAGEMENT
As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration and in the production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, the creation of the necessary organisational capacity and the embedding of risk management into the general activities is valued.
The SDU took the lead in embedding risk management in the organisation by reviewing and updating the key corporate external and internal risks facing the Ministry each month. The SDU also began an exercise to identify long-term risks that may pose a significant threat to the Ministry in the future. These risks were recorded on a long-term risk register, and the intention is that they will be reviewed every six months. Should the threat increase, these risks will be escalated to me for appropriate action to be taken.
The Internal Control and Risk Steering Board also endorsed an action plan to further embed good risk management practice within the Ministry's processes and systems, and to support innovation through well-managed risk taking. Work to establish this position will continue and focus on those areas identified as still most in need of improvement. This will include giving further consideration to risk appetite, where the focus will be on practical examples of how it can be applied in practice, thus making it easier to communicate awareness of it among staff.
Guidance was available to all staff on risk management through the risk management intranet site. In addition to a risk management policy, specific guidance was available on undertaking risk self-assessment, which includes guidance on applying risk management as an integral part of the Ministry's business planning process. Risk management workshops were available to all staff, and practical guidance on its application had been incorporated into a wide range of training courses. These courses covered all ranges of staff and were tailored to be appropriate to their authority and duties.
My administration faces a wide range of risks while carrying out its activities. These risks are assessed in accordance with the principle that the cost of the internal controls to be developed for control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted across the levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.
The risk management framework for our Ministry operated through the initial identification, as part of the business planning process, of risks which threatened the achievement of the Ministry's objectives. These risks were then evaluated in terms of impact and probability. This process established the level of residual risk to which the Ministry was exposed, which was monitored over time as part of performance management. Ownership of each risk was assigned to a named individual. Reasonable assurance that risk mitigation activities were appropriate was obtained through regular management reviews and internal audits of the key activities undertaken in the Ministry.
In order to further embed best practice in risk handling and to ensure a consistent interpretation of the acceptable extent of residual risk, our Ministry will review its risk appetite and communicate it more effectively across the organisation.
IV APPRAISAL OF THE INTERNAL CONTROL SYSTEM
As the Senior Manager, during the preparation of the foregoing declaration I also considered the assurance declarations by the Authorising Officers and the Head of SDU. The information and evaluations I have received from these declarations form an important basis for the assurance I have to provide on the internal control system in my administration.
Furthermore, an Internal Control and Risk Steering Board has been set up within the Ministry of Space Research to provide support and guidance for the evaluation of the internal control system, particularly in terms of risk strategy and management. Reports prepared by this Board have made a great contribution to the evaluation of the internal control system.
Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term, and how these developments have been handled, are summarised below.
In our investment programmes, the underspend reported last year in the spacecraft development programme has been managed. There is now less than 2 slippage in that programme. Underspends have arisen this year in other areas, for example:
- The satellite programme, TL 121 m. The Internal Audit Unit has reviewed the Investment Budget management, and an action plan is being developed to address the audit findings.
- Astronauts training programme, TL 113m, due to slower than expected take-up. Processes will be streamlined to reduce barriers, and it is expected that the budget will be fully used in the next year.
- Renovation of launching stations programme, TL 16m, arising mainly from slippage in international cooperation projects affecting the expected refurbishment programme, together with some incorrect historical data for tracking capital allocation. New systems will prevent the recurrence of this problem.
Whilst recognising the issues summarised above, good progress has been made in resolving them, and there are plans in place to further enhance the internal control system and improve practice. As Senior Manager, I provide reasonable assurance that the above issues do not represent a material threat to operational effectiveness and that our Ministry complies with the public internal control standards on risk management, internal control and governance.
(Date)
Signature
Name
Title
GLOSSARY
CONCEPT: DEFINITION
Explicit information: Information which can be created, expressed, obtained and transferred in accordance with a specific system.
Aim: The concept which refers to the objectives contained in the strategic plan that the administration aims to attain.
Information: Financial and non-financial data related to internal and external events and activities, which is created, obtained and communicated in a particular form and at a particular time to ensure that people carry out their duties.
Information security: Safeguarding valuable assets in an administration against loss, misuse or damage.
Information map: A demonstration of the information kept in units or their systems which can be shared, and of the expertise and experience of personnel, shown on an organisational scheme or map in accordance with the organisational structure.
Information pool: The accessible area where information obtained in hard or soft form is stored and kept ready for re-use.
Information architecture: The organisation of information with a view to making it accessible, manageable and useful, from infrastructure level to end-user level.
Information stock: Financial and non-financial information available in the administration at a particular time.
Information technology: A system that controls all activities, including communication and computers, used for collecting, storing and processing information, transmitting it from one point to another through communication systems and computers, and placing it at the service of users. Information technology is a concept that is used to refer to all information services which can be connected through communication and computer systems.
Information management: A process in which information is planned and obtained from any kind of source, internally or externally, classified, stored, communicated to the relevant bodies in a timely manner for interpretation, reviewed for updating, and disposed of.
External audit: Within the framework of the accountability responsibility of public administrations within the scope of general management, the activity of examining the compliance of the financial activities, decisions and procedures of the administration with laws, administrative objectives, aims and plans, and reporting the results to the TGNA, carried out by the Turkish Court of Accounts.
Audit trail: Requires the maintenance of records giving the full documentation and justification at all stages of the life of a transaction, together with the ability to trace transactions from summarised totals down to the individual details and to trace all reporting stages.
Inherent risk: Those risks whose probability and impact cannot be changed unless particular precautions are taken by the administration. When risks are identified for the first time, they are at the inherent risk level.
Ethics: A body of moral principles, values and standards which forms the basis for the behaviour of a person and guides them on how to do their work.
Cost-Benefit Analysis: The identification and comparison of the costs and benefits regarding the implementation of a planned work or activity. In cases where the benefits outweigh the costs, the work or activity is considered to be cost-effective.
SWOT Analysis: A method in which the administration systematically examines itself and the conditions having an impact on the administration. In this framework, the strengths and weaknesses of the administration as well as the threats and opportunities that may occur outside the administration are identified. This analysis forms the basis for the strategic planning process.
Segregation of duties: The duties of approval, implementation, recording and control of each activity or financial decision and transaction shall be assigned to different people.
Objective: The specific and measurable sub-aims geared towards attaining the aims contained in the strategic plan. Performance objectives are outcome-oriented objectives that administrations plan to attain in a programme period with a view to attaining the aims and objectives contained in the strategic plan.
Internal audit: An independent and objective activity of giving assurance and providing counselling, with a view to providing guidance and assessing whether resources are managed in compliance with the principles of effectiveness and efficiency, in order to improve and add value to the activities of the public administration.
Internal control: The body of financial and other controls, covering the organisation, methods, processes and internal audit in an administration, carried out with a view to ensuring that activities are conducted effectively, efficiently and economically in line with the administration's aims, its identified policies and the legislation; that assets and resources are protected; that accounting records are kept accurately and completely; and that financial and managerial information is produced in a reliable and timely manner.
Internal control assurance declaration: The declaration signed annually by senior managers, authorising officers and heads of strategy development units, within the framework of accountability and transparency, to state that processes and transactions are conducted in line with the principles of good financial management, control regulations and the legislation.
Internal Control and Risk Steering Board: The Board makes assessments concerning the development of processes and methods related to the internal control system, such as the determination of policies about monitoring internal control practices and the introduction of risk management in the administration.
Whistleblowing: The notification of illegal and unethical behaviours and actions, by persons with information (employees or stakeholders), to the internal and external authorities that have the power and authority to solve the problem, so that administrations or third persons inside or outside the administration are not affected.
Business continuity: The plans that aim at ensuring continuity of the activities of the administration, or at ensuring continuity without any interruption after any extraordinary situation.
Ex-post controls: The controls applied by management to the administration's activities after they have been carried out, using pre-identified methods.
Monitoring: The activity of assessing, within the framework of compliance with internal control standards, whether the internal control system provides the expected contribution to attaining the objectives and aims of the administration, and of determining the activities to be carried out in fields that are open to improvement.
Residual risk: The risks remaining after management has taken precautions to reduce their probability and impact.
Control activities: Actions aimed at reducing the impact and/or the likelihood of a risk occurring, and thus increasing the probability of attaining the goals and objectives of the organisation or part of the organisation.
Financial Management and Control: The development, implementation, monitoring and improvement of suitable organisations, methods and processes within the framework of managerial responsibility, to ensure effectiveness, efficiency and economy in obtaining and using resources, as well as compliance with the identified aims and objectives and the legislation.
Central Harmonisation Unit: Affiliated to the Ministry of Finance. The unit develops and harmonises methods and standards concerning financial and internal control processes and provides related guidance for public administrations.
Mission: The cause of existence of an administration and its place within the state structure. In other words, the mission is the answer to such questions as what the public administration does, and how and for whom it does what it does.
Focus group: Meetings held among a target group composed of 6-8 people to receive their thoughts and reactions in a detailed and elaborate manner. They are managed by a moderator within the framework of a flow plan.
Probability: The likelihood that an event may occur.
Organisational structure: The general system covering all the activities and procedures undertaken to attain the aims and objectives of the administration.
Ex-ante financial control: A control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out against the available appropriation amount, the expenditure programme, the financing programme, and the provisions of the central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently.
Implicit information: The information in people's minds which is not regulated in accordance with a particular system, and is therefore not easy to transfer and circulate, and the registered information which is not accessible to employees.
Stakeholders: The people, groups and administrations which are relevant to the administration's products and services and can directly or indirectly, positively or negatively, affect or be affected by the administration.
Risk: Can generally be defined as the uncertainty of events that may occur in the future, or the undesirable outcomes and impacts of an event. For administrations, risk can be defined as the negative or positive effects of internal and external factors that may occur in the future on attaining the objectives and aims of administrations. In risk terminology, the positive aspects of risk and the gains it may bring are referred to as opportunity, and the negative aspects and the losses it may cause are referred to as threat.
Risk assessment: Analysing those factors which can have an impact on attaining the objectives of the administration.
Transferring risk: Responding to risks by taking some of them away from the responsibility of the administration and transferring them to others.
Handling risks: The identification of responses to the risks identified and assessed (within the framework of the risk appetite) by public administrations, reducing the expected threats and benefiting from the opportunities that may emerge within this context.
Impact of risk: The outcomes or effects that a risk-posing event can produce once it occurs.
Risk appetite: The amount of risk an administration is ready to accept (tolerate/be exposed to) at any time before deciding on the need to take any relevant precautions, in line with its strategic objectives, mission and vision. In terms of threats, it refers to the exposure level which can be tolerated and justified; in terms of opportunities, it refers to how far one is ready to actively take the risk to gain the benefits of the opportunity.
Tolerating risks: A passive method of response to risks which public administrations are comfortable to undertake.
Avoiding risks: A response to risks by removing the activities in which risks are probable to occur, thus eliminating, together with the activities, the risks that are probable to occur.
Controlling risks: A method of response to risks by means of control activities carried out to keep tolerable risks at a certain level in public administrations.
- Preventive Controls: Controls carried out to prevent the threats a risk may pose and the undesirable outcomes a risk may produce once it occurs.
- Corrective Controls: Controls aiming at reducing the impact of undesirable outcomes that arise from the threats a risk poses once it occurs.
- Directive Controls: Controls carried out to prevent the occurrence of a risk or to avoid the impact it may produce once it occurs.
- Detective Controls: Controls applied to identify the damages and losses experienced once the risk is realised.
Risk profile: The documented and prioritised overall assessment of the range of specific risks faced by the administration.
Risk management: A management tool and all the mechanisms related to identifying and assessing risks that may have an impact on attaining the aims and objectives of the administration, identifying responses to risks, regularly reviewing and updating risks and responses, and monitoring the whole process.
Corporate risk management: A process which covers the entire administration and ensures that risk management processes are considered and handled as a whole.
Risk strategy: The overall organisational approach to risk management as defined by the Accounting Officer and/or the Board. This should be documented and easily available throughout the organisation.
Risk Strategy and Policy Document (RSPD): The corporate approach to risk management identified by the Head of Administration, and the senior-level policies, are called the risk strategy; the document in which this approach and these policies are set down in writing is called the Risk Strategy and Policy Document (RSPD).
Risk identification: The process of identifying, ascertaining, categorising and updating the risks that prevent or limit the achievement of the administration's strategic objectives, using previously defined methods.
Strategy Development Unit: Refers to the presidencies of strategy development, departments of strategy development and directorates where strategy development and financial services are undertaken. They carry out studies to establish, implement and continuously develop internal control systems and report the study results to the Head of Administration.
Irregularity: Faults, errors and negligence stemming from violation of the regulations and provisions related to financial management.
Delegation of authority: The delegation, in writing and in the way envisaged in the legislation, of the responsibility and authority for making decisions to another authority.
Fraud: The misuse or insufficient use of documents and declarations for monetary purposes or for non-monetary private purposes, as well as hiding information or deliberate acts performed to abuse a benefit legally obtained, and negligence and illegal use of public power.
Management Information System: Supporting systems which provide proper data for managers and decision-makers for taking decisions and implementing them, with a view to more effectively attaining the previously identified objectives of the administration, by operating and communicating the information used in the administration.
Managerial accountability: Refers to management being accountable to the Parliament, the Government and public opinion for the decisions they have made regarding the duties assigned to them, as well as for the effective use of public resources.
Governance: The way in which organisations are directed and controlled. It defines the distribution of rights and responsibilities among the different stakeholders and participants in the organisation, determines the rules and procedures for making decisions on corporate affairs, including the process through which the organisation's objectives are set, and provides the means of attaining those objectives and monitoring performance.
Conference call: A system of telecommunications technology that enables a number of people in different locations to hold a discussion using the telephone.
76 Learning 57
RISK MANAGEMENT ANNEXES 59 ANNEX 1 Using the brainstorming method to identify assess and record risks 59
ANNEX 2 Risk Voting Form 61
ANNEX 3 Risk Register 61
ANNEX 3 Risk Register 62
ANNEX 4 Consolidated Risk Report 64
ANNEX 5 Risk Assessment Criteria Table 66
ANNEX 6 Case Study Example of Inherent and Residual Risk 68
ANNEX 7 Case Study Example of completed Risk Voting Form Risk Register and
Consolidated Risk Report 69
CONTROL ACTIVITIES 72 1 Introduction 72
2 Control Activities Standards 72
3 Planning Process of Control Activities 73
4 Classification of control activities 73
4 1 Preventive controls 73
42 Corrective Controls 74
43 Directive Controls 74
44 Detective Controls 74
5 Methods of control activities 75
51 Authorisation and approval 76
52 Segregation of duties 76
53 Double signature system 76
54 Reconciliation of data 77
55 Supervision procedures 77
56 Ex-ante financial controls 77
57 Procedures for accounting operations 77
58 Anti-corruption 78
59 Access to assets and information 78
510 Documentation archiving and storing of information 78
511 Business continuity (or emergency plans) 79
512 Control activities related to Information Technology (IT) 79
513 Assessing costs and benefits of control activities 80
6 Practıcal Stages For Control Actıvıtıes 81
7 Steps to identify and implement control activities 83
Control Activities Annexes 84 Annex 1 ndash Examples of some common risks and controls 84
Annex 2 List of common control activities 87
Annex 3 - Illustrations for cost benefit analysis 95
INFORMATION AND COMMUNICATION 97 1 INTRODUCTION 97
2 Information and Communication Standards 97
3 ROLES AND RESPONSIBILITIES IN INFORMATION AND COMMUNICATION 98
Minister 98
Head of Administration 98
4
Internal Auditor 98
Authorising Officer 98
Realisation Officer 99
Accounting Officer 99
Strategy Development Units 99
Central Harmonisation Unit 99
4 INFORMATION 99
41 Characteristics of Information 99
42 Information Management 100
43 Information Security 106
5 MANAGEMENT INFORMATION SYSTEMS (MIS) 108
51 Stages of Establishing MIS 109
6 COMMUNICATION 110
61 Internal and External Communication 111
62 Communication Methods 113
7 WHISTLEBLOWING OF FAILURES IRREGULARITIES AND FRAUD 114
71 Concepts of Failure Irregularity Fraud and Whistleblowing 115
72 Scope of Notifications 115
73 The Responsibility for Detecting Faults Irregularities and Fraud 116
74 Whistleblowing System 116
8 RELATIONS AMONG UNITS 119
81 Information and Communication between the CHU and SDUs 119
82 Information and Communication between SDUs and Spending Units 119
INFORMATION AND COMMUNICATION ANNEXES 120
Annex 1 - Legislation on Information and Communication 120
Annex 2 - Widely Used Methods of Communication 121
Annex 3 Reports Prepared under PFMC Law No 5018 124
Annex 4a Whistle-Blowing Process Related to Ethical Values 125
Annex 4b Whistleblowing and Evaluation Process for Crimes Committed by Civil Servants 126
MONITORING 127
1 Introduction 127
2 Monitoring Internal Control Standards 128
3 Roles And Responsibilities 128
31 Senior Manager 128
32 Internal Audit 128
33 Internal Control and Risk Steering Board (ICRSB) 128
34 Authorising Officers 128
35 Strategy Development Units (SDU) 129
36 Other Managers and Employees 129
37 External Audit 129
38 Central Harmonisation Unit (CHU) 129
4 Guidance by the CHU 130
5 Assessment and Reporting Role of SDUs 131
51 Assessment of Internal Control System by SDUs 131
52 Reporting of Internal Control System Evaluation Results 132
53 Monitoring of Internal Control System Evaluation Reports 133
54 Work to be carried out by SDUs concerning Internal Audit Reports 134
6 Internal and External Audits 136
61 Internal Audit 136
62 External Audit 137
7 Internal Control Assurance Declarations 138
71 How to complete Internal Control Assurance Declarations 139
MONITORING ANNEXES 146
Annex 1 Internal Control System Question Form 146
Annex 2 Internal Control System Evaluation Report 162
Annex 3a Internal Control Assurance Declarations Senior Manager 163
Annex 3B Internal Control Assurance Declaration Authorising Officer 167
Annex 3b Internal Control Assurance Declaration Head Of SDU 170
Annex 4 Example Of A Complete Declaration 171
GLOSSARY 174
LIST OF ABBREVIATIONS
ARC Administrative risk coordinator
BiMER Prime Ministry Communication Centre
CHU Central Harmonisation Unit
COBIT Control Objectives for Information and Related Technology
COSO Committee of Sponsoring Organisations of the Treadway Commission
DHSDU Declaration by Head of Strategy Development Unit
e-SAC Electronic System Audit and Control
FMC Financial Management and Control
HRM Human Resources Management
ICAD Internal control assurance declaration
ICRSB Internal Control and Risk Steering Board
INTOSAI International Organisation of Supreme Audit Institutions
ISO/IEC International Organisation for Standardization / International Electrotechnical Commission
IT Information Technology
MERNIS Central Civil Registration System
MIS Management Information System
PESTLE Political Economic Social Technological Legal and Environmental
RSPD Risk Strategy and Policy Document
SDU Strategy Development Unit
SMART Specific Measurable Achievable Relevant Time-related
SURC Sub-unit Risk Coordinator
SWOT Strengths Weaknesses Opportunities and Threats
TGNA Turkish Grand National Assembly
TSE Turkish Standards Institute
URC Unit Risk Coordinator
UYAP National Judicial Information System
INTRODUCTION
From the late 20th century onwards, the focal point of governments throughout the world has been to establish mechanisms that increase performance. "Good governance", put forward to serve this end, has recently come to be a guiding principle for both the private sector and the public sector. Within the framework of the principle of good governance, such factors as ensuring accountability for the provision of better quality public services, improving transparency, delegating authorities and responsibilities by means of managerial flexibility, outcome-oriented management and budgeting, and understanding and meeting the expectations of citizens have come to the foreground.
On the other hand, the provision of quality public services has brought with it the need for public resources to be used effectively, efficiently and economically, thus necessitating the use of effective tools in public administrations in many areas related to financial management and control, from organisational structure to information and monitoring. The most important tool for accountability adopted in this reform process is internal control.
Internal Control
Internal control, as the term is used internationally, is a system designed to give reasonable assurance that the objectives of a given administration will be attained. Within the framework of the Committee of Sponsoring Organisations (COSO) model, which is the most widely known system among the others, internal control aims to ensure compliance of actions and works with the legislation, as well as the reliability of financial and managerial reporting and effective and efficient asset protection. COSO, which is made up of the control environment, risk management, control activities, information and communication and monitoring components, is an internal control model that is also accepted as a reference point by such institutions as the International Organisation of Supreme Audit Institutions (INTOSAI) and the European Commission. The following figure shows the components of COSO.
IN Figure 1 The COSO Cube
Our country, on the other hand, which has been carrying on membership negotiations with the EU, has been going through a reform process since the early 2000s with a view to strengthening its public internal control system. The basic factors of the internal control system recommended by the European Commission to all candidate countries, which is in compliance with COSO, can be summarised as: a financial management and control (FMC) system based on managerial responsibility and accountability, a functionally independent internal audit activity, and a Central Harmonisation Unit (CHU) responsible for the harmonisation of these two areas across the whole public sector.
FMC refers, in the most general terms, to the management and control processes related to public revenues, expenditures, assets and obligations. In this context, public managers at every level are responsible for establishing and sustaining a sound FMC system to ensure resource-based planning, programming, budgeting, accounting, controlling, reporting, archiving and monitoring. Internal audit, on the other hand, which assists the manager in assuming this responsibility and attaining the objectives, gives objective assurance based on risk management and provides guidance regarding the compliance of the current FMC system with the identified rules and standards. Furthermore, a full-capacity and high-quality central harmonisation activity is required in order to identify and develop methodologies, legislation and standards in the areas of FMC and internal audit in public administrations, as well as to coordinate and monitor them and provide the training needed.
In the light of best practice examples, our country has taken important steps in strengthening transparency and accountability in public financial management and ensuring an effective internal control function. Public Financial Management and Control Law No 5018, which is the most important of these steps and was adopted in 2003, defines the functioning of the internal control system and the roles and responsibilities of the actors involved in the system, and assigns the Ministry of Finance (MoF) the duty of identifying standards and methods as well as ensuring coordination and providing guidance in this area. In accordance with this duty, the MoF published a Public Internal Control Standards Communiqué in 2007 which is in compliance with international standards.
The Financial Management and Control Manual, which is an extension of all these works, has been prepared with a view to supporting decision-making and implementation processes for better management and thus contributing to the rational use of public resources. The Manual, the preparation of which started in 2010 and was completed in the first quarter of 2011, is the outcome of painstaking work carried out by experts from both the United Kingdom and our country within the framework of a twinning project financed by the European Union.
The FMC Manual has been designed with a view to ensuring the implementation of the internal control standards, as a guideline which explains all the basic factors of internal control by means of methods, tools and examples that can be used by all stakeholders. In addition, it is also possible for administrations to use, according to their own needs, tools other than those in this Manual, which can be modified and revised over time in line with changing circumstances and needs in public administrations; however, it is foreseen that the tools adopted should not be in conflict with the basic requirements contained in the Manual.
This Manual is made up of five main parts based on the Internal Control Standards. Following this introduction there is a table showing the main responsibilities of the major actors in financial management and control.
In the first part, conceptual explanations regarding ethical values and integrity, mission, organisational structure and duties, competence and performance of personnel, and delegation of authority, which are the milestones of the control environment, as well as information on the legislation and implementing tools, are given.
In the second part, information on the importance and aim of risk management, the stages of the risk management process and the roles and responsibilities of the actors involved in the process, the Risk Strategy and Policy Document, and the communication and reporting tools that can be used is given.
In the third part, control strategies and methods, identification and documentation of procedures, the principle of separation of authorities, hierarchical controls, sustainability of activities and information processing controls are explained within the framework of control activities, which are closely related to risk management, and a set of control activities (approval, authorisation, verification, reconciliation of accounts, etc.) are dealt with.
In the fourth part, the concept of information and its management, the functioning of Management Information Systems, internal and external communication tools and reporting mechanisms are handled within the framework of the information and communication component.
In the fifth part, information on the roles and responsibilities of the Financial Management and Control Central Harmonisation Unit (FMC CHU) in the overall public sector and of the Strategy Development Units (SDU)/Financial Services Units in each public administration, as well as the tools used, the internal control system quality assurance development programme, the roles of internal and external audit, the content of the Internal Control Assurance Declaration and guidance on how to fill in the Declaration, is given within the framework of regular monitoring and assessment of the internal control system.
In the last part of the Manual, a glossary of the concepts used in the Manual is given.
Users of the Manual
Besides the relevant stakeholders and users, it is believed that this Manual will be a reference document for the following:
Senior managers responsible for establishing an effective and adequate FMC system as well as observing and monitoring it
Authorising officers who have responsibility, within the scope of their duties and authorities, to ensure the functionality of internal control regarding administrative and financial decisions and proceedings
Relevant managers and employees of the Ministry of Finance who carry out the central harmonisation duty in the area of FMC
Managers of SDUs and financial services experts who have responsibility for the development of the internal control system and the implementation of the standards
Realisation officers and accounting officers who are involved in the financial processes and are accountable to authorising officers
Other public managers who have responsibilities arising from the activities conducted in the area of FMC in their units
All employees working in public administration
Internal auditors who have the responsibility to assess and report to the Head of Administration on the effectiveness of the FMC system
External auditors who are responsible for examining the accounts, financial transactions, activities and internal control systems of public administrations, as well as whether resources are used effectively, efficiently and economically and in compliance with laws, and for reporting the results to the TGNA
TABLE OF ROLES AND RESPONSIBILITIES
(The original table has three columns: Risk Management, Information and Communication, and Monitoring. Each actor's entry is given below under those three headings.)

MINISTER
Risk Management: Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister should be aware of the potential risks to the administration's objectives.
Information and Communication: He ensures coordination and cooperation with the other ministries and informs the public opinion and the TGNA about the annual performance programme and activity report of the administration.
Monitoring: Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister is responsible for ensuring effective monitoring of the internal control system.

HEAD OF ADMINISTRATION
Risk Management: He defines strategies and policies for an effectively functioning risk management system in accordance with the aims and objectives of his administration. He explicitly defines tasks, roles and responsibilities. He ensures the participation of the stakeholders and the public opinion.
Information and Communication: As the quality of the information exchange and communication between the head of administration and the other actors has a direct effect on the accountability of the head of administration, he must inform the relevant units about the frequency and methods of feedback he prefers. He ensures effective communication among spending units, SDUs and internal audit.
Monitoring: He is responsible for observing and monitoring the functioning of the financial management and control system. He approves annual internal control system evaluation reports and signs the Internal Control Assurance Declaration.

INTERNAL CONTROL AND RISK STEERING BOARD
Risk Management: The Board develops policies for the improvement of risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the units of the policies and procedures for coordination purposes. The ICRSB determines a particular number of risks which it deems significant as the key risks among those risks that are submitted to it, and reports whether these key risks function well or not to the Head of Administration at regular intervals or whenever it deems necessary.
Information and Communication: It provides the Head of Administration with timely and accurate information about the effectiveness of internal control and risk management.
Monitoring: It assesses the internal control system evaluation reports prepared by the strategy development unit as a result of the annual evaluation of the internal control system and, after identifying any shortcomings of the report, submits it with the relevant opinions for the approval of the Head of Administration.

AUTHORISING OFFICER
Risk Management: He acts as the unit risk coordinator or assigns someone to act as such. The URC coordinates the management of the unit's risks that may have an impact on the objectives of the administration and provides guidance to this end.
Information and Communication: He ensures that the tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff. He ensures that sub-units are informed about each other's activities. He ensures that an effective communication and archiving system is established for the information related to the objectives and activities of the unit.
Monitoring: He has responsibility for continuously monitoring the internal control system. He provides the necessary information to strategy development units regarding the annual evaluation of the internal control system, completes the internal control questionnaire and annually signs the internal control assurance declaration to be submitted to the Head of Administration.

HEAD OF DEPARTMENT/UNIT
Risk Management: He is responsible for the coordination of risk management activities within the sub-units of the spending units in administrations (if such units exist or their management at this level is deemed appropriate). He is directly accountable to the URC regarding risk management.
Information and Communication: He ensures that an effective communication and archiving system within the sub-unit is established for the information related to the objectives and activities. He ensures that the tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff. He is accountable to the authorising officer.
Monitoring: He has responsibility for continuously monitoring the internal control system. He supports the authorising officer in providing SDUs with information.

EMPLOYEES
Risk Management: Every employee is directly responsible for managing risks in their field of duty (identifying, assessing, responding to, reviewing and reporting risks).
Information and Communication: Every employee is responsible for delivering accurate and timely information to managers, colleagues and stakeholders by using the right communication means.
Monitoring: They observe the functioning of the internal control system and, in case of a problem, they inform senior management and contribute to the evaluation process of the internal control system by providing information.

STRATEGY DEVELOPMENT UNIT
Risk Management: It organises training on risk management in the administration and provides guidance in this respect.
Information and Communication: It is responsible for providing the Head of Administration and the units with accurate and timely information. In addition, it is responsible for providing the units with guidance and training in the area of internal control.
Monitoring: It annually assesses the internal control system on behalf of the Head of Administration. It signs the declaration on the functioning of the internal control system with a view to ensuring the effective, efficient and economical execution of the administration's activities. Staff of Strategy Development Units take an active role in the evaluation process of internal control systems and guide the units in completing the evaluation reports.

ACCOUNTING OFFICER
Risk Management: Within the scope of his duty, the Accounting Officer should identify and manage the financial risks.
Information and Communication: The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way.
Monitoring: Accounting Officers must regularly report to the authorising officer on the accounting records.

CENTRAL HARMONISATION UNIT
Risk Management: It is responsible for such activities as making regulations and changes when necessary, carrying out developmental activities, and ensuring guidance, harmonisation, inter-administrational coordination and reporting.
Information and Communication: It is responsible for making arrangements, setting out standards, providing guidance and advice, ensuring harmonisation and coordination among administrations, and monitoring and reviewing implementation in the fields of financial management and control and internal audit.
Monitoring: It annually assesses the functioning of internal control systems in public administrations based on the Internal Control Evaluation Reports approved and submitted by senior managers, and submits the evaluation report it prepares to the Head of Administration and the Minister of Finance.

INTERNAL AUDIT
Risk Management: The internal auditor provides the Head of Administration with advice regarding risk management by evaluating whether the risk management process is effective and risks are managed in the right way or not.
Information and Communication: He examines the functioning of the information and communication system in the administration and reports the results to the Head of Administration. There must be an effective communication system between the Head of Administration and internal audit.
Monitoring: It has the function of providing management with information about the sufficiency, effectiveness and functioning of the internal control system, as well as making evaluations and giving recommendations.

EXTERNAL AUDIT
Risk Management: Within the framework of performance management, it can audit the functioning of risk management processes in administrations.
Information and Communication: Within the framework of performance management, it can audit the functioning of information and communication systems in administrations.
Monitoring: The Court of Accounts can assess the internal control systems in administrations during the audits it conducts and give recommendations.
CONTROL ENVIRONMENT
1 INTRODUCTION
According to the COSO model, the control environment is the creation of the basic infrastructure for the other components of internal control by providing internal control awareness for the employees working in a particular administration. The control environment generally includes the internal control awareness, values, working styles and procedures of the administration. The basic factors of the control environment are summarised below.
CE Box 1 Basic Factors of Control Environment
Principles of personal and professional integrity
Adoption of ethical values by management and personnel
Supportive attitude of senior management towards internal control
Organisational structure
Professional competence and performance of personnel
Human resources policies and practices
Management philosophy and working style
The creation and sustainability of a positive and supportive environment for internal control by the management is of great importance. As employees also have their own roles in carrying out internal control, all individuals within the administration need to know their responsibilities and authorities very well. Employees need to uphold personal and professional integrity and ethical values and comply with the current behavioural norms. In a well-functioning control environment, the public administration should determine its mission, organisational structure and terms of reference in advance and should regularly assess the performance of personnel.
2 Internal Control Standards
Four standards were determined regarding the control environment among the Public Internal Control Standards.
CE Box 2 Control Environment Standards
Standard 1 Ethical values and integrity
It should be ensured that the rules which regulate how personnel behave are known by the personnel.
Standard 2 Mission, organisational structure and duties
The mission of the administration and the job descriptions for units and personnel should be set out in writing and announced to the personnel, and a suitable organisational structure should be established in the administration.
Standard 3 Competence and performance of personnel
Administrations should ensure compatibility between the competence and duties of personnel and take action on performance appraisal and improvement.
Standard 4 Delegation of authority
The administration should explicitly identify authorities and the limits of delegation of authority and announce them in writing. Authority should be delegated taking into consideration the importance and risk of the authority to be delegated.
This part gives explanations regarding the relevant legislation and standards with a view to making the Public Internal Control Standards more comprehensible and to guiding practice. It also stresses the methods to be applied so that ethical values and integrity principles are owned by senior management and adopted by personnel, which is very important for a well-functioning control environment. In addition, criteria are determined for the assessment of the competence and performance of personnel, and explanations are given on the determination of mission, organisational structure and duties. Moreover, the part explains how delegation of authority, which is a priority for accountability, needs to be conducted.
3 LEGISLATION
31 Legal Basis
In utilising public resources or in providing effective and efficient public services, the principles and procedures of a piece of work, financial or non-financial, are determined by regulations made by laws or by the central administration.
Internal control standards provide the minimum and overall framework for managers for giving assurance on the provision and sustainability of services. The following diagram gives the international and national standards and legislation relating to the Control Environment.
CE Figure 1 Legal Basis Framework regarding Control Environment
Part Five of Law No 5018 regulates the 'internal control system'. Within this framework, in order to establish an effective and sufficient internal control system, the top manager and the other managers should take the necessary action to ensure that the following factors are implemented:
• Having professional values and an integral management understanding
• Assignment of financial authorities and responsibilities to informed and competent managers and personnel
• Compliance with the standards set
• Prevention of actions that are contrary to the Legislation
• Provision of a proper working environment and transparency with a comprehensive management understanding
The main legislation related to control environment is given below
CE Table 1 Main Legislation on the Control Environment Standards
Control Environment Standard 1 - Ethical Values and Integrity
Related legislation:
Law No 5176 on the Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws
Legislation on Civil Servants Ethical Behaviour Principles and Application Principles and Procedures
Control Environment Standard 2 - Mission, Organisational Structure and Tasks
Related legislation:
Law No 3046
Decree Law No 217 on the Establishment and Duty Principles of State Personnel Presidency
Strategic Planning Guideline for Public Administrations
Control Environment Standard 3 - Competence and Performance of Personnel
Related legislation:
Turkish Constitution
Law No 657 on Civil Servants; Law No 2802 on Judges and Public Prosecutors; Law No 2914 on High Education Staff; Law No 926 on Turkish Armed Forces Personnel; Law No 3269 on Specialized Sergeants; Law No 3466 on Specialized Gendarmerie; Law No 4678 on Contracted Officers and Petty Officers to be Recruited into Turkish Armed Forces
Regulation on Examinations for Those to be Appointed for Public Duties for the First Time
Regulation on Appointment Conditions for Public Services of Disabled Persons and Competition Examinations to be Conducted
Special Regulations Prepared by Administrations (expert, coordinator, inspector, etc.)
General Regulation on Training of Candidate Civil Servants
Registry Regulation for Civil Servants
Regulation on Civil Servants to be Sent Abroad for Training Purposes
General Regulation on the Principles of Promotion and Title Change in Public Administrations and Entities
Regulation on Promotion and Title Change in Supreme Institutions and Agencies of High Education
Control Environment Standard 4 - Delegation of Authority
Related legislation:
Law No 3046
Law No 2547 on High Education
Law No 5393
Organisational Laws
Communiqué Serial No 1 on Authorising Officers
4 ETHICAL VALUES AND INTEGRITY
41 What is Ethics
Ethics is a body of moral principles which forms the basis for the behaviour of a person. In other words, ethics is the guidelines, values, principles and standards which help people determine 'how to do works'. Ethics is at the same time a process: in this process, while making and implementing decisions, actions are carried out upholding particular values.
The aim of observing ethical behaviour principles is to prevent corruption and to uphold integrity in the state and the community.
42 Current Legislation on Ethics
Law No 5176
The Law determines the establishment, duties, and working principles and procedures of the Civil Servants Ethical Board, which determines and monitors the implementation of such ethical values that civil servants must observe as transparency, impartiality, accountability and observing the public interest. However, the scope of the Law is so narrow that it diverges from its original aim (the provisions of the Law are not enforced in respect of the President, members of the TGNA, members of the Council of Ministers, officials of the Turkish Armed Forces and officials of the judiciary).
The Civil Servants Ethical Board is authorised and responsible for determining ethical behaviour principles through the legislation it prepares, conducting the relevant ex officio examinations and investigations as well as conducting examinations and investigations upon applications concerning violations of ethical behaviour and notifying the results to the relevant authorities, carrying out studies to settle ethical behaviour in the community, and supporting studies to be carried out in this field.
Within the framework of the laws, applications may be made to the Board alleging violation of ethical behaviour principles by civil servants in positions of at least director general or equivalent in a public administration or institution.
Applications alleging violation of ethical principles by other civil servants are evaluated by the concerned boards of the relevant administrations to see whether there is a situation contrary to ethical value principles or not. The results of the evaluations are communicated to the applicant and to whom it may concern.
The Board conducts its examinations and investigations regarding the applications referred to it to see whether ethical value principles have been violated or not. The Board has to conclude the examinations and investigations conducted upon whistleblowing or complaint applications within three months at most. The results of the examinations and investigations are communicated in writing to the relevant authorities and to the Prime Ministry. (For further information please refer to the "Information and Communication" chapter.)
Legislation on Civil Servants Ethical Behaviour Principles and Application Procedures
Civil servants are liable to observe ethical behaviour principles while fulfilling their duties and to sign the Ethical Contract document. Authorised appraisal managers in administrations and institutions assess the performance and employment records of personnel in terms of compliance with ethical values.
CE Figure 2 demonstrates ethical behaviour principles determined in the Legislation
CE Figure 2 Ethical Behaviour Principles
(Principles shown in the figure: public service awareness in fulfilment of duties; service awareness for the public; compliance with service standards; commitment to aims and mission; integrity and impartiality; esteem and trust; courtesy and respect; notification of authorised bodies; avoiding conflict of interest; not abusing duties and authorities to draw benefits; prohibition of giving presents and drawing benefits; utilisation of public properties and resources; being economic; binding explanations and unreal declarations; informing, transparency and participation; accountability requirement for managers; relations with previous civil servants; granting declaration of property.)
43 Main Ethical Behaviours that are Expected from Civil Servants
Observing high ethical standards at all times and working to increase public trust in the state and civil servants for the public benefit
Behaving in compliance with ethical values and principles when fulfilling duties, obtaining and using public resources, and purchasing goods and services from outside
Showing respect for colleagues and users of services, and exhibiting impartial and fair behaviour
Having a participatory decision-making process by taking the views of colleagues and users of the services into consideration
Appreciating and announcing the good work colleagues do
Not abusing public authorities and resources for personal benefit and not favouring relatives or friends in the use of public services
Being careful about possible and actual conflicts of interest
Assuming responsibility for decisions and behaviour
Filling in property declaration forms in time, accurately and without any reservation
Not working in a second job that is prohibited by the Legislation, other than his public service
Not establishing private relationships with persons and firms that are in connection with the administration the civil servant works in
Warning other civil servants whose behaviour is not in compliance with ethical principles and notifying the authorities in case the warning turns out fruitless
4.4 Ethical Behaviours That are Expected from Public Managers
While fulfilling their duties, managers should:
- Inform all civil servants of the overall aims, main objectives and values of the administration.
- Create a positive working environment where behaviour expectations are clearly defined and violations, if any, are identified and corrected.
- Assume full responsibility for the activities of the administration.
- Take into consideration the merits, current behaviour and developmental potential of personnel when appointing to a position.
- Behave in a fair, equal and impartial way towards all personnel.
- Solve problems and conflicts in a quick and fair manner.
- Be consistent, reliable, predictable, fair and objective in decisions and behaviour.
- Set a personal example in terms of ethical principles and values.
- Maintain the highest possible standards of efficiency and effectiveness at work.
4.5 Ethics Training
One of the most important prerequisites for establishing a culture in the administration that is based on ethical values and principles is ethics training. All personnel at every level employed in public administrations and institutions need to be informed of the ethical behaviour principles and their responsibilities related to these principles.
Managers of administrations and institutions are liable to include ethical behaviour principles in the basic, preparatory and in-house training programs that are implemented for civil servants.
5 MISSION, ORGANISATIONAL STRUCTURE AND DUTIES
The mission of an administration is its cause of existence and its place within the state structure. The organisational structure ensures that duties carried out to attain the objectives and aims of the administration are controlled and monitored. Duties carried out by the administration are led by the mission and the organisational structure. These factors, which complete each other, form an important basis for the other components of the internal control system.
5.1 Mission
Public administrations set out their missions, visions, aims, objectives and strategies in strategic plans. As the Strategic Planning Guideline for Public Administrations states, the mission is the cause of existence of an administration. In this regard, the mission covers all the services and activities an administration carries out. In other words, the mission is the answer to such questions as what the public administration does, and how and for whom it does it. The mission should be sound, realistic and participatory in order to lead the administration, and should be developed according to changing conditions and needs. It is also proper to receive opinions from personnel and stakeholders when forming and updating the mission.
The following should be taken into consideration in the mission declarations of administrations:
- The mission should be up-to-date, precise and clear.
- The mission should be determined in line with the established aims of the administration, not the process of service provision.
- While determining the mission, the tasks and authorities granted to the administration by legal regulations should be taken into consideration.
- In mission promotion, the people and entities that the administration provides services for, and the goods and services that the administration offers, should be stated.
CE Box 3 Mission Example
For the mission, which is very important for the public administration, to be achieved, personnel should be sufficiently informed about the mission of the administration they are affiliated to. Being informed about the mission and adopting it will guide the decisions and activities of the administration and help personnel understand their duties within the administration. To this effect, the mission should first be set down in writing and announced to the personnel, and a system should be developed for the mission to be adopted by the personnel. On the other hand, the job descriptions of the sub-units should be determined in writing in compliance with the mission, and compliance with the mission should be regularly reviewed.
5.2 Organisational Structure
The organisational structure of the administration is another important factor which influences the control environment. The organisational structure provides a framework for the attainment of the aims and objectives of the administration.
In order to establish a proper control environment, the organisational structure should:
- Indicate the division of authorities and responsibilities within the organisation.
- Include accountability mechanisms and the relevant reporting lines which will ensure the functionality of these mechanisms.
- Indicate the coordination and integration points.
(CE Box 3 Mission Example, box text) "Carrying out research, training and publishing activities, developing and supporting projects for strengthening and increasing the problem-solving capacity of families, and for the identification and solution of problems in cooperation with institutions and organisations, in the light of scientific and ethical values." (General Directorate of Family and Social Research, 2007-2011 Strategic Plan)
Organisational structures of administrations are generally determined by the organisational laws that are prepared in compliance with the framework set in Law No 3046, and the duties of administrative units (main services, consultation/audit and support units) are shaped in these organisational laws. Duties of the sub-units of administrations, on the other hand, are determined in administrative regulations such as circulars and regulations, not in the organisational laws.
Furthermore, organisational structures of public administrations which fall under the scope of local administration are determined by Law No 5393 on Municipalities, Law No 5216 on Metropolitan Municipalities, Law No 5302 on Special Provincial Administration and Law No 5355 on Local Administration Unions.
The mission of the administration is achieved by the activities carried out by the units of the administration and their sub-units, and by the units of the local administration. Within this framework, the duties of both units and sub-units should be in compliance with the mission of the administration.
Relevant changes regarding the organisational structure, units and sub-units of the administration, and the duties carried out by these units and sub-units, can be made by amending the organisational law or revising administrative regulations according to the circumstances, within the framework of the reviewing activities in question.
5.3 Job Descriptions
As stated in the Public Internal Control Standards, the written definition of duties to be carried out by units and sub-units of administrations, and the formation of a task distribution chart covering the duties of personnel in the administrative units and their relevant authorities and responsibilities, assume importance for the mission of the administration to be accomplished. Within this framework, the preparation stage of job descriptions is demonstrated below.
Public administrations can prepare their job descriptions by following the process given below.
CE Figure 3 Preparation Process of Job Descriptions
MAKING JOB ANALYSIS
Job analysis is a process in which information regarding the quality of every job carried out in the administration, the working environment the job will be carried out in, and the working conditions is collected, and the collected information is systematically examined and assessed. While making a job analysis, the following should be followed:
- Determination of the jobs to be analysed, taking into consideration the organisational structure of the administration.
- Determination of the objective.
- Formation of the team to make the analysis (it is essential that the team members making the analysis are selected from inside the administration; however, it is possible to receive counselling from outside when necessary).
KEY QUESTIONS IN JOB ANALYSIS
- What are the requirements of the job (in terms of knowledge, experience and competence)?
- How is the job done?
- When is the job done?
- Where is the job done?
- Why is the job done?
- What are the assistive tools for the job (equipment)?
- What kinds of outputs are obtained?
Job analysis does not have a value on its own. It is only valuable when it contributes to attaining the objectives of the administration. Therefore, the analysis should start by understanding the philosophy, mission and objectives of the administration and the role and importance of every unit within the administration, and should continue in this direction.
The findings gathered from the job analysis should be submitted in a systematic and consistent way, and the job descriptions formed according to these findings should be submitted to top management once their final draft has been completed.
At minimum, job descriptions should include the following:
- Unit & Sub-Unit
- Name of the job (name of the position)
- Title that the job has
- Level of competence (areas of responsibility, information, problem solving)
- Basic duties and responsibilities
- Authorities
- Required skills and abilities for the job
- Its relation with other jobs
- Approval section and section regarding communiqué to personnel
The State Personnel Presidency has determined standard job descriptions for some titles (chief programmer, warehouse official, statistician, personnel titled as inspector in the municipalities, etc.). In this process, it is possible for public administrations to receive guidance from the State Personnel Presidency.
5.3.1 Sensitive Duties
Some of the duties carried out in public administration assume more importance than others because of their nature, in terms of the esteem of the administration, risk of corruption, disclosure of secret information, etc. Therefore, more importance is attached to the integrity of the personnel who carry out the duty in question.
It would be convenient to assess at least the following when deciding whether a duty is sensitive or not:
- Capacity to make important decisions that can impact the administration's objectives.
- Its relations with third parties and administrations outside the administration, which can impact decisions.
- Regular access to confidential information.
- Whether financial transactions of high value are involved.
- The duty requiring special expertise at high levels.
- Other criteria that can be introduced by administrations.
According to the criteria in question, the administration should determine sensitive duties, develop control mechanisms to mitigate the risks identified, and review changes that occur in the level of risk.
The following table demonstrates the fields of activity which can be sensitive for administrations and gives examples regarding these fields.
CE Table 2 Examples of Sensitive Duties
Areas of Management | Examples of Sensitive Duties
Financial management | Accounting; Managing payments; Analysing the financial reports
Commitment process | Membership of the Tender Commission; Contracting process; Process of examining and accepting; Publishing tender documents
Human resources management | Definition of positions; Job description; Recruitment process; Assessment; Implementation of salary system
Information management systems | Access to the system and controls; Security of the systems and key documents; Developing the system
Support services | Controlling valuable stocks
(CE Figure 3, continued)
ANNOUNCING JOB DESCRIPTIONS TO THE PERSONNEL: Job descriptions should be announced to the personnel for them to learn what they need to do, under which rules they work, and what their objectives are.
UPDATING JOB DESCRIPTIONS: Job descriptions should be reviewed and updated annually.
5.3.2 Monitoring the Results of Duties
Administrations should continuously assess sensitive duties and decide what steps to take in accordance with changes in the level of the risks (such as renewing controls, identifying new sensitive duties, and re-evaluating the risk levels of sensitive duties by taking cost-effectiveness into consideration).
Managers carry out the activities of administrations through written or spoken instructions. However, it may be difficult for management to monitor the results of duties for such reasons as the structure of units, organisational complexity, scattered organisations, the number of personnel being high and duties being varied. Managers should develop such methods as introducing reporting mechanisms and holding regular meetings to overcome this difficulty.
6 COMPETENCE AND PERFORMANCE OF PERSONNEL
Good management of human resources aims to ensure the efficiency, effectiveness and productivity of personnel.
CE Box 4 Humans First
The basic aim is the selection of proper personnel for the fulfilment of the mission of the administration, appraisal of personnel, career planning for those who are successful, and ensuring they have the basic skills and adequate knowledge with a high sense of responsibility and identity.
6.1 Transition to Human Resources Management from Personnel Management
As it assumes the responsibility for identifying policies, objectives and standards in human resources management (HRM), top management plays a significant role in HRM. Besides, top management should create a transparent and accountable environment complying with laws and legislation.
The expertise that human resources managers have in this area should lead the other unit managers to apply human resources standards at every level of the administration. Furthermore, HRM is a responsibility for all levels of management, starting from top management. In line with the policies in question, the unit managers, while carrying out in an effective way the tasks given to them by the senior managers, should also assume such duties as orientation and training of new personnel, improvement of their work performance, developing a proper work environment and relations in which they will work in cooperation, boosting the morale and motivation of personnel, safeguarding the health of personnel, and improving the working conditions of personnel.
6.2 Activity Areas in Human Resources Management
The basic functions of HRM can be listed as follows:
- Conduction of job analyses
  - Job descriptions
  - Job requirements
- Labour force assessment
  - Staff analysis
  - Cost-benefit analysis
  - Limitations of various legal regulations (Budget Law, Decree Law on General Cadre Procedure, etc.)
- Recruitment process
  - SWOT analysis (of the recruitment process)
  - Announcements in newspapers, on the internet and on the administration's billboards
  - Developing easy application methods which meet the needs, are fair and do not lead to discrimination
  - An examination process that is open and gives confidence
- Merit and career evaluation system
  - Promotion/Achievement criteria
  - Personnel performance indicators
  - Appraisal system
  - Rewarding mechanisms
- Training activities
  - Training needs questionnaire
  - Training programs (theoretical and practical)
  - Trainings and internships abroad
  - Post-training assessments
  - Participation in such activities as conferences and workshops which support personal development
- Poor performance management and disciplinary practices
  - Determining the data on which decisions about non-appropriateness for duty will be based, and announcing this to all personnel
  - Clearly determining the criteria to terminate duties and announcing these criteria to the personnel
(CE Box 4 Humans First, box text) With the principle 'good people make good organisations', we can say the quality of the employees of an administration is the quality of the outputs of that administration. First of all, it must be kept in mind that employees are humans, and a balance must be established between the needs of the administration and employees. It is important for personal motivation that assignments be conducted in line with the merits and careers of employees at every stage, from recruitment to retirement. The only capital an administration has which cannot be materially measured is human.
7 DELEGATION OF AUTHORITY
Authority refers to the power of administrative bodies to make administrative decisions and to conduct administrative transactions.
Responsibility can be defined as the body of rules and sanctions that those who assume roles in administrative activities are subject to.
Delegation of authority is the transfer of the authority and responsibility to make decisions to another body, within the framework of the applicable legislation. Delegation of authority does not remove the managerial responsibility of the delegator.
Rigid and traditional administrative structures, in which all authorities as well as transferring and execution functions gather in a single centre, are not preferred. In such administrations, the motivation of employees and lower-level managers to own the administration and produce services in line with the objectives of the administration will decrease. Administrations, on the other hand, in which managers delegate all their authorities to lower levels with insufficient capacity and do not monitor the results, are not desirable either.
Delegation of authority forms a step in the transition from an authoritarian management understanding to a transparent and accountable management understanding. In modern administrative structures, a proper control environment is created, employees are assigned responsibilities and authorities at the level of their duties, and employees, together with lower-level managers, are included in the decision-making mechanisms. In such administrations, working motivation will increase; therefore, effectiveness and efficiency indicators will go up with the attainment of aims and objectives.
In relation to delegation of authority, the authorities to be delegated and their limits are defined by regulations in various laws. The main regulations in this regard are as follows:
- Law No 3046 on Ministries
- Law No 5442 on Provincial Administration
- Law No 2547 on Higher Education
- Law No 5393 on Municipalities
- Law No 5018 on General Management
- Organisational Laws of Administrations
7.1 Determination of Delegation of Authority
Delegation of authority should be carried out according to the hierarchical structure of the organisation. With a top-down approach, the authorities to be delegated from the Minister to the undersecretary (the authorities to be delegated to the Head of Administration), to his deputies and to heads of units, from head of unit to head of department, and from head of department to director of branch, should be determined in writing and consulted with whom it may concern.
7.2 Delegation of Authority and Work Flow Process
The work flow processes of administrations should be determined, and the officials to take part in the processes and their authorities and responsibilities should be set out. These determined processes should be analysed, and who is to be assigned which authority in the processes should be determined.
What is expected in the delegation of authority is that the official to whom the authority is delegated should be well informed of the process and have the quality and experience to manage the process. Employees who are delegated authority are expected to report the current situation of the process to the delegator, and delegators are expected to seek this report.
7.3 Delegation of Authority and Responsibility
We can handle responsibilities in three different categories:
- Managerial responsibility: It refers to the responsibility to the senior level in hierarchical terms. It is also defined as performance responsibility. Delegation of authority will not remove the managerial responsibility of the delegator.
- Financial (compensation) responsibility: It is the financial responsibility for public and/or personal loss caused by using the authority delegated. Financial responsibility arising from the usage of this authority will belong to the user of the authority.
- Legal (punitive) responsibility: Legal responsibility covers managerial and financial responsibility. Legal responsibilities are defined in the Constitution, organisational laws, the Turkish Penal Code and special legislation. It is a must that all employees and political authorities working in the public administration behave with legal responsibility while carrying out their duties.
7.4 Factors of Delegation of Authority
Those authorities that can be delegated and those that cannot be delegated should be determined with their limits at senior management level and announced.
The basic factors to be taken into consideration in delegation of authority are as follows:
- Delegation of authority must be in writing.
- Legally, there are authorities which cannot be delegated, and these are not at the administration's discretion (for example, the authority to give disciplinary punishment or the authority of administrative tutelage, etc.).
- The limits of the authority to be delegated must be set out.
- As long as the delegation of authority continues, the delegator will not be able to use that authority.
- The official delegating/delegated authority leaving the job will terminate the authority.
7.5 Delegation of Authority and Communication
Employees taking over the authority should periodically report the current situation of the process to the delegator, and the delegator should seek this report, which will provide feedback to the Head of Administration regarding the process. This forms an example of the monitoring function.
8 INTERNAL CONTROL AND RISK STEERING BOARD
8.1 Roles and Members of the Board
The Board has a consultation role which will provide additional value for the activities of the administration in the development of methods and processes regarding the internal control system, such as monitoring internal control practices, preparation of action plans and implementation of the current plans.
The Board is formed by the approval of the Head of Administration for the commencement of studies on the internal control system, within the framework of the Action Plan Manual on Harmonisation with Public Internal Control Standards. The Board consists of authorising officers (or their deputies) under the chairmanship of the deputy Head of Administration; when the deputy Head of Administration is not available, an authorising officer assigned by the Head of Administration will take over as chairman. All or some of the authorising officers are selected for the ICRSB, and how many to select should be determined with a view to providing efficiency in line with the organisational structure. When deemed necessary, the Head of Administration can invite those authorising officers who are not members of the Board to Board meetings to get their opinions, provided that they are not included in the decision-making. Secretarial services of the Board are provided by strategy development units.
The Board convenes periodically. Experts from inside and outside the administration can be invited to the Board, if deemed necessary, in order to contribute to the objectives and aims. The Board is free, within the framework of the duties and responsibilities given to it, in determining the dates and content of meetings, and notifies the relevant persons of the relevant arrangements in advance.
Decisions are made by majority vote. Each member, including the Chairman of the Board, has only one vote. However, when the votes of both sides are equal, the side that the chairman takes is considered the majority. Members who do not side with a decision state their justifications for not doing so in writing. The deputy senior manager and authorising officers, or the deputies they assign, should each have a single equivalent vote in the meetings; however, the other representatives and experts whose opinions are received should not have a vote. The Head of Administration, on the other hand, should be able to participate in Board meetings without having a vote, and should encourage the participation of authorising officers for strengthening the internal control system. For meetings not attended by the Head of Administration, briefing should be made through the reporting system.
Details about how the Board works should be specified in the relevant legislation.
The Board regularly monitors internal communication activities and processes, revises them when deemed necessary, and determines new communication methods to fit the changing organisational structure.
CE Figure 4 Information Flow in Internal Control and Risk Steering Board
8.2 The Board's Scope of Duty
The Board works to support the accountability of senior management in the fields of management, internal control and especially risk, and is authorised to carry out the following with the approval of the senior manager. Within this framework, its duties in the field of risk can be listed as follows:
- It prepares the Risk Strategy and Policy Document (RSPD), or reviews the available RSPD, and submits it for the approval of the senior manager.
- It determines policies for the establishment of the risk management culture in the administration.
- It determines the risks of spending units to be managed in partnership, and the related policies and procedures, and communicates them to the unit's risk coordinator for coordination purposes.
- It determines the risks to be managed in partnership with other administrations and communicates them to the relevant administrative risk coordinator to ensure that the necessary precautions are taken for management in partnership with the relevant administrations.
- The Board periodically assembles to assess whether the risk management process functions well or not, and the level achieved regarding risks, and reports the level achieved to the senior manager.
The Board fulfils the following duties other than risk management:
- Assessing internal audit reports and providing guidance for the implementation of recommendations and ideas regarding the internal control environment and the other components, in line with the requirements of the administration.
- Monitoring the activities of the administration carried out within the framework of the strategic plans and policies of the administration, by means of periodical meetings.
- Making decisions on the dissemination of good practice examples both inside and outside the administration, as a result of the monitoring activities carried out.
(CE Figure 4, recovered labels: Deputy Head of Administration; Internal Control and Risk Steering Board; Strategy Development Unit; Authorising Officers of Spending Units (A), (B) and (C).)
RISK MANAGEMENT
1 Introduction
Administrations utilise the resources allocated to them in order to reach the objectives they set out. Activities, processes and projects carried out for the utilisation of these resources bring along risks. Risk management is a good tool for administrations to achieve the aims they set out in accordance with their missions and visions. Box RM1 describes risk.
RM Box 1 Definition of Risk
Risk is the uncertainty of events that may emerge in the future (if positive, it is an opportunity; if negative, it is a threat). For administrations, this means that the aims, and the objectives they set out to achieve these aims, can be affected positively or negatively by internal or external factors.
Risk management covers risk assessment, determination of effective control activities, monitoring, and continuous improvement of these processes. Risk management must be practised corporately for consistency purposes, which brings us to the concept of Corporate Risk Management. Corporate risk management covers the entire administration and ensures that risk management processes are considered and handled as a whole.
2 Risk Management Standards
Administrations, while implementing risk management, take into account the following standards.
RM Box 2 Risk Management Standards
(Box figure, recovered labels: the internal control components Information & Communication, Monitoring, Control Activities, Risk Management and Control Environment.)
Standard 5: Planning and Programming. The administrations shall establish and announce their activities, goals, objectives and indicators, as well as the plans and programs including the resources which are required for the realization of the above listed elements. They shall also ensure that the activities are in compliance with plans and programs.
Standard 6: Determination and assessment of risks. The administrations shall define and assess the internal and external risks that could prevent the achievement of goals and objectives by performing a systematic analysis, and determine the measures to be taken.
3 Benefits of Risk Management for Administrations
The following are the important benefits of a properly applied risk management in corporate terms:
- Helps improve the performance of administrations and assists administrations in attaining their aims and objectives.
- Helps provide the continuity of the services the administration provides and improve the quality of the activities the administration carries out.
- Ensures a cost-benefit balance between the risks identified and the controls applied, and therefore increases efficiency in resource allocation.
- Helps control the impacts of potential losses and decrease the costs of such losses.
- Ensures compliance with legislation and regulations.
- Helps strengthen decision-making mechanisms by supporting evidence- and risk-based decision making.
- Enhances accountability by supporting the clear definition of tasks, roles and responsibilities within the administration.
- Helps the administration have a more positive image in the eyes of public opinion.
4 Critical Achievement Factors for an Effective Risk Management
For administrations to obtain the expected benefits from risk management, the following are required:
- Ownership of the risk management process and determination of a risk strategy encouraging its implementation in accordance with the mission and vision.
- Establishment of the necessary mechanisms to have a single risk management language.
- Provision of sufficient information, guidance and advice regarding risk management.
- Simplicity, flexibility and practicality of risk management processes, and integrated planning and implementation with the other basic processes (strategic planning, performance management, human resources management, etc.).
- Supporting the assessments regarding risks with reliable evidence at all times.
- Systematic monitoring, reporting and evaluation of risk management processes.
- Increasing awareness within the administration that everyone has an important role to play in risk management, and that risk management should be fulfilled as an integral part of existing processes.
- Having an organisational communication strategy and proper and functional communication channels inside and outside the administration.
5 Risk Strategy and Policy Paper
Risk Strategy is the organisational approach defined for risk management and top-level policies, whereas the Risk Strategy and Policy Paper (RSPP) is the document in which this approach and these policies are set down in writing. The risk strategy sets out the administration's attitude towards risks and forms a framework for the risk management process. The RSPP of an administration is prepared by the Internal Control and Risk Steering Board (ICRSB) for the endorsement of the head of administration, and should be available to and known by all staff.
The organisational risk strategy should clearly set out the structures regarding the management and ownership of risks; how to address risks at the strategic level and at program and activity levels; the structures regarding communication, monitoring, assessment and getting assurance; the criteria for key risks; the risk register format; and the risk measurement criteria. Attention must be paid that the risk policies of the organisation comply with national-level policy papers.
The risk strategy must be set out to reflect the risk appetite of the administration at the strategic level. As risk appetite can change in time based on various conditions (for example, risk appetite may be low in periods of financial crisis), the risk strategy of the administration should be reviewed at least once a year and updated when deemed necessary. Box RM3 gives a basic explanation of risk appetite.
RM Box 3 Risk Appetite
Risk appetite is the amount of risk an administration is ready to take (tolerate/be exposed to) at any time, in accordance with its mission, vision and objectives. Risk appetite should be taken into consideration while preparing strategic plans.
Risk appetite is affected by the internal and external environment, people, business systems and policies. Within this framework, risk appetite should be set out with top-down guidance.
It is possible for the administration to set different appetite levels as long as the administration does not exceed its overall risk appetite limits.
Both taking too many risks and taking too few risks may lead to failure. Although a low risk appetite is considered to be a reliable management method, it may constrain the administration in terms of creativity, innovation and taking advantage of opportunities.
Another prerequisite in risk management is the existence of a common risk language. Producing this common language requires a joint terminology and mechanisms to disseminate it; otherwise it is not possible to build a strong common understanding for managing risks.
Corporate risk management requires a contribution from all employees. Ownership of the risk management process by the staff (identifying, addressing, responding to, reviewing and monitoring the risks) and treating it as a part of their jobs increases the effectiveness of corporate risk management.
For risk management to contribute to the achievement of objectives, to improve management quality and also to reduce costs, it should be embedded in the activities. Embedding risk management in the processes means that activities are carried out as a whole, including risk management.
Box RM4 gives details of the content of the Risk Strategy and Policy Paper.
RM Box 4 Risk Strategy and Policy Paper
The RSPP should include at least the following:
Aim of risk management
Risk appetite
Compliance with the legislation and binding policy papers
Risk methodology to be adopted
How to determine key risks (criteria)
Organisational structure and duties
Roles and contributions of the employees
Communication plan
6 TASKS, AUTHORITIES AND RESPONSIBILITIES
Good risk management is only possible if the administration is well organised. Clear definition of tasks, roles and responsibilities; awareness among staff of what is expected of them within the framework of the administration's policies and practices; and the existence of horizontal and vertical communication mechanisms, as well as mechanisms for communication outside the administration, are the requirements for a good control environment. The assignment of tasks, roles and responsibilities in risk management to appropriate, competent and authorised people provides a strong infrastructure for risk management in the administration. While it is necessary to define roles and responsibilities, all staff are responsible for risk management. Figure RM1 shows the structure of roles and responsibilities in risk management.
RM Figure 1 Tasks and Responsibilities in Risk Management
6.1 Head of Administration
This person is defined within the framework of Law No. 5018 on Public Financial Management and Control and is authorised and responsible for risk management at the highest level.
Regarding risk management, the Head of Administration:
Ensures the establishment of the strategy for the management of risks in accordance with the aims and objectives of the administration at the outset of each year, approves the Risk Strategy and Policy Paper (RSPP), which demonstrates how the strategy will be implemented, and notifies all staff of this in writing
In the RSPP, clearly defines all the tasks, roles and responsibilities and the necessary structures (for example the ICRSB) for risk management within the scope of this manual
Provides the Administrative Risk Coordinator (ARC) with the necessary support regarding risks to be jointly managed with other administrations
Ensures that proper mechanisms are established to provide for the necessary sensitivity and participation of the public and stakeholders regarding the management of risks
Sets out the strategic actions for the future in accordance with the considerations and recommendations of the ICRSB and the ARC
Receives assurance on risk management from the ICRSB and presents an assurance declaration to the Minister on whether the risks are managed effectively
Encourages the consistency of risk management processes
Reviews monitoring reports and encourages the effectiveness of risk management
Sets an example through his or her behaviour, particularly in strategic risk management
Encourages employees to identify risks
Shows leadership in risk management
6.2 Internal Control and Risk Steering Board (ICRSB)
The Board develops policies for the improvement of risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the units of the policies and procedures. On the advice of the ARC, the ICRSB designates a limited number of the risks submitted to it, those it deems significant, as the key risks, and reports to the Head of Administration periodically, or whenever it deems necessary, on whether these key risks are managed well.
Secretarial services for the Board are carried out by the Administrative Risk Coordinator (Head of the SDU). Whenever necessary, people with the relevant expertise from within or outside the administration can be invited to the meetings. The ICRSB has the authority to enforce the measures it determines regarding the following duties, with the approval of the Head of Administration.
Regarding risk management, the ICRSB carries out the following:
Preparing the Risk Strategy and Policy Paper (RSPP) of the administration, or annually reviewing the existing RSPP, and submitting it to the Head of Administration for approval
Defining policies for the establishment of a risk management culture
Ensuring that risks are consistently managed in the administration
Determining the critical strategic risks of the administration
Determining the risks of spending units which require joint management, and the related procedures and policies, and submitting them to the URCs for coordination purposes
Setting out the risks that require joint management with other administrations and ensuring that the necessary measures are taken for joint management by notifying the ARC
Meeting at least quarterly to consider whether the risk management processes in the administration work effectively, assessing the current status of risks and reporting on this to the Head of Administration
Ensuring that good practice cases are identified and disseminated more widely
6.3 Administrative Risk Coordinator
It is advisable that the Head of the SDU takes the role of Administrative Risk Coordinator. The ARC is a member of the ICRSB and is responsible to the Head of Administration for the consistency of the administration's risk management processes and their compliance with the standards.
Regarding risk management, the ARC:
Is responsible for the efficient operation and coordination of all risk processes in all units
Calls the relevant Unit Risk Coordinators (URCs) to a meeting at least once every three months
Prepares the Consolidated Risk Report (using the report form in this manual) on the basis of the reports submitted by the URCs and submits it to top management and the ICRSB on a quarterly basis; the report should include the ARC's own considerations on the key risks
Carries out the secretarial services of the ICRSB, including setting meeting agendas for the Board, keeping minutes of meetings and submitting decisions of the Board to the Head of Administration for approval
Discusses issues in common risk fields with the ARCs of other administrations and coordinates these within the administration
Provides technical support to the units on the administration's risk management
Identifies the needs of units regarding risk management and reports them to the ICRSB and the Head of Administration before each meeting
Sends feedback to the URCs regarding the opinions, advice and decisions of the ICRSB and takes the necessary precautions for the consistency of the administration's risk management processes
6.4 Unit Risk Coordinator
The Unit Risk Coordinator (URC) is the authorising officer or a person designated by the authorising officer. Regarding risk management, the URC:
Coordinates the identification of the unit's risks that may have an impact on the objectives of the administration and provides relevant guidance at the beginning of the year. The URC associates the risks identified with the activities of the sub-units, using their knowledge and expertise, and takes care that all important issues are addressed. Important risks included in the risk register are submitted to the ARC to be presented to the ICRSB for consideration
Reviews the risk registers and the relevant reports prepared at the periods set out by the administration (such as monthly, quarterly, semi-annually or annually) and reports them to the ARC
Monitors the risks managed and reported by the Sub-Unit Risk Coordinators (SURCs) at unit level, evaluates any changes to the risks or newly arising risks, and reports them to the ARC upon the approval of the unit director
Submits an assurance declaration to the ICRSB on whether the risks are managed effectively
Provides feedback to the SURCs regarding the opinions, advice and decisions of the ARC and the ICRSB
Determines training needs regarding risk management
6.5 Sub-Unit Risk Coordinator
The SURC is responsible for the coordination of risk management activities within the sub-units of the administration's units (where such sub-units exist or it is considered appropriate to manage the risks at this level) and is designated by the authorising officer. He or she is directly accountable to the URC regarding risk management. Sub-unit risk coordinators must be selected from among those who have sufficient competence and experience.
Regarding risk management, the SURC:
Coordinates the tasks of identifying, assessing, addressing, reviewing and reporting the sub-unit's risks that are associated with the objectives of the administration
Reports, in line with the administration's risk strategy, the newly identified risks related to the activities of the sub-unit, the risks whose scores have changed, and the effectiveness of the controls carried out to reduce these risks to the Unit Risk Coordinator (URC) at the periods determined by the URC
Is accountable to the URC and is also responsible for providing the Administrative Risk Coordinator (ARC) with requested information and documents
6.6 Employees
The most important factor for risk management to be successful is ownership of risk management by employees. Therefore every employee is responsible for managing the risks in their field of duty (identifying, assessing, responding to, reviewing and reporting risks).
Regarding risk management, employees:
Contribute to the risk management processes in their respective units by defining, communicating and responding to expected, emerging and changing risks
Manage the risks within their own fields of responsibility through the power and responsibility assigned to them by the administration
Provide evidence to the SURC/URC regarding the effectiveness of the management of risks in their respective fields
Employees should not hesitate to identify risks and submit them to the relevant risk coordinator. It is important to bear in mind that just one loose screw could cause a plane crash.
6.7 Internal Auditor
The Internal Auditor provides the Head of Administration with advice regarding risk management by evaluating whether the risk management process is effective and whether risks are managed in the right way. Internal Audit can also advise on whether any key risks have been overlooked or inappropriately controlled.
6.8 Strategy Development Unit
The Strategy Development Unit (SDU) is responsible for identifying training needs, providing training and facilitating the delivery of the necessary training. It is also responsible for identifying best practice in risk management, encouraging such practice to be shared and providing guidance where necessary.
6.9 Central Harmonisation Unit
The Central Harmonisation Unit (CHU) carries out activities such as making regulations on internal control, including risk management, and activities for the development of risk management. The CHU also provides guidance, ensures harmonisation and inter-administration coordination, and reports on the effectiveness of risk management.
7 RISK MANAGEMENT PROCESS
Basically, the risk management process should start simultaneously [1] with strategic planning studies. When strategic plans have to be renewed or amended, the work on risks should be carried out with the current amendments in mind. Within the framework of the risks identified in light of the strategic objectives, the administration's attitude towards risk management is set out in the Risk Strategy and Policy Paper, including information on risk appetite. Within this framework, administrations identify risks at strategic, programme/project and operational (activity) level. In identifying risks, an administration can start at strategic level (top-down) or at activity level (bottom-up), or it can start the risk management process by applying both methods together.
Figure RM2 shows the risk management process.
[1] If strategic plans have already been prepared, the risk management process should begin as soon as possible.
RM Figure 2 Risk Management process (figure elements: Risk Management strategy; Identification of risks; Assessment of risks; Responding to risks; Monitoring and reviewing risks)
The administration should manage the risks at strategic, programme and operational level, as shown in Figure RM3.
RM Figure 3 Hierarchy of Risk
Administration level: This is the area which covers the whole administration, where decisions related to strategic objectives are made and for which the senior management of the administration is responsible. Strategic objectives are medium- and long-term objectives and are associated with senior-level policy documents. Therefore, while making decisions for the future, decision-makers (top management) have to take into consideration many uncertainties. This is the area where risks have the highest impact. It is also the area most affected by external risks such as governmental policies, the general economy and technological developments. This area assumes specific importance as risks which are not managed well at strategic level affect the other levels as well.
Unit level: This refers to the units where the policies of senior management are implemented and which bear the highest level of responsibility for the use of public resources within the administration. The impacts of these risks last for a shorter period of time compared to those of the strategic risks. This is the area where units should identify their objectives and manage the related risks in order for the administration to achieve its strategic objectives. This area is affected by risks both from inside and from outside the administration. For risks from the upper and lower levels to be assessed and coordinated, it is vital that this level be managed well. There should also be strong communication in this area.
Sub-unit level: This area contains only the work carried out at operational level with a view to achieving the unit's objectives. The daily activities of all employees fall within the scope of this area. This is the area where short-term decisions are made, products and services are produced and fewer uncertainties are experienced. This area is affected more by internal risks than by external risks. Risks not being managed well at this level may affect the achievement of strategic objectives.
7.1 Identifying Risks
The risk identification process, which is the first stage of risk management, is the process of identifying, categorising and updating the risks that prevent or limit the achievement of the administration's strategic objectives, using previously defined methods. The following box suggests some questions to be considered when starting to identify risks.
RM Box 5 Questions to be considered when starting to identify risks
What are the main objectives
What are the key activities
Who are the stakeholders
The following should be considered while identifying risks:
As a generally accepted rule, strategic risks that can affect the administration are determined at the stage of strategic plan preparation, and the risks identified are included in the strategic plan
Risks should also be identified at programme and operational level. Programme and operational risks should include all the strategic risks. However, when identifying programme and operational risks the scope should not be limited to the strategic risks but should cover a wider spectrum
When identifying risks, the administration can use a top-down or a bottom-up method, preferably both at the same time
Risks identified should be associated with the objectives of the administration. It must be taken into consideration that some risks can indirectly affect the objectives, such as those which damage the reputation of the administration
Risks should be identified systematically with previously determined methods. These methods can vary according to the characteristics of the administration and its activities. In this process the administration can either use one or more of the methods defined below or develop a new method in line with its own needs
Risks identified should be expressed as 'x' risk or the risk that 'x may emerge'. It is convenient to register them this way in the risk register (see Annex 3 for the risk register form)
Assess whether the risks identified are internal or external risks
o Internal risks are the risks stemming from events directly controlled by the administration itself. Internal risks can be grouped into three: strategic risks, programme risks and activity risks
o External risks, on the other hand, are the uncertainties arising from events that are outside the control of the administration and which hamper or prevent the achievement of objectives. While identifying external risks it is useful to classify them by subject (generally PESTLE analysis is used, see Box RM7)
After risks are identified, their owner or the person responsible for them must be defined, and this information must be included in the risk register
Since risk identification is a dynamic process, emerging risks should be identified and changes to the existing risks should be consistently followed up
How do I identify risks?
Firstly, decide how to identify the risks, namely at strategic level, operational level or both
Identify and categorise the risks (social, cultural, political, scientific etc), taking into consideration the threats, the opportunities and the scope
Decide on the required human resources, tools and methods
Mostly the following methods are used to identify risks; however, administrations can determine methods other than these in light of their needs
o PESTLE analysis (see Box RM7)
o SWOT analysis (see Box RM7)
o Brainstorming (this method can be used both for identification and assessment, see Annex 1)
Group risks as internal and external ones
Make a stakeholder analysis (identify the risk tolerance, position and attitude of the stakeholders)
Repeat the identification regularly and in periods of change
RM Box 6 Factors and methods to be taken into consideration during the process of identifying risks
The following box explains the PESTLE and SWOT analysis.
PESTLE Analysis: PESTLE analysis is the identification of risks by making assessments based on the following categories:
Political
Economic
Social
Technological
Legal
Environmental
Example
o Political: change of governmental priorities
o Economic: inflation rate going above the expected levels
o Social: population growth rate going much above the expected levels
o Technological: information processing infrastructure not being set up
o Legal: court cases turning against the administration
o Environmental: an earthquake strike
SWOT Analysis (In-house analysis)
Strengths
Weaknesses
Opportunities
Threats
Example
Strengths: specialised personnel
Weaknesses: old technology
Opportunities: economic growth
Threats: sudden policy change
For detailed information refer to Strategic Planning Guideline for Public Administrations, SPO, June 2009.
RM Box 7 PESTLE and SWOT analysis
The following two boxes give some tips for the process of risk identification and some questions to ask.
What are the tips?
Whether information regarding the risks is available, and if so how accurate it is, should be taken into consideration
A working group including different fields of expertise increases the likelihood of identifying new risks
Using the brainstorming method yields effective results (see Annex 1)
Having open communication lines and acting farsightedly are the key points
RM Box 8 Tips for Risk Identification
What could go wrong in the achievement of objectives
What are the critical achievement factors
Who are our stakeholders and what can their negative or positive impacts be on our activities
What are our risk categories (tables, diagrams etc)
What are our weaknesses
Which assets are of more critical importance
What areas are open to irregularities and fraud
Which events or situations can hamper our activities
What are our most critical sources of information
In which areas do we spend most
Which activities or processes are more complicated
In which areas are we subject to penal sanctions
What are the legal requirements
What are the resource limitations
RM Box 9 Questions to ask in the process of risk identification
7.2 Risk Assessment
Risk assessment refers to analysing the factors that may have an impact on the achievement of the administration's objectives and evaluating the seriousness of each risk in terms of impact and probability. While assessing risks, in addition to the potential events the administration may face, aspects specific to the administration (for example its size, the complexity of its activities, the legislation its activities are subject to, its political priorities and the public interest) should be considered.
After risks are identified comes the stage where the risks are measured and prioritised. Prioritisation is listing the risks in order of priority according to the scores they are given. Risk assessment helps decide whether to respond to the identified risks and, if so, to select the best response with regard to the cost/benefit balance.
The following box gives some questions to be considered before starting the risk assessment process.
RM Box 10 Questions to be considered before starting the risk assessment process
What are the objectives
What are the present controls
What are the possible results if the risk occurs
Do the activities of other administrations/units affect my risk
Who are the stakeholders and what is their level of experience and expertise
Three important principles in risk assessment are:
1 Identifying the impact and probability of each risk. In assessment, probability and impact are analysed. Probability refers to the chance of an event occurring in a particular period; impact is the outcome or effect produced.
Three categories are used while assessing risks: low risk level (shown in green), medium risk level (shown in yellow) and high risk level (shown in red). These colours, as in traffic lights, make the degree of importance of the risks easy to understand. They are shown in the following diagram.
The probability and impact of risks can also be expressed as numbers. In the following diagram, a score of 1 indicates that there is almost no probability of the risk occurring, while a score of 10 means that it is almost certain to occur. In terms of impact, a score of 1 is used where the outcome of the realisation of a risk has little importance, whereas a score of 10 means that the outcome is highly important. Risks are scored between 1 and 10 for both probability and impact (see Annex 5). One of the methods that can be used for assessing the impacts and probabilities of risks is the voting method (see Annex 2).
Risk maps are used to see the severity of the risks more clearly. A basic presentation of risks on the risk map is given in the following diagram.
RM Figure 3 Risk map
2 Assessing the risks on the basis of inherent risks and residual risks
Inherent risk refers to the amount of risk before it is managed or any action is taken. These inherent risks are transferred to the risk register (see Annex 3 for the Risk Register form) after assessing their probability and impact. In assessment, as suggested above, the probability and the impact of the risk are each scored between 1 and 10. The product of the probability and impact scores gives the risk score.
At this stage the administration must decide on its risk appetite. It must also set out which score ranges correspond to low, medium and high risks, in accordance with the designated risk strategy of the administration, and the administration's risk map must be produced within this framework (see Figure RM3 Risk map).
After the risk score has been set, the risks are prioritised starting from the one with the highest score. The responses to be given to the risks are then determined. Controls are identified and applied in line with the chosen methods of responding to risks.
Management must identify the level of risk remaining after the control activities it carries out to manage the risk. Residual risk refers to the risk remaining after action has been taken to mitigate the probability and impact of a risk. If the level of residual risk is still higher than the risk appetite, the efficiency and adequacy of the present control activities must be questioned and, if deemed necessary, the responses to the risks must be reviewed. The following box gives an example of inherent and residual risk.
RM Box 11 Example of inherent and residual risk
Activity: using a car
Inherent risk: having an accident because you are inexperienced
Control action: getting a licence, taking driving courses
Residual risk: another inexperienced driver crashing into your car
3 Recording the risks
Recording the risks contributes to the prioritisation of the risks, and therefore to the efficient allocation of resources and to the production of evidence for the decisions taken; it helps people understand their responsibility within risk management; it facilitates the acquisition and communication of information to the right people at the right time via the reporting mechanism; and it enables the reviewing and monitoring of the risk.
Risk records are reported in two stages: the Risk Register (see Annex 3), used in the identification and registration of risks, and the Consolidated Risk Report (see Annex 4), used for reporting risks to senior managers (see Annex 7 for an example of a completed Risk Register).
The following box gives some tips for the risk assessment process.
RM Box 12 Tips for risk assessment
Measure the impacts and probabilities of the risks identified for a particular period of time
While determining the impact score, assess the impact the risk will have on the objective that is foreseen to be hampered
Utilise proper methods in the assessment
Bear in mind that the risk assessment of a job can best be made by the person who does that job
Note that the activities of other administrations/units can have impacts on your risks, and risks are not independent of each other
Utilise tables such as risk maps to be able to see all the risks together
Prioritise risks in line with the risk scores (Impact x Probability)
RM Box 13 Example of the Risk Assessment process
You are going to deliver training on your subject of expertise.
Your objective: the audience understands the subject you explain.
You identify your risks:
Risk 1: As you arrive late, you may not have sufficient time to deliver the training.
Risk 2: You may deliver your presentation using an inappropriate approach, as you do not know who the audience is.
Risk 3: You may have difficulty in supporting what you explain, as you don't have the soft copy of the presentation.
Let's see the likelihood of Risks 1, 2 and 3 and how they would affect your objective if they occur.
Risk 1
Likelihood: The traffic would be bad at that hour. In addition, you have a lot of other things to do that day. Likelihood: 7
Impact: You may arrive late, but you know the subject very well. Even if you deliver it in a very short time it would still be understandable for the audience. The impact of arriving late on your objective is 3.
Risk Score: 7 x 3 = 21
Risk 2
Likelihood: In the letter you have been told what the subject is but not who the audience is, and you don't have the chance to ring someone and find out. Likelihood: 5
Impact: If you are delivering the training to experts who already know the issue, you go into details, but if your audience is made up of people who don't know anything about it, you only draw the general framework. If you cannot learn who the audience is and you deliver the training in detail while the audience is unaware of the subject, they would not understand; if you give little information to people who already know about it, they would not learn anything new. The impact of using the wrong approach in the delivery is 9.
Risk Score: 5 x 9 = 45
Risk 3
Likelihood: You generally carry your computer around. You also have the habit of carrying your pen drive in your bag after saving your work on it. Likelihood: 2
Impact: Even if you don't project the presentation on the screen, you know the subject very well. You could still deliver it effectively to the audience. The impact of not having the soft copy with you on your objective is 3.
Risk Score: 2 x 3 = 6
As shown in the risk map (rows: Impact 10 to 1; columns: Likelihood 1 to 10; each cell is Impact x Likelihood):
Impact
10 | 10 20 30 40 50 60 70 80 90 100
 9 |  9 18 27 36 45 54 63 72 81  90
 8 |  8 16 24 32 40 48 56 64 72  80
 7 |  7 14 21 28 35 42 49 56 63  70
 6 |  6 12 18 24 30 36 42 48 54  60
 5 |  5 10 15 20 25 30 35 40 45  50
 4 |  4  8 12 16 20 24 28 32 36  40
 3 |  3  6  9 12 15 18 21 24 27  30
 2 |  2  4  6  8 10 12 14 16 18  20
 1 |  1  2  3  4  5  6  7  8  9  10
   +--------------------------------
      1  2  3  4  5  6  7  8  9  10
Likelihood
Prioritisation
1 Risk 2 (Risk Score 45)
2 Risk 1 (Risk Score 21)
3 Risk 3 (Risk Score 6)
(Note that risks are not always assessed only according to their scores. Some strategic risks should be taken into consideration even if they have a low score. Emergency precautions/plans should be available, as you cannot always foresee what will happen. Your plans should be flexible, so that you are able to handle the situation when something unexpected emerges.)
7.3 Responding to Risks
Responding to risks refers to setting out the responses to the risks identified and assessed, within the risk appetite of the public administration, and mitigating the potential threats or taking the arising opportunities. Before deciding on the method of responding to a risk, a cost/benefit analysis must be carried out. The objective of responding to risks is to mitigate the likelihood of the risk and its impact and to achieve the foreseen objective in the most efficient manner.
RM Box 14 Questions to consider in responding to risks
What is the level of risk
What happens if no response is given to the risk
Which risks must be controlled
Which risks can be transferred
What are the consequences of resorting to risk aversion as a public administration
Is the opportunity good enough to take the risk
The following figure shows, within the framework of risk appetite, how inherent risk turns into residual risk as a result of responses (controls, actions) (also see Box RM3 Risk Appetite).
RM Figure 4 Risk Indication Table
(OGC's Risk Dashboard from HM Treasury's publication Thinking about Risk)
Figure RM4 demonstrates the following:
Columns 1 and 5: Control activities successfully decrease the inherent risk so that the remaining risk, called the "residual risk", is reduced to the same level as the risk appetite. Such points, where the risk appetite and residual risk of an administration coincide, are the ideal situation in terms of risk management (cost-effectiveness).
Columns 2, 3 and 4: Control activities decreased the risk; however, the residual risk is still higher than the risk appetite (tolerable level). This shows that the effectiveness and adequacy of the controls implemented should be questioned and more control activities should be implemented.
In column 6, as the inherent risk is equal to the risk appetite, the risk is tolerable. However, these risks should be monitored just like the other risks because they may change.
In column 7, on the other hand, control activities decreased the residual risk below the risk appetite. This shows that more controls than necessary are implemented and resources are not used efficiently. In such over-control cases, control activities should be reduced to a level at which the residual risk is equal to the risk appetite.
There are four methods of responding to risk; they are shown in the following diagram (Figure RM 5).
RM Figure 5 Methods of responding to risk: Tolerating, Treating, Transferring, Avoiding
Tolerating: This is a passive method of response to risks which public administrations are comfortable to undertake. Risks can be accepted in the following cases:
- If the inherent risk is within the limits of the risk appetite, it is accepted.
- When it is understood that the cost of the actions to be taken (controlling, transferring or avoiding) for an intolerable risk would exceed the potential impact of the risk, the risk is accepted.
- Some risks are outside the control of management. Certain risks do not disappear unless the activity is terminated, whereas terminating an activity is not always possible or desirable.
Treating: This is a method of response to a risk by means of control activities carried out with a view to keeping risks at a tolerable level (risk appetite) in public administrations. This method can be applied using the following five controls:
- Preventive Controls
- Corrective Controls
- Directive Controls
- Detective Controls
- Emergency Plans
For detailed information refer to the Control Activities chapter.
Transferring: This is the response given to risks by taking some of them away from the responsibility of the administration and transferring them to others. (Even if the risks are transferred, the responsibility cannot be transferred, and they need to be managed under the control of the administration, because it is the administration that will be affected when the risks are realised.)
Risk transfer is carried out using the following methods:
- Completely or partly transferring the activity to another administration
- Transferring its operation to third parties using a procurement method
- Transferring it by means of insurance (when appropriate)
Avoiding: If the risk we have to take is too big to manage and there are alternatives to the activity performed, it is possible to terminate this activity. For example, deciding not to build a factory which is expected to cause too much air pollution, or deciding not to purchase the computers that were planned to be purchased because of a budget cut.
The following box summarises the process of responding to risk.
Box RM 15 Process of responding to risk
- List the threats and opportunities according to the analysis results.
- Define your attitude considering the content of the risk:
  o Tolerate
  o Control
  o Transfer
  o Avoid
- Ensure that the benefit the response will provide is higher than the cost it will bring.
While managing risks, the opportunities they bring along should also be taken into consideration. Alongside negative impacts, risks can also lead to opportunities. In order to take these opportunities, which would make an additional contribution to the achievement of the administration's objectives, the administration must have designated strategies. Taking the opportunity is not an alternative method of responding to risks; rather, it is a method to be applied additionally.
Opportunities are taken in the following cases:
- When taking the opportunity and reducing the threat coincide. For example, carrying out health and scientific research to find a cure for a disease (the disease threat will decrease and, at the same time, the opportunity will emerge that costs decrease as fewer people go to hospital).
- When opportunities emerge before the negative event occurs. For example, using a new technology to be able to work better, or reaching a greater number of people via e-government (e-state) services.
The following box gives some tips for use when responding to risk.
RM Box 16 Tips for responding to risk
- Prioritising risks helps decide which risk to respond to first.
- As a public administration, while determining the responses to be given to risks, the recipients of the services and the impacts on them must be considered.
- Stay away from over-control measures while responding to risks. Over-control harms the efficiency of the administration as much as insufficient controls do.
- The possibility that acting in coordination with other administrations in responding to risks may be more efficient must be considered.
The following box gives an example of the process of responding to risk.
RM Box 17 Example of the process of responding to risk
Your organisation has decided to buy a new IT system. You identify your risks:
Risk 1: The new system has inadequate response times.
Risk 2: Data is not transferred accurately from the old IT system to the new system.
Risk 3: You do not have the capability to operate the new IT system.
Risk 4: The new IT system does not work.
What responses can you give to these risks?
Risk 1
Tolerate: You have been assured that the new system has a five second response time, which is similar to the current system, so you decide that it does not need to be quicker.
Risk 2
Treat: You need to introduce controls to make sure that data is transferred accurately.
- Preventive controls: Testing is done on the new IT system before it is introduced, to ensure that data is not corrupted on transfer.
- Corrective controls: Testing is done comparing data transferred from the old system to the data on the new system. This control activity corrects the errors.
- Directive controls: Requirement that IT staff working on developing the new system have adequate skills and experience.
- Detective controls: Testing is done after one year of operating the new system to see if standing data transferred from the old system is accurate.
- Emergency plan: You should make sure that you can revert to using the old system in the event that the new system does not have properly transferred data.
Risk 3
Transfer: You outsource the running of the new system to another organisation which has the relevant expertise.
Risk 4
Avoid: If it is detected during testing that the new IT system is not working, you stop buying this system and search for an alternative IT system.
Take the opportunity: Your new IT system allows you to operate more efficiently, freeing up staff time to do other activities.
7.4 Reviewing Risks
Risks can change in terms of their impact and likelihood due to changing conditions or measures taken. Furthermore, new risk areas may form due to changing conditions. Therefore, all aspects of the risks identified and of the risk management process should be reviewed at least on a regular basis. Reviews can be carried out at frequencies set by the administration according to the level of importance of the risks.
In the event that extraordinary developments take place which have a serious impact on the risks, the Administrative Risk Coordinator (ARC), upon the spoken or written instruction of the head of administration, organises an emergency meeting of the Internal Control and Risk Steering Board to assess the risks. Natural disasters, economic crises and early election resolutions are examples of extraordinary developments.
Reviewing the risks and reviewing the risk management process are two different processes, and the fact that one of them is carried out does not necessarily mean that the other is carried out as well. Whereas each risk is reviewed by its respective owner, the risk management process is reviewed by the Head of Administration and/or the ARC. Reviewing risks regularly provides flexibility in adapting to changing conditions.
Risks are reviewed as follows:
- Whether risks still exist, whether new risks have arisen, and whether the likelihood or impact of a risk has changed is reviewed.
- Priority should be given to key risks (those with the highest probability and impact) during a review. Other risks should be reviewed later.
- While reviewing strategic risks, first and foremost amended policy papers (if any), developments in other countries, the expectations of the public for that period, Internal Audit Reports, Inspection Reports, External Audit Reports and other relevant reports and documents should be considered.
- In the light of the developments, if there have been any changes to the risk profile, the risk register of the administration/unit/sub-unit must be reviewed.
- The change must be communicated to the risk coordinator at the next senior level within five working days.
- By reviewing the prioritisation of the key/main risks, the assessment results should be submitted within five working days by the ARC to the ICRSB in a revised Risk Report. The results of the assessment are discussed by the ICRSB and the report is then submitted to the Head of Administration by the ARC.
- The conclusion and evaluation part of the report must include remarks on whether the risk management process provides the necessary assurance and whether new measures are needed:
  o Do we give reasonable assurance on the successful management of risks?
  o Do we give reasonable assurance on the effective implementation of the control activities?
The process of reviewing risks is summarised in Box RM 18 and questions to consider are listed in Box RM 19.
RM Box 18 Process for reviewing risk
- Set out a review period depending on the characteristics of the activity.
- Review the most critical risks frequently.
- During the review, assess the probability and impact of the risks for that period.
- Decide whether the risk is still a threat.
- Identify whether new risks have arisen for that period.
- The condition of the control activities must be reviewed according to the change in the risk. It would be appropriate to eliminate an activity which has become pointless because the risk has disappeared.
- Record the identified findings in the risk register.
- Report the risks at every level.
- Changes regarding the risks are reflected in the risk register; however, in emergencies the managers must be informed as soon as possible.
RM Box 19 Questions to consider in the risk review process
- What are the changes in the environmental conditions?
- What changes impact on the operation of the activity?
- How do the changes affect the administration?
- Are the present controls sufficient to address the changing situation?
- Is there sufficient evidence that the controls are effective?
- It would be useful to take into consideration the policy papers of the government and the administration while assessing risks.
7.5 Communication and Reporting
Communication, within the context of risk management, refers to the accurate and timely conveyance of the right information to the relevant people through various mechanisms. Communication is a vital process which needs to be applied effectively in all phases of risk management.
The following are important to communicate:
- The administration's objectives, policies and procedures
- The risk management strategy
- The numbering system in the risk assessment stage and the measurement mechanisms
- Which controls are convenient in responding to risks
- How well risks are managed, when reviewing risks
It is important to bear in mind that this vertical and horizontal communication is mutual (communication and feedback).
To ensure effective communication, the issues in Box RM 20 should be considered.
RM Box 20 Issues for effective communication
- Who will communicate with whom, in which format?
- Who is responsible to whom, about what?
- How should communication with higher levels work?
- How does communication with the Minister work?
- Who will communicate what information to which levels?
- How is the accuracy of information ensured?
- The expectations of top management from employees regarding risk management should be clearly defined and conveyed to all employees.
In addition to internal communication, efficient communication lines are needed with partners, where the services provided require partnerships, and with the citizens or NGOs who are affected directly or indirectly by the services provided by the administration. Therefore, while the administration is producing its Risk Strategy and Policy Paper, it should prepare an efficient communication plan which regulates internal and external communication, and share it with all stakeholders.
Reporting has a direct impact on decision-making processes in risk management. Reports should be as short and accurate as possible and demonstrate the evidence supporting the evaluations; they should be relevant and submitted to the relevant people where necessary. Reporting must be carried out within the administration both vertically and horizontally. It should be explicitly set out who reports to whom, and with what frequency, in the risk management process. Reporting will be done in the forms determined by administrations and in pre-determined periods, using at least the information contained in the forms shown in the Annex to this Manual. When deemed necessary, administrations can develop forms other than those contained in the Manual.
Within the scope of this chapter of the manual, Risk Management can be demonstrated via the following diagram.
RM Figure 6 Risk Management Process
[Diagram: inputs are the Administration's Mission, the Strategic Plan and Performance Programme/Budget, and the Annual Management Plan (Activities, Processes, Projects). Risk Assessment (Identify; Measure (impact x probability); Prioritise) feeds the Risk Register and the Control Activities (Tolerate, Control, Transfer, Avoid; Take the opportunities) at Operational Level, Unit Level and Administration Level, in the cycle Assess, Manage, Monitor, with Monitoring and Evaluation running alongside.]
7.6 Learning
Learning needs to be enriched through systematic training tools and disseminated to the target groups using the most effective method. Depending on the target group, methods such as conferences, seminars, workshops, trainings, hands-on trainings, internships, exchanging information via various communication channels and sharing best practices, failures or mistakes facilitate learning the risk management processes and establish a basis for risk management practices in the corporate sense.
Addressing risks largely depends on experience. Previous experiences, and making everyone aware of successful and unsuccessful practices via a strong communication network, facilitate more effective and faster addressing of risks. In particular, conveying the positive and negative experiences about emerging risks and the methods of handling them to the stakeholders, and learning what could go wrong, can only be ensured if a method that focuses on learning from mistakes is adopted and learning experiences are shared. Therefore, it is useful to use the peer review method within the administration. In this method, units learn how others at the same hierarchical level manage risks, and they can adopt good practice examples in their own units.
Sharing risk management experiences with external stakeholders, especially organisations experienced in this field, could not only help administrations develop new methods but also ensure a more efficient use of risk management resources.
RISK MANAGEMENT ANNEXES
ANNEX 1 Using the brainstorming method to identify, assess and record risks
Step 1
Collect together in the same room all members of the Unit or Sub-Unit, or all staff who work on a project or on a business process. Identify an appropriate facilitator (see Box RM 21) to guide the brainstorming workshop. Brainstorming is most effective if it is facilitated by an independent person who has experience of facilitating brainstorming.
(Note: this can also be done by collecting all senior managers in an Administration to brainstorm strategic risks.)
Requirement for Step 1: all attendees of the brainstorming should be fully familiar with the Sub-Unit, Unit, project/business process or Administration respectively.
RM Box 21 Role of the facilitator
- Encourage the workshop attendees to all participate in identifying risks.
- Watch out for duplication of similar risks (if two risks are very similar, consider amalgamating them).
- Ensure that all attendees vote on the impact and likelihood of the identified risks.
- Encourage attendees to challenge each other's scores, defend their own, or change them if they think it appropriate.
- Ensure that the risk scores are accurately entered in the spreadsheet and prioritised.
- Action plan the response to risks, starting with the highest priority.
- For each response, ensure responsibility is allocated to a named individual.
- Ensure for each response that a review and reporting date (an exact date) is identified.
Step 2
Once all brainstorming attendees are assembled as per Step 1, first clarify what the objectives of the Sub-Unit, Unit, project/business process or Administration respectively are. These may be included in the strategic plan or, for sub-units, may not previously have been identified. Think widely: are there other objectives that are not included? All attendees should agree that these are the objectives before proceeding to Step 3.
Step 3
All attendees should brainstorm: what are the risks to the achievement of each of the objectives identified in Step 2? This can be done as one group or, for larger brainstorming sessions, in pairs or sub-groups. Risks identified by the brainstorming should be recorded in the risk voting form in Annex 2 (columns 3, 4 and 5), clarifying which objective(s) might not be achieved if the risk happens.
Step 4
Once all risks are identified, all brainstorming participants should vote on what they think the likelihood and impact of each risk are, using the guidance for scoring in the risk management chapter of this manual. These votes should be recorded on the risk voting form. The number of the related columns (columns 6, 7, 8 and 10, 11, 12) can be increased in line with the number of participants. (For scoring impacts and probabilities see Annex 5, Risk Assessment Criteria Table.)
Step 5
Once initial votes are recorded on the risk voting form, where there are large variations between the highest and lowest score for likelihood and/or impact for a particular risk, the individual(s) who gave the highest score should first justify why they gave the high score and try to convince the others to increase their score. The individual(s) who gave the lowest score should then justify why they gave the low score and try to convince the others to decrease their score. After these justifications have been given, all who were convinced by any of the justifications should be given an opportunity to change their score.
Step 6
The risks identified should be listed in decreasing order of the product (Column 14) of the average impact (Column 9) and the average probability score (Column 13) from the brainstorming. The participants should be asked if the result is what they expected: does what they considered to be their most significant risk have the highest score? If not, look at the voting again and consider whether it needs to be changed.
Step 7
Once brainstorming participants are satisfied with the prioritisation of the risks, complete the other columns of the risk register (Annex 3), starting with the highest priority risk.
Step 8
If the risk written in column 5 of the Risk Register arises from an event which will occur at a particular date (e.g. elections), column 6 of the Risk Register, the time frame column, can be completed by writing how long before that date the risk is expected to materialise (e.g. a month, three months, etc.). The column can be left blank if timing is not important.
Step 9
When identifying control activities, consider whether the risk level is within the risk appetite for that particular risk or not, and what control(s) would be most cost-effective and would best mitigate the risk by reducing the impact and/or the likelihood of the risk materialising. Also consider what the existing controls are, whether they are currently effective, and whether they can be improved or whether it would be more cost-effective to introduce new additional control(s) in addition to, or instead of, the existing control(s). Complete the related columns (columns 11 and 12 in the Risk Register) in line with the explanations in the table.
Step 10
The form will have been fully completed when the other columns are completed, taking into consideration the instructions in the Risk Register form.
The following box gives some suggestions for ground rules for brainstorming.
RM Box 22 Suggested ground rules for brainstorming
- There is no such thing as a bad idea.
- One person speaks at a time.
- Active participation.
- Keep to the timetable.
- The facilitator is in charge (if there is one).
- Open discussion, but no personal criticism.
ANNEX 2 Risk Voting Form. This form is used to calculate the risk score after risks are identified.
ANNEX 3 Risk Register. This is a form used to report the status after risks identified at administration/unit/sub-unit level are recorded.
RISK REGISTER
Administration/Unit/Sub-unit: ............
Date: ____ 20__
Column headings (1 to 14): 1 Serial no; 2 Reference no; 3 Strategic Objective; 4 Unit's Objective; 5 Risk Identified (Risk / Reason); 6 Time frame; 7 Probability; 8 Impact; 9 Risk score (R), with the bands 45-100, 9-44 and 1-8 printed on the form; 10 Change (Direction of risk); 11 Current/New/Additional control activities; 12 Starting date; 13 Risk owner; 14 Monitoring and Reporting.
Columns
1 Serial no: shows the sequence in the risk register.
2 Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist, and the same code is not given to another risk.
3 Strategic Objective: the column in which the code of the strategic objective related to the risk, as shown in the strategic plan, is written.
4 Unit's objective: if the risk register is completed at unit/sub-unit level, the objective of the unit which is directly or indirectly related to the strategic objectives of the administration and can be affected by the risk is written in this column; if the risk register is completed at administration level, this column is left blank.
5 Risk Identified: description of the risk. Reason: the reasons which cause the risk to occur.
6 Time frame: if the risk arises from an event which will occur at a particular date (e.g. elections), this column can be completed by writing how long before that date the risk is expected to materialise (e.g. a month, three months, etc.). The column can be left blank if timing is not important.
7 Probability: the probability value determined using the Risk Voting Form (Annex 2) (between 1 and 10). While determining this score, it may be useful to list the related control activities, actions taken and related regulations. In this way the probability that the risk will materialise notwithstanding the actions taken can be determined.
8 Impact: the impact value determined using the Risk Voting Form (Annex 2) (between 1 and 10). While determining this score, it may be useful to list the related control activities, actions taken and related regulations. In this way what the impact of the risk will be if it happens, notwithstanding the actions taken, can be determined.
9 Risk Score (R = I x P): the risk score determined by multiplying the probability and impact scores in the Risk Voting Form (Annex 2) (between 1 and 100). See below for an explanation of the colours to use.
10 Change (Direction of risk): the column in which the change in the status of the risk is shown in the light of the previous risk register. According to the administration's preference it can be shown in writing (up/down/stable) or by means of direction signs. If there is no previous risk register, it is stated as "New".
11 Current/New/Additional control activities: current control activities are written in this column. It is assessed whether these activities are still needed; if not, they are removed. It is also assessed whether the current control activities are appropriate or sufficient. If the calculated risk score is above the desired level, taking into consideration the current control activities, then the new or additional control activities which are planned are written in this column.
12 Starting date: the exact date on which the new/additional control activities will start to be implemented.
13 Risk owner: the person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, monitors, keeps records of achievements and failures regarding control activities, and ensures that evidence showing that the risk is managed is kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.
14 Monitoring and Reporting: when to review the risk and to whom to report it are written in this column.
Colours
High risk (score 45-100)
Medium risk (score 9-44)
Low risk (score 1-8)
Insufficient information to assess the risk: it is included in the risk register and a risk owner is identified for collecting sufficient information.
Note: In the event that a new risk is identified during the year, the employee identifying the risk reports it to a senior manager. If the manager decides that this is a risk which needs to be managed, then the risk is registered in the risk register form and approved by the relevant manager.
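The arithmetic behind Annex 1 steps 4 to 6 (vote, average, multiply, prioritise), the colour bands printed on the Annex 3/4 forms, and the residual-risk-versus-appetite reading of RM Figure 4, as an added example that is not part of the manual or its forms. The sample votes, the reference numbers and the spread threshold used to flag a risk for the Step 5 discussion are constructed assumptions.

```python
"""Scoring helper for the Annex 2 risk voting form and the Annex 3 register.

Added example, not part of the manual: implements the arithmetic of Annex 1
steps 4-6 and the colour bands of the Annex 3/4 forms.  The spread threshold
that triggers the Step 5 discussion is an assumption, not a rule of the manual.
"""
from dataclasses import dataclass
from statistics import mean

# Colour bands from the Annex 3/4 forms: score = impact x probability, 1-100.
HIGH_FROM = 45          # 45-100: high risk
MEDIUM_FROM = 9         # 9-44: medium risk; 1-8: low risk
SPREAD_THRESHOLD = 4    # assumption: max-min vote gap that triggers Step 5


@dataclass
class RiskVote:
    """One row of the Annex 2 voting form; votes are 1-10 per participant."""
    reference: str            # reference number (column 2)
    description: str          # risk identified (column 5)
    impact_votes: list        # one vote per participant (columns 6, 7, 8, ...)
    probability_votes: list   # one vote per participant (columns 10, 11, 12, ...)


def validate_votes(votes):
    """Votes must use the 1-10 scale of Annex 5; reject anything else."""
    if not votes:
        raise ValueError("at least one vote is required")
    for v in votes:
        if not isinstance(v, int) or not 1 <= v <= 10:
            raise ValueError("vote %r is outside the 1-10 scale" % (v,))
    return list(votes)


def average_impact(risk):
    """Column 9: average of the impact votes."""
    return mean(validate_votes(risk.impact_votes))


def average_probability(risk):
    """Column 13: average of the probability votes."""
    return mean(validate_votes(risk.probability_votes))


def risk_score(risk):
    """Column 14: R = I x P computed from the averaged votes, 2 decimals."""
    return round(average_impact(risk) * average_probability(risk), 2)


def band_for(score):
    """Map a score to the register's colour band; None means 'unknown' (blue)."""
    if score is None:
        return "Unknown"
    if score >= HIGH_FROM:
        return "High"
    if score >= MEDIUM_FROM:
        return "Medium"
    return "Low"


def needs_discussion(risk, threshold=SPREAD_THRESHOLD):
    """Step 5: dimensions whose highest and lowest votes differ by the threshold or more."""
    flagged = []
    for name, votes in (("impact", risk.impact_votes),
                        ("probability", risk.probability_votes)):
        votes = validate_votes(votes)
        if max(votes) - min(votes) >= threshold:
            flagged.append(name)
    return flagged


def prioritise(risks):
    """Step 6: (reference, score, band) rows in decreasing order of score."""
    rows = [(r.reference, risk_score(r), band_for(risk_score(r))) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def residual_status(inherent, residual, appetite):
    """Classify a risk as in RM Figure 4 by comparing residual risk with appetite."""
    if inherent <= appetite:
        return "tolerable"          # column 6: inherent risk already within appetite
    if residual > appetite:
        return "under-controlled"   # columns 2-4: more or better controls needed
    if residual < appetite:
        return "over-controlled"    # column 7: controls exceed what appetite requires
    return "ideal"                  # columns 1 and 5: residual risk equals appetite


# Constructed sample: the four risks of RM Box 17 with made-up votes from three people.
SAMPLE_RISKS = [
    RiskVote("IT-1", "The new system has inadequate response times", [3, 4, 2], [2, 3, 4]),
    RiskVote("IT-2", "Data is not transferred accurately to the new system", [8, 9, 7], [8, 5, 2]),
    RiskVote("IT-3", "No capability to operate the new IT system", [4, 4, 4], [2, 2, 2]),
    RiskVote("IT-4", "The new IT system does not work", [10, 10, 9], [5, 5, 5]),
]

if __name__ == "__main__":
    for reference, score, band in prioritise(SAMPLE_RISKS):
        print(reference, score, band, needs_discussion(next(r for r in SAMPLE_RISKS if r.reference == reference)))
```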
ANNEX 4 Consolidated Risk Report
This is the form which enables the corporate risks of an administration to be submitted to senior management as a report of a few pages.
CONSOLIDATED REPORT
(Corporate Risks)
Administration/Unit/Sub-unit: ............ Date: ____ 20__
Column headings (1 to 8): 1 Serial No; 2 Reference No; 3 Strategic Objective; 4 Risk Identified; 5 Status: Previous risk score and colour (45-100, 9-44, 1-8); 6 Status: Current risk score and colour (45-100, 9-44, 1-8); 7 Risk Owner; 8 Explanation.
Columns
1 Serial no: shows the sequence in the risk register.
2 Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist, and the same code is not given to another risk.
3 Strategic Objective: the column in which the code of the strategic objective related to the risk, as shown in the strategic plan, is written.
4 Risk Identified: description of the risk.
5 Previous risk score and colour: shows the status of the risk in the previous Consolidated Risk Report.
6 Current risk score and colour: shows the status at the date of the report.
7 Risk owner: the person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, monitors, keeps records of achievements and failures regarding control activities, and ensures that evidence showing that the risk is managed is kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.
8 Explanation: information about the effectiveness of control activities and foresight for the future are given in the explanation section.
Colours
High risk (score 45-100)
Medium risk (score 9-44)
Low risk (score 1-8)
Insufficient information to assess the risk: it is included in the risk register and a risk owner is identified for collecting sufficient information.
ANNEX 5 Risk Assessment Criteria Table
For each value range the table gives the probability criterion and the impact criteria in four areas: Strategy, Activities, Financial, and Compliance with Legislation.

Values 10, 9, 8, 7: High
Probability: Risks which are almost certain to occur within 5 years. Taking into consideration the structure of the administration, they generally arise from policies and procedures. The wider the activity area of the administration, the more likely it is that the risky event occurs.
Impact, Strategy: Risks which can have a major impact on attaining strategic objectives. These are risks which are generally faced in the long term but can cause the administration to divert from its objectives if they occur.
Impact, Activities: Risks which cause the administration/unit/sub-unit not to provide the service it has to provide in an effective and efficient way belong in this category.
Impact, Financial: Risks which will cause heavy financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are above the acceptable level should be accepted as a high risk.
Impact, Compliance with Legislation: Risks which will cause a big obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation. Such risks can be seen in areas where the legislation is too complicated and unclear.

Values 6, 5, 4: Medium
Probability: Risks which are likely to occur within 5 years. These are generally risks that the administration/unit/sub-unit, or administrations with similar structures, have faced formerly.
Impact, Strategy: Risks which can have a certain level of impact on attaining strategic objectives.
Impact, Activities: Risks with a certain level of impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.
Impact, Financial: Risks which will cause a certain level of financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are within the acceptable level should be accepted as a medium risk.
Impact, Compliance with Legislation: Risks which will create a certain level of obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Values 3, 2, 1: Low
Probability: Risks with a low probability of occurrence within 5 years. These are generally risks that the administration/unit/department faces very rarely; risks with almost no likelihood of occurrence.
Impact, Strategy: Risks which can have the least impact on attaining strategic objectives. Their impacts are generally small and cover a limited area.
Impact, Activities: Risks with little impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.
Impact, Financial: Risks which will cause little financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are below the acceptable level should be accepted as a low risk.
Impact, Compliance with Legislation: Risks which will cause little obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Unknown
Probability: In case there is no idea about the likelihood of the risk occurring within 5 years, the risk is shown in blue until it can be clearly identified with more data.
Impact, Strategy: The impact of a risk likely to occur on the strategic objectives of the administration could not be determined.
Impact, Activities: The impact of a risk likely to occur on the activities could not be determined.
Impact, Financial: The financial impact of a risk likely to occur could not be determined.
Impact, Compliance with Legislation: The impact of a risk likely to occur in case of non-compliance with the legislation could not be determined.
The risk has recently emerged and no data has been obtained regarding its status, so there is insufficient data for analysing the new risk; or it is a risk which previously occurred but there is insufficient data for the analysis. Information should be gained as soon as possible so that an analysis can be made and an opinion formed.
ANNEX 6 Case Study Example of Inherent and Residual Risk
This case study example illustrates the concepts of inherent and residual risk, and also how a risk owner can obtain information from several different control owners to monitor the extent to which the risk they are responsible for is successfully mitigated by the existing controls.
The scenario concerns a storage warehouse for gold bars, a risk owner who is the Store manager, a risk that gold bars are stolen, and 4 controls:
a) An IT system control giving bars in and out and a balance held for each working day; daily printouts are sent by the IT manager to the risk owner.
b) An independent company comes in once a month to perform a stocktake count of gold bars in the warehouse, which they reconcile with the relevant printout of stock from the IT manager. Any variances in stock held are investigated and explanations provided where possible. The independent company provides a monthly report to the risk owner on the results of the work they have done, detailing any unexplained variances (which could potentially be incidences of theft).
c) Security guards: professionals guarding access to the warehouse 24 hours a day and 7 days a week, ensuring that only authorised staff have access to the warehouse and that all bags are put through a metal detector on leaving to ensure gold bars are not being smuggled out (gold bars are too heavy to be easily hidden on the person). On recruitment, a criminal record check is made on the security guards to ensure that they do not have prior convictions for theft. Security guards report weekly to the risk owner on their work; and
d) An alarm system: any incidences of it being set off are sent in a report by the security guards to the risk owner. Regular (weekly) checks on the alarm system's functioning are carried out by the security guards, with the success of the check included in their reports to the risk owner.
The inherent risk, in the absence of the above 4 controls, would be considered high (a high probability that bars would be stolen and a high impact, as gold bars are expensive). This would be above the risk appetite, and consequently the above 4 controls would be designed to mitigate the risk of the gold bars being stolen, the foreseen effect of the four controls being that the residual risk would be reduced. (Note: all four control measures combined would mitigate only the probability of the gold bars being stolen, not the impact.)
The risk owner would gather evidence as to the effectiveness of the four controls. If they were found to be effective, he would consider whether the risk had been successfully mitigated to within the risk appetite (likely answer: Yes, unless a further new control or a strengthening of the existing controls was considered necessary because the risk appetite was very low due to the high impact, i.e. the organisation is very risk averse).
If one or more of the 4 controls is found by the risk owner to be ineffective, it is likely that the risk would still be at a level above the risk appetite, and so the risk owner would need to escalate the issue to his line manager, suggesting methods for further mitigating the risk (either by introducing an additional control or by strengthening the control(s) that had been found to be ineffective).
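To make the case study concrete, the following added Python example (not from the manual) derives each control's effectiveness from the monthly evidence the risk owner receives, computes a residual score in which the controls lower only the likelihood, and decides whether to escalate. The 1-5 scoring scale, the one-point reduction per effective control, the appetite of 6 and the evidence figures are assumptions constructed for the example.

```python
"""Residual-risk check for the gold-bar warehouse case study.

Added example, not from the manual. Assumptions (not stated in the manual):
likelihood and impact are scored 1-5, risk score = likelihood x impact, each
effective control removes one likelihood point, and the risk appetite is a
score of 6. The manual's own rule is kept: the four controls mitigate the
probability of theft only, never the impact.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Control:
    label: str
    description: str
    effective: bool
    reason: str  # what the evidence showed


def assess_controls(evidence: Dict) -> List[Control]:
    """Judge each of the four controls from the reports the risk owner receives.

    `evidence` is the constructed set of reports for one month (see below).
    """
    # a) IT system: a printout for every working day, balances agreeing with bars in and out
    prints = evidence["daily_printouts"]
    a_ok = (len(prints) == evidence["working_days"]
            and all(p["in"] - p["out"] == p["balance_change"] for p in prints))
    # b) independent monthly stocktake: no unexplained variances
    b_ok = evidence["stocktake"]["unexplained_variances"] == 0
    # c) guards: clean record checks for every guard and a report received each week
    guards = evidence["guards"]
    c_ok = (all(g["record_check_clean"] for g in guards["staff"])
            and guards["weekly_reports_received"] == evidence["weeks"])
    # d) alarm: every weekly functioning check passed
    d_ok = all(evidence["alarm_checks"])
    return [
        Control("a", "IT system daily balance printouts", a_ok,
                "printouts complete and consistent" if a_ok else "missing or inconsistent printouts"),
        Control("b", "independent monthly stocktake", b_ok,
                "no unexplained variances" if b_ok else "unexplained variances reported"),
        Control("c", "security guards", c_ok,
                "record checks clean, weekly reports received" if c_ok else "record check or reporting gap"),
        Control("d", "alarm system", d_ok,
                "all weekly alarm checks passed" if d_ok else "an alarm check failed"),
    ]


def residual_risk(inherent_likelihood: int, impact: int,
                  controls: List[Control]) -> Tuple[int, int, int]:
    """Return (residual likelihood, impact, score). Controls only lower the likelihood."""
    reduction = sum(1 for c in controls if c.effective)  # assumed: one point per effective control
    likelihood = max(1, inherent_likelihood - reduction)
    return likelihood, impact, likelihood * impact


def risk_owner_decision(score: int, appetite: int, controls: List[Control]) -> str:
    """Within appetite: keep monitoring. Above it: escalate to the line manager,
    naming the controls to strengthen or proposing an additional control."""
    if score <= appetite:
        return "within appetite: continue monitoring the existing controls"
    weak = [c.label for c in controls if not c.effective]
    if weak:
        return ("escalate to line manager: strengthen control(s) "
                + ", ".join(weak) + " or add a further control")
    return "escalate to line manager: propose an additional control"


# Constructed evidence for one 4-week month of 20 working days.
MONTH_EVIDENCE = {
    "working_days": 20,
    "weeks": 4,
    "daily_printouts": [{"in": 3, "out": 1, "balance_change": 2}] * 20,
    "stocktake": {"unexplained_variances": 0},
    "guards": {"staff": [{"record_check_clean": True}] * 6, "weekly_reports_received": 4},
    "alarm_checks": [True, True, True, True],
}

INHERENT_LIKELIHOOD, IMPACT, APPETITE = 5, 5, 6  # assumed scores


def evaluate(evidence: Dict) -> Tuple[int, str]:
    """Full cycle: assess controls, compute residual score, take the decision."""
    controls = assess_controls(evidence)
    _, _, score = residual_risk(INHERENT_LIKELIHOOD, IMPACT, controls)
    return score, risk_owner_decision(score, APPETITE, controls)


if __name__ == "__main__":
    print(evaluate(MONTH_EVIDENCE))
    # Same month, but the stocktake reports two unexplained variances.
    print(evaluate(dict(MONTH_EVIDENCE, stocktake={"unexplained_variances": 2})))
```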
ANNEX 7 Case Study Example of completed Risk Voting Form, Risk Register and Consolidated Risk Report
CONTROL ACTIVITIES
1 Introduction
Control activities (also referred to as controls) are actions aimed at reducing the impact and/or the likelihood of a risk occurring, and thus increasing the probability of attaining the goals and objectives of the organisation or part of the organisation. For an effective control, the introduction of the control activities depends on the completed risk assessment. The management must plan, organise and direct sufficient control activities to obtain reasonable assurance that the tasks and goals will be achieved. Control activities cover both financial and non-financial controls, and they should be designed and implemented as a whole for all the activities of the administration.
This section of the manual, within the framework of the internal control standards, looks at how procedures should be developed as control activities to ensure that risks to achieving administrative objectives are managed effectively.
2 Control Activities Standards
Administrations, while identifying and implementing their control activities, take into account the following standards:
CA Box 1 Internal Control Standards
Standard 7 Control strategies and methods
The administrations shall determine and implement control strategies and methods which aim to achieve the objectives and are suitable for risk response.
Standard 8 Determination and documentation of procedure
The administrations shall prepare and update written procedures which are required for administration activities as well as financial decisions and transactions and arrangements relevant to these areas, and also give the relevant personnel access to these documents.
Standard 9 Segregation of duties
With a view to reducing fault, flaw, error, irregularity and corruption risks, the duties of approval, implementation, recording and control of financial decisions and transactions shall be allocated among personnel.
Standard 10 Hierarchical controls
The administrators shall systematically control the compliance of the works and transactions with the procedures.
Standard 11 Continuity of activities
The administrations shall take necessary measures for continuity of the activities.
Standard 12 Information system controls
The administrations shall develop control mechanisms in order to ensure the continuity and security of information systems.
[Figure: the five internal control components: Control Environment, Risk Management, Control Activities, Information and Communication, Monitoring]
3 Planning Process of Control Activities
Control activities can be regarded as the ability of administrations to get through the challenges they experience in carrying out their activities. Control activities should be designed within the framework of a cost-effectiveness analysis, in a way that directly facilitates the attainment of objectives. Ideally, when introducing control activities, the heads of organisations must take into account the expected benefit from them as well as the costs of their introduction and implementation. Control activities should ideally be introduced in the processes and systems at the time of setting up these processes and systems, because the introduction of control activities at a later stage is more expensive and less efficient.
It is important for the effectiveness of controls that control activities be understandable, applicable and consistent. A good control strategy should take into account how to implement the controls as well as identifying them. At this juncture, the administrative, financial and physical capacity of an administration should be taken into consideration.
Another important point to pay attention to in planning control activities is the evaluation of the effectiveness of the controls implemented. Such issues as whether the aim of implementing the control is commensurate with the targeted results, and whether the expected cost is in parallel with the actual cost, should be evaluated. Furthermore, regular review of control activities in the light of changing circumstances is also an important factor in terms of effectiveness evaluation.
Administrations should take into consideration the following basic requirements in identifying control activities:
CA Box 2 Basic Requirements: Planning of control activities
In order to be effective, control activities must be:
- adequate (the right control in the right place, at the right level and commensurate to the risk involved);
- cost-effective (the costs of implementing a control should not exceed its benefits);
- comprehensive, understandable and directly related to the control objectives;
- documented clearly;
- evaluated as a whole so that they are consistent in their operation;
- carried on until effectiveness is evaluated.
4 Classification of control activities
The control activities are generally classified as follows. Administrations should implement the following basic requirements as a minimum standard; however, they can implement additional control activities depending on the nature of the risk.
4.1 Preventive controls
These are the controls to be carried out to mitigate the likelihood and prevent, as much as possible, the undesirable outcomes that may emerge when risks occur. For example: ex-ante financial control operations, applying the principle of segregation of duties to prevent fraud or irregularities.
CA Box 3 Basic requirements: Preventive Controls
- the security of physical and intangible rights (intellectual assets, etc.) and records;
- physical safeguarding of assets;
- recording financial/management information;
- access controls such as passwords, identity cards, guards; and
- segregation of duties in order to avoid conflicts of interest.
4.2 Corrective Controls
These are the controls aiming at reducing the impact of the undesirable outcomes that stem from the threats the risks pose. For example: placing provisions regarding the reimbursement of undue payments in the agreements, setting the period of guarantee in advance.
CA Box 4 Basic requirements: Corrective Controls
- identifying methods for the purpose of recovery from loss or damage which would affect the activities negatively;
- appropriate actions are taken for the correction or elimination of the identified differences.
4.3 Directive Controls
These are the controls applied to reach a certain end. For example: provision of training on protection against possible threats, using protective materials (masks, special clothes, etc.), preventive medical practices (giving messages about washing hands in periods of epidemics, publishing private leaflets).
CA Box 5 Basic requirements: Directive Controls
- an approved organisation chart that is constantly updated to reflect organisational changes;
- manuals or written procedures, brochures, booklets, posters and other similar documents on implementation;
- established, clear and documented definitions of the responsibilities and tasks for resources, activities, programmes, projects, objectives and targets;
- assigning tasks and responsibilities taking into account the relevant skills and experience of staff;
- delegating authority, based on the organisational structure and responsibilities, to do the jobs effectively; this delegation should be documented;
- establishing effective means of communication throughout the organisation; and
- establishing clear reporting methods.
4.4 Detective Controls
These are the controls applied to identify the damages and losses experienced once the risks are realised. For example: conformity controls carried out after spending has been made to identify responsibility, controls performed to detect negligence by experts or authorities.
CA Box 6 Basic requirements: Detective Controls
- periodic counts/physical inventories;
- comparison of the counts/inventories with the records;
- methods for the identification and analysis of differences.
5 Methods of control activities
The main methods of controls are mentioned below. Administrations may also implement different ex-ante and ex-post control methods based on the requirements of their organisational structure and field of activity.
Ex-ante controls are the controls put into practice, in the light of the appropriate procedures, before the activity takes place, whereas ex-post controls refer to the controls performed by the management, through the use of pre-identified methods, after the activities take place.
CA Box 7 Tips for control activities
The following box gives some issues to be considered when control activities are identified:
- While determining the control activities and allocating resources for them, it may be necessary to give priority also to those risks with high probability and low impact which rate low in the prioritisation list formulated according to the risk scores.
- Preparing emergency plans as well as control activities for those risks with a very high probability and impact assumes great importance.
- Reducing both the realisation probability and the impact of internal risks is possible with control activities.
- Reducing the realisation probability of external risks, on the other hand, may not be under the control of the administration. However, mitigating the impacts of such risks is possible with proper risk management.
- While responding to risks, over-controlling should be avoided. Both over-control and under-control can undermine the effectiveness of the controls.
- According to the content of the risk, several control methods can be used at once if deemed necessary.
- Have the costs and benefits of implementing the control activities been analysed?
- Have the new control activities been piloted to see if they are having the desired effects?
- Are the control activities effectively operating as planned? Is the required evidence on controls collected and analysed periodically?
- After a reasonable period of time, are the new control activities and the existing controls that are being continued functioning as expected? And do you report this to the manager/risk coordinator?
CA Box 8 Factors to be determined when identifying control activities
- Which unit/who will conduct the activities
- Deadlines of the activities
- Necessary resources for the activities to be conducted
- Critical achievement factors
- How to document the activities
- Monitoring processes for the activities
5.1 Authorisation and approval
Managers should introduce appropriate rules and procedures for decision-making, authorisation and approval, taking into account the following. Decision-making and approval shall be carried out only by authorised persons. Authority means that the operations are initiated only by persons acting within their powers. Observance of the order of authorisation requires employees to act in accordance with directions and within the limits set by the manager of the organisation or the legislation. The procedures for authorisation should include specific conditions and delegation of powers by managers to employees for the performance of particular activities. The approval is the endorsement (certification) of transactions, data or documents whereby processes, actions, proposals and/or the consequences thereof are completed or validated.
5.2 Segregation of duties
To minimise the risk of errors, irregularities and violations and their non-detection, managers should introduce rules stipulating that different employees be responsible for the implementation of two or more key stages of an operation, process or activity. To ensure effective checks and to strike a balance in the implementation of an operation, the responsibilities shall be segregated in a manner which precludes an employee from being responsible simultaneously for the approval (decision-making), implementation, accounting and control.
In organisations with fewer staff this segregation is more difficult to implement. In such cases the manager may consider the possibility of combining two of the specified activities and compensate for the non-application of this control mechanism by another, e.g. rotation of employees, rotation of duties or additional management checks. Thus the risk of a single person dealing with more than one key aspect of an operation, process or activity for an unjustifiably long period of time could be reduced.
5.3 Double signature system
The double signature system is a procedure to ensure the accuracy of the data included in the document. The method is applied in non-financial processes, such as the provision of information to the top management (reports, information notes, statistics, etc.) and appointment orders, and before financial obligations such as the signing of contracts and the making of payments (payment orders, etc.). This makes it possible that, especially in financial transactions, the person responsible for the accounting entries knows about pending obligations or payments and performs the due accounting procedures. The double signature system gives assurance that the procedures are carried out by authorised staff.
5.4 Reconciliation of data
Procedures should also guarantee that data from different documents and sources are matched to ascertain consistency. For example, accounting entries relating to bank accounts are reconciled with the corresponding bank statements; invoice data are matched with those in the warehouse receipt; etc.
5.5 Supervision procedures
Supervision procedures should be carried out on a daily basis by line managers on the assignment of work and its performance. Assignment of work by the line managers does not reduce their own responsibility for the performance of the work. Line managers should give staff the necessary directions and instructions in order to ensure understanding and avoid errors and frauds in the discharge of their duties. Line managers should also apply these procedures to assure themselves that the tasks assigned are carried out correctly.
5.6 Ex-ante financial controls
Ex-ante financial control is a control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out against the available appropriation amount, the expenditure programme, the financing programme and the provisions of the central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently. The purpose of ex-ante control is for the managers to obtain reasonable assurance of the compliance of such decisions/actions with the legislation and the performance programme [2].
5.7 Procedures for accounting operations
Procedures should ensure that the accounting for all financial transactions on a given date is complete, true, accurate and timely. Their purpose is to support the taking of correct decisions from which financial consequences arise. These procedures should be developed in accordance with the relevant legislation and public accounting standards.
[2] Please see the regulation on procedures and principles on internal control and ex-ante financial control for further details.
5.8 Anti-corruption
There should be rules and procedures for the warning, examination, detection and reporting of administrative weaknesses, discrepancies and violations which create conditions for corruption, frauds and irregularities.
Anti-corruption procedures include:
- preventive controls;
- a system for checking, detecting and reporting early indications of corruption, frauds and irregularities;
- whistleblowing procedures (for more information please refer to the Information and Communication section); and
- a set of procedures for reporting irregular activities to the external competent authorities, such as the Prosecutor's Office.
5.9 Access to assets and information
Managers must ensure that only authorised persons responsible for the safeguarding and/or use of assets and information have access to them. The restriction of access to assets reduces the risk of their misuse or wrongful utilisation and protects the organisation from losses. The degree of the restriction depends on the vulnerability of the assets and information and the risks of loss or misuse. When determining the vulnerability of assets, the manager shall consider their value, transportability and the possibility for them to be exchanged for cash.
5.10 Documentation, archiving and storing of information
Procedures for documentation, archiving and storing of information shall be introduced to support the performance of operations, the taking of correct managerial decisions and the control of the processes in an organisation. Documentation involves developing written evidence of decisions made, events that occurred, actions and transactions performed, etc. The documentation must be complete, accurate and timely.
The documentation procedures include those for document circulation, describing the order for circulation and use of documents produced and received. The documentation procedures must allow tracing of every document, action or process in the organisation, stating precisely who performed what, how and when, and the purpose and type of act/document issued as a result thereof.
According to the terminology adopted by the European Commission, this comprises an audit trail. Its establishment helps achieve:
- transparency;
- tracing of the processes in the organisation from their initiation till completion; and
- tracing the segregation of functions by decision-making, performance, accounting and control.
The audit trail shall state what procedures and transactions exist, who the responsible persons are, what documents are drawn up, what systems for management and control of data flows exist, and what the form of presentation of the results is.
Archiving procedures must ensure chronological and systematic filing of documents about past events, decisions and actions concerning the organisation. There should be specific guidelines describing in detail the procedures for archive establishment, completion, use and destruction.
The procedures for the storage of information shall ensure physical preservation of the information media (paper and/or electronic) as well as preservation of the content without change, so that the information provides a true and fair view of the facts, decisions and actions relating to the organisation.
5.11 Business continuity (or emergency plans)
Adequate measures are in place to ensure continuity of service in case of a business-as-usual interruption. Business Continuity Plans are in place to ensure that the entity is able to continue operating, to the extent possible, whatever the nature of a major disruption.
5.12 Control activities related to Information Technology (IT)
IT systems entail specific types of control activities which should be introduced in organisations by their managers. These mechanisms for information systems control consist of two major groups: general control mechanisms and applications control mechanisms (applications controls).
General control mechanisms are applicable to all operations and contribute to their proper implementation. The applications control mechanisms include both procedures programmed in the software product itself and procedures that must be carried out manually in order to exercise control over the processing of different operations. The general control mechanisms are needed for the functioning of the applications control mechanisms. Absence of sufficient general controls cannot be offset by applications controls.
Usually, general control mechanisms are used in information analysis and processing centres, for the installation and maintenance of software products, and for the definition of access to information:
- controls for information analysis and processing centres: they include the organisation and planning of work, the intervention of the respective administrators/operators, procedures for saving and subsequent use of information, back-up and contingency plans;
- software controls: these refer to the acquisition, installation and maintenance of software products necessary for the maintenance of the entire system and for the processing of software applications;
- access definition controls: these ensure protection against unauthorised access. Access definition restricts users by allowing them to use and perform operations only with particular software products, thus ensuring segregation of responsibilities.
General software controls built during the development of the system entail detailed application tests and allow checking of the appropriateness of the rationale of the program and whether all errors will be detected. After the system is built, the controls for access and maintenance of the system give assurance that nobody can use or make changes in the applications without the appropriate authorisation, and that all the necessary changes are made in accordance with the established procedure for authorisation and approval.
The applications control mechanisms support internal control by preventing the entry of wrong data in the system and by detecting and correcting errors based on automated procedures for control over data form and content. The prevention and detection of these errors is programmed in the respective application. The applications control mechanisms analyse the data on-line (simultaneously with their entry in the system), provide ongoing information in case of a detected error and ensure immediate correction.
The use of both types of controls provides assurance that the information is analysed and processed completely, correctly and accurately.
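The following added Python example (not from the manual) shows what an applications control programmed into a payment-order entry screen looks like: form and content checks on entry, a second-signature step that enforces the segregation of duties described in section 5.2, and an audit trail entry for each step as required in section 5.10. The staff names, roles, budget chapters, appropriation amounts and field names are constructed for the example.

```python
"""Applications control on payment-order entry, with segregation of duties and an audit trail.

Added example, not from the manual. The staff list, roles, budget chapters,
appropriation amounts and field names are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Set

# Constructed staff list: which of the four key functions each person holds.
ROLES: Dict[str, Set[str]] = {
    "ayse": {"implementation"},           # enters payment orders
    "mehmet": {"approval"},               # authorises them (second signature)
    "fatma": {"accounting"},              # records them
    "ali": {"approval", "accounting"},    # holds two conflicting functions
}

# Constructed available appropriation per budget chapter.
APPROPRIATION: Dict[str, Decimal] = {
    "03.2": Decimal("50000.00"),
    "06.1": Decimal("10000.00"),
}

IBAN_RE = re.compile(r"^TR\d{24}$")   # form check: TR followed by 24 digits
REQUIRED = ("order_id", "payee_iban", "amount", "budget_chapter", "entered_by")


@dataclass
class AuditEntry:
    who: str
    what: str
    how: str
    when: str
    outcome: str


AUDIT_TRAIL: List[AuditEntry] = []


def record(who: str, what: str, how: str, outcome: str) -> None:
    """Audit trail: who did what, how and when, and with what result."""
    AUDIT_TRAIL.append(AuditEntry(who, what, how,
                                  datetime.now(timezone.utc).isoformat(), outcome))


def validate_order(order: Dict, appropriation: Dict[str, Decimal] = APPROPRIATION) -> List[str]:
    """Programmed checks on data form (shape) and content (meaning) at entry."""
    errors = [f"missing field: {f}" for f in REQUIRED if not order.get(f)]
    if errors:
        return errors
    # form checks
    if not IBAN_RE.match(order["payee_iban"]):
        errors.append("payee_iban: malformed")
    try:
        amount = Decimal(str(order["amount"]))
        well_formed = amount > 0 and amount == amount.quantize(Decimal("0.01"))
    except InvalidOperation:  # not a number, NaN, or out of range
        return errors + ["amount: not a number"]
    if not well_formed:
        errors.append("amount: must be positive with at most two decimals")
    # content checks
    chapter = order["budget_chapter"]
    if chapter not in appropriation:
        errors.append(f"budget_chapter {chapter}: no appropriation")
    elif amount > appropriation[chapter]:
        errors.append("amount: exceeds available appropriation")
    if "implementation" not in ROLES.get(order["entered_by"], set()):
        errors.append(f"{order['entered_by']}: not authorised to enter orders")
    return errors


def approve_order(order: Dict, approver: str) -> List[str]:
    """Second signature. The approver must hold the approval function, must not be
    the person who entered the order, and must not also implement or account."""
    roles = ROLES.get(approver, set())
    errors: List[str] = []
    if "approval" not in roles:
        errors.append(f"{approver}: not authorised to approve")
    if approver == order.get("entered_by"):
        errors.append("segregation of duties: approver entered the order")
    if roles & {"implementation", "accounting"}:
        errors.append("segregation of duties: approver also implements or accounts")
    return errors


def process_order(order: Dict, approver: str) -> str:
    """Run the entry control, then the approval; every step leaves an audit entry."""
    order_id = str(order.get("order_id", "?"))
    errs = validate_order(order)
    record(str(order.get("entered_by", "?")), f"enter {order_id}", "entry form",
           ("rejected: " + "; ".join(errs)) if errs else "accepted")
    if errs:
        return "rejected at entry"
    errs = approve_order(order, approver)
    record(approver, f"approve {order_id}", "second signature",
           ("rejected: " + "; ".join(errs)) if errs else "approved")
    return "rejected at approval" if errs else "approved"
```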
5.13 Assessing costs and benefits of control activities
After the initial selection of control activities to reduce the impact of risks, risk owners should evaluate the costs and expected benefits of the control activity. If the costs of the control activity exceed the expected benefits, the control activity should not be selected.
6 Practical Stages For Control Activities
Practical steps for control activities are briefly indicated in the following table. Since control activities are linked to risks, points on risk management are provided in stages 1, 2 and 3, whereas points on control activities are provided in stages 4 and 5. For further details on stages 1, 2 and 3 please refer to the risk management chapter.
CA Table 1: Stages for control activities
Stage 1: Identify objectives.
Stage 2: Identify risks to achieving objectives.
Stage 3: Select the method of responding to risks: accepting, controlling, transferring, avoiding, or taking the opportunity.
Stage 4: Select the control method(s): preventative, detective, corrective, directive.
Stage 5: Select the type of control activities: authorisation and approval; segregation of duties; double signature system; reconciliation of data; supervision; ex-ante controls (checking compliance with the law); accounting covering all financial processes; anti-corruption; access to assets and information; documentation, archiving and information storage; business continuity; and information technology. Or refer to CA Annex 2, List of common control activities.
7 Steps to identify and implement control activities
Step 1: Administrations, when assessing their risks, review their systems and processes to determine whether they have existing controls to mitigate their risks. (Administrations where risk management will be implemented in the framework of the principles mentioned in this manual for the first time should list and evaluate all the existing control activities. Those control activities that don't match the objectives and the risks of the administration should be terminated.)
Step 2: Administrations assess whether these existing controls are effective/sufficient in terms of mitigating risks.
Step 3: If there are no existing controls, or the existing controls are not effective/sufficient, new and/or additional control activities are determined. (To help you decide which control activities to select, you may refer to the list of control activities at Annex 2.) In this step it will be useful to consider the following:
- it may be appropriate to select more than one control activity;
- any new control activities you select must be evaluated for cost-effectiveness; and
- appropriate control activities should be tested beforehand.
Step 4: New control activities are not foreseen for those high risks that are managed effectively/sufficiently with the existing controls; the existing control activities should continue.
Step 5: Risk owners, once the risk register has been approved, have to put in place the new control activities and also ensure that monitoring of both the new controls and the existing controls that are being continued starts at the predetermined starting date.
Step 6: Stakeholders are notified in writing about the control activities and whether they are working effectively.
Step 7: The risk owner, while reporting the risks in the Consolidated Risk Report (Risk Management Annex 4), will notify the manager/risk coordinator how well the new control activities and the existing controls that are being continued are working. This reporting involves writing a summary of what has happened, identifying the impact of the new control activities and existing controls that are being continued, and attaching any evidence to the report as an annex.
Control Activities Annexes
Annex 1: Examples of some common risks and controls
Common Risks / Possible Control Activities

Risk management
Risk: Risks are not being managed effectively and so the organisation's objectives may not be achieved.
Controls:
- Risk workshops are organised to determine risks, allocate owners, determine controls and how their operation is monitored (corrective)

Cash management
Risk: Cash holdings could be stolen.
Controls:
- Cash is kept locked away and access to it is strictly controlled (preventive)
- There is segregation of duties for staff who have access to cash (preventive)
- Cheques and other payment forms are serially numbered (preventive)

Asset management
Risk: Assets could be stolen.
Controls:
- Physical controls, for example using a safe (preventive)
- Separation of duties, authorisation levels, passwords (preventive)
- Tagging of goods, reconciliations, stock counts (detective)

Document control
Risk: Documents received could be lost.
Controls:
- Keeping a register that shows where all the received documents are filed (preventive)
Risk: Due to document control procedures not being clear and specific, decisions are not taken on time.
Controls:
- The document control procedure defines the controls needed to: approve documents for adequacy prior to issue; ensure that changes and the current revision status of key documents (strategic plan, performance programmes, etc.) are identified; ensure that previous versions of applicable documents are available at points of use; ensure that the distribution of sensitive and classified documents is controlled; and identify documents that should be archived (all preventive)

Planning and budgeting
Risk: Budget resources may be spent inappropriately.
Controls:
- Effective planning/budgeting process (preventive)
- Staff have received training in budget preparation (preventive)
- Comparison of interim and final accounts and activity reports with the strategic plan, performance programme and the budget (detective)
Risk: Financial information may not be accurate and complete.
Controls:
- Financial information being stored or reported on the computer (preventive)

Procurement
Risk: Error and fraud could occur in the procurement process.
Controls:
- Separation of duties between staff making decisions, staff selected for the tender commission and staff involved in payments (preventive)
- Applying ex-ante controls to the award decision before the signing of the contract (preventive)
- Random checks on transactions by authorised staff (detective)
- Identifying purchasing thresholds (preventive)
- Requirement to seek the ex-ante approval of a senior manager or the Minister for some high-value procurements (double signature system) (preventive)
- Regular rotation of staff who have critical responsibilities in the procurement process (preventive)

Stores
Risk: Unauthorised removal of goods from store.
Controls:
- Physical stock checks to inventory records (detective)
Risk: Goods ordered but not delivered on time, or partially delivered.
Controls:
- Including penal provisions in the contract regarding any failure to deliver goods on time (corrective)
- Comparison between invoices, goods delivery notes and the contract (detective)

Revenue management
Risk: Delays in submitting tax statements on time and the failure to collect revenues on a timely basis.
Controls:
- Incentives for timely submission of tax statements (advance warning, posters, etc.) (directive)
- Incentives for on-line submission of tax statements (preventative)
- Penalties for late submission (preventative)

Contingency planning
Risk: A major 'incident' destroys important data.
Controls:
- A Business Contingency Plan exists, has been tested and is kept up to date (preventive)

IT security
Risk: Unauthorised staff may obtain access to computerised data.
Controls:
- Personal identifiers and passwords (preventative)
- Review of on-line access and transaction logs (detective)
Risk: Master files may be changed inappropriately.
Controls:
- Supervisor authorisation required on forms indicating data to be changed (preventive)
- Supervisor does not have change access rights (preventive)
- Supervisor verifies changes against a printout of changes (detective)
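As an added example (not from the manual) of the detective controls in the IT security rows above, the following Python reviews a constructed access and transaction log for master-file changes: changes without a supervisor-authorised form, changes made by a supervisor (who should not hold change rights), changes by users without change rights, forms cited more than once and unknown user ids are reported, and a printout of changes is produced for the supervisor to verify. The log format, user names and form register are assumptions.

```python
"""Detective control: review of an access and transaction log for master-file changes.

Added example, not from the manual. The log format, user register, form
register and sample log lines are constructed for illustration.
"""
import re
from typing import Dict, List, Set

# Constructed user register: who is a supervisor, who may change master files.
SUPERVISORS: Set[str] = {"mehmet"}
CHANGE_RIGHTS: Set[str] = {"ayse", "fatma"}
KNOWN_USERS: Set[str] = SUPERVISORS | CHANGE_RIGHTS | {"ali"}

# Constructed register of change forms and the supervisor who authorised each.
AUTHORISED_FORMS: Dict[str, str] = {"MF-221": "mehmet", "MF-222": "mehmet"}

# Assumed log line layout: timestamp, user=, action=, optional record= and form=.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: record=(?P<record>\S+))?(?: form=(?P<form>\S+))?$"
)

# Constructed sample log for one morning.
SAMPLE_LOG = """\
2024-03-04T08:55:10Z user=ayse action=LOGIN
2024-03-04T09:02:31Z user=ayse action=MASTER_CHANGE record=vendor/117 form=MF-221
2024-03-04T09:40:05Z user=fatma action=MASTER_CHANGE record=vendor/118
2024-03-04T10:12:44Z user=mehmet action=MASTER_CHANGE record=vendor/119 form=MF-222
2024-03-04T11:30:00Z user=ali action=MASTER_CHANGE record=bank/12 form=MF-221
2024-03-04T12:01:17Z user=guest7 action=LOGIN
2024-03-04T12:05:00Z user=fatma action=LOGOUT
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its fields; absent optional fields are omitted."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return {k: v for k, v in m.groupdict().items() if v is not None}


def review_log(log_text: str) -> List[str]:
    """Return one finding per exception; an empty list means nothing to report."""
    findings: List[str] = []
    used_forms: Set[str] = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        ts, user, action = e["ts"], e["user"], e["action"]
        record = e.get("record", "?")
        if user not in KNOWN_USERS:
            findings.append(f"{ts}: access by unknown user id '{user}'")
        if action != "MASTER_CHANGE":
            continue
        # Who made the change: supervisors must not hold change rights.
        if user in SUPERVISORS:
            findings.append(f"{ts}: supervisor {user} holds change rights (should not)")
        elif user not in CHANGE_RIGHTS:
            findings.append(f"{ts}: {user} changed {record} without change rights")
        # Was the change covered by a supervisor-authorised form, used once only?
        form = e.get("form")
        if form is None:
            findings.append(f"{ts}: change to {record} has no authorised change form")
        elif form not in AUTHORISED_FORMS:
            findings.append(f"{ts}: change to {record} cites unknown form {form}")
        elif form in used_forms:
            findings.append(f"{ts}: form {form} already used for an earlier change")
        else:
            used_forms.add(form)
    return findings


def change_printout(log_text: str) -> List[str]:
    """Printout of master-file changes for the supervisor to verify against the forms."""
    entries = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [f"{e['ts']} {e['user']} {e.get('record', '?')} form={e.get('form', '-')}"
            for e in entries if e["action"] == "MASTER_CHANGE"]


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
    print("\n".join(change_printout(SAMPLE_LOG)))
```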
Annex 2 List of common control activities

Risk management
  Appropriate risk management policies, procedures, techniques and mechanisms exist for each of the organisation's activities.
  - Management has ensured that all relevant objectives and associated risks for each significant activity have been identified in conjunction with conducting the risk assessment and analysis function.
  - Management has identified the actions and control activities needed to address the risks and directed their implementation.

Implementing control activities
  The control activities identified as necessary are in place and being applied.
  - Management has ensured that:
    - control activities described in policy and procedures manuals are actually applied, and applied properly;
    - managers and employees understand the purpose of internal control activities;
    - nominated staff review the functioning of established control activities and remain alert for instances in which excessive control activities should be minimised.
  - For existing control activities, look out for:
    - Guidance: it is likely that there will be official guidance about how to carry out your work.
    - Documentation: there may be standard document control procedures to ensure that new documents are registered and filed, changes to documents are recorded, and documents no longer in use are archived.
    - Checking the work of others: this is a basic control activity that can involve a supervisor or manager checking the work of staff, staff in one section checking the work of staff in another section, or computer checks. There may also be a requirement for transactions to be checked by the SDU under the ex-ante control regulation.
    - Security: protecting documents, cash and assets; and
    - Contingency arrangements: ensuring the continuation of essential services in the event of a service failure.

Performance monitoring
  Senior management track outturn in relation to its operational and performance plans.
  - Top management are involved in developing annual performance plans and targets, and in measuring and reporting results against those plans and targets.
  - Top management regularly review actual performance against budgets, forecasts and prior period results.
  - Top management take appropriate corrective action when progress reports indicate that performance is significantly out of line with plans.
  Operational managers review actual performance against targets.
  - Managers at all activity levels review performance reports, analyse trends and measure results against targets.
  - Managers review and compare financial, budgetary and operational performance to planned or expected results.
  - Appropriate control activities are employed, such as reconciliations of summary information to supporting detail, checking the accuracy of summarisations of operations, and checking the reliability of data sources and data systems.
  - Comparisons are made relating different sets of data to one another so that analyses of the relationships can be made and corrective actions taken if necessary.
  - Investigation of unexpected results or unusual trends leads to identification of circumstances in which the achievement of goals and objectives may be threatened, and corrective action is taken.
  - Analysis and review of performance indicators and results are used for both operational and financial reporting control purposes.

Quality of performance measures and indicators
  The organisation monitors the quality of performance measures and indicators.
  - The organisation periodically reviews and validates the propriety and integrity of performance measures and indicators.
  - Performance measurement assessment factors are evaluated to ensure they are linked to mission, goals and objectives, are balanced, and set appropriate incentives for achieving goals while complying with law, regulations and ethical standards.
  - Actual performance data is continually compared against planned goals, and differences are analysed to establish whether the right things are being measured in the right way.

Human resource management
  The organisation effectively manages its workforce to achieve results.
  - A clear and coherent shared vision of the organisation's mission, goals, values and strategies is explicitly identified in the strategic plan, annual performance plan and other guiding documents, and that view has been clearly and consistently communicated to all employees.
  - The organisation has a coherent overall manpower planning strategy, as evidenced in its strategic plan, performance plan or a separate manpower planning document, and that strategy encompasses manpower planning policies, programmes and practices to guide the organisation.
  - The organisation has a specific and explicit workforce planning strategy linked to the overall strategic plan that allows for identification of current and future manpower planning needs.
  - Senior leaders and managers support teamwork, reinforce the shared vision of the organisation and encourage feedback from employees, as evidenced by actions taken to communicate this to all employees and the existence of opportunities for management to obtain feedback.
  - The organisation's performance management system is given a high priority by top-level officials and is designed to guide the workforce to achieve the organisation's shared vision and mission.
  - Procedures are in place to ensure that staff with appropriate competencies are recruited and retained for the work of the organisation, including a formal recruiting and hiring plan with explicit links to the skill needs the organisation has identified.
  - Employees are provided with information, training and tools to perform their duties and responsibilities, improve performance, enhance their capabilities and meet the demands of changing organisational needs.
  - Qualified and continuous training is provided to ensure that internal control objectives are being met.
  - Meaningful, honest, constructive performance evaluation and feedback are provided to help employees understand the connection between their performance and the achievement of the organisation's goals.

Information processing
  The organisation uses a variety of control activities suited to information processing systems to ensure accuracy and completeness.
  - Edit checks are used in controlling data entry.
  - Accounting for transactions is performed in numerical sequences.
  - File totals are compared with control accounts.
  - Exceptions or violations indicated by other control activities are examined and acted upon.
  - Access to data files and programs is appropriately controlled.

Physical control over vulnerable assets
  The organisation uses physical controls to secure and safeguard vulnerable assets.
  - Physical safeguarding policies and procedures have been developed, implemented and communicated to all staff.
  - The organisation has developed a disaster recovery plan which is regularly tested, updated and communicated to staff.
  - The organisation has developed a plan for the identification and protection of any critical infrastructure assets.
  - Assets that are particularly vulnerable to loss, theft, damage or unauthorised use, such as cash, securities, supplies, inventories and equipment, are physically secured and access to them controlled.
  - Assets such as cash, securities, supplies, inventories and equipment are periodically counted and compared to control records, and exceptions examined.
  - Cash and negotiable securities are maintained under lock and key and access to them strictly controlled.
  - Forms such as blank cheques and purchase orders are sequentially pre-numbered and physically secured, and access to them strictly controlled.
  - Mechanical cheque signers and signature plates are physically protected and access to them strictly controlled.
  - Equipment vulnerable to theft is securely fastened or protected in some other manner.
  - Identification plates and numbers are attached to office furniture and fixtures, equipment and other portable assets.
  - Inventories, supplies and finished items/goods are stored in physically secured areas and protected from damage.
  - Facilities are protected from fire by fire alarms and sprinkler systems.
  - Access to premises and facilities is controlled by fences, guards and/or other physical controls.
  - Access to facilities is restricted and controlled during non-working hours (alarms, CCTV, etc.).

Separation of duties
  Key, high-risk and sensitive duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud.
  - No one individual is allowed to control all key aspects of a transaction or event.
  - Responsibilities and duties involving transactions and events are separated among different employees with respect to authorisation/approval, processing and recording, making payments or collection of income, review and auditing, and the custodial functions and handling of related assets.
  - Duties are assigned systematically to a number of individuals to ensure that effective checks and balances exist.
  - Where feasible, no one individual is allowed to work alone with cash, securities or other assets.
  - The responsibility for opening mail which contains cash is assigned to individuals who have no responsibilities for, or access to, files or documents pertaining to accounts receivable or cash accounts.
  - Bank accounts are reconciled by staff who have no responsibilities for cash receipts, disbursements or custody.
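The separation of duties items above (and the later general computer controls item that access controls should enforce segregation of duties) can be checked mechanically once the chart of duties is encoded: each role maps to the duties it grants, an incompatible-duties matrix says which duties may not rest with one person, and both the role catalogue and each user's combined roles are tested against it; the same matrix then gates new role assignments before they are granted. The script below is an added example, not part of the manual; the duty names, the conflict pairs and the users and roles are constructed assumptions, and an administration would encode its own pairs (the manual separates authorisation, processing and recording, payment or collection, review and auditing, and custody).

```python
"""Separation-of-duties (SoD) checks over a role catalogue and user-role assignments.

Added example, not part of the manual. The duty names, the incompatible-duty
pairs and the users/roles below are constructed assumptions.
"""
from itertools import combinations

# Pairs of duties that may not be combined in one role or in one person's roles
# (assumed encoding of the duty classes the manual separates).
INCOMPATIBLE = {
    frozenset({"authorise", "record"}),
    frozenset({"authorise", "pay"}),
    frozenset({"record", "pay"}),
    frozenset({"record", "custody"}),
    frozenset({"pay", "reconcile"}),
    frozenset({"custody", "reconcile"}),
    frozenset({"record", "reconcile"}),
}

# Constructed role catalogue: role -> duties granted by that role.
ROLE_DUTIES = {
    "invoice_clerk": {"record"},
    "payment_officer": {"pay"},
    "authorising_officer": {"authorise"},
    "cashier": {"custody"},
    "bank_reconciler": {"reconcile"},
    "finance_admin": {"record", "pay"},   # badly designed role: conflicts on its own
}

# Constructed user assignments: user -> roles held.
USER_ROLES = {
    "ayse": {"invoice_clerk"},
    "mehmet": {"payment_officer", "bank_reconciler"},  # pays and reconciles the bank
    "elif": {"authorising_officer"},
    "can": {"cashier", "invoice_clerk"},               # holds cash and records transactions
    "deniz": {"finance_admin"},                        # inherits the role's conflict
}


def conflicts(duties, matrix=INCOMPATIBLE):
    """Sorted list of incompatible duty pairs found within one set of duties."""
    return [pair for pair in combinations(sorted(duties), 2) if frozenset(pair) in matrix]


def duties_of(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """All duties a user holds through every role assigned to them."""
    return {duty for role in user_roles[user] for duty in role_duties[role]}


def check_roles(role_duties=ROLE_DUTIES, matrix=INCOMPATIBLE):
    """Roles that grant incompatible duties by themselves (a catalogue design error)."""
    return {role: conflicts(d, matrix) for role, d in role_duties.items() if conflicts(d, matrix)}


def check_users(user_roles=USER_ROLES, role_duties=ROLE_DUTIES, matrix=INCOMPATIBLE):
    """Users whose combined roles give them incompatible duties (the detective check)."""
    found = {}
    for user in user_roles:
        pairs = conflicts(duties_of(user, user_roles, role_duties), matrix)
        if pairs:
            found[user] = pairs
    return found


def can_assign(user, role, user_roles=USER_ROLES, role_duties=ROLE_DUTIES, matrix=INCOMPATIBLE):
    """Preventive gate: True only if adding `role` introduces no incompatible pair."""
    proposed = duties_of(user, user_roles, role_duties) | role_duties[role]
    return not conflicts(proposed, matrix)


if __name__ == "__main__":
    for role, pairs in check_roles().items():
        print(f"role {role} grants incompatible duties: {pairs}")
    for user, pairs in check_users().items():
        print(f"user {user} holds incompatible duties: {pairs}")
    print("ayse -> payment_officer allowed?", can_assign("ayse", "payment_officer"))
```

Checking the role catalogue separately from the users matters: a conflict baked into a role (finance_admin here) will reappear for every user given that role, so it is fixed once at the catalogue rather than user by user. The preventive gate is the access-control side of the same matrix; the periodic user check remains necessary because rights also change through role edits, not only through assignments.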
Authorisation for transactions or events
  Appropriate staff are authorised for transactions and other significant events.
  - Controls ensure that only valid transactions and other events are initiated or entered into, in accordance with management decisions and directives.
  - Controls exist to ensure that all transactions and other significant events are authorised and executed only by employees acting within the scope of their authority.
  - Authorisations are clearly communicated to managers and employees and include the specific conditions and terms under which authorisations are to be made.
  - The terms of authorisations are in accordance with directives and within limitations established by law, regulation and management.

Recording transactions and events
  Transactions and other significant events are properly classified and promptly recorded.
  - Transactions and events are appropriately classified and promptly recorded so that they maintain their relevance, value and usefulness to management in controlling operations and making decisions.
  - Proper classification and recording take place for each transaction or event.

Accountability for and access restrictions to resources and records
  Access to resources and records is limited and accountability for their custody is clearly allocated.
  - The risk of unauthorised use or loss is controlled by restricting access to resources and records to authorised staff only.
  - Accountability for the custody and use of resources and records is assigned to specific individuals.
  - Access restrictions and accountability assignments for custody are recorded and periodically reviewed.
  - Periodic comparison of resources with the recorded accountability is made to determine whether the two agree, and differences are examined.
  - How frequently actual resources are compared to records, and the degree of access restriction, are functions of the vulnerability of the resource to the risk of errors, fraud, waste, misuse, theft or unauthorised alteration.
  - Management considers such factors as asset value, portability and exchangeability when determining the appropriate degree of access restriction.
  - As a part of assigning and maintaining accountability for resources and records, management informs and communicates those responsibilities to specific individuals within the organisation and ensures that those people are aware of their duties for appropriate custody and use of those resources.

Documentation
  Internal control, transactions and other significant events are clearly documented.
  - Written documentation exists covering the organisation's internal control structure and all significant transactions and events.
  - The documentation is readily available for examination.
  - The documentation for internal control includes identification of the organisation's activity-level functions and related objectives and control activities, and appears in management directives, administrative policies, manuals and other guidance.
  - Documentation for internal control includes documentation describing and covering management information systems, data collection and handling, and the specifics of general and application controls related to such systems.
  - Documentation of transactions and other significant events is complete and accurate and facilitates tracing the transaction or event and related information from authorisation and initiation, through its processing, to after it is completed.
  - Documentation, whether in paper or electronic form, is useful to those involved in controlling, evaluating or analysing operations.
  - All documentation and records are properly managed, maintained and periodically updated.

General computer controls
  The organisation periodically performs a comprehensive high-level assessment of risks to its information systems.
  - Risk assessments are performed and documented regularly and whenever systems, facilities or other conditions change.
  - Risk assessments consider data sensitivity and consistency.
  Effective computer security controls are in operation and are monitored.
  - The organisation has developed a plan that clearly describes the organisation-wide security plan and the policies and procedures that support it.
  - Senior management have established a structure to implement and manage the IT security programme throughout the organisation, and security responsibilities are clearly defined.
  - The organisation monitors the security plan's effectiveness and makes changes as needed.
  - Corrective actions are promptly and effectively implemented and tested, and they are continually monitored.
  Effective computer access controls are in place and are monitored.
  - Information resources are classified according to their criticality and sensitivity.
  - Resource classifications and related criteria have been established and communicated to resource owners.
  - Resource owners have classified their information resources based on approved criteria and with regard to risk determinations and assessments, and have documented those classifications.
  - Resource owners have identified authorised users, and their access to the information has been formally authorised.
  - The organisation monitors information systems access, investigates apparent violations and takes appropriate remedial action.
  - The organisation has established physical and logical controls to prevent or detect unauthorised access.
  Application software development and change controls are in place and are monitored.
  - Application software modifications are properly authorised.
  - All new or revised software is thoroughly tested and approved.
  - The organisation has established procedures to ensure control of its software libraries, including labelling, access restrictions and the use of inventories and separate libraries.
  - All key activities are monitored.
  Effective system software controls are in place and are monitored.
  - The organisation limits access to system software based on job responsibilities, and access authorisation is documented.
  - Access to and use of system software are controlled and monitored.
  - The organisation controls changes made to system software.
  There is effective separation of duties for IT operations.
  - Incompatible duties have been identified and policies implemented to segregate those duties.
  - Access controls have been established to enforce segregation of duties.
  Controls ensure the continuity of IT services.
  - The criticality and sensitivity of computerised operations have been assessed and prioritised, and supporting resources have been identified.
  - The organisation has taken steps to prevent and minimise potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
  - Management have developed and documented a comprehensive IT service contingency plan.
  - The organisation periodically tests the contingency plan and adjusts it as appropriate.

Computer application controls
  Source documents are controlled and require authorisation.
  - Access to blank source documents is restricted.
  - Source documents are pre-numbered sequentially.
  - Key source documents require authorising signatures.
  - For batch application systems, batch control sheets are used, providing information such as date, control number, number of documents and control totals for key fields.
  - Senior management or independent review of data occurs before it is entered into the application system.
  - Data entry terminals have restricted access.
  - Master files and exception reporting are used to ensure that all data processed are authorised.
  Completeness controls
  - All authorised transactions are entered into and processed by the computer.
  - Reconciliations are performed to verify data completeness.
  Accuracy controls
  - The organisation's data entry design features contribute to data accuracy.
  - Data validation and editing are performed to identify erroneous data.
  - Erroneous data is captured, reported, investigated and promptly corrected.
  - Output reports are reviewed to help maintain data accuracy and validity.
  Control over integrity of processing and data files
  - Procedures ensure that the current version of programs and data files is used during processing.
  - Programs include routines to verify that the proper version of the computer file is used during processing.
  - Programs include routines for checking internal file header labels before processing.
  - The application protects against concurrent file updates.
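The completeness and accuracy controls in the last category above (batch control sheets, numerical sequences, file totals compared with control accounts, edit checks on data entry) are easy to implement as a program that runs over a payment batch before it is posted, and the earlier "Information processing" items (sequence, file totals, exceptions acted upon) are the same checks seen from the other side. The script below is an added example, not code from the manual; the record layout, the control-sheet fields, the account-number pattern and both sample batches are constructed assumptions.

```python
"""Batch completeness and accuracy controls for a payment file.

Added example, not part of the manual. The record layout
(seq|date|account|amount), the control-sheet fields, the account-number
pattern and the sample batches are constructed assumptions.
"""
from datetime import date
from decimal import Decimal, InvalidOperation
import re

ACCOUNT_RE = re.compile(r"^TR\d{2} \d{4}$")   # assumed account-number format

# Constructed batch control sheet prepared when the batch was raised
# (date, control number, number of documents, control total of the key field).
SHEET = {"date": "2024-03-04", "control_number": "B-0317",
         "document_count": 5, "amount_total": Decimal("6180.50")}

# Constructed batch with deliberate defects: 1003 missing, 1004 keyed twice,
# and 1005 failing every edit check.
BATCH = """\
1001|2024-03-04|TR11 0001|1200.00
1002|2024-03-04|TR11 0002|430.50
1004|2024-03-04|TR11 0003|2550.00
1004|2024-03-04|TR11 0003|2550.00
1005|2024-03-45|TR11 ABCD|-50.00
"""

# Constructed clean batch that agrees with its control sheet.
GOOD_SHEET = {"date": "2024-03-05", "control_number": "B-0318",
              "document_count": 2, "amount_total": Decimal("30.00")}
GOOD_BATCH = "2001|2024-03-05|TR11 0001|10.00\n2002|2024-03-05|TR11 0002|20.00\n"


def parse_batch(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            seq, d, acct, amt = line.split("|")
            rows.append({"seq": int(seq), "date": d, "account": acct, "amount": amt})
    return rows


def amount_of(row):
    """Decimal amount, or None if the field is not numeric."""
    try:
        return Decimal(row["amount"])
    except InvalidOperation:
        return None


def edit_checks(row):
    """Field-level validation (the 'edit checks' applied at data entry)."""
    errors = []
    try:
        date.fromisoformat(row["date"])
    except ValueError:
        errors.append("invalid date")
    if not ACCOUNT_RE.match(row["account"]):
        errors.append("malformed account number")
    amt = amount_of(row)
    if amt is None:
        errors.append("amount not numeric")
    elif amt <= 0:
        errors.append("amount not positive")
    return errors


def sequence_check(rows):
    """Gaps and duplicates in the pre-numbered sequence (completeness control)."""
    seqs = [r["seq"] for r in rows]
    if not seqs:
        return [], []
    gaps = sorted(set(range(min(seqs), max(seqs) + 1)) - set(seqs))
    dups = sorted({s for s in seqs if seqs.count(s) > 1})
    return gaps, dups


def reconcile_batch(rows, sheet):
    """All findings for the batch; an empty list means it may be posted."""
    findings = []
    gaps, dups = sequence_check(rows)
    findings += [f"sequence gap: {g} missing" for g in gaps]
    findings += [f"duplicate sequence number: {d}" for d in dups]
    if len(rows) != sheet["document_count"]:
        findings.append(f"document count {len(rows)} != control sheet {sheet['document_count']}")
    # Control total over the key field, compared with the figure on the sheet.
    total = sum((a for a in map(amount_of, rows) if a is not None), Decimal("0"))
    if total != sheet["amount_total"]:
        findings.append(f"amount total {total} != control sheet {sheet['amount_total']}")
    for r in rows:
        findings += [f"seq {r['seq']}: {e}" for e in edit_checks(r)]
    return findings


if __name__ == "__main__":
    for finding in reconcile_batch(parse_batch(BATCH), SHEET):
        print(finding)
```

Note what the defective batch shows: the document count agrees with the sheet even though one record is missing and another is duplicated, so a count on its own is not a completeness control; the sequence check and the control total catch what the count misses. Amounts are handled as Decimal so that the control total is compared exactly, not as floating point.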
Annex 3 - Illustrations for cost-benefit analysis

Example 1

You are considering hiring a junior clerk to carry out a 100 per cent check on all payments your spending unit makes (checking that each agrees to the supporting documents) to ensure the correct amount is paid. This is an ex-ante control, as the check is made prior to the payment. You estimate that this task will occupy the junior clerk for 100 per cent of their working time.

Cost of the junior clerk: 2500 YTL a month (1200 salary plus 1300 contribution to overheads, e.g. heating the building).

Scenario A
Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 3000 YTL a month.
Decision: this control activity is cost effective (the 3000 YTL benefit exceeds the 2500 YTL cost) and the junior clerk should be employed to do this checking.

Scenario B
Cost: same as above.
Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 2000 YTL a month.
Decision: this control activity is not cost effective (the 2000 YTL benefit is less than the 2500 YTL cost) and the junior clerk should not be employed on a full-time basis to do this checking. You can rely on other controls instead.

Possibilities:
- Focus checking on only the highest-value or riskiest payments. This will employ the clerk for only 50 per cent of their time, i.e. 1250 YTL a month. If you estimate that it will find, on average, errors of overpayment of 1600 YTL a month (more than 50 per cent of the clerk's cost), this is a better alternative control; or
- Don't do any checking, and rely instead on a separation of duties control (a different clerk raises the payment from the one who enacts it) to prevent fraudulent overpayments.

Example 2

You do not currently employ any public relations expert. In the absence of any control on dealings with the press, you assess the risk of reputational damage as being of high likelihood and high impact.

Cost of the expert in public relations: 4500 YTL a month (2500 salary plus 2000 contribution to overheads, e.g. heating the building).

Scenario 1
You have a low risk appetite in terms of reputational damage and consider that the benefit of all dealings with the press going through the expert in public relations will successfully mitigate the risk to within your risk appetite (by considerably reducing the likelihood of reputational damage through ill-advised comments being given to the press). You consider that this risk mitigation is so important to your administration that it justifies the employment of the expert in public relations.
Decision: you employ the expert in public relations.

Scenario 2
You have a high risk appetite in terms of reputational damage and consider that the risk of reputational damage through ill-advised comments being given to the press, without employing the expert in public relations, is equal to or less than your risk appetite for this risk. You thus consider that the benefit of employing the expert is outweighed by the cost, and therefore that it is not cost-effective to employ the expert in public relations.
Decision: you do not employ the expert in public relations.
Action: as the risk is equal to or less than your risk appetite for reputational risk, you need not select an alternative control activity, but you should continue to review the decision in the future, as it may change if your risk appetite reduces or your assessment of the likelihood and/or impact of the risk increases.
INFORMATION AND COMMUNICATION

1 INTRODUCTION

Information and communication, the fourth of the five components of the COSO internal control model, links the control environment, risk assessment and control activities through the sharing of information, and has an important role in increasing the functionality and operational competence of the internal control system, which is regarded as a tool for attaining organisational objectives and aims, as it regulates the flow of information within the administration.

The aim of this chapter of the manual is to give information, within the framework of the internal control standards, about the structures and practices related to the use of information and communication mechanisms, and to provide guidance for users about reporting, registry and filing systems and the methods to be used in notifying faults, irregularities and corruption, with a view to ensuring that administrations carry out their activities in line with their objectives and account for those activities.

Communication refers to the transformation and conveyance of information within the organisation, vertically and horizontally, and externally, via proper mechanisms, to the relevant people, administrations and bodies. Administrations must aim to establish an effectively managed and well-coordinated communication system that meets the information needs of managers, staff and the public.

If information and communication systems do not function as expected, managers and staff may come up against the risk of not being able to make timely and correct decisions, not being able to implement those decisions and, ultimately, not being able to achieve the objectives. Information should therefore be accessible, useful, timely, accurate, complete and up-to-date.

2 Information and Communication Standards

Information and communication includes the information, communication and record system which ensures the transfer of required information to the person, personnel or administrator who needs it, in the determined format and within a time period that enables those concerned to fulfil their internal control and other responsibilities.

IC Box 1 Information and Communication Standards

[Figure: the five components of the internal control model: Control Environment, Risk Management, Control Activities, Information and Communication, Monitoring]

Standard 13 Information and communication
The administrations shall have a suitable information and communication system with a view to ensuring that the performance of the units and the personnel is monitored, decision-making processes operate soundly, and services are provided efficiently and with satisfaction.

Standard 14 Reporting
The goals, objectives, indicators and activities of the administration, and their results, shall be reported in accordance with the principles of transparency and accountability.

Standard 15 Record and filing system
The administrations shall have a comprehensive and up-to-date system in which works and transactions, including incoming and outgoing documents, are recorded, classified and filed.

Standard 16 Notification of faults, irregularities and corruption
The administrations shall develop methods which ensure that faults, irregularities and corruption are notified in a specific order.
3 ROLES AND RESPONSIBILITIES IN INFORMATION AND COMMUNICATION

Minister
Ensures coordination and cooperation with other ministries, and informs the public and the TGNA about the annual performance programme and activity report submitted to him by the administration.

Head of Administration
The Head of Administration must publish an announcement, via the internal communication network or an official letter, on what is to be done before the preparation of such documents as the strategic plan, performance programme, activity report and Risk Strategy and Policy Paper, which need to be prepared in a way that ensures the attainment of pre-identified objectives in the fields for which the administration is responsible.

Another duty of the Head of Administration is to sign the internal control assurance declaration and inform the public and the Minister.

As the quality of the information exchange and communication between the Head of Administration and the other actors has a direct effect on the accountability of the Head of Administration, the Head of Administration must guide the relevant units about the frequency and methods of feedback he prefers.

The Head of Administration must consider whether the current information system meets the needs during the set-up and integration of new information systems. If a new system is to be set up, it must be designed with integration with the other information systems in mind.

Internal Auditor
As prescribed by Law No. 5018, the internal auditors assess the internal control system under the Head of Administration. In this regard, internal auditors report to the Head of Administration whether the internal control system functions properly or not. Therefore, to be able to carry out their duties, internal auditors should be given unlimited access to every kind of information they need. Setting up such a mechanism depends on robust communication and flow of information between the internal auditors and the Head of Administration.

The Head of Administration is entitled to take preventive or corrective actions and develop new control activities based on the report submitted by the internal auditor, or to request additional reports.

Authorising Officer
Authorising Officers must ensure that the tasks, powers and responsibilities of staff are defined clearly and in writing and communicated to all staff. In this framework, a chart of duties which shows the functional reporting network must be produced and communicated to the staff. A communication network that ensures quick and timely access by the staff and managers to the activities and their results must be used. In this regard, the organisational chart of the administration on the intranet and internet can also include a diagram which shows the tasks of the sub-units and the responsible and authorised staff. The Authorising Officer must ensure that sub-units are informed about each other's activities.

Authorising officers:
- must ensure that an electronic communication and archiving system is used effectively for the accurate and reliable acquisition, storage and communication of the information needed regarding the objectives, activities and indicators that are relevant to their respective units, from among those included in the strategic plan and performance programme of the administration;
- must provide for the regular announcement, on the webpage of the unit, of the status of realisation of the performance objectives and indicators related to their respective units and the grounds for the data;
- must provide information for the periodical reporting to the SDUs that is carried out by authorising officers (information about the objectives and risks of the unit, status of realisation, etc.); and
- should transfer timely, complete and accurate information and documents regarding financial transaction processes to the Accounting Officer, and set up mechanisms to store records and statistics.

Realisation Officer
Realisation officers, who are responsible for issuing spending orders, must periodically brief the authorising officer on the spending process. In this regard, information on the spending order being complete, accurate, understandable and reliable plays a significant role in realisation officers fulfilling the tasks requested of them.

Accounting Officer
The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way. Accounting Officers must regularly report to the authorising officer on the accounting records.

Strategy Development Units
SDU managers must review the information included in the activity reports, performance programmes and strategic plans by holding periodic meetings with the authorising officers of other units. Personnel of SDUs must obtain the information needed in the field of financial management and control through these persons.

The necessary coordination for the formation of the team that carries out the studies on the establishment and development of Information Management Systems within the administration is provided by the SDU.

In fulfilling the coordination duties of SDUs which are defined by law, the Principles and Procedures of Internal Control and Ex-ante Financial Control, the Strategy Planning Guideline, the legislation and the Manual on Performance Programmes to be Prepared in Public Administrations, and secondary and tertiary regulations such as the Budget Preparation Manual, must be taken into consideration.

SDUs must have a webpage with forums, good practice examples and frequently asked questions to ensure communication with internal and external stakeholders, in order to carry out their tasks more effectively.

Central Harmonisation Unit
While carrying out its tasks in the field of information and communication:
- the CHU sets up a common (web-based) network where information can be shared;
- it organises trainings, panels and conferences for the actors that take part in the field of internal control; and
- CHU members are assigned to be responsible for particular administrations to enhance information and communication with the SDUs of administrations. They communicate with SDUs and provide them with information and guidance via official letters, call centres, telephone, forums, etc.

Please refer to the CHU Handbook for further details on the roles and responsibilities of the CHU.

Besides the practices and methods in the area of information and communication given in this manual, public administrations must also take into consideration those regulations in the legislation which are directly related to the area of information and communication. These basic regulations are contained in IC Annex I.
4 INFORMATION

The prerequisite for reliable and proper information is the immediate recording and suitable classification of all operations and transactions. Internal control includes obtaining, classifying, recording, utilising and reporting both financial and non-financial information.

4.1 Characteristics of Information

The characteristics that the information used in public administrations must have are given below.

- Timely: Information should be obtained and transferred at the right time by the right personnel.
- Related: Information should be related to every activity, work or action.
- Available: Information holdings should be available to those who require them at the moment they need them, and also later. Technology should be available to users in order to facilitate obtaining, storing, transferring and using information.
- Comprehensible: The description of information holdings must have the same meaning for users at all levels of the administration. In addition, information that is shared with external stakeholders must be clear and meaningful for its users.
- Usable: Information must meet the needs of its users in relation to the purposes for which it was received.
- Complete: Both the content and the form of information should be complete in order to provide for efficient and effective use of information holdings.
- Accurate: Information must reflect accurately and correctly the points regarding the aims, objectives and activities it is related to.
- Up-to-date: Information must be kept updated and related to the needs. A lack of up-to-date information can impair decision making and programme delivery. Managers and personnel should take the necessary actions to keep information up-to-date.
4.2 Information Management

Information management is a process in which information is planned, obtained from any kind of source (internal or external), classified, stored, communicated to the relevant bodies in a timely manner for interpretation, reviewed for updating, and destroyed. The stages of this process are complementary to each other; at any stage there may arise a need to take into consideration the phases of the previous or the next stage.

IC Figure: Information Management Process (a cycle of planning information need, creating and collecting information, organising information, utilising and sharing information, and reviewing and keeping information)
4.2.1 Planning Information Need

The planning stage starts with identifying strategic aims and objectives and performance objectives, as well as identifying the information needs to achieve these objectives. This stage includes the assessment of who needs what information, when and why, and how they can acquire it, at all levels from the operational to the strategic activity level, in order for the administration to maintain its operations effectively.

In the planning stage the following factors must be taken into consideration:
- Internal and external information users must be defined and classified. The information needs of users must be determined. Information holdings must be examined to see whether the current information needs of the users can be met using them.
- While novel databases and information systems are designed, the risk of the information being disseminated to the public must be considered.
- The benefit and cost of information in terms of the users must be analysed.
- The information need for new legislative, strategic and operational aims must be defined, along with the relevant information system requirements; furthermore, the person and the time to do this work must be set out.
- Emerging information needs must be compared to the present information and information systems within and outside the administration.
- In order to increase the value or productivity, or decrease the cost, of the systems in use, such methods as combining information systems and using novel technologies and standard practices can be referred to.
The value of information is not only about how it is used and kept but also about how and when it is going to be destroyed. Many factors such as legislation, information policies and needs may have an impact on how long to keep that information. Information which is being kept should be destroyed in accordance with the relevant legislation after the necessary approvals have been received.
4.2.2 Creating and Collecting Information

While producing and collecting information, first of all the value of the information for the administration must be set out, and it must be made sure that the people in need of information have access to it on time.

The information collection and creation process should focus on the following, and the information collected or created must have the capacity to meet the needs of the administration. To this end:
- The holdings must be periodically reviewed in order to determine whether the information that is created or collected continues to meet the identified needs, and it must be followed up whether users really use the information. A great deal of information can still be collected unnecessarily for a reason that was identified in previous periods. If the administration decides to stop collecting that information, it must first set out whether any individual or programme would be affected.
- The quality and scope of information, as well as its relation to the defined needs and whether it meets them, should be understood in regular reviews. In addition, the implicit (tacit) information held by the staff must be turned into explicit information and incorporated into the information inventory. The information produced as a result of the process studies must be classified from the most frequently used to the least.
- Information must be compiled in information pools to be created. This information must be clear and understandable. The information in the pool must be open to access upon being classified in accordance with the information hierarchy (such as strategic and operational). Management of the information pool must be carried out by a team competent in the processes to be formed within the administration.
- Legislation or policies may demand that certain information be collected by an administration. Therefore the information that is collected must meet legislative and institution-specific policy requirements.
- Information collection must be coordinated. To this end:
  - all information collection activities must be accounted for, including all regions and organisational units, and the information collected must be accessible;
  - the administration must ensure that information collection conforms to the applicable standards;
  - information must be periodically reviewed in order to ensure that the requirements of the relevant legislation are respected (this might be done during the annual update of personal information); and
  - before information is created or collected, existing information holdings must be reviewed to determine whether the information needs can be satisfied by existing holdings or readily accessible external information sources.

The following are the leading sources of information:
- instructions, approvals, invoices, transaction orders, petitions;
- interactions between clients, vendors or other ministries and agencies;
- planning documents: budgets, forecasts, work plans, blueprints (technical or engineering designs);
- drafts, schemes of information architecture;
- reports, policy briefing notes, other documents supporting the activities and justifications;
- meeting documents: agendas, records of decision;
- commission documents, job descriptions, member lists;
- requests for information and the responses, emails, forms used to collect responses, templates, related instructions, responses in every format;
- client records, applications, evaluations, emails, phone calls;
- every kind of data in electronic media; and
- information resources which could provide additional information.
Collecting Information from the Public/Private Sector

The response burden should be minimised to the lowest level possible in this process. To this end:
- the administration should determine from whom it will receive information, at what frequency and in what detail, as well as what burden this process will create upon respondents; and
- there should be cooperation with other administrations in such matters as undertaking joint collection or information sharing.

The forms should meet all statutory and policy requirements. To this end, all forms, in both paper and electronic media, must be reviewed before they are put into use to ensure that the applicable requirements are met. Furthermore, the person responsible must be assigned.
4.2.3 Organising Information

The aim of organising information is to establish a link between the operations of the administration and the usage, sharing, retrieving, archiving and destroying of information, and to facilitate the process for the administration and the other stakeholders.

The following steps must be taken for an efficient organisation of information:
- It must be ensured that users both internal and external to the administration are satisfied with their access to information. Methods should be established to measure user satisfaction (such as user surveys and questionnaires applied after completion of certain services, as well as periodically applied questionnaires).
- The custodians of information holdings (e.g. Data Processing Departments, Library Services etc.) must identify the information needs of users and improve their services to better meet the users' needs for quick and easy access, e.g. by shortening response time, using efficient and effective technology for transmission, and designing a user-friendly system.
- Information must be available for public dissemination and communicated to the public where and when appropriate, for instance by establishing such structures as e-libraries to facilitate public access.
- Information available for use by other administrations must be checked to see whether it is subject to any legal or policy constraints.
- Administrations must have an up-to-date publications catalogue, which must be deposited in the administration's library. Published material must be catalogued according to established standards.
- All the documents published by the administration must be accessible on the administration's webpage.
Registering, Filing and Archiving of Information

Registry and Filing

To ensure effective management, any kind of document, including electronic ones, internal communications, operations and transactions must be recorded, classified, filed and archived; there must be a comprehensive and up-to-date system for this.

If meaningful and valuable information for the control of activities and decision making is desired, all operations and transactions must be instantly recorded.

In order to ensure the quality of information and reporting, the fulfilment of internal control activities and responsibilities, and effective and efficient monitoring activities, all transactions need to be completely and clearly documented.

These documents should be easily accessible where needed.

The documents of the internal control system should include the structure and policies of the administration, the types of activities, the related objectives and the control procedures.

The registry process should be applied in a way that covers all stages of a transaction, from the start and approval stages until final classification. This is also the case for the regular updating of documents.

Regardless of the media in which they are received (such as paper, fax, e-mail or electronic), documents should be recorded and kept within the framework of a registry plan corresponding to at least one official file.

Registry procedures must be communicated to staff in writing.

In this context, Standard Filing Plan no 2005/7, published in the Official Gazette no 25766 dated 24 March 2005 and prepared under the coordination of the Prime Ministry General Directorate of State Archives, must be taken as the basis in order to establish a common method for all public administrations to file all documents, including electronic ones, and to ensure fast and easy access to them where necessary.

Ensuring standardisation in the filing system would help achieve harmony within the institution and, if it can be disseminated among all organisations, it would form the basis for an efficient and effective communication system across the country.

Standardisation of filing services would:
- ensure that documents about the same issues are codified using the same numbers in all organisations;
- facilitate easy and fast access to the right information and documents requested, and make sorting, classifying and keeping the documents and putting them into service easier, as standard file numbers will refer to the same issues in all organisations;
- ensure integrity and ease in the establishment of a tidy, fast, effective and efficient system of documents, files and communication;
- provide the infrastructure for the automation of documents and correspondence and the establishment of information networks among organisations; and
- facilitate internal and inter-organisational file and operation tracking: the document or information looked for would be found easily and in a short period of time.

The task of carrying out studies on the registry, usage and archiving of electronic documents has been assigned to the General Directorate of State Archives by Decision no 7 dated 9 September 2004 of the e-Transformation Executive Board and, in accordance with Prime Ministry Circular number 2008/16 on Electronic Document Standards, published in the Official Gazette number 26938 dated 16 July 2008, TSE Standard number 13298 has been published. This Standard is the main source for the electronic document management systems to be used by all public organisations.

Electronic document management systems to be established by the administrations will comply with TSE Standard no 13298; furthermore, inter-organisational sharing of the electronic documents produced will be carried out according to the criteria on electronic document sharing services set out at the web address www.devletarsivleri.gov.tr.

Archiving Services

Archiving services include the identification of materials held by the administrations and the staff that will become archive materials in the future, their protection against any losses, preservation under proper conditions, utilisation in accordance with national interests, and cropping and disposal if not deemed necessary to maintain. The principles and procedures on archiving services have been set out in the Regulation on State Archiving Services, published in the Official Gazette number 19816 dated 16 May 1988 and amended by the Official Gazette number 25735 dated 22 February 2005.

As per this regulation, administrations have to take the necessary precautions to protect information and documents against disasters, theft, fire etc., set out the procedures for the preservation of confidential documents, take measures to ensure that the documents remain legible in the future, and inform the managers and staff about the proper preservation periods for the documents.
4.2.4 Using and Sharing Information

Using and sharing information is crucial in terms of accountability and transparency for those who take part in the activities of the administration and for other stakeholders.

Information is an asset which renews itself, turns into a new form and becomes more valuable as it is communicated and shared. Therefore regular communication and circulation of information within an administration is a principle of information management. Sharing administrative information reflects a cycle in which the information is communicated to the relevant persons, administrative works are notified, the reactions of the personnel are received, and the reactions are assessed, evaluated and communicated back to the relevant persons.

The following must be considered while using and sharing information:
- Comply with privacy, security and legal restrictions.
- Whenever possible, use electronic media to share information resources (email, repositories, websites and so on).
- Ensure that information remains complete, accurate, up-to-date, relevant and understandable.
- Verify the accuracy and reliability of information (especially when conducting web-related research).
- Take advantage of administrative investments in information resources (magazine and journal subscriptions, databases, online library services and so on) while respecting copyright, licensing and intellectual property rights.
- When retaining information that has been 'copied', indicate the source, whether it is from an information resource already saved in the organisation's repository, from a publication or from a website.

Furthermore, transferring information from those who leave their jobs to those starting a new job is crucial to the continuity of activity in an administration. In this context, the following should be taken into consideration.
IC Table 1: What to do when leaving and starting a job

When leaving a job:
- Discussing your responsibilities with your manager when leaving the job, and determining and monitoring the internal policies for the administrative closure of your business processes.
- Providing pertinent information about everything you leave for your successor, explaining why it will be needed.
- Backing up all the job-related information in the electronic medium and transferring it to the information pool.
- Transferring the documents under your responsibility to the relevant successor.
- Creating a list of job-related website addresses, a summary of ongoing projects and related contact information, and an inventory of information resources (including file numbers) that will help your successor get used to his or her new job.
- Returning, or extending the deadline of, the material that was borrowed from the library.
- Removing the former employee's name from distribution lists.

When starting a new job:
- See whether any electronic and paper information resources of business value have been transferred to your custody.
- Take note of any instructions or messages you receive regarding access to electronic tools such as a shared drive, business system or repositories.
- Familiarise yourself with your information management responsibilities and practices.
- Take part in training sessions on information management and recording.
- Add the new employee's name to the distribution list.
4.2.5 Reviewing and Protecting Information

Organisations must periodically review such main processes of information management as planning, producing, collecting, defining, accessing and using information, and share the results with managers.

Therefore, attention must be paid to the following:
- Store the information in a manner that preserves its form and status, keeping its structure, context and content intact.
- Mark each information resource according to its proper security classification, whether on the paper or the electronic document.
- Protect classified and protected information by ensuring it isn't left in waste or recycling containers, and by storing it in locked desks or cabinets after work hours and during extended periods of absence.
- Implement effective access control procedures, ensuring that classified and protected information is only made available, on a need-to-know basis, to those who are authorised to access it. The level of protection must be consistent with the level of risk.
- Take requests for access and usage from other users into consideration and assess their compliance with the legislation.
- Periodically back up the information for protection purposes.
4.3 Information Security

Information can be stored on paper, kept in electronic format or transferred verbally. Regardless of its form, information must be properly recorded and protected. Information security means safeguarding the valuable assets of an administration against loss, misuse or damage.

The aim of information security is to ensure the following:
- safeguarding data integrity;
- preventing unauthorised access;
- respecting privacy and secrecy; and
- continuity of the system.
4.3.1 Information Security Management System

An information security management system is a systematic approach adopted so that the organisation's sensitive information that needs protection is managed properly; the main objective of this system is safeguarding and storing sensitive and critical information and making it available where necessary.

Setting Up an Information Security Management System

In order to establish an information security management system:
- Primarily, the decision must be taken on whether the system will cover the entire organisation or a part of it.
- Secondly, a policy that sets out the objectives must be introduced.
- Finally, a systematic risk assessment approach must be adopted, and the potential risks must be identified and mitigated as appropriate.

Requirements of an Information Security Management System

The following are the requirements for an efficiently operating Information Security Management System:
- Support and ownership by the top management and managers of the administration must be ensured.
- Information management should not be regarded as merely a technical issue and a job only for the Data Processing Department. The system must have the potential to reach its objectives through the active participation of all staff of the administration.
- The establishment of an information security management system must not be regarded as an extra burden and a waste of time.

Elements/Principles of Security

The risks of compromise to information security, for example hacking, need to be defined, and controls to mitigate those risks should be introduced. If these controls are absent or ineffective, the efficiency of the information security system will decrease considerably.

The main principles of security are confidentiality, integrity, availability, authentication, non-repudiation, responsibility and access control. For more detailed information, see the Turkish Standards Institute TSE-17799 "Information Security Management Standard" document. Furthermore, there are other international models aiming to ensure the security of electronically produced information, such as COBIT, e-SAC (Electronic System Audit and Control) and System Trust, while you can also explore the standards ISO/IEC 27001 and ISO/IEC 27002 (International Organisation for Standardisation).

Also, please refer to the "Regulation on the Principles and Procedures Regarding the Implementation of the Law on Electronic Signature", based on the Law on Electronic Signature number 5070, and to the e-Transformation Turkey 2005 Action Plan (Action 5: "Current systems at public institutions, particularly central institutions using critical information, will be analysed and information security policies and measures will be developed accordingly"; and Action 33: "The needs of disaster management of the public information system will be identified and recommendations will be developed").

For preserving and storing documents that are kept in written form, please refer to section 4.2.3 on organising information (Registering, Filing and Archiving of Information).
4.3.2 Information Security Control Activities

In order to set the level of importance of an item of information, the degree of effect on the administration that stems from the risk of harm to the "confidentiality, integrity and availability" of that item of information must be defined in the first place. Harm to these three security features of information systems may have different degrees of effect. For instance, disclosure of top secret information can cause serious harm to an administration, while it may not be that harmful if that information becomes unavailable.

The identified risks to information security must be analysed and ranked, and the cost of the control activities to be established and operated to mitigate those risks must be in proportion to the value of the information protected and the risk identified after examining the potential threats. For some ideas of suitable control activities, see the Control Activities chapter.

IC Figure 1: Process of Control Activities for Information Security (stages: prevention, detection/identification, response)

The figure above is an example of security-related control activities. It demonstrates four different attacks. As can be seen from the figure, attack [1] is immediately stopped at the prevention stage, while attacks [2], [3] and [4] are not. Of the attacks that survive the prevention stage, attack [2] is identified at the detection stage and eliminated. Attacks [3] and [4] pass the detection stage. At the response stage, which is the final stage and has been designed in accordance with the tolerance level decided, attack [3] is eliminated, while attack [4], which survives all stages, damages the system after passing through all security processes.
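As an added illustration of sections 4.2.5 and 4.3.2 (example code written for this edition, not code from the manual or from the Twinning project), the Python below derives an item's security marking from the harm its disclosure would cause, its overall importance from the worst of the three confidentiality, integrity and availability harms, ranks holdings so that control effort can be proportioned to them, and applies the need-to-know rule for access. The Impact scale, the marking ladder, the compartment names (HR, FIN) and the sample holdings and users are constructed assumptions, not values taken from the manual.

```python
"""Information classification and need-to-know access check.

Added example: the impact scale, marking names, compartments and sample
data below are constructed for illustration, not taken from the manual.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Tuple


class Impact(IntEnum):
    """Degree of harm to the administration if a security property is breached."""
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Assumed marking ladder, indexed by confidentiality (disclosure) impact.
MARKINGS = ["Unclassified", "Restricted", "Confidential", "Top Secret"]


@dataclass(frozen=True)
class InformationItem:
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact
    compartments: FrozenSet[str] = frozenset()  # need-to-know groups

    def importance(self) -> Impact:
        """Overall importance: the worst of the three harms; drives control effort."""
        return max(self.confidentiality, self.integrity, self.availability)

    def marking(self) -> str:
        """Security classification to mark on the document: driven by disclosure harm only."""
        return MARKINGS[self.confidentiality]


@dataclass(frozen=True)
class User:
    name: str
    clearance: str  # one of MARKINGS
    compartments: FrozenSet[str] = frozenset()


def can_access(user: User, item: InformationItem) -> Tuple[bool, str]:
    """Need-to-know check: clearance must reach the marking AND the user must
    hold every compartment of the item. Clearance alone is never enough."""
    if MARKINGS.index(user.clearance) < MARKINGS.index(item.marking()):
        return False, f"{user.name}: clearance '{user.clearance}' is below '{item.marking()}'"
    missing = item.compartments - user.compartments
    if missing:
        return False, f"{user.name}: no need-to-know for {sorted(missing)}"
    return True, f"{user.name}: access to '{item.name}' granted"


def rank_by_importance(items: List[InformationItem]) -> List[str]:
    """Most important first, so control spending can be proportioned to value and risk."""
    return [i.name for i in sorted(items, key=lambda i: (-int(i.importance()), i.name))]


# Constructed sample holdings: disclosure and unavailability harm differently.
PERSONNEL_FILE = InformationItem("personnel file", Impact.HIGH, Impact.MODERATE, Impact.LOW, frozenset({"HR"}))
PUBLIC_NOTICES = InformationItem("public notice board", Impact.NONE, Impact.MODERATE, Impact.HIGH)
BUDGET_DRAFT = InformationItem("budget draft", Impact.MODERATE, Impact.MODERATE, Impact.MODERATE, frozenset({"FIN"}))

# Constructed sample users.
HR_CLERK = User("hr clerk", "Top Secret", frozenset({"HR"}))
ANALYST = User("finance analyst", "Confidential", frozenset({"FIN"}))
DIRECTOR = User("director", "Top Secret")

if __name__ == "__main__":
    print("ranking:", rank_by_importance([PERSONNEL_FILE, PUBLIC_NOTICES, BUDGET_DRAFT]))
    for user in (HR_CLERK, ANALYST, DIRECTOR):
        for item in (PERSONNEL_FILE, BUDGET_DRAFT, PUBLIC_NOTICES):
            print(can_access(user, item)[1])
```

Two outcomes are worth noting: the director, despite holding the highest clearance, is refused the personnel file because clearance is not need-to-know; and the public notice board carries no classification marking yet ranks as highly important, because its unavailability would be harmful, which is exactly the distinction section 4.3.2 draws between the three security features.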
5 MANAGEMENT INFORMATION SYSTEMS (MIS)

Management information systems are computer-assisted systems (consisting of computer hardware and software) which should ideally provide the timely strategic information needed by managers, in the form they demand it, so that they can make the right decisions on an informed basis.

The aim is the transmission of the right and complete information to the right people in the proper format (form, report, table, graphics etc.). A labour force is needed to run, update and maintain the systems. MIS give information on how the administration is performing against key performance indicators in terms of financial information, information regarding the staff, information on movable/immovable assets, performance information, information from the organisation's document archive etc. MIS may also give information on risk management.

Information should be registered, classified, calculated, summarised, reported and stored. Backup copies of the system should be kept in case the system crashes. If these processes are not done systematically, managers may have incorrect information and thus make the wrong decisions.

While designing MIS, first the civil servants must understand the importance of acquiring and recording reliable and accurate information and be aware of their responsibilities in this regard; then the business processes related to the production of information must be defined completely and clearly; and finally support from IT must be obtained.
Some organisations have dispersed information systems; however, the existence of such a structure does not necessarily mean that they have MIS. In some cases information is not related and integrated with all the actions and units of an administration: data recorded by different units in different systems is stored independently of the other units. Duplication of information in different units of the administration is an inefficient use of resources. Data being entered into a central computerised system ensures that managers have access to information which covers the whole administration.

Resistance to information sharing in administrations is a significant problem. It is not possible to transmit the accurate and timely information which management needs in administrations where information is not shared, and this is an obstacle for MIS. Hence a culture of information sharing should be encouraged.
5.1 Stages of Establishing MIS

In the development of management information systems, SDUs undertake the task of coordination and provide technical assistance to the spending units. The following process can be followed by the SDUs and the spending units in establishing MIS.

5.1.1 Establishment of the MIS Working Group

A participative method should be adopted in the establishment of MIS in administrations: a work programme should be produced for a working group formed with the participation of representatives from all the spending units under the coordination of the SDU, and tasks should be distributed.

5.1.2 Preparation of the MIS Working Plan

In the working plan:
- To begin with, a comprehensive needs analysis should be carried out to identify which types of information the management may need.
- Upon completion of the needs analysis, the data provider units for the MIS should be identified. This will provide a significant infrastructure for the information map to be produced.
- The properties of the current information system of the administration and the related problems and solution recommendations should be disclosed; what needs to be done to solve the problems and what is aimed at should be determined; and structures should be set up in the administrations to support the production and sharing of information.
- The cost and benefit aspects of the system planned to be established should be considered.
- The potential risks relating to MIS should be identified and a risk management process should be carried out. The control activities to be applied for the risks with high significance and likelihood should be determined.
- A good MIS must be flexible enough to keep up with the changes occurring inside and outside the administration. Besides, success criteria for the system, such as the inclusion of early warning mechanisms, should be determined.
- In the medium term, a corporate information map must be prepared that will cover the entire organisation. Preparation of a corporate information map would ensure quick access to the information and expertise needed. The information map must be produced primarily at unit level and then at individual level, considering their level of expertise and experience. While forming such a structure, organisational charts or documents for the distribution of tasks within the units at a more specific level can be made use of. Production of the corporate information map and its proper operation would ensure that the following question is easily answered: "Who knows what?" For instance, quick identification of who (which department, which employee etc.) has information about staff, budget or archives, and of the relation among this information, will be ensured.
- Establishment of MIS can be initiated by pilot implementations in the units. Using pilot implementations as a starting point and ascertaining how the system works will ensure economy in terms of time, cost and labour force. Potential mistakes in the further stages of the process can be prevented by eliminating the shortcomings and correcting the mistakes observed during the pilot implementations.

5.1.3 Monitoring/Assessment

Periodic reports must be produced and presented to the top management during the establishment of MIS to show the progress in the development of the system. Action must be taken against the problems identified at this stage to ensure performance of the activities as planned.

Studies about the fulfilment of MIS services in administrations must be carried out upon the approval and under the supervision of the head of administration. Furthermore, the head of administration must inform the related units about the working method adopted.

An MIS needs to be dynamic to keep pace with changes in technology or in the demands for information by management.

5.1.4 Related Legislation

Law no 5436, which amends Law no 5018, prescribes the establishment of SDUs and assigns them the task of providing the services related to MIS.

In the Regulation on the Working Principles and Procedures of SDUs, providing the services regarding MIS and carrying out studies for the establishment of the system are listed among the tasks of the SDUs.
6 COMMUNICATION

Communication is the exchange of information among individuals and/or organisations to support service delivery, decision making, and the sharing, carrying out and coordinating of activities. It plays a central role in the development of a robust internal control system and helps management to make decisions by providing feedback on how all the components of internal control are working.

An administration needs information at all levels to achieve its objectives and manage risks. In this context, information flows can take place both horizontally and vertically, as well as from outside the organisation.

Information must be properly communicated within an administration to the managers and/or staff in need of it, on a timely basis, in order for them to fulfil their responsibilities and ensure coordination with other units. External communication with beneficiaries, suppliers and stakeholders such as other public administrations is also essential for effective internal control.

Communication can be verbal, written or electronic, or a combination of the three. Where verbal communication is deemed sufficient, documenting only the important verbally communicated information would be useful, so that records of key information are kept and can subsequently be referred to by those who are given access to them.

IC Box 2: Communication Channels

Management should establish communication channels that:
- provide accurate information at the right time;
- meet individual demands;
- inform employees of their roles and responsibilities;
- support reporting;
- allow employees to make recommendations for improvement;
- give messages that top management can understand, enabling them to make decisions;
- inform employees of the importance of internal control and of the decisions taken;
- are both internal and external; and
- have the right target group.
6.1 Internal and External Communication

Administrations should consider the following general issues regarding their internal and external communication:
- The public should be provided with timely, accurate, clear, objective and complete information about policies, programmes, services and activities.
- The language used should be comprehensible and plain Turkish.
- Administrations should be visible, accessible and accountable to the public for the services they provide.
- Various means and methods should be utilised in communication, and information from a variety of sources should be engaged to meet different needs.
- Communication needs should be regularly identified.
- Administrations should receive opinions from internal and external stakeholders while setting out objectives and aims and formulating processes, and should establish mechanisms to assess these.
- Public administrations should work cooperatively with stakeholders when necessary in order to ensure efficient communication.
- Services should be provided in a fair, quick and responsive manner.
- Administrations should have the capacity and equipment to follow up innovations in communication technology and allocate the necessary resources to do so. In this context, the activities carried out should be proportionate to the resources allocated and the results expected.
IC Table 2 Communication Principles and Procedures

INTERNAL

General internal communication
Principles:
- Top management and employees should understand the internal communication system and be well aware of their responsibilities.
- It must be ensured that staff communicate their considerations, recommendations and questions to top management.
- Communication between managers and employees should be clear and cooperative in order to achieve the goals and mission of the administration.
- Staff objectives should be made consistent with those of the administration.
- More effective communication should be ensured between senior management and personnel.
- Recommendations and ideas of personnel should be heard, and action taken to address them when appropriate.
Methods:
- Internal communication activities and processes should be reviewed regularly and revised where necessary. New communication methods should be adopted to stay in line with the changing administrative structure.
- Staff should be regularly informed, in writing or electronically, about the operation of the internal communication system (including the information and communication system for risks), what to do and their responsibilities.
- The necessary mechanisms (intranet, internet, announcement boards, complaint and suggestion boxes, top manager briefings, etc.) should be established to inform employees about the mission, vision and objectives of the administration.
- Regular meetings and an electronic mechanism that enables the SDUs to coordinate spending units and produce statistical data via the necessary analysis.
- To this effect, in-house communication seminars and training programmes should be organised.

Vertical communication
Principles:
- Personnel should convey the necessary, timely, complete and accurate information to their managers in time for the managers to make decisions and achieve objectives.
- Personnel should be notified by their managers when, in which scope, in what way and from which unit the information is demanded.
- Managers should inform the staff about the policies, goals and objectives of the administration.
Methods:
- A reporting system should be established within the administration which flows from staff to managers (minutes of meetings, unit activity reports, exchange of information on a weekly or daily basis in person or electronically, a reporting system that enables the managers to monitor daily activities, etc.).
- Regular meetings between management and internal auditors; timely submission of internal audit reports to top management.

Horizontal communication
Refers to the effective sharing of information among employees of the same hierarchical level in order to carry out the tasks and activities of the administration.
Principles:
- The personnel and units that are to share information should be announced to staff, and the duty to share information should be included in the job descriptions of the relevant personnel and units.
- Managers should hold regular meetings to exchange ideas on their respective fields of competence and on the problems and suggestions regarding management.
Methods:
- Establishment of a system to monitor the meetings and activities of people of the same level.
- Creation of an e-mail group for people from the same hierarchical level.
- Strengthening the data processing infrastructure and ensuring the active operation of units.
- Ensuring that top management has more effective communication with employees.
- Internal communication seminars and training programmes should be organised.

EXTERNAL
Principles:
- The accessibility of citizens to the information and services of administrations should be enhanced.
- Administrations should inform the press about issues deemed important for decision makers and the public.
- The head of administration should inform the public annually about the performance programme and activity report of the administration, and these should be published on the administration's website.
Methods:
- Services delivered by administrations within the framework of "e-state" should be shared with the other relevant administrations and citizens (MERNIS, UYAP, etc.).
- The administration's website, which provides the necessary documents, should be established, and some services should be provided via this website 24/7.
- Documents and services provided online should be updated regularly, and the administration should assign certain people to manage the design and content of the website.
- Furthermore, publishing the website content in English for the access of foreign users to information will be useful.
- Mechanisms should be set up to enable citizens to express their complaints and suggestions (forum, frequently asked questions, activation of the use of the Information Acquisition System and BIMER, etc.).
- The press should be invited to important conferences and seminars.
- Services provided by the administration should be advertised on TV or the internet.
- The active operation of the press and public relations units should be ensured.
6.2 Communication Methods
A communication system is made up of the methods and records produced to determine, acquire, change and transfer useful information. Staff must be able to communicate with all the units in the organisation, including sharing information on risks.
With the advancements in technology, numerous and various communication means are now available in public administrations. The most widely used means of communication are detailed in IC Annex 2.
6.2.1 Reporting
Reports are crucial tools for the establishment of an effective internal control system, as they facilitate the monitoring of control effectiveness.
Managers should take the reports submitted to them into consideration when making decisions. In this context, accurate and succinct reports that have been prepared on time help the managers. Furthermore, communication and reporting is an important element of risk management (see the Risk Management chapter).
Administrations should communicate financial and non-financial information and results regarding their policies, programmes, activities and projects to the relevant persons and bodies, in writing or verbally, at particular times. Within this framework, vertical and horizontal reporting lines within the administration should be determined in writing. Furthermore, each administration should also take external reporting mechanisms into consideration.
IC Figure 3 shows the mechanism of vertical reporting among the hierarchical stages regarding the decisions and works at the strategic, programming and operational levels, and the mechanism of horizontal reporting among personnel of the same level. Vertical reporting is the reporting of personnel to managers. Horizontal reporting, on the other hand, is the necessary flow of information among the people and units that are on the same level.
IC Figure 3 Reporting Lines
(Figure: vertical reporting runs from other staff through medium-level managers to top management, across the operational and strategic levels of objectives and activities; horizontal reporting runs among staff at the same level.)
Examples of horizontal reporting within an administration:
- Staff attending a training programme sharing with colleagues the report they prepare about the training results; and
- Minutes of meetings shared with other units.
Examples of vertical reporting within an administration:
- Consolidated Risk Report submitted to senior management;
- Minutes of meetings copied to a senior manager for their information;
- Internal Audit Reports submitted to senior management; and
- Quarterly Reports and Semi-Annual Reports submitted to senior management.
Examples of reporting outside the administration:
- Internal Control System Evaluation Report prepared by the SDU and submitted to the CHU; and
- Annual activity report for an administration prepared by the Head of Administration, published to the public and copied to the Turkish Court of Accounts and the Ministry of Finance.
IC Box 3 Basic Principles for Effective Reporting
- It should be explicitly determined and announced to staff which reports will be prepared, by whom, at what frequency and when they will be prepared, who they will be submitted to and who will control them. Reports must be in compliance with tasks, responsibilities and the principles of financial transparency and accountability.
- The information included in the reports must be accurate, up-to-date, succinct, objective, complete, relevant and sufficient.
- Reports should use a common and clear language that everyone can understand.
- Reports must be produced at certain periods and on a consistent basis, so that comparisons can be made between years.
- Reports should attract the attention of readers, be easy to read and understand, and include sufficient and appropriate visual material.
- All reports should have a conclusion and evaluation section.
- The desired format for the report should be determined in advance by the administration/unit requesting the report and notified to the relevant administration/unit.
IC Annex 3 details the reports prescribed to be prepared as per the Public Financial Management and Control Law No 5018 and the applicable regulations, in the framework of the principles of financial transparency and accountability.
7 WHISTLEBLOWING OF FAILURES, IRREGULARITIES AND FRAUD
One of the most important elements of accountability and transparency is the existence of a mechanism that ensures that staff and stakeholders are able to effectively express their concerns.
Article 279 of the Turkish Penal Code states that if a civil servant learns, by means of the position he holds, that a crime which necessitates investigation and prosecution was committed, and neglects or delays notifying the competent authorities of this crime, he will have committed a crime himself.
7.1 Concepts of Failure, Irregularity, Fraud and Whistleblowing
Failure refers to an unintentional action against the legislation.
Irregularity and fraud, on the other hand, refer to deliberate behaviour by the administration's staff or third parties against the present rules in order to achieve unfair or unlawful gain.
Whistleblowing is the notification of illegal and unethical behaviours and actions to top management, third parties outside the management, or authorised bodies or persons (who can be inside or outside the administration) by the persons with information (employees or stakeholders). Failure to blow the whistle can cause damage to the administration.
In line with the above, administrations must determine distinct methods for evaluating the irregularities, fraud and failures they have been notified about.
It should be borne in mind that the person who makes the notification may be left alone or isolated, his or her career may be undermined, or he or she may not be taken seriously. Therefore, any kind of biased or discriminatory conduct against personnel or third parties who blow the whistle should be prevented.
7.2 Scope of Notifications
There are three basic types of whistleblowing and complaints in public administrations:
- those regarding the violation of ethical values;
- those regarding faults, irregularities and fraud; and
- complaints by civil servants regarding administrative actions and processes implemented against them by managers or administrations.
7.2.1 Whistleblowing and complaint in cases of violation of ethical values
Whistleblowing mechanisms are defined in Law No 5176 on the Establishment of the Civil Servants Ethical Board and Making Amendments on Some Laws, and in the Legislation on Ethical Behaviour Principles and Procedures for Civil Servants.
Under this legislation, cases of violation of ethical behaviour by the director general and by those who have a title at this level are notified to the Ethical Board, while cases of violation by other employees are notified to the relevant administrative manager to be directed to the administration's disciplinary board. Within this framework, administrations carry out the process to ensure compliance with the law.
A flowchart showing the detailed process for whistleblowing and complaint in cases of violation of ethical values is at Annex 4a.
7.2.2 Whistleblowing and complaint regarding irregularities and fraud
Law No 4483 defines the procedures to be followed in cases of crimes committed by civil servants by means related to their duties. Accordingly, cases of whistleblowing or complaint about civil servants are filed, processed and concluded under this Law.
In cases where a complaint by a person is not processed, he can appeal to the administrative court if he wishes. The administration has to record all cases of whistleblowing or complaint, whether processed or not.
A flowchart showing the detailed process for whistleblowing and complaint regarding irregularities and fraud is at Annex 4b.
7.2.3 Complaints by civil servants
Proceedings relating to complaints by civil servants regarding administrative actions and processes implemented against them by their managers or administrations are carried out within the framework of Article 21 of Law No 657 and the Legislation on Complaint and Application Rights of Civil Servants.
7.3 The Responsibility for Detecting Faults, Irregularities and Fraud
The responsibility for identifying and preventing failures, irregularities and fraud rests with management and all employees. Under the ethical behaviour culture of the administration, the necessary actions should be taken to prevent failures, irregularities and fraud under the supervision of the responsible managers.
7.4 Whistleblowing System
For employees to communicate their concerns, and for these concerns to be taken seriously, administrations should have the related regulations that comply with their structures, as well as reporting mechanisms. These regulations should include:
- the subject matter of a whistleblowing;
- how to protect the confidentiality of, and provide security for, a whistleblower who acts in good faith;
- the stages of the whistleblowing procedure (first to the manager, then the head of unit, the head of internal audit, the head of the human resources unit or the head of the financial services unit, and the head of administration);
- how cases of whistleblowing are evaluated by the administration and what actions are taken (examination inside the administration, official investigation, etc.);
- the information given with a view to informing the whistleblower about who the subject matter concerns, whether he can contact that person, and about the evaluation progress and/or results.
Within this framework, administrations should announce to the personnel all the ways of whistleblowing and complaint.
In cases of whistleblowing and complaint, the identity of the whistleblower should be kept confidential so that they are not exposed to discrimination.
Administrations should receive cases of whistleblowing and complaint in electronic format via their websites, as well as in writing. Besides, administrations should set up mechanisms that make it easier for external stakeholders to whistleblow or complain, and announce these on their billboards and websites.
Administrations should not set up mechanisms other than the preliminary examination procedures determined in Law No 4483 for cases of whistleblowing and complaint regarding corruption and irregularities. As a result of the preliminary examination, whether or not an investigation permit is given should be notified both to the Chief Public Prosecutor's Office and to the whistleblower with a detailed justification, and the letters regarding these notifications should be kept in the whistleblowing files.
For an effective whistleblowing system, the following basic requirements are taken into consideration.
IC Box 4 Basic Requirements for Whistleblowing
- Top management should announce the procedures for dealing with whistleblowing and complaint from inside and outside the administration.
- Administrations should determine, for central and local units, who notifications will be referred to.
- Methods must be developed for anonymous notifications from staff and third persons (telephone, in a way that ensures evidenced delivery; internet application, provided that the forms given are completed; anonymous letter; suggestion boxes; etc.).
- Written, spoken or electronic cases of whistleblowing should be recorded in a separate folder by the authorised unit or person, regardless of whether they are based on enough evidence or not.
- Discriminatory treatment towards the whistleblower should be prevented.
- Periodical meetings should be held with staff in which their views are heard and their trust is won in regard to reporting malpractices within the administration.
- All communication channels should be left open to ensure that personnel can blow the whistle.
- Personnel who are proved right after the examination and evaluation process of the whistleblowing should be rewarded by means of secret methods to be determined by the administration.
IC Box 5 Issues to Consider while Evaluating Whistleblowing Notifications
- Are the behaviours or actions in the administration unlawful?
- Are the behaviours or events taking place in the administration against ethical values (morals, professional ethics, etc.)?
- When the whistleblowing is not in compliance with the procedure, it must still be evaluated as long as it is based on concrete evidence.
- The seriousness and importance of the issues put forward should be taken into consideration.
- There should be good will and public benefit.
- There should be a reasonable belief that the information and the allegations it includes are completely true and may uncover malpractice.
IC Figure 4 Whistleblowing Process
(Figure: the whistle blower first asks: Is it illegal? Is it unethical and immoral? Is it based on concrete evidence? Do I have good will? Do I draw benefit from this? The notification is then passed over secure communication channels (e-mail addresses, telephone numbers) to the unit/person that evaluates the case of whistleblowing against the evaluation criteria. The figure links the evaluating unit/person with the Disciplinary Board, the Inspection Board/Audit Unit, the Chief Public Prosecutor (where the investigation request comes from outside the administration) and the authorising officer.)
IC Box 6 Current Legislation relating to Whistleblowing and Complaint
- Law No 5651 on Publications on the Internet and Suppression of Crimes Committed by Means of Such Publication
- Law No 4982 on the Right to Information
- Law No 3628 on Declaration of Properties, Bribes and Combating Fraud
- Law No 3071 on Official Letters
- Ethics Law, Regulation and Prime Ministry Circular
- Principles and Procedures on the Complaint and Application Rights of Civil Servants
- Complaint regulation under Public Procurement Law No 4734
8 RELATIONS AMONG UNITS
8.1 Information and Communication between the CHU and SDUs
The extent to which the tasks the CHU carries out are effective and efficient depends on the level of communication it achieves with the SDUs.
The CHU must develop organisational communication mechanisms to ensure the transfer of information to the SDUs. This could be done either via a call centre to be established within the CHU, or by matching particular CHU staff (client representatives) with particular SDUs. This would enable CHU staff to know the unit they are responsible for better, and therefore make evaluation and problem solving easier. It would also improve the influence of the CHU on other units. Furthermore, ensuring face-to-face communication between CHU and SDU staff, and organising periodic meetings and/or conference calls to review the internal control system, can be another method of information transfer.
The CHU must set out the critical arrangements that are relevant to the SDUs using participative methods, where the participation of the SDUs must be ensured. Furthermore, the level of participation by the SDUs will enhance the level of communication.
8.2 Information and Communication between SDUs and Spending Units
Ensuring coordination with spending units for the adoption of various elements, such as the preparation of activity reports and performance programmes and the implementation of internal control, which are important elements of public financial management, is the responsibility of the SDUs. Effective and efficient organisational communication with spending units would also contribute to the smooth progress of the coordination process.
SDU staff and spending units must be matched. Each member of the SDU must be in constant communication with the spending unit they are responsible for, and transfer the necessary information to the spending units periodically. Spending units must also assign department/branch/unit staff to be in continuous communication with the SDU. Such matching plays a crucial role in the transfer of consistent and accurate information both from the SDUs to the spending units and from the spending units to the SDUs.
Furthermore, these information flows must also be reviewed in meetings to be held regularly (advised frequency: minimum monthly, maximum quarterly) by the spending unit officials and SDU managers, and the actions to be taken and the required developments must be discussed in these meetings.
In the event that it is necessary for the SDUs to make decisions which would affect the spending units, officials from the spending units must be able to get involved in this process, depending on the level of the decision.
INFORMATION AND COMMUNICATION ANNEXES
Annex 1 - Legislation on Information and Communication
- Regulation on the Principles and Procedures to be Applied in Official Correspondence by the Prime Ministry
- Regulation on the Prime Ministry State Archiving Services, published in the Official Gazette number 19816 dated 16 May 1988
- Regulation on Public Servants' Ethical Behaviour Principles and Principles and Procedures for Application
- Regulation on Declaration of Assets, published in the Official Gazette no 20696 dated 15 November 1990
- Regulation on the Complaints and Application by Public Servants, published in the Official Gazette no 17926 dated 12 January 1983
- Prime Ministry circular on the Standard Folder Plan no 2005/7 dated 24 March 2005
(The manual to be prepared by the Central Harmonisation Unit, including the FMC Manual, can be included.)
- Prime Ministry circular dated 19 March 2007 on the Civil Servants Ethical Board
- Regulation on Complaints under the Scope of Law no 4734 on Public Procurement (The arrangements to be made by the CHU, including the FMC Manual, can be covered in this part.)
- Law no 406 on Telegraph and Telephone
- Radio Law no 2813
- Law no 3071 on Official Letters
- Law no 4982 on the Right to Information
- Law no 5070 on Electronic Signature
- Law no 5651 on Publications on the Internet and Suppression of Crimes Committed by Means of Such Publication
- Law no 5369 on Provision of Universal Service and Amendments to Certain Laws
- Law No 5176 on Establishment of the Civil Servants Ethical Board and Making Amendments on Some Laws
- Law No 4483 on Trying Cases against Civil Servants
- Law No 3628 on Making Declaration of Property and Fight against Bribery and Corruption
- Law no 5809 on Electronic Communication
Annex 2 - Widely Used Methods of Communication
(Table columns: means; objective; advantages; disadvantages.)

Means: Meetings
Objective: informing; receiving opinion; making joint decisions
Advantages: relatively cheap; a method that people are accustomed to; contributes to the culture of participation; open to discussion and dialogue; opportunity to come up with solutions to problems in the administration
Disadvantages: difficulty in measuring the success and value of the method; possibility that results may not be useful; possibility that a minor group may dominate the meeting in case of bad management

Means: Reports
Objective: informing; receiving opinion; making decisions; evaluation
Advantages: informs the target group about the subject in a sound manner; facilitates the decision-making process of the manager; possibility to access accurate, up-to-date, relevant and adequately detailed information
Disadvantages: requirement for qualified staff; production is time consuming

Means: Brochures, periodicals
Objective: informing; promotion
Advantages: opportunity for creative design; comprehensible; particular and wide target groups; opportunity to establish a long-term relationship with the target group; opportunity to make regular updates regarding the subject
Disadvantages: limited feedback; difficulty in measuring the impact on the target group

Means: Questionnaire, interview (letter, telephone, face to face)
Objective: receiving opinion; evaluation
Advantages: a method that people are accustomed to; opportunity to reach a wide group; opportunity to select particular target groups; scientific methods can be used
Disadvantages: expensive, time consuming; requirement of detailed information to use the method accurately; possibility that the response rate may be low; possibility that the subject may not be examined enough

Means: Press releases and conferences
Objective: informing; receiving opinion
Advantages: cheap; easy to organise; opportunity to communicate to many people
Disadvantages: difficulty in understanding whether the subject reached the target group or not; difficulty in measuring the success and value of the method; difficulty in examining the subject thoroughly; no feedback or limited feedback

Means: Brainstorming
Objective: exchanging ideas; making joint decisions
Advantages: obtaining many ideas regarding a subject; contribution to the culture of participation; cheap, flexible, easy to organise
Disadvantages: possibility that results may not be useful; possibility that the subject may not be examined enough

Means: Workshop
Objective: informing; receiving opinion; making joint decisions
Advantages: opportunity to set up new networks; fun for participants; chance of finding solutions to problems; cheap, flexible, easy to organise; chance of examining the subject thoroughly; opportunity to select particular target groups; easier participation because of the unofficial atmosphere
Disadvantages: non-scientific; possibility that results may not be useful; possibility that a minor group may dominate the meeting; possible to receive wrong results with a small and randomly selected group

Means: Conference
Objective: informing; receiving opinion; making joint decisions
Advantages: opportunity to become creative and flexible; opportunity to work together with different groups; opportunity to set up new networks; opportunity to select particular target groups; opportunity to examine the subject thoroughly; opportunity to discuss different opinions and ideas
Disadvantages: expensive, time consuming; possible to receive wrong results with a small and randomly selected group; raising different expectations; possibility that results may not be useful; possibility that a minor group may dominate the meeting in case of bad management

Means: Focus group
Objective: receiving a group's opinion under the leadership of a moderator
Advantages: faster and cheaper compared to one-to-one interviews; opportunity to discuss different opinions and ideas; spoken discussion accelerates the process by which outputs are reflected in writing
Disadvantages: possibility that useless information may emerge in case of bad moderation; the quality of participants affects the quality of the data

Means: Conference call
Objective: making joint decisions; finding common solutions to problems
Advantages: opportunity to discuss different opinions and ideas; opportunity to examine the subject thoroughly; experienced decision-makers and persons with deep accumulated knowledge coming together
Disadvantages: possibility that results may not be useful in case of bad management; expensive, time consuming; possibility that a minor group may dominate the meeting in case of bad management

Means: Websites and intranet, e-mail
Objective: informing; receiving opinion
Advantages: cheap; easy to organise; opportunity to reach many people; effective information sharing
Disadvantages: need for updating; problem that undesired persons may gain access
Annex 3 Reports Prepared under PFMC Law No 5018
(Table columns: name of report; responsible unit; submitted to.)
- Unit Activity Report (Art 41 of Law no 5018). Responsible unit: Spending Units (Authorising Officers). Submitted to: Head of Administration.
- Local Administrations Activity Report. Responsible unit: Spending Units (Authorising Officers). Submitted to: Head of Administration.
- Administration Activity Report (Art 41 of Law no 5018). Responsible unit: Head of Administration (general budget administrations, special budget administrations and social security institutions). Submitted to: Ministry of Finance, Court of Accounts and public opinion.
- Local Administrations Activity Report (Art 41 of Law no 5018). Responsible unit: Head of Administration (local administrations). Submitted to: Ministry of Interior, Court of Accounts and public opinion.
- General Activity Report (Art 41 of Law no 5018). Responsible unit: Ministry of Finance (Directorate General for Budget and Fiscal Control). Submitted to: Court of Accounts and public opinion.
- Local Administrations General Activity Report (Art 41 of Law no 5018). Responsible unit: Ministry of Interior. Submitted to: Court of Accounts, Ministry of Finance and public opinion.
- Administration AR, General AR and Local Administrations General AR (Art 41 of Law no 5018). Responsible unit: Court of Accounts (expressing its own opinions, considering its external audit results). Submitted to: TGNA.
- Draft Law on Final Accounts (Art 42 of Law no 5018). Responsible unit: Ministry of Finance (DG Public Accounts). Submitted to: TGNA and Court of Accounts.
- External Audit Overall Assessment Report (Art 68 of Law no 5018). Responsible unit: Court of Accounts. Submitted to: TGNA.
- Corporate Financial Status and Expectations Report. Responsible unit: public administrations under the scope of general management. Submitted to: public opinion.
- Central Government Budget Realisations and Expectations Report. Responsible unit: Ministry of Finance (Directorate General for Budget and Fiscal Control). Submitted to: public opinion.
- Financial Statistics (Art 52, 53 and 54 of Law No 5018). Responsible unit: Ministry of Finance (DG Public Accounts). Submitted to: public opinion.
In the production and submission of the activity reports above, Law no 5018 and the principles and procedures set out in the Regulation on Activity Reports Prepared by Public Administrations are taken into account.
In the preparation and declaration of the financial statistics of public administrations, Law No 5018 and the principles and procedures set out in the General Communiqué on Financial Statistics of General Management are taken into consideration.
Annex 4a Whistle-Blowing Process Related to Ethical Values
(Flowchart, rendered as steps:)
1. Application: written petition, electronic mail or oral application that is recorded.
2. Registry (relevant unit/person): registration in the document registry system (written, electronic); a separate folder system for notification applications.
3. Referral: if related to the Director General or positions above Director General level, to the Ethical Board; if related to positions below Director General level, to the Head Office of the Relevant Administration and its Disciplinary Board.
4. Evaluation.
5. Notification: to the relevant person (the person the whistle-blowing is about); to the relevant administration (conduct of the work within the framework of Law No 657); to the whistle-blower.
6. If it is decided that ethical behaviour principles have been violated: notification to the Prime Ministry and to public opinion (published in the Official Gazette). If it is not detected that ethical behaviour principles have been violated: notification to the Prime Ministry and to whom it may concern.
Annex 4b: Whistleblowing and Evaluation Process for Crimes Committed by Civil Servants
[Flowchart; the text below is what can be recovered from the figure.]
Application: a written petition (about a person or a particular event, containing serious allegations, and bearing the name, family name, signature and domicile address of the applicant).
Registry (relevant unit/person): registration in the document registry system (written or electronic; a separate folder system for notification applications).
Routing:
- directly to the Chief Public Prosecutor, who makes the notification to the body authorised to give the investigation permit (Article 3 of Law No. 4483);
- for other positions or civil servants, the head of the relevant unit requests an investigation permit from the body authorised to give the permit (Article 3 of Law No. 4483).
Preliminary examination: the body authorised to give the permit starts the preliminary examination (Law No. 4483, Article 5); the preliminary examination report is prepared and submitted to the body authorised to give the permit.
Decision: permitting, or not permitting, the investigation about the complaint, whistleblowing or subject matter of the allegation.
Notification: to the Chief Public Prosecutor's Office; to the civil servant about whom the investigation is conducted; to the whistleblower.
Objection:
- against a permit: to the Court of Appeals or the regional administrative court, by the civil servant about whom the investigation is conducted;
- against a refusal: to the Court of Appeals or the regional administrative court, by the Chief Public Prosecutor's Office or the complainant.
MONITORING
1 Introduction
Monitoring is the assessment of the internal control system, in terms of its harmonisation with the internal control standards, to see whether it makes the expected contribution to the achievement of the goals and objectives of an administration, together with the identification of actions regarding the aspects open to improvement. Within this framework, monitoring is an integrated process in which capacity is assessed in interaction with the other components of the internal control system.
M Figure 1 – COSO Monitoring Process
The main elements of monitoring are the formation of a sound infrastructure for monitoring, the design and implementation of monitoring procedures, and the assessment and reporting of the results.
Monitoring, if designed and carried out properly, provides the administration with reasonable assurance that the internal control system operates efficiently. Efficient monitoring helps to:
- identify and eliminate problems in the internal control system in a timely manner;
- produce more accurate and reliable information for use in decision making;
- produce correct and timely financial statements;
- confirm regularly that the internal control system is effective;
- present evidence for the internal control assurance declarations.
[Figure 1 components shown: Risk Management, Control Activities, Information & Communication, Monitoring.]
Monitoring internal control systems requires participation. Question forms, internal and external audit reports, requests and complaints from individuals and/or organisations, and the opinions of unit directors must be drawn on during monitoring.
2 Monitoring Internal Control Standards
Monitoring includes all monitoring activities performed with the aim of assessing the quality of the internal control system.
M Box 1 – Internal Control Standards
Standard 17: Assessment of internal control
The administrations shall assess their internal control systems at least once a year.
Standard 18: Internal audit
The administrations shall ensure a functionally independent internal audit activity.
3 Roles and Responsibilities
3.1 Senior Manager
The main responsibility for monitoring the internal control system rests with the Senior Manager. This is also emphasised in Article 11 of Law No. 5018, which states that Senior Managers are responsible for observing and monitoring the functioning of the financial management and control system.
The Senior Manager fulfils this responsibility through the internal auditors and the Strategy Development Unit (SDU).
By approving the annual internal control system assessment report prepared by his administration, the Senior Manager ensures its submission to the Central Harmonisation Unit (CHU).
Furthermore, the Senior Manager states annually, based on evidence and through the internal control assurance statement (Annex 3A), that the internal control system gives reasonable assurance for the attainment of the objectives and aims of his administration.
The Senior Manager also ensures the implementation of the recommendations put forward as a result of internal and external audits.
3.2 Internal Audit
Internal audit has the functions of providing information, making assessments and making recommendations on the adequacy, efficiency and functioning of the internal control system. Within this framework, the Senior Manager, who has the responsibility for the sound functioning of the internal control system, receives opinions and support from the internal auditors.
3.3 Internal Control and Risk Steering Board (ICRSB)
The ICRSB assesses the Internal Control System Evaluation Report prepared by the SDU as a result of the annual assessment of the internal control system (Annex 2) and, after identifying any shortcomings in the report, submits it with the relevant opinions for the approval of the Senior Manager.
3.4 Authorising Officers
Authorising officers have responsibilities regarding internal control and continuous monitoring. Furthermore, authorising officers provide the SDU with the information needed for the annual assessment of the internal control system, fill in the internal control question form (Annex 1) and annually sign the internal control assurance declaration (Annex 3B) to be submitted to the Senior Manager.
In addition, authorising officers are responsible for taking the relevant actions on the recommendations contained in internal and external audit reports.
3.5 Strategy Development Units (SDU)
SDUs have been assigned, by Law No. 5018 and the applicable legislation[3], the function of carrying out studies to establish, implement and continuously develop internal control systems and of reporting the results of these studies to the Senior Manager.
Within this framework, SDUs assess the internal control system annually on behalf of the Senior Manager. They then report the assessment findings, gathered by forming a working group and using such tools as checklists, questionnaires and question forms, to the Senior Manager together with the relevant opinions of the Internal Control and Risk Steering Board.
SDUs sign the declaration on the functioning of the internal control system with a view to ensuring the effective, efficient and economical execution of the administration's activities.
SDU personnel take an active role in the assessment of internal control systems and guide the units in completing the assessment forms (Annex 1).
3.6 Other Managers and Employees
Other managers and employees are responsible for the effective functioning of the internal control system within their own fields. Within this framework, while carrying out their own duties they observe the functioning of the internal control system, inform the Senior Manager in case of a problem, and contribute to the assessment of the internal control system by providing information.
3.7 External Audit
External audit is conducted by the Court of Accounts. Within this framework, the Court of Accounts can assess the internal control systems of public administrations and can make recommendations.
3.8 Central Harmonisation Unit (CHU)
In accordance with Article 9 of the Principles and Procedures regarding Internal Control and Ex-ante Financial Control and Article 55 of the Public Financial Management and Control Law No. 5018, this unit develops standards and methods regarding internal control processes and provides guidance services to public administrations.
Furthermore, the CHU annually assesses the functioning of the internal control systems in public administrations on the basis of the Internal Control Assessment Reports approved and submitted by senior managers, and submits the assessment report it prepares to the Senior Manager and the Minister of Finance.
Where necessary, the CHU carries out on-site monitoring activities regarding the matters contained in the reports prepared by public administrations.
Within the framework of the roles and responsibilities explained above, the following scheme demonstrates the exchange of information and the reporting lines envisaged within the scope of monitoring activities in the administration.
[3] Legislation on Principles and Procedures regarding Internal Control and Ex-ante Financial Control, and the Working Principles and Procedures of Strategy Development Units.
M Figure 2 – Reporting and information exchange process foreseen under monitoring
[Figure; the bodies shown, from top to bottom: Central Harmonisation Unit; Senior Manager; Internal Audit (report), Internal Control and Risk Steering Board, External Audit by the Court of Accounts (report); Strategy Development Unit; Authorising Officers; Sub-Unit Managers; Sub-Unit Personnel.]
1) Straight arrows demonstrate the hierarchy in the reporting process.
2) Dotted lines demonstrate the exchange of information.
4 Guidance by the CHU[4]
Article 55 of the Public Financial Management and Control Law No. 5018 and Article 9 of the Principles and Procedures on Internal Control and Ex-ante Financial Control prescribe that standards and methods concerning financial management and control are developed and harmonised by the Ministry of Finance, and that guidance is provided to the public administrations.
In this context, within the scope of its monitoring function, the CHU:
- monitors whether the internal control standards are complied with;
- monitors the operation of the systems by receiving information and reports from the administrations regarding internal control and ex-ante financial control arrangements and practices;
- carries out research on national and international good practices and conducts studies for their implementation.
The CHU annually assesses the operation of the internal control system within the public sector on the basis of the Internal Control System Evaluation Reports submitted upon the approval of the heads of public administrations and, where necessary, carries out on-the-spot monitoring on the issues included in the reports of the administrations.
[4] This part consists of general information on the guidance provided by the CHU; detailed information can be found in the CHU Handbook.
5 Assessment and Reporting Role of SDUs
Assessing internal control periodically and identifying and applying the necessary actions are crucially important to ensure the efficiency of the system. In this context, each organisation needs to assess its internal control system. Assessment of the internal control system means analysing, on the basis of the internal control components, whether the system makes the expected contribution to the achievement of the aims and objectives of an administration, identifying the aspects open to improvement and taking corrective actions.
The Public Internal Control Standards suggest that the internal control systems in public administrations must be assessed at least annually, using ongoing monitoring or separate evaluations. In the assessment of the internal control system the participation of all units is required; internal and external audit reports, requests and complaints from individuals and/or organisations, and the opinions of unit directors must be considered; and the assessment process must be methodical.
5.1 Assessment of the Internal Control System by SDUs
The assessment of the internal control system by SDUs is carried out fundamentally by means of the Internal Control System Question Form. Other tools, such as checklists and questionnaires, can also be used during the evaluation process. Furthermore, the opinions of the managers and the requests and complaints from organisations and/or individuals are taken into consideration in the evaluations. Evaluations are carried out at least annually; quarterly or semi-annual evaluations can be carried out as well.
Coordination of the assessment, conveyance of the questionnaires to the relevant units and consolidation of the responses are the tasks of the Internal Control sub-units in the SDUs.
The staff to be assigned from the SDU to support the completion of the questionnaires must be determined and the evaluation process must be planned. In the plan, a representative must be appointed for each unit; where the number of staff is insufficient, at least one person must be assigned as responsible, and this must be communicated to the relevant units. This responsible person must provide guidance to the units in completing the questionnaires.
Spending units are obliged to respond to the questions on Risk Assessment, Control Activities, and Information and Communication. Responding to the questions in the Control Environment and Monitoring parts is at the discretion of spending units.
SDUs must complete the sections on control environment and monitoring in the internal control question forms that they fill in as spending units.
The following steps should be followed while evaluating the internal control system:
- First, unit managers should organise an opening meeting with the representatives from the SDU. In this meeting, guidance should be provided on responding to the questionnaire and the deadline for completing it should be announced.
- The timetable for the questionnaire and the SDU representative's contact details should be communicated to the unit manager along with the questionnaire itself. The units must be given a reasonable amount of time to complete the questionnaire, which should be not less than one week.
- The questionnaire should be completed with the participation of sub-unit managers and staff under the coordination of the unit manager.
- In completing the questionnaire, spending units should bear in mind that this is a kind of self-assessment: through the answers they give, they essentially assess their own units. Within this framework, while completing the questionnaire they should make an in-depth assessment of the functioning of internal control in their own units.
- Where necessary, support should be obtained from the SDU representatives.
- When the questionnaire is received by the SDU representative, each question should be checked and any misunderstanding should be corrected. To this end, the SDU representative is entitled to get in touch with the unit manager regarding the responses to the questionnaire.
- Internal audit units/internal auditors can be asked for support and recommendations when there is a need to check the accuracy of the information in the questionnaire.
- Following the submission of all questionnaires, the SDU should consolidate them and prepare the evaluation report, drawing primarily on the questionnaires and also on the following sources of information:
  - action plans produced on the basis of internal and external audit reports;
  - information on the budget and ex-ante financial control; and
  - other sources of information (opinions of the managers, requests or complaints by individuals and/or administrations).
Given that the evaluation report will be produced using the information sources mentioned above (questionnaire, internal and external audit reports, budget and ex-ante financial control information, etc.), it should be kept in mind that this process takes time.
While assessing the results of the questionnaire, the points should be added up and converted to a percentage for each section. For example, the total number of points that can be scored for the Control Environment section is 44; if the unit's score was 22 out of 44, the percentage result is 50%.
The percentage scores should be recorded for each section, together with a percentage score for the whole questionnaire (using the total possible score of 116).
The percentage scores should be interpreted as follows, separately for each category and also for the overall percentage score:
M Table 1 – Interpretation of the Results of the Internal Control Question Form
Score (%)   Interpretation
0-25        Evidence of some awareness and understanding, but still in the early stages of internal control development. Direct action needed by the SDU to provide guidance.
25-50       Evidence of implementation that is planned and in progress. Action needed by the SDU to provide further guidance.
50-75       Evidence of implementation in some key areas. Further guidance may be required from the SDU.
75-95       Evidence that the implementation of internal control is embedded and a good capability is established. The SDU may wish to identify the best areas as examples of best practice and inform the CHU.
95-100      Evidence of a mature internal control system with excellent capability established. The CHU will wish to use it as an example of best practice.
5.2 Reporting of Internal Control System Evaluation Results
The SDU prepares a report on the activities carried out to establish and develop the internal control system and on the evaluation of the functioning, effectiveness and efficiency of the system. It is appropriate to use the 'Internal Control System Evaluation Report' template contained in Annex 2 when turning the assessment results into a report.
In the preparation of this report, the "Internal Control System Questionnaire" is an important basis. Alongside information on the operation of the internal control system, the report should include the steps taken to strengthen it. Furthermore, the areas where no or insufficient controls exist, where controls do not work properly or where controls are excessive, and the plans and tables produced to address the problems identified, should also be covered in the report.
The report produced is reviewed by the ICRSB, if there is one in the administration. If not, it is reviewed by a board consisting of authorising officers, or their assistants assigned by them, chaired by an authorising officer or a Deputy of the Senior Manager. After any shortcomings are eliminated, the board submits the report to the Senior Manager for approval.
The annual evaluation report approved by the Senior Manager must be sent to the CHU by the SDU by the end of the following March.
5.3 Monitoring of Internal Control System Evaluation Reports
The measures and actions to be taken and the arrangements to be made regarding the aspects identified in the Internal Control System Evaluation Report as requiring development must be set out within the framework of managerial responsibility. In certain areas the unit managers will have to take action in order to close the gaps. Furthermore, if there are horizontal problems on which most of the units are found to score low, actions for improvement should be initiated by the Senior Manager.
The measures and actions to be taken and the arrangements to be made must be implemented in the context of an action plan within a designated period of time. SDUs must monitor the implementation results of these measures, actions and arrangements at least semi-annually and inform the Senior Manager of the results.
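The consolidation step described in 5.1 (section percentages and the Table 1 bands) and the horizontal-problem check of 5.3, worked through in one place as an added example that is not part of the manual. Only the 44-point Control Environment maximum and the 116-point total are the manual's figures; the other section maxima, the unit scores, the band-edge rule and the majority threshold are constructed assumptions.

```python
"""Consolidate Internal Control Question Form results across spending units.

Added illustration, not code from the manual. Only two figures come from the
manual: the Control Environment section carries 44 possible points and the
whole questionnaire 116. The other section maxima are constructed so that they
sum to 116, the band edges are an assumption (a score on an edge, e.g. 25,
takes the higher band), and the sample unit scores are constructed.
"""
from __future__ import annotations

from collections import Counter

# Possible points per section: 44 and 116 are from the manual, the rest constructed.
SECTION_MAX = {
    "Control Environment": 44,
    "Risk Assessment": 20,
    "Control Activities": 24,
    "Information and Communication": 16,
    "Monitoring": 12,
}
TOTAL_MAX = 116
assert sum(SECTION_MAX.values()) == TOTAL_MAX

# Table 1 bands, highest lower bound first.
BANDS = [
    (95, "mature internal control system; CHU will wish to use as best practice"),
    (75, "implementation embedded; SDU may identify best-practice areas for CHU"),
    (50, "implementation in some key areas; further SDU guidance may be required"),
    (25, "implementation planned and in progress; further SDU guidance needed"),
    (0, "early stages of internal control development; direct SDU action needed"),
]

# Constructed sample: two spending units skipped the optional sections
# (Control Environment, Monitoring); the SDU answered all five.
UNITS = {
    "Budget Unit": {"Risk Assessment": 8, "Control Activities": 20,
                    "Information and Communication": 14},
    "Procurement Unit": {"Risk Assessment": 6, "Control Activities": 12,
                         "Information and Communication": 10},
    "SDU": {"Control Environment": 22, "Risk Assessment": 15, "Control Activities": 18,
            "Information and Communication": 12, "Monitoring": 9},
}


def percentage(score: int, maximum: int) -> float:
    """Points scored as a percentage of the possible points (one decimal)."""
    if not 0 <= score <= maximum:
        raise ValueError(f"score {score} outside 0..{maximum}")
    return round(100.0 * score / maximum, 1)


def band(pct: float) -> str:
    """Interpretation text for a percentage, per Table 1 (edge rule assumed)."""
    for lower, text in BANDS:
        if pct >= lower:
            return text
    raise ValueError(f"percentage {pct} below zero")


def evaluate_unit(scores: dict[str, int]) -> dict[str, float]:
    """Per-section percentages for the sections a unit answered, plus 'Overall'.

    Assumption: the overall figure is computed over the sections actually
    answered, so a unit that skipped the optional sections is not penalised.
    """
    unknown = set(scores) - set(SECTION_MAX)
    if unknown:
        raise ValueError(f"unknown sections: {sorted(unknown)}")
    result = {name: percentage(pts, SECTION_MAX[name]) for name, pts in scores.items()}
    result["Overall"] = percentage(sum(scores.values()),
                                   sum(SECTION_MAX[n] for n in scores))
    return result


def horizontal_problems(units: dict[str, dict[str, int]], threshold: float = 50.0) -> list[str]:
    """Sections on which a majority of the answering units score below `threshold`.

    Section 5.3 places improvement actions for such horizontal problems with the
    Senior Manager rather than with unit managers; the majority rule and the
    50% threshold are assumptions.
    """
    low, answered = Counter(), Counter()
    for scores in units.values():
        for name, pts in scores.items():
            answered[name] += 1
            if percentage(pts, SECTION_MAX[name]) < threshold:
                low[name] += 1
    return [n for n in SECTION_MAX if answered[n] and 2 * low[n] > answered[n]]


if __name__ == "__main__":
    for unit, scores in UNITS.items():
        report = evaluate_unit(scores)
        print(f"{unit}: overall {report['Overall']}% -> {band(report['Overall'])}")
        for section, pct in report.items():
            if section != "Overall":
                print(f"  {section}: {pct}% -> {band(pct)}")
    print("Horizontal problems for the Senior Manager:", horizontal_problems(UNITS))
```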
5.4 Work to be carried out by SDUs concerning Internal Audit Reports
In accordance with Article 64 of Law No. 5018, reports submitted by internal auditors to the Senior Manager shall be sent to the concerned unit and to the SDU, following the assessment of the Senior Manager, for the necessary action to be taken. It is advisable that SDUs assess a report sent by the Senior Manager in light of the following questions:
M Table 2 – Evaluation of the Internal Audit Reports by the SDUs
Question 1: What information is available in the report about the effectiveness of the internal control system? For example, what information does the internal audit report include on risk management?
Question 2: Are there any problems according to the internal audit report?
Question 3: What are the problems in question?
Question 4: What work is to be carried out by the spending units to fix these problems? SDUs may provide spending units with guidance on the actions to be taken.
Question 5: What work is to be carried out by the SDU to fix these problems? Taking these problems into consideration, the SDU identifies the measures to be taken in the Internal Control System Evaluation Report to be submitted to senior management. Having identified the training needs arising from the shortcomings related to the internal control system, the SDU can request that new training programmes be developed or that available programmes be revised.
Question 6: Has the SDU done what is necessary to fix these problems? It should be established whether the SDU has done the necessary work (delivering training, giving recommendations) to fix the problems.
6 Internal and External Audits
In accordance with Law No. 5018, the audit of our financial management and control system is divided into two categories: internal audit and external audit. Internal audit is carried out by the internal auditors working in the administrations within the scope of general government, with the exception of regulatory and supervisory institutions. External audit of the administrations under general government, on the other hand, is carried out by the Turkish Court of Accounts.
6.1 Internal Audit
Articles 63-67 of Law No. 5018 set out the overall scope of the internal audit system, and the professional framework has been established by secondary and tertiary legislation.
The activities and transactions of all units of public administrations, including those abroad and in the provinces, are subject to internal audit in line with audit standards, within the scope of risk-based audit plans and programmes, using a systematic, consistent and well-disciplined approach.
The most distinctive difference between the current inspection boards and the internal audit designed by the Law is that internal auditors have a limited authority, which merely enables them to notify the most senior person in the administration when they find cases requiring investigation during or following the audit. Inspectors, however, have the authority to initiate investigations and to submit reports containing the findings of the investigations directly to the legal authorities.
6.1.1 Definition and Aim of Internal Audit
Internal audit is defined in Article 63 of Law No. 5018 as follows:
M Box 2 – Article 63 of Law No. 5018
"Internal audit is an activity of providing independent and objective assurance and consultancy, performed in order to improve and add value to the activities of the public administrations by evaluating whether the resources are managed in conformity with the principles of economy, effectiveness and efficiency, and by providing guidance. Such activities are performed with a systematic, regular and disciplined approach and in accordance with generally accepted standards, aiming to evaluate and improve the efficiency of risk management and of management and control processes on the management and control structures and financial transactions of administrations."
In the above definition, "objective assurance" refers to providing sufficient assurance, within and outside the organisation, that an efficient internal control system exists in the organisation; that its risk management, internal control system and business processes operate efficiently; that the information produced is accurate and complete; that the assets are safeguarded; and that the activities are carried out in an efficient, economic and productive manner, in line with the legislation.
Alongside the objective assurance it provides, internal audit offers independent and impartial consultancy to assist the administrations in developing their risk management, control and management processes. Consultancy covers providing recommendations to evaluate and improve, in a systematic and regular manner, the activities and business processes of the administration aimed at the achievement of its objectives.
Internal auditors are involved neither in the design or implementation of internal control systems nor in the selection of control actions.
6.1.2 Monitoring within the scope of Internal Audit
Internal auditors submit their reports directly to the Senior Manager of the public administration. Following the evaluation of the Senior Manager, these reports shall be given to the concerned units and to the SDU for the necessary action to be taken. Internal audit reports and the actions taken on them shall be sent by the head of the public administration to the Internal Audit Coordination Board within two months at the latest.
Audit results are monitored within the framework of the Public Internal Control Reporting Standards published by the Board. The corrective actions and advice recommended by the internal auditor following the internal audit activity shall be completed by the auditee within the time period indicated in the relevant report. The Senior Manager shall follow up whether the measures stated in the report have been taken. The Senior Manager can fulfil this duty through the internal audit unit (through the internal auditors in administrations where there is no unit). Internal audit units (or internal auditors where there is no unit) prepare a follow-up system to monitor the implementation of internal audit reports.
Unit directors take the necessary actions on the recommendations included in the audit report about the audited activities. In the event that no action can be taken, the head of the internal audit unit informs the Senior Manager.
If the recommendation or corrective measure to be taken will take a certain period of time, this shall be stated in the response to the audit report, and the relevant unit shall communicate developments to the internal audit unit at least every six months.
Actions taken by the audited units on the report, or the justifications for not taking action, are sent to the internal audit unit to be submitted to the internal auditor.
6.2 External Audit
Another means that contributes to accountability is external audit. In this context, external audit has an important role in the fulfilment of the legislative body's budget right and in the effective, efficient and economic use of public resources. The Turkish Court of Accounts carries out the audit of the financial activities and transactions of public administrations on behalf of the legislative body.
6.2.1 Aim of External Audit
The purpose of the ex post external audit performed by the Court of Accounts is to audit, within the framework of the accountability of the public administrations within the scope of general government, the financial activities, decisions and transactions of management in terms of their compliance with the laws, institutional purposes, targets and plans, and to report the results to the Turkish Grand National Assembly.
6.2.2 Scope of External Audit
External audit is divided into two categories, namely regularity audit and performance audit.
Regularity audit is carried out by means of the following:
- detecting whether the revenues, expenditures and goods of public administrations and the related accounts and proceedings are in compliance with the laws and the other legal regulations;
- giving opinions on their accuracy and reliability after assessing the financial reports and statements of public administrations and all the documents produced in relation to these reports and statements;
- assessing the financial management and internal control system.
Performance audit, on the other hand, is the measurement of activity results in light of the objectives and indicators identified by the administrations within the framework of accountability.
6.2.3 Functioning of External Audit
External audit makes use of the accounts and other relevant documents of the public administration. Where the TCA needs them, reports by the internal auditors can also be requested.
Reports produced upon the audits are consolidated by the administrations and submitted to the Senior Manager to be responded to; finally, the external audit overall evaluation report, produced in consideration of the external audit reports and the responses to them, is submitted to the Turkish Grand National Assembly. It is also possible to turn external audit results into administration-based or topic-based reports and to submit them to the TGNA as individual reports.
6.2.4 Coordination between External Audit and Internal Audit
Ensuring coordination and cooperation based on communication, common understanding and trust between external audit and internal audit is important for increasing the efficiency of both. Furthermore, such coordination and communication will ensure the effective use of audit resources by preventing unnecessary repetition of audits.
In accordance with Law No. 5018, the Court of Accounts can make use of internal audit reports within the framework of such coordination and communication. Moreover, the internal audit standards state that the head of the internal audit unit shall share available information with the other internal and external auditors and conduct his activities in coordination with them.
7 Internal Control Assurance Declarations
The new financial management and control understanding brings forward the concepts of financial transparency and accountability. Briefing the public and the judicial organ on the activities of a public administration, which are carried out in order to attain its objectives and aims, and on their results is one of the most important requirements of managerial accountability.
In this way it is ensured that those carrying out public services feel more responsible and work in an outcome-oriented manner, that the beneficiaries of public services are informed on how the taxes they pay are used and on the performance of public administrations, and that public audit is strengthened alongside legislative audit. To this effect, in the new financial management and control system it is provided that authorising officers[5] prepare a unit activity report, the Ministry of Internal Affairs prepares an Assessment Report on the activities of local administrations, the Ministry of Finance prepares an Overall Activity Report, and the Court of Accounts informs the Turkish Grand National Assembly with its own assessments.
In order to deliver the concepts of financial transparency and accountability, the actors of the system, namely Senior Managers and the authorising officers allocated appropriations from the budget, have been commissioned to prepare internal control assurance declarations and to attach these declarations to the activity reports of the administrations and of the units[6].
Within this framework, those who need to give an internal control assurance declaration and the type of declaration they will give are shown in the following scheme.
M Table 3 – Types of Internal Control Assurance Declarations
Those who will give an internal control assurance declaration: Type of internal control assurance declaration
Senior Manager: Internal Control Assurance Declaration (Senior Manager), Annex 3A
Authorising Officers: Internal Control Assurance Declaration (Authorising Officer), Annex 3B
Head of SDU: Declaration of the Head of SDU, Annex 3C
[5] Unit activity report and internal control assurance declaration are prepared by those authorising officers to whom an appropriation is allocated in the budget.
[6] Art. 8 of the Principles and Procedures regarding Internal Control and Ex-ante Financial Control; Art. 19 of the By-law on the Preparation of the Activity Reports of Public Administrations, Annexes 2, 3 and 4.
On the other hand, every authority signing an internal control assurance declaration should be sure that the assurance he gives is supported by the evaluation reports issued by the SDU, internal and external audit reports, other external assessments and similar sound evidence. Furthermore, while completing the internal control assurance declaration of his administration, the Senior Manager should assess the assurance declarations of the authorising officers and the Head of SDU, and should state in his Internal Control Assurance Declaration that the reasonable assurance given by these declarations formed an important basis for his own declaration.
7.1 How to complete Internal Control Assurance Declarations
Guidance on the internal control assurance declarations to be completed by the Senior Manager (Annex 3A), the Authorising Officer (Annex 3B) and the Head of SDU (Annex 3C) is as follows.
7.1.1 Guidance on Internal Control Assurance Declarations for the Senior Manager and the Authorising Officer
The Internal Control Assurance Declaration (ICAD) is comprised of four main parts, namely Responsibility; Basis of the Internal Control System and Assurance Declaration; Risk Management; and Assessment of the Internal Control System (Annex 3A and Annex 3B).
In completing the two Annexes 3A and 3B, Senior Managers and Authorising Officers should observe the standard templates and complete the relevant boxes. Each box has a cross-reference to where more information can be found in the main body of this chapter.
7.1.1.1 Responsibility
The Senior Manager is responsible for establishing, operating and monitoring an effective financial management and control system that will contribute to the realisation of the objectives and aims of his administration. Within this framework, he is obliged to take the necessary measures to ensure that the regulations regarding the internal control system are adopted by employees and that the internal control standards are observed. The authorising officer is responsible for the compliance of spending orders with the budget principles, laws, by-laws and regulations, as well as for the economical and efficient use of subsidies and for the functioning of internal control within the framework of his duties and authorities.
As the paragraph of the ICAD regarding responsibilities is laid down within this framework, the name of the relevant administration should be written only in the part marked [administration]; other than this, no change should be made to the text.
7.1.1.2 Basis of Internal Control System and Assurance Declaration
The aim of the internal control system is to ensure the following, in order to give reasonable assurance on the realization of the strategic objectives of the administration:
- effective, efficient and economical management of public revenues, expenditures, assets and obligations;
- public administrations carrying out their activities in line with the law and the other applicable regulations;
- prevention of corruption and irregularity in every kind of financial decision and operation;
- obtaining regular, timely and reliable information and reports for decision making and monitoring; and
- prevention of abuse and waste of assets, and protection against losses.
However, the internal control system will not give the administration absolute assurance of the realization of the aims mentioned above, even when it is designed and operated very well, because some factors outside the influence and control of the administration can affect its capacity to attain its objectives. Therefore it must be accepted that the internal control system gives management reasonable, not absolute, assurance of the realization of objectives.
The cost of internal control should not exceed the benefit obtained. Management has to take the costs of controls and their benefits into consideration when deciding on responses to risks and on control activities. The Authorising Officer, in the same manner, has to take these factors into consideration when identifying and assessing the risks related to his unit.
On the other hand, in identifying weaknesses in the internal control system, correcting faults and contributing to the development of the system, the Senior Manager/Authorising Officer receives support from internal and external assessments made within the framework of management information systems, evaluation reports issued by the SDU, internal and external audit reports, and other internal and external assessments. Therefore it is appropriate that such support be explained in ICAD by the Senior Manager/Authorising Officer.
7.1.1.3 Management Information Systems
Managers need financial and non-financial information in order to determine whether the administration has attained its objectives and aims and whether the accountability function has been fulfilled, and to ensure the effective, economical and efficient use of resources. Such requirements are best fulfilled, and timely and accurate decisions are possible, only if there is proper, accurate, timely and accessible information.
Therefore, the management information system in the administration should be designed to produce the information and reports needed by management and to provide the opportunity for analysis.
The Senior Manager/Authorising Officer should briefly describe in ICAD the management information system available in the administration/unit and explain what contribution this system makes to the functioning of the internal control system.
7.1.1.4 Internal Audit
Responsibility for establishing an adequate and effective internal control system rests with the Senior Manager. By giving information to management on the effectiveness, adequacy and functioning of the internal control system, and by making assessments and recommendations, internal audit plays an important part in helping senior management discharge this responsibility.
Within this framework, the audits carried out by internal auditors:
- detect whether the internal control system functions in a sound manner; and
- determine the success of the internal control system in ensuring compliance with the legislation and relevant regulations, the accuracy of accounts and operations, the reliability of financial statements, and the effective, economical and efficient execution of the activities, programmes and projects of the administration.
The Senior Manager, on the other hand, assesses the matters which the internal audit reports identify for correction and improvement, and takes the necessary measures.
First of all, the Senior Manager should state in ICAD whether his administration has an internal audit unit. If there is one, this part of the declaration should give a brief summary of the measures taken regarding the adequacy, effectiveness and functioning of the internal control system in line with the recommendations and assessments of the internal auditors.
The Senior Manager can explain in ICAD how the action plans prepared by the audited units, regarding the measures to be taken by the administration as a result of internal audits, are monitored; he can also touch upon the support provided by the internal audit unit, if any, regarding this monitoring activity.
The Authorising Officer, for his part, can explain in ICAD the action plans prepared on the measures to be taken by his unit as a result of internal audit, and their implementation.
7.1.1.5 External Audit
If the Court of Accounts has conducted an external audit, the Senior Manager/Authorising Officer should include in the Internal Control Assurance Declaration a summary of the relevant findings and assessments, as well as of the actions taken by the administration in response to them.
If action relating to the external audit reports of previous years has been taken within the year, a summary of such action should also be included in this part of the declaration.
7.1.1.6 Strategy Development Unit (SDU)
The SDU carries out work in such fields as establishing the internal control system and implementing and developing the standards, and submits the results to the Senior Manager.
Although the duty of setting standards and methods for financial management and internal control processes is assigned to the Ministry of Finance, any methods, processes and standards regarding specific operations which are considered necessary are prepared by the SDU and submitted for the approval of the Senior Manager, provided that they do not conflict with Law No. 5018 and the standards set by the Ministry of Finance. Authorising Officers base their activities on these arrangements along with the legislation.
Furthermore, the SDU prepares an annual Internal Control Evaluation Report on the functioning of the internal control system and submits it to the Senior Manager. Therefore the Senior Manager should mention in ICAD these arrangements regarding the financial management and control system, prepared by the SDU and put into effect following his approval, as well as the Internal Control Evaluation Reports.
Within this framework, the Authorising Officer should touch upon in ICAD the guidance provided by the SDU for the sound functioning of the internal control system in the unit.
7.1.1.7 Risk Management
Administrations set out their missions and visions, as well as their objectives, aims and basic policies, in their strategic plans. While preparing their strategic plans, administrations also analyse their institutional strengths, weaknesses, opportunities and threats.
With the help of such techniques as SWOT and PESTLE analyses, administrations have the chance to identify, define and assess the risks they may come across in carrying out their activities. Generally, a risk is an uncertain event that may occur, together with its unfavourable outcomes and impacts. Risk is usually regarded as the threats which prevent the realization of aims and objectives; however, well managed risks pave the way to benefiting from probable opportunities.
The two most important components of administrative risks are probability and impact. Therefore, when addressing a risk, both the probability that it occurs and the impact it may create if it occurs are considered. The most important feature of the risk concept is that it is inevitable. Therefore, the administration should prefer managing risks to overlooking them and resorting to crisis management when they materialise. It should be emphasized that, as the time and resources to manage risks are limited and it is impossible to eliminate risks, the necessary control activities are conducted to keep risks at a tolerable level.
Risk perception, risk awareness and risk appetite can differ according to the organisational structure, human resources and activities of an administration. Therefore, the Senior Manager should include in ICAD the following elements, relating them to the activities and functioning of the administration (Authorising Officers should take into consideration only the parts included in their own ICADs).
7.1.1.8 Risk perception of the administration
The following should be summarized:
- the leadership shown by the Senior Manager in the risk management process;
- how risk awareness is raised among the staff and how the staff are encouraged to practise risk management;
- the administrative risk appetite and how it is perceived by the staff; and
- whether there is a commonly agreed risk perception among the staff.
7.1.1.9 Capacity to cope with risks
For effective risk management, the following should be explained:
- how training is provided and awareness is raised among the staff;
- how the staff are guided in addressing the risks relevant to their duties and responsibilities, and how and when they consult senior management in the field of risk management; and
- how risk management is internalized within the framework of the overall activities of the administration/unit.
7.1.1.10 Risk identification and assessment
What affects the activities of an administration is not merely financial risks. In relation to the activities of an administration/unit, risks such as the following can also be encountered:
- risks from external sources, such as political, economic, social, cultural, technological, environmental, legal and ethical risks; and
- risks from internal sources, such as assets, infrastructure, labour force and organisational structure.
Assessing risks from external sources can be handled within the strategic risks of the administration. Spending units should give more attention to the operational and functional risks related to their own fields of activity. The various risk categories relating to the activities of the administration, and how such risks are assessed, should be briefly explained in ICAD (for example, whether risks are classified as to be eliminated, to be transferred, to be managed or to be tolerated).
7.1.1.11 Addressing, controlling, monitoring and reporting risks
The responses to be given to identified risks and the method for addressing risks should be briefly explained. It should be stated whether the risk register, the risk status report, the consolidated risk report and similar instruments are in use in the administration.
Defining the control environment in terms of the following, and reporting after effective monitoring, will strengthen the effectiveness of internal control:
- impact;
- probability;
- responses to be given and measures to be taken;
- ownership; and
- type and frequency of reporting.
Taking into consideration that ICAD is a declaration, made within the framework of accountability, that the internal control system of the administration gives reasonable assurance supported by evidence, the explanations above regarding risk perception and risk management should be summarized.
7.1.1.12 Assessment of Internal Control System
While preparing ICAD, an assessment of the effectiveness of the internal control system in the activity period should be included. It is especially useful to touch upon the specific high-risk areas and the positive and negative developments regarding the internal control system in these areas. As the areas in question vary according to organisational structures and activities, it is appropriate to make the assessment under the following headings:
- Human resources: changes regarding the key personnel of the administration/unit, changes in the qualifications that activities require, wage policy, working conditions, and developments regarding under-employment or over-employment.
- Physical infrastructure and assets: developments in the physical infrastructure and in all the assets of the administration/unit which can influence its fundamental activities.
- Information and communication infrastructure: the information infrastructure and the software and hardware park that the administration/unit uses; important developments regarding information systems; new or updated information systems.
- Data security: assessment of the effectiveness of the controls over the security of the confidential strategic information of the administration/unit.
- New structures and changing fields of activity: how the structures that emerged in the administration/unit as a result of changes in the founding law of the administration, or of a new division of duties and activities among administrations, are reflected in the internal control system.
- Problems encountered in main fields of activity, or examples of good practice: the Senior Manager/Authorising Officer should include in the assurance declaration the problems which are experienced because of internal and external factors and are rooted in weaknesses of the internal control system. In addition, the measures to be taken to overcome such problems should be summarized in the declaration. Likewise, threats eliminated with the help of an effective internal control system should be touched upon under the heading of 'good practices'.
- Developments regarding weaknesses stated in previous years: the Senior Manager/Authorising Officer should include in this part the measures taken and the improvements achieved regarding the weaknesses and problems contained in the assurance declarations of previous years; and
- Other developments: the Senior Manager/Authorising Officer should include in this part important developments, if any, which are not covered by the headings above.
The Senior Manager/Authorising Officer may not feel comfortable touching upon the weaknesses and problems listed above in ICAD. However, it is clear that an assurance declaration which mentions no threat, problem or weakness will not be convincing and will not meet the requirements of the principles of transparency and accountability. What is important is to emphasize that controls are developed and the internal control system is strengthened in response to the identified problems and weaknesses.
Proceedings found to be inappropriate following ex-ante financial control: the Authorising Officer should include in this part any proceedings he performed which were found inappropriate by the financial services unit. The supporting opinion, report and evidence of the Authorising Officer despite the negative opinion should be summarized to contribute to accountability (7). If there is no such proceeding, the statement "there is no proceeding I performed that was found inappropriate by the SDU" should appear in the assurance declaration.
On the other hand, the Senior Manager should state, while completing the Internal Control Assurance Declaration, that he has evaluated the Assurance Declarations of the Authorising Officers and the Head of SDU, and that the reasonable assurance provided by these declarations formed an important basis for his own declaration.
Where the Senior Manager has received support from support and consultation boards/Boards established officially or unofficially (ad hoc), such support should be explained in ICAD. These boards/Boards may prepare reports on the assessment of the internal control system, with emphasis on risk strategy and risk management, to be submitted to the Senior Manager. Where a support/consultation unit similar to those known as Consultation Board, Audit Board, Risk Board or Steering Board (which differ among countries/administrations in composition and working style) has been established, the support received from such a Board should be summarized, which will strengthen the assurance that the declaration provides.
7 Regulation on Principles and Procedures regarding Internal Control and Ex-Ante Financial Control, Article 28: the financial services unit keeps a record of the transactions carried out by the authorising officers despite ex-ante financial control having declared them inappropriate, and these records are submitted to the Senior Manager monthly. The said records are also provided to auditors during internal and external audit.
7.1.2 Guidance for Internal Control Assurance Declaration of Head of SDU
The Declaration by the Head of SDU (DHSDU) is a very important element which lays the groundwork for the assurance that the Senior Manager needs to provide regarding the internal control system in his administration (Annex 3C).
In completing Annex 3C, Heads of SDU should observe the standard template and complete the relevant boxes. Each box has a cross reference to where more information can be found in the main body of this chapter.
The Head of SDU is responsible for ensuring that the internal control system is implemented and monitored, and that his opinions and recommendations are reported to the Senior Manager so that the necessary actions can be taken in time, in order to ensure that the activities of the administration are carried out in accordance with the financial management and control legislation and other legislation, and that public resources are used in an efficient, effective and economical manner.
As the Field of Competence part of the DHSDU is based on this framework, this part should not be changed either, except for writing the name of the administration in the brackets (administration).
Furthermore, if the declaration is supported by explanations under the following headings, it will form the basis for the reasonable assurance that the Senior Manager has to provide to the public.
7.1.2.1 Management Information Systems
The Head of SDU needs financial and non-financial information to identify whether the aims and objectives of the administration are reached, whether resources are used effectively, efficiently and economically, and whether accountability purposes are met. Meeting these requirements and ensuring timely and right decision making by the administration's management is only possible with the existence of proper, accurate, timely, up-to-date and accessible information.
Therefore, the management information system within the administration must be designed to produce the information and reports needed by management and to provide them with the opportunity for analysis.
The Head of SDU should include in the declaration explanations that the activities of the administration have been carried out in compliance with the legislation and in line with the budgets prepared according to the strategic plan and the annual performance programmes, and should provide supporting evidence. He should explain the contribution made by the management information systems used in the administration to the legality of the activities.
7.1.2.2 Development of Internal Control System
SDUs are responsible for the establishment of internal control systems in their administrations and carry out work on the implementation and development of the standards. In this part of the declaration, the Head of SDU should mention the work carried out to ensure that the internal control system of the administration is harmonised with the Public Internal Control Standards, and should briefly describe the process for the design of job descriptions, the formation of business processes, and the preparation and implementation of action plans.
7.1.2.3 Monitoring and Review
The Head of SDU should include supporting evidence regarding the ex-ante financial control activities carried out in line with the legislation and the approval of the Senior Manager, and regarding the monitoring of due process control. In addition, it should be noted that the transactions carried out by the authorising officers despite a negative opinion upon ex-ante financial control are recorded and submitted to the Senior Manager on a monthly basis for information purposes.
It should also be stated that the financial decisions and transactions to be subject to ex-ante financial control by the SDU are grouped according to their type, cost and subject, taking the risky areas into consideration, and are reviewed at least once a year.
Among the duties of the SDU are: establishing performance and quality criteria in matters within the duty field of the administration; collecting, analysing and interpreting data and information on the management of the administration and on the improvement of services and performance in matters within its duty field; analysing the external factors which will affect services; conducting capacity research within the institution; analysing the effectiveness of the services and the level of satisfaction with them; and carrying out general research in that sense.
In this context, the Head of SDU should include in the declaration the work carried out to increase the quality of the services provided by the administration, the analysis of the external factors which will affect services, the capacity research within the institution to analyse the effectiveness of the services, and the conclusions of these evaluations.
In this part of the declaration, the Head of SDU should also explain the arrangements prepared by his unit and put into effect upon the approval of the Senior Manager.
Finally, the work on the establishment of the internal control system in the administration and on the implementation and development of the standards, and the process whereby the financial management and control system of the organisation is reviewed on an annual basis and reported to the Senior Manager, should be described.
7.1.2.4 Briefing and Advising
Providing the necessary information and consultancy to the Senior Manager and Authorising Officers regarding the implementation of financial laws and other related legislation is also among the duties of SDUs.
In this part of the DHSDU, it should be underlined that coordination has been ensured while working with the spending units on the establishment of the internal control system and the implementation and development of the standards. A brief explanation that information and consultancy have been provided to the Senior Manager and Authorising Officers regarding the implementation of financial laws and other related legislation should be included.
7.1.2.5 Financial Information
The Head of SDU should be satisfied, on the basis of supporting evidence, that the information included in section III.A (Financial Information) of the Activity Report is reliable, complete and accurate.
MONITORING ANNEXES
Annex 1: Internal Control System Question Form
INTERNAL CONTROL SYSTEM QUESTION FORM
This questionnaire is designed to enable public administrations to see whether their internal control system complies with the internal control standards. Furthermore, it will provide the opportunity to identify to what extent the internal control system facilitates the achievement of objectives, considering changing conditions, resources and risks. It is of crucial importance that those responding to this questionnaire give factual answers, as the questionnaire will be used to identify the level of advancement of the internal control system in the administration.
Heads of units are responsible for making an in-depth assessment of the functioning of internal control in their respective units and completing the internal control questionnaire. Within this framework, the questionnaires completed by heads of units under the guidance of the SDU are sent back to the SDU to be consolidated into an overall evaluation report for the entire administration. The SDU submits the report produced from these questionnaires to the CHU following approval by the Senior Manager.
Completing the questionnaire
This questionnaire is made up of five parts, each of which is based on one of the components of internal control:
- Control Environment;
- Risk Assessment;
- Control Activities;
- Information and Communication; and
- Monitoring.
Each part includes questions regarding the functioning of the internal control system in the context of the component concerned. Care should be taken that responses to the questionnaire are consistent with the administration's action plans produced to achieve compliance with the Public Internal Control Standards.
Spending units are obliged to respond to the questions on Risk Assessment, Control Activities, and Information and Communication. Responding to the questions on Control Environment and Monitoring is at the spending unit's discretion.
The response part is made up of three options: YES, NO and IN DEVELOPMENT. There is also a fourth column titled EXPLANATION. YES means that the issues included in the question are properly understood and implemented within the administration/unit. NO means that the issues included in the question are not understood or implemented within the unit/overall administration. IN DEVELOPMENT means that the issues included in the question are partially understood or implemented in the unit/some divisions of the administration. In the explanations part, evidence and recommendations should be written, if any. Guidance is given after each question to help it be better understood.
The questionnaire will be evaluated by means of scores assigned to the answer to each question. The answer "Yes" corresponds to a score of 2, "In Development" to a score of 1 and "No" to a score of 0. A total score is calculated for each chapter of the questionnaire, and there is also a total score for the whole questionnaire.
If the answer "No" is given to a question, steps should be taken by the Head of Unit/Senior Manager to improve the relevant area.
If the answer "In Development" is given to a question, the Head of Unit/Senior Manager should assess what can be done to achieve progress in the relevant area.
If the answer "Yes" is given to a question, this means that there is no factor in that area which needs improvement.
Taking into consideration that this questionnaire is a kind of self-assessment and that the internal control system is a new practice for administrations, please give realistic and reliable answers.
In the event that you have any hesitation in completing the questionnaire, please refer to the SDU.
No | Questions | Yes (8) | No | In Development (9) | Explanation
Points | | 2 | 0 | 1 |
1. Are the public internal control standards well known in your administration?
   It will be convenient to deliver training and hold meetings with a view to raising awareness of this subject.
CONTROL ENVIRONMENT
CONTROL ENVIRONMENT: The control environment provides the general framework that is the basis for the other components of the internal control system. The concept is used to describe the setting out of the goals and objectives of the administration, their communication to the staff, and the creation of a suitable organisational structure and culture. The control environment is greatly influenced by the personal and professional integrity and ethical values of the employees and of management, the supportive attitude towards internal control, written procedures and practices for human resources management, the organisational structure, the management philosophy and the operating style.
2. Are there mechanisms in your administration that ensure all employees are familiar with the code of ethics?
   For example, is training provided or are meetings organised to adapt the public code of ethics to your administration and to adopt it? Are leaflets produced in this regard?
3. Are any codes of conduct/ethics available in addition to the public codes of ethics produced for your administration?
4. Has any standard been developed in your administration, in terms of duration and method, for services delivered directly to citizens?
8 If the response is "Yes", evidence (details of the activities carried out, etc.) must be provided in the "Explanations" column.
9 If the response is "In Development", the necessary information (details of the activities carried out, etc.) must be provided in the "Explanations" column.
5. Is it ensured that authorised bodies and staff have access to the outputs of all works and transactions?
6. Are mechanisms available in your administration for staff and other people receiving services from the administration to submit their recommendations, assessments and questions (questionnaires, face-to-face meetings, group meetings, electronic applications, etc.)?
   It is recommended that questionnaires to be developed be based upon the principle of confidentiality.
7. Is your administration's mission written down and announced?
   The mission can be announced to the staff via bulletin boards, intranet or e-mail. Production of a strategic plan indicates that the mission has been set out.
8. Are there any directives, circulars or approvals in your administration regarding the job descriptions of units, sub-units and staff?
   Job descriptions for units and sub-units, as well as for staff, must be written down and announced in order to ensure that your administration's mission is carried out. If the response is "No", when this is going to be done must be stated.
9. Does the organisational chart of your administration show the key areas of authority and responsibility, reporting lines appropriate to accountability and coordination, and integration points?
   If the response is "Yes", roles and responsibilities regarding each objective must be set out clearly. An organisational chart for units must be produced.
10. Have procedures regarding sensitive tasks been set out in your administration?
   It is recommended that the procedures in question be defined in writing and announced to staff, and that a rotation policy regarding sensitive duties be set out. For detailed information on sensitive duties, refer to the Control Environment chapter of the Manual.
11. Are mechanisms available in your administration to enable managers at each level to monitor the results of the tasks assigned?
   If the response is "Yes", these mechanisms (reports, work plans, regular meetings, automation programs, etc.) must be stated.
12. Have the competence, skills and knowledge that each task entails been identified in your administration?
   In answering this question, it must be assessed whether the factors mentioned above are taken into consideration when recruiting staff.
13. Have promotion procedures been defined in writing in your administration?
   The factors mentioned above must be defined taking staff performance into consideration, and must be announced to staff.
14. Is there a unit in your administration responsible for training which identifies the training needs for each task identified and ensures that training activities to satisfy those needs are planned and carried out each year?
15. Do the managers of your administration share the results of the assessments they make of staff competence and performance with the staff?
   It is recommended that Senior Managers share the results of the assessments with the staff.
16. Is action taken to increase the performance of staff whose performance is deemed unsatisfactory upon performance assessment? For example, is any action taken such as providing individual training for that person, discussing the areas where their performance is deemed unsatisfactory, or assigning them under the supervision of more experienced staff?
17. Are there reward mechanisms in your administration geared towards staff who give a high performance, and are these mechanisms applied?
   It is recommended that reward mechanisms be developed for staff who give a high performance (choosing an employee of the month, assignments abroad, etc.) and that the criteria be announced to all staff.
18. Have procedures regarding human resources (staff employment, replacement, promotion, training, performance appraisal, personal rights, etc.) been documented?
   If so, examples must be provided. The procedures mentioned above must also be announced to staff.
19. Are the bodies of signature and approval set out in the flowcharts?
   If the response is "No", it is recommended that these business flow processes be defined and the bodies of signature and approval be identified and communicated.
20 In your administration have delegations
been defined in writing
Delegations must include the
information on its scope quantity
duration and whether the authority
delegated can be delegated to
another person
Furthermore striking a balance
151
No Questions
Yes
8
No
In D
evel
op
men
t9 Explanation
Points 2 0 1
between authority and responsibility
should be paid attention in delegation
of power
21. Have minimum requirements (knowledge, skills and experience) been identified in your administration for staff to be delegated authority?
   Please explain how you define this knowledge, these skills and this experience, and how you ensure that the person to whom the authority is delegated has them.
22. Does the employee who receives the authority report to the delegator at defined intervals about the use of the authority?
   The reporting period must be proportionate to the duration of the delegation.
TOTAL POINTS - CONTROL ENVIRONMENT

RISK ASSESSMENT
Risk assessment is the process by which the risks that might prevent the achievement of the administration's objectives are defined and analysed and the necessary actions are taken. In this section, the risk perception and risk handling capacity of the administration must be self-assessed using the following questions.
1. Have methodologies and responsibilities, as well as reporting procedures, for monitoring and assessing the performance achieved against the objectives been identified in the strategic plans?
   If the answer is "Yes", how the monitoring and assessment processes work in practice must be explained briefly.
2. Have the strategic plan and performance programmes been taken into consideration in budget preparations?
   The activities and projects carried out to reach the aims and objectives set out in the strategic plan, the indicators to be followed and the resource needs for these activities and projects must be shown in the performance programmes. Therefore, the strategic plans and performance programmes must be taken into consideration during the budget preparations of the administrations.
3. Do the activities carried out in your administration/unit comply with the aims and objectives set out in the strategic plans and performance programmes?
   Administrations must focus on the aims and objectives set out in the strategic plans and performance programmes for the effective, efficient and economic use of resources.
4. While setting out the objectives of your administration and units, has it been ensured that they are SMART?
5. Have your units set out specific objectives within their area of competence, in accordance with the objectives of the administration?
   Responses to this question by units that are unable to set out specific objectives (such as support services) must be considered during the evaluation.
   Furthermore, the specific objectives that have been set out must be announced to staff.
6. Does your administration have a risk strategy and policy document which is approved by the Senior Manager and accessible to all staff?
   The administration's risk strategy must be reviewed at least once every year and updated when deemed necessary.
7. Are contributions from employees received in the risk management process?
   Employees who feel a sense of ownership for risk management (identifying, handling, responding to, reviewing and monitoring risks) and who regard risk management as part of their work will produce a strong corporate reflex against risks.
   If the answer to this question is "Yes", please explain how you ensure this contribution.
8. Is risk management, covering identifying, assessing, responding to and reviewing the risks to your aims and objectives, implemented in your administration?
   While identifying the risks to the achievement of aims and objectives, a methodology and a defined process must be adopted, and they must be documented (risk register, risk progress report, consolidated risk report and so on).
   The measures taken by the administration to mitigate risks must be applied within the framework of action plans.
9. Are annual Internal Control Evaluation Reports prepared in your administration about how effectively the risk management process works?
   These reports must cover information about what has been done throughout the year to mitigate risks.
TOTAL POINTS - RISK ASSESSMENT

CONTROL ACTIVITIES
Control activities are the policies and procedures produced to ensure that the administration's aims and objectives are achieved and that the risks identified are managed.
1. In your administration, are efficient control strategies and methods set out and practised for each activity and risk?
   The controls defined must match the risks; different control methods must be applied to different types of risk.
   Control strategies and methods must be set out and applied in the form of periodical reviews, control by sampling, comparison, approval, reporting, coordination, confirmation, analysis, authorisation, supervision, review, monitoring, periodical checks, security of assets, etc.
   The controls within the administration must also cover ex-ante process controls and ex-post controls where necessary.
2. Is a cost-effectiveness analysis made in your administration when identifying control activities?
   The expected benefit and the cost of each control activity set out must be compared; controls whose costs exceed their benefits must be identified, and less costly alternative controls must be selected.
3. Are there written procedures regarding your administration's activities, financial decisions and transactions?
   There must be written procedures regarding your administration's activities, financial decisions and transactions. These procedures and the relevant documents must cover the initiation, implementation and conclusion phases of the activity, financial decision or transaction.
   Procedures and the relevant documents must be up to date, comprehensive, in compliance with the legislation, and understandable by and accessible to the relevant staff.
4. Do the managers of your administration carry out the necessary controls for the effective and continuous implementation of procedures?
   The activities and transactions of the administration must be carried out in accordance with the regulations developed in this area. Managers must systematically check whether these regulations are complied with (in this regard, control processes such as initialling, assent, control lists and physical counts can be defined). Within this framework, managers should monitor whether the work carried out by staff is in compliance with the regulations.
   Manager instructions must be produced about how to remedy the faults and irregularities detected.
5. Is the principle of 'segregation of duties' practised in your administration?
   The tasks of approving, implementing, recording and controlling each activity or financial decision must be carried out by different people, and compliance with the principle of segregation of duties must be supported by written documents.
   Where segregation of duties is not possible due to an insufficient number of staff, the managers must be aware of the risks and take the necessary precautions. In such cases, other control procedures must be established to manage the risk.
6. Are the necessary measures taken against the factors that affect the continuity of operations in your administration?
   The necessary measures must be taken against the factors that affect the continuity of operations, such as an insufficient number of staff, temporary or permanent leave, the adoption of new information systems, changes to methods or legislation, and emergencies.
   If the response is "Yes", efficient written procedures, training, guidance and planning can be provided as evidence.
7. Is the system of deputation applied efficiently in your administration?
   Where necessary, deputies must be assigned in accordance with the relevant procedures. The person assigned as a deputy must have the necessary qualifications. Detailed internal arrangements must be made regarding the deputation procedures included in the personnel laws, and the qualifications required of deputies must be defined in detail.
8. Do staff leaving their positions report to their successors on the status of the work and transactions they have conducted?
   Managers must ensure that staff leaving their positions prepare a report on the status of their tasks and operations, along with the necessary documents, and submit it to their newly assigned successors. The report must include the list of important tasks being carried out, the risks to be treated as priorities, the list of periodic tasks and so on.
9. Are there defined authorisations for data and information input and for access to the information system in the administration?
   The information system must only be accessible to authorised staff. To this end, regularly updated information security software must be used for access to the computer programmes. The arrangements regarding the designated level of security must be complied with while working on documents.
10. Are there sufficient back-up mechanisms and tested disaster recovery plans/action plans for the information system?
TOTAL POINTS - CONTROL ACTIVITIES

INFORMATION AND COMMUNICATION
Information and communication includes a proper system of information, communication and registry that ensures the necessary information is communicated to the person, employee or manager who needs it, in a specified format and in a timely manner, so that the objectives are reached and the relevant people are enabled to fulfil their internal control responsibilities.
1. In your administration, is there an efficient written, electronic or verbal internal communication system that covers both horizontal and vertical communication?
   The response to this question should include the means/methods (in person, via telephone, e-mail, in writing, etc.) the staff use to communicate with each other or their managers, and a consideration of whether these are appropriate and/or efficient.
   In order for employees to receive the information they need to carry out their work uninterruptedly, it must be ensured that they are in touch with managers at all levels, including top management.
2. Is there an external communication system to ensure efficient communication with external stakeholders?
   This system monitors communication and checks whether the questions raised can be answered.
3. Do the present internal and external communication systems ensure that staff or external stakeholders can communicate their expectations, recommendations and complaints?
   For example, whether Law No. 4982 on the Right to Information is efficiently executed within the administration, and whether requests and complaints are responded to in time, should be considered.
4. Is it ensured that all the information and documents regarding the activities of your administration are accurate, complete, reliable, useful and understandable?
   Information systems must ensure timely access to the accurate, complete, reliable and understandable information required while carrying out operations.
   The response to this question must include a statement on whether mechanisms (decision support systems, archive and document management systems, etc.) for ensuring the aforementioned principles exist.
5. Do the present information systems ensure that the objectives set by the administration are monitored and that the activities regarding these objectives are efficiently supervised and assessed?
   The Management Information System must be designed in a way that produces the information and reports that managers need during decision-making processes and gives them the opportunity to carry out analysis.
6. Are there reporting mechanisms with rules and standards set out in line with the monitoring of objectives, the supervision of activities and accountability purposes?
   The performance programmes, the published financial progress reports that include the expectations and objectives, and the content of the activity reports must be in line with the requirements of the relevant legislation.
7. Is there a documentation and archiving system that complies with defined standards for the recording, classification and protection of, and access to, the operations and transactions of the administration?
   While responding to this question, Standard 15 of the Public Internal Control Standards and the legislation on archiving and documentation must be considered.
8. Are tools available to report faults, irregularities and possible or ongoing problems from inside and outside the administration?
   Employees and external stakeholders must be sufficiently informed about these tools. There must be a whistle-blowing process and a procedure for protecting personnel, and they must be informed about these.
   Managers must take the necessary actions to prevent discrimination and ill treatment against whistle-blowers.
TOTAL POINTS - INFORMATION AND COMMUNICATION

MONITORING
The internal control system is a dynamic process in which the administration has to continuously adapt to the risks and changes it faces. Therefore, the internal control system needs to be monitored in order to ensure that it adapts to changing objectives, environment, resources and risks as necessary. The basis for effective and efficient monitoring is the design and implementation of monitoring procedures that are relevant to the administration's objectives and that assess the important controls over meaningful risks.
When monitoring is designed and implemented properly, it provides correct and convincing information on the efficiency of the internal control system, identifies internal control failures on time and notifies the people responsible for taking action and, where necessary, top management. This ensures that the problems faced are corrected before they harm the objectives of the administration. Monitoring is carried out by management and by internal and external audit.
1. Is the internal control system monitored and assessed at least once a year?
   Please explain at what intervals the internal control system in your administration is assessed and the methods used.
   The internal control system must be assessed via ongoing evaluations or separate evaluations. It is recommended that these two methods be applied at the same time. (A separate evaluation of the internal control system can be carried out by setting up working groups or via questionnaires.)
2. Are processes and methods set out in your administration to identify and disclose the shortcomings of internal control and improper control methods, and to take the necessary actions?
   If the response is "Yes", please briefly describe the process and method adopted in your administration. It is recommended that the processes and methods be put into practice upon approval by the Senior Manager. Please give brief information on the responsible staff who are notified in the event of an incomplete or improper control method, the time limit set for taking action and how these procedures are monitored.
   Management fulfils this responsibility via the SDUs and internal auditors.
3. Are training sessions, plenary sessions and meetings held which create an atmosphere in which managers are provided with feedback about whether internal control functions effectively?
4. Are the units of the administration involved in the evaluation of internal control?
   If the answer is "Yes", please explain how participation is ensured. It must be ensured that units take an active part in the process, and the task of evaluating the internal control system must not be perceived as the responsibility of only the Senior Manager, the internal auditor and the SDU.
5. Is there an internal audit unit/internal auditor in your administration?
6. Is there efficient cooperation among the internal audit unit, management and staff?
   What has been done to increase the level of awareness of managers and staff of internal audit activities? What has been done to review the relations with the internal audit unit and the expectations? Please explain briefly.
7. While evaluating internal control, are the opinions of managers, the requests and complaints by people/organisations, and the reports produced upon internal and external audit taken into consideration?
   The method to be adopted for the collection, assessment and reporting of the information required for the evaluation of internal control must be set out. Please refer to the staff responsible for assessing the internal and external audit findings and recommendations for the evaluation of internal control, the time limits for these assessments and the management level to which this information is communicated.
   Compare the internal and external audit reports with the results of the internal control system evaluation by the SDU for consistency. In the event that any inconsistency is identified, the reasons for it must be questioned.
8. Are recommendations from internal audit and the SDU about how to improve internal control taken into consideration by management?
9. Are action plan(s) produced and implemented in which the internal control evaluation results and the recommendations made upon internal and external audit are addressed? Are they followed up?
   If the timing is appropriate, action plans can be combined. Please give brief information on the staff responsible for following up the action plans and the method used. Furthermore, please provide information on the method used for the follow-up of internal audit reports, if there is any. With which level of management are the results of the follow-up shared, and how often? Please explain.
TOTAL POINTS - MONITORING
GRAND TOTAL
Annex 2: Internal Control System Evaluation Report

………………………… (NAME OF ADMINISTRATION)
INTERNAL CONTROL SYSTEM EVALUATION REPORT

I. INTRODUCTION
1.1 Mission
1.2 Aims and Objectives
1.3 Organisational Structure
II. INTERNAL CONTROL QUESTIONNAIRE RESULTS
II.1 Consolidated summary of strengths and aspects open to improvement regarding the entire organisation, relevant to each COSO component:
- Control Environment
- Risk Management
- Control Activities
- Information and Communication, and
- Monitoring
III. OTHER INFORMATION
III.1 Internal Audit Reports
III.2 External Audit Reports
III.3 Other Information Sources
III.3.1 Budget Information
III.3.2 Data on Ex-ante Financial Control
III.3.3 Requests by Individuals and/or Administrations
III.3.4 Other Information
IV. CHANGE SINCE THE LAST REPORT
IV.1 For each COSO component, has the position got better or worse, and why?
V. CONCLUSION
V.1 Strengths
V.2 Aspects Open to Improvement
V.3 Recommendations for Action
Annex 3a: Internal Control Assurance Declaration - Senior Manager

I. RESPONSIBILITY
As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of [the administration]. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.

II. PILLARS OF THE INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION
I declare that my administration's budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements, and that the resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.
In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration's revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; that my administration operates in line with the laws and other regulations; that irregularities and fraud are prevented in each financial decision and transaction; that regular, timely and reliable reports and information are acquired for decision making and monitoring; and that assets are safeguarded against abuse, waste and losses.
This assurance is based on my knowledge and considerations as the Senior Manager, the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programme, the studies of the SDU, and internal and external audit reports (if available).
In the following part, the Senior Manager must explain the support provided by the management information systems, the internal and external evaluations within the framework of the quality assurance development programme, internal and external audit, and the SDU.
Management Information Systems
Please read section no. 6.1.1.3 before completing this part.
Internal Audit
Please read section no. 6.1.1.4 before completing this part.
External Audit
Please read section no. 6.1.1.5 before completing this part.
SDU
Please read section no. 6.1.1.6 before completing this part.
III. RISK MANAGEMENT [10]
As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration and in the production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, the creation of the necessary organisational capacity and the embedding of risk management into the general activities is valued.
In the following part, the authorising officer should address the risk perception of the administration and its capacity to deal with risk.
Risk perception of the administration (should be summarised)
Please read sections no. 6.1.1.7 and 6.1.1.8 before completing this part.
Capacity to handle risk
Please read section no. 6.1.1.9 before completing this part.
My administration faces a wide range of risks during the course of its activities. These risks are considered in accordance with the principle that the cost of the internal controls developed for control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted across the levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.
In the following part, the Senior Manager should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration's risks.
Identification and assessment of the risks
Please read section no. 6.1.1.10 before completing this part.
Addressing, control environment, monitoring and reporting of the risks
Please read section no. 6.1.1.11 before completing this part.
[10] This part must be completed when the risk management process starts to function in the administration.

IV. APPRAISAL OF THE INTERNAL CONTROL SYSTEM
As the Senior Manager, during the preparation of the foregoing declaration I also considered the assurance declarations by the Authorising Officers and the Head of the SDU. The information and evaluations I have received from these declarations form an important basis for the assurance I have to provide on the internal control system in my administration.
Furthermore, [advisory, audit, risk steering] boards/committees have been set up within [the administration] to provide support and guidance for the evaluation of the internal control system, particularly in terms of risk strategy and management. The reports prepared by these boards have made a great contribution to the evaluation of the internal control system.
Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term and how these developments have been handled are summarised below.
Please read section no. 6.1.1.12 before completing these parts.
Human Resources
Physical infrastructure and assets
IT and communication infrastructure
Data security
New structures and changing fields of activity
Problems faced in the main fields of activity or examples of best practice
Developments regarding weaknesses stated in previous years
Other developments

(Date)
Signature
Name
Title
Annex 3B: Internal Control Assurance Declaration - Authorising Officer

INTERNAL CONTROL ASSURANCE DECLARATION [11]

I. RESPONSIBILITY
As the authorising officer, within my field of competence I am responsible for ensuring that my expenditure orders are in line with the fundamentals and principles of the budget, the laws, rules and regulations and other legislation, that the appropriations are utilised in an efficient, effective and economic manner, and that internal control operates properly.

II. PILLARS OF THE INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION
I declare that the operations and transactions carried out by my spending unit comply with the aims and objectives of the administration, good financial management principles, the control arrangements and the legislation; that the resources allocated to the spending unit from the administration budget have been utilised in line with the planned objectives; and that the internal control system within my unit provides sufficient and reasonable assurance.
This declaration of assurance is based on my own information and evaluations as the authorising officer, and on the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programmes, the studies by the SDU, and internal and external audit reports.
In the following part, the support provided by the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programmes, and the studies by the SDU should be elaborated by the authorising officer.
Management Information Systems
Please read section no. 6.1.1.3 before completing this part.
Internal Audit
Please read section no. 6.1.1.4 before completing this part.
External Audit
Please read section no. 6.1.1.5 before completing this part.
SDU
Please read section no. 6.1.1.6 before completing this part.
[11] Please read section no. 6.1.1 before completing this part.
III. RISK MANAGEMENT [12]
Within the framework of the overall risk perception, strategy and awareness of the administration, the capacity to handle risk has been determined for the activities specific to my unit, and the necessary importance has been attached to embedding risk management in its activities.
In the following part, the authorising officer should address the capacity to handle risk.
Capacity to handle risk
Please read section no. 6.1.1.9 before completing this part.
My spending unit faces various risks during the course of its activities. These risks are considered in line with the principle that the cost of the internal controls developed does not exceed the benefit planned to be gained from them. A systematic approach has been adopted in the spending unit for the identification, addressing, assessment, monitoring and reporting of the risks faced.
In the following part, the authorising officer should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration's risks.
Identification and assessment of the risks
Please read section no. 6.1.1.10 before completing this part.
Addressing, control environment, monitoring and reporting of the risks
Please read section no. 6.1.1.11 before completing this part.
[12] This part must be completed when the risk management process starts to function in the administration.

IV. EVALUATION OF THE INTERNAL CONTROL SYSTEM
The following is a summary of the most significant developments experienced in the activities of my unit within the period covered by the foregoing report, and how these developments have been addressed by the internal control system.
Please read section no. 6.1.1.12 before completing these parts.
Human Resources
IT and communication infrastructure
Data security
New structures and changing fields of activity
Problems faced in the main fields of activity or examples of best practice
Developments regarding weaknesses stated in previous years
Other developments
As the authorising officer, I hereby declare that we have also carried out some transactions overriding the opinion of the SDU. The information on and justifications for these transactions are as follows:
There is no work that I carried out that was not found to be appropriate by the SDU.
(In this part, list the transactions, if any, carried out by the authorising officer despite the negative opinion provided upon the ex-ante financial control. If there is no such work, the expression "there is no work that I carried out that was not found to be appropriate by the SDU" should be included.)

(Date)
Signature
Name
Title
Annex 3b: Internal Control Assurance Declaration - Head of SDU

INTERNAL CONTROL ASSURANCE DECLARATION
As the Head of the SDU, I declare that the internal control system has been implemented and monitored, and that my opinions and recommendations have been reported to the Senior Manager so that the necessary actions can be taken in time to ensure that the activities in [the administration] are carried out in accordance with the financial management and control legislation and other legislation, and that public resources are utilised in an efficient, effective and economic manner.
Please read section no. 6.1.2 before completing this part.
In the following part, the studies regarding the management information systems, the development of the internal control system, monitoring and review, and briefing and advising by the Head of the SDU should be explained.
Management Information Systems
Please read section no. 6.1.2.1 before completing this part.
Development of the Internal Control System
Please read section no. 6.1.2.2 before completing this part.
Monitoring and Review
Please read section no. 6.1.2.3 before completing this part.
Briefing and Advising
Please read section no. 6.1.2.4 before completing this part.
Financial Information
Please read section no. 6.1.2.5 before completing this part.
I confirm that the information included in section III.A - Financial Information of the Activity Report (year) is reliable, complete and accurate.

(Date)
Signature
Annex 4 Example Of A Complete Declaration INTERNAL CONTROL ASSURANCE DECLARATION
(SENIOR MANAGER)
Name-Surname
Title
I RESPONSIBILITY
As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of the Ministry of Space Exploration. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.
II AIMS AND PILLARS OF INTERNAL CONTROL SYSTEM
I declare that my administration's budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements, and that the resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.
In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration's revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; that my administration operates in line with the laws and other regulations; that irregularities and fraud are prevented in each financial decision and transaction; that regular, timely and reliable reports and information are acquired for decision making and monitoring; and that assets are safeguarded against abuse, waste and losses.
This assurance is based on my knowledge and considerations as the Senior Manager, management information systems, internal and external evaluations carried out within the context of the quality assurance development programme, studies of the SDU, and internal and external audit reports (if available).
Management Information Systems
Management information systems have been established in all General Directorates in order to provide information for managers that enables effective decisions to be made and allows information on changing risks to be monitored in our Ministry. However, not all of our legacy IT systems have been fully assessed for security risks. As part of the measures being taken to strengthen data security governance, we will ensure that the IT systems supporting our most time-critical business processes are reviewed to establish a known risk position by December 2010. We will carry out a review of our remaining systems during 2011.
Internal and External Evaluations Carried Out Within the Context of the Quality Assurance Development Programme
The Presidency of Strategy Development has carried out one internal evaluation of the effectiveness of internal control within the context of the quality assurance and development programme. The main findings of this evaluation are:
That compliance with internal control standards was good in terms of effective control activities in order to minimise risk.
An Internal Control and Risk Steering Board has been set up within the Ministry to contribute to the evaluation of the internal control system.
Unit managers needed to develop their skills regarding ongoing monitoring of internal control systems.
Based on the evaluation findings, the Ministry has produced an action plan which is planned to be put into practice as of June 2010.
There were no external evaluations carried out within the context of the quality assurance and development programme, but the CHU has declared that this is scheduled for 2013.
Internal Audit
Our Ministry's Internal Audit Unit continues to operate within the framework of a three-year audit plan. Internal Audit operated to the requirements defined in the Public Internal Audit Standards. Their audit programme was focused around the Ministry's key risks of internal control, together with recommendations for improvement. The Director of the Internal Audit Unit provided me with an annual Internal Control Evaluation Report which contained an independent opinion on the adequacy and effectiveness of internal control. The conclusion of the Director of the Internal Audit Unit was that the following aspects of internal control should be improved:
Awareness of the Deputy Undersecretaries and General Directors of their internal control responsibilities and risk management.
Improvement of the present arrangements regarding the promotion, assignment and appointment system to make it transparent and competence based.
Improvement of communication between the central and provincial organisations of our Ministry.
Review of management information systems to update old systems.
Improvement of allowances and supplementary payments for personnel going to space.
It has been decided that a working group consisting of managers from the SDU, the General Directorate of Personnel and other relevant units will put these recommendations into an action plan.
External Audit
The TCA has approved the annual accounts of the Ministry.
SDU
An evaluation of the internal control system has been carried out with the full participation of the SDU, Spending Unit managers and the staff, and a report has been produced and submitted to the CHU on 30th March 2010. The main findings of the review are listed above under the heading "Internal and External Evaluations Carried Out Within the Context of the Quality Assurance Development Programme" in this document. SDU staff also underwent training in risk management during this year.
III RISK MANAGEMENT
As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration and in the production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, the creation of the necessary organisational capacity and the embedding of risk management into the general activities is valued.
The SDU took the lead in embedding risk management in the organisation by reviewing and updating the key corporate external and internal risks facing the Ministry each month. The SDU also began an exercise to identify long-term risks that may pose a significant threat to the Ministry in the future. These risks were recorded on a long-term risk register, and the intention is that they will be reviewed every six months. Should the threat increase, these risks will be escalated to me for appropriate action to be taken.
The Internal Control and Risk Steering Board also endorsed an action plan to further embed good risk management practice within the Ministry's processes and systems and to support innovation through well-managed risk taking. Work to establish this position will continue and focus on those areas identified as still most in need of improvement. This will include giving further consideration to risk appetite, where the focus will be on practical examples of how it can be applied in practice, thus making it easier to communicate its awareness among staff.
Guidance was available to all staff on risk management through the risk management intranet site. In addition to a risk management policy, specific guidance was available on undertaking risk self-assessment, which includes guidance on applying risk management as an integral part of the Ministry's business planning process. Risk management workshops were available to all staff, and practical guidance on its application had been incorporated into a wide range of training courses. These courses covered all ranges of staff and were tailored to be appropriate to their authority and duties.
My administration faces a wide range of risks while carrying out its activities. These risks are assessed in accordance with the principle that the cost of the internal controls to be developed for control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted across the levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.
The risk management framework for our Ministry operated through the initial identification, as part of the business planning process, of risks which threatened the achievement of the Ministry's objectives. These risks were then evaluated in terms of impact and probability. This process established the level of residual risk to which the Ministry was exposed, which was monitored over time as part of performance management. Ownership of each risk was assigned to a named individual. Reasonable assurance that risk mitigation activities were appropriate was obtained through regular management reviews and internal audits of the key activities undertaken in the Ministry.
In order to further embed best practice in risk handling and to ensure a consistent interpretation of the acceptable extent of residual risk, our Ministry will review its risk appetite and communicate it more effectively across the organisation.
IV APPRAISAL OF THE INTERNAL CONTROL SYSTEM
As the Senior Manager, during the preparation of the foregoing declaration I also considered the assurance declarations by the Authorising Officers and the Head of SDU. The information and evaluations I have received from these declarations form an important basis for the assurance I have to provide on the internal control system in my administration.
Furthermore, an Internal Control and Risk Steering Board has been set up within the Ministry of Space Research to provide support and guidance for the evaluation of the internal control system, particularly in terms of risk strategy and management. Reports prepared by this Board have made a great contribution to the evaluation of the internal control system.
Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term, and how these developments have been handled, are summarised below.
In our investment programmes, the underspend reported last year in the spacecraft development programme has been managed. There is now less than 2% slippage in that programme. Underspends have arisen this year in other areas, for example:
The satellite programme, TL 121 m. The Internal Audit Unit has reviewed the Investment Budget management and an action plan is being developed to address the audit findings.
Astronauts training programme, TL 113m, due to slower than expected take-up. Processes will be streamlined to reduce barriers and it is expected the budget will be fully used in the next year.
Renovation of launching stations programme, TL 16m, arising mainly from slippage in international cooperation projects affecting the expected refurbishment programme, together with some incorrect historical data for tracking capital allocation. New systems will prevent the reoccurrence of this problem.
Whilst recognising the above summarised issues, good progress has been made in resolving them and there are plans in place to further enhance the internal control system and improve practice. As Senior Manager, I provide reasonable assurance that the above issues do not represent a material threat to operational effectiveness and that our Ministry complies with the public internal control standards on risk management, internal control and governance.
(Date)
Signature
Name
Title
GLOSSARY
Concept: Definition
Explicit information: the information which can be created, expressed, obtained and transferred in accordance with a specific system.
Aim: the concept which refers to the objectives contained in the strategic plan that the administration aims to attain.
Information: financial and non-financial data related to internal and external events and activities, which is created, obtained and communicated in a particular form and at a particular time to ensure that people carry out their duties.
Information security: refers to safeguarding valuable assets in an administration against loss, misuse or damage.
Information map: the demonstration of the information kept in units or their systems which can be shared, and of the expertise and experience of personnel, on an organisational scheme or map in accordance with the organisational structure.
Information pool: the accessible area where information obtained in hard form or soft form is stored and kept ready for re-use.
Information architecture: the organisation of information with a view to making it accessible, manageable and useful, from infrastructure level to end-user level.
Information stock: financial and non-financial information available in the administration at a particular time.
Information technology: a system that controls all activities, including communication and computers, which are used for the purposes of collecting, storing and processing information, its transmission from one point to another through communication systems and computers, and its provision to the service of users. Information technology is a concept that is used to refer to all information services which can be connected through communication and computer systems.
Information management: a process where information is planned and obtained from any kind of source, internally or externally, classified, stored, communicated to the relevant bodies in a timely manner for interpretation, reviewed for updating and disposed of.
External audit: within the framework of the accountability responsibility of public administrations within the scope of general management, it is the activity of examining the compliance of the financial activities, decisions and procedures of the administration with laws, administrative objectives, aims and plans, and reporting the results to the TGNA by the Turkish Court of Accounts.
Audit trail: requires the maintenance of records giving the full documentation and justification at all stages of the life of a transaction, together with the ability to trace transactions from summarised totals down to the individual details and to trace all reporting stages.
Inherent risk: refers to those risks whose probability and impact cannot be changed unless particular precautions are taken by the administration. When risks are identified for the first time, they are at the inherent risk level.
Ethics: a body of moral principles, values and standards which forms the basis for the behaviours of a person and guides them on how to do their work.
Cost-Benefit Analysis: the identification and comparison of the costs and benefits regarding the implementation of a planned work or activity. In cases where benefits outweigh costs, the work or activity is considered to be cost-effective.
SWOT Analysis: a method in which the administration systematically examines itself and the conditions having an impact on the administration. In this framework, the strengths and weaknesses of the administration as well as the threats and opportunities that may occur outside the administration are identified. This is an analysis which forms the basis for the strategic planning process.
Segregation of duties: covers the requirement that the duties of approval, implementation, recording and control of each activity or financial decision and transaction shall be assigned to different people.
Objective: the specific and measurable sub-aims geared towards attaining the aims contained in the strategic plan.
Performance objectives: outcome-oriented objectives which administrations plan to attain in a programme period with a view to attaining the aims and objectives contained in the strategic plan.
Internal audit: an independent and objective activity of giving assurance and providing counselling with a view to providing guidance and assessing whether resources are managed in compliance with the principles of effectiveness and efficiency, in order to improve and add value to the activities of the public administration.
Internal control: the body of financial and other controls covering the organisation, method, process and internal audit in an administration, carried out with a view to ensuring that activities are conducted effectively, efficiently and economically in line with the administration's aims, its identified policies and the legislation; that assets and resources are protected; that accounting records are kept accurately and completely; and that financial information and managerial information is produced in a reliable and timely manner.
Internal control assurance declaration: the declaration annually signed by senior managers, authorising officers and heads of strategy development units, within the framework of accountability and transparency, to state that processes and transactions are conducted in line with the principles of good financial management, control regulations and the legislation.
Internal Control and Risk Steering Board: the Board makes assessments concerning the development of processes and methods related to the internal control system, such as the determination of policies about monitoring internal control practices and the introduction of risk in the administration.
Whistleblowing: the notification of illegal and unethical behaviours and actions, by persons with information (employees or stakeholders), to internal and external authorities that have the power and authority to solve the problem, so that the administration or third persons inside or outside the administration are not affected.
Business continuity: the plans that aim at ensuring continuity of the activities of the administration, or at ensuring continuity without any interruption after any extraordinary situation.
Ex-post controls: the controls applied by management to the administration's activities after they have been carried out, using pre-identified methods.
Monitoring: the activity of assessing, within the framework of compliance with internal control standards, whether the internal control system provides the expected contribution to attaining the objectives and aims of the administration, and of determining the activities to be carried out in fields that are open to improvement.
Residual risk: refers to the risks remaining after management has taken precautions to reduce their probability and impact.
Control activities: actions aimed at reducing the impact and/or the likelihood of a risk occurring and thus increasing the probability of attaining the goals and objectives of the organisation or part of the organisation.
Financial Management and Control: the development, implementation, monitoring and improvement of suitable organisations, methods and processes within the framework of managerial responsibility to ensure effectiveness, efficiency and economy in obtaining and using resources, as well as compliance with the identified aims and objectives and the legislation.
Central Harmonisation Unit: affiliated to the Ministry of Finance. The unit develops and harmonises methods and standards concerning financial and internal control processes and provides related guidance for public administrations.
Mission: the cause of existence of an administration and its place within the state structure. In other words, mission is the answer to such questions as what the public administration does, and how and for whom it does what it does.
Focus group: meetings held among a target group composed of 6-8 people to receive their thoughts and reactions in a detailed and elaborate manner. They are managed by a moderator within the framework of a flow plan.
Probability: refers to the likelihood that an event may occur.
Organisational structure: the general system covering all the activities and procedures undertaken to attain the aims and objectives of the administration.
Ex-ante financial control: a control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out against the available appropriation amount, the expenditure programme, the financing programme and the provisions of the central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently.
Implicit information: the information in people's minds which is not regulated in accordance with a particular system and is therefore not easy to transfer and circulate, and the registered information which is not accessible to employees.
Stakeholders: the people, groups and administrations which are relevant to the administration's products and services and can directly or indirectly, positively or negatively, affect or be affected by the administration.
Risk: can generally be defined as the uncertainty of events that may occur in the future, or the undesirable outcomes and impacts of an event. For administrations, risk can be defined as the negative or positive effects of internal and external factors that may occur in the future on attaining the objectives and aims of administrations. In risk terminology, the positive aspects of risk and the wins it may bring along are referred to as opportunity, and the negative aspects and the losses it may cause are referred to as threat.
Risk assessment: analysing those factors which can have an impact on attaining the objectives of the administration.
Transferring risk: the response to risks by taking some of them away from the responsibility of the administration and transferring them to others.
Handling risks: the identification of responses to the risks identified and assessed (within the framework of risk appetite) by public administrations, reducing the expected threats and benefiting from the opportunities that may emerge within this context.
Impact of risk: refers to the outcomes or effects that a risk-posing event can produce once it occurs.
Risk appetite: the amount of risk an administration is ready to accept (tolerate / be exposed to) at any time before deciding on the need to take any relevant precautions, in line with its strategic objectives, mission and vision. In terms of threats, it refers to the exposure level which can be tolerated and justified; in terms of opportunities, it refers to how ready a person is to actively take the risk in order to gain the benefits of the opportunity.
Tolerating risks: a passive method of response to risks which public administrations are comfortable to undertake.
Avoiding risks: a response to risks by removing the activities in which risks are probable to occur, thus eliminating, together with the activities, the risks that are probable to occur.
Controlling risks: a method of response to risks by means of control activities carried out to keep tolerable risks at a certain level in public administrations.
Preventive Controls: controls carried out to prevent the threats that a risk may pose and the undesirable outcomes a risk may produce once it occurs.
Corrective Controls: controls aiming at reducing the impact of the undesirable outcomes that arise from the threats a risk poses once it occurs.
Directive Controls: controls carried out to prevent the occurrence of a risk or to avoid the impact it may produce once it occurs.
Detective Controls: controls applied to identify the damages and losses experienced once the risk is realised.
Risk profile: the documented and prioritised overall assessment of the range of specific risks faced by the administration.
Risk management: a management tool and all the mechanisms related to identifying and assessing the risks that may have an impact on attaining the aims and objectives of the administration, identifying responses to risks, regularly reviewing and updating risks and responses, and monitoring the whole process.
Corporate risk management: a process which covers the entire administration and ensures that risk management processes are considered and handled as a whole.
Risk strategy: the overall organisational approach to risk management as defined by the Accounting Officer and/or the Board. This should be documented and easily available throughout the organisation.
Risk Strategy and Policy Document (RSPD): the corporate approach to risk management identified by the Head of Administration and the senior-level policies are called the risk strategy, and the document in which this approach and these policies are set down in writing is called the Risk Strategy and Policy Document (RSPD).
Risk identification: the process of identifying, ascertaining, categorising and updating the risks that prevent or limit the achievement of the administration's strategic objectives, using previously defined methods.
Strategy Development Unit: refers to the presidencies of strategy development, the units and departments of strategy development, and the directorates where strategy development and financial services are undertaken. They carry out studies to establish, implement and continuously develop internal control systems and report the study results to the Head of Administration.
Irregularity: faults, errors and negligence stemming from the violation of regulations and provisions related to financial management.
Delegation of authority: the delegation of the responsibility and authority for making decisions to another authority, in writing, in the way envisaged in the legislation.
Fraud: the misuse or insufficient use of documents and declarations for monetary purposes or non-monetary private purposes, as well as hiding information, deliberate acts performed to abuse a benefit legally obtained, and negligence and the illegal use of public power.
Management Information System: supporting systems which provide proper data for managers and decision-makers for taking decisions and implementing them, with a view to more effectively attaining the previously identified objectives of the administration, by operating and communicating the information used in the administration.
Managerial accountability: refers to management being accountable to the Parliament, the Government and public opinion for the decisions they have made regarding the duties assigned to them, as well as for the effective use of public resources.
Governance: the way in which organisations are directed and controlled. It defines the distribution of rights and responsibilities among the different stakeholders and participants in the organisation, determines the rules and procedures for making decisions on corporate affairs, including the process through which the organisation's objectives are set, and provides the means of attaining those objectives and monitoring performance.
Conference call: a system of telecommunications technology that enables a number of people in different locations to hold a discussion using the telephone.
Internal Auditor 98
Authorising Officer 98
Realisation Officer 99
Accounting Officer 99
Strategy Development Units 99
Central Harmonisation Unit 99
4 INFORMATION 99
4.1 Characteristics of Information 99
4.2 Information Management 100
4.3 Information Security 106
5 MANAGEMENT INFORMATION SYSTEMS (MIS) 108
5.1 Stages of Establishing MIS 109
6 COMMUNICATION 110
6.1 Internal and External Communication 111
6.2 Communication Methods 113
7 WHISTLEBLOWING OF FAILURES, IRREGULARITIES AND FRAUD 114
7.1 Concepts of Failure, Irregularity, Fraud and Whistleblowing 115
7.2 Scope of Notifications 115
7.3 The Responsibility for Detecting Faults, Irregularities and Fraud 116
7.4 Whistleblowing System 116
8 RELATIONS AMONG UNITS 119
8.1 Information and Communication between the CHU and SDUs 119
8.2 Information and Communication between SDUs and Spending Units 119
INFORMATION AND COMMUNICATION ANNEXES 120
Annex 1 - Legislation on Information and Communication 120
Annex 2 - Widely Used Methods of Communication 121
Annex 3 - Reports Prepared under PFMC Law No. 5018 124
Annex 4a - Whistle-Blowing Process Related to Ethical Values 125
Annex 4b - Whistleblowing and Evaluation Process for Crimes Committed by Civil Servants 126
MONITORING 127
1 Introduction 127
2 Monitoring Internal Control Standards 128
3 Roles and Responsibilities 128
3.1 Senior Manager 128
3.2 Internal Audit 128
3.3 Internal Control and Risk Steering Board (ICRSB) 128
3.4 Authorising Officers 128
3.5 Strategy Development Units (SDU) 129
3.6 Other Managers and Employees 129
3.7 External Audit 129
3.8 Central Harmonisation Unit (CHU) 129
4 Guidance by the CHU 130
5 Assessment and Reporting Role of SDUs 131
5.1 Assessment of Internal Control System by SDUs 131
5.2 Reporting of Internal Control System Evaluation Results 132
5.3 Monitoring of Internal Control System Evaluation Reports 133
5.4 Work to be carried out by SDUs concerning Internal Audit Reports 134
6 Internal and External Audits 136
6.1 Internal Audit 136
6.2 External Audit 137
7 Internal Control Assurance Declarations 138
7.1 How to complete Internal Control Assurance Declarations 139
MONITORING ANNEXES 146
Annex 1 - Internal Control System Question Form 146
Annex 2 - Internal Control System Evaluation Report 162
Annex 3a - Internal Control Assurance Declarations: Senior Manager 163
Annex 3B - Internal Control Assurance Declaration: Authorising Officer 167
Annex 3b - Internal Control Assurance Declaration: Head of SDU 170
Annex 4 - Example of a Complete Declaration 171
GLOSSARY 174
LIST OF ABBREVIATIONS
ARC Administrative risk coordinator
BiMER Prime Ministry Communication Centre
CHU Central Harmonisation Unit
COBIT Control Objectives for Information and Related Technology
COSO Committee of Sponsoring Organisations of the Treadway Commission
DHSDU Declaration by Head of Strategy Development Unit
e-SAC Electronic System Audit and Control
FMC Financial Management and Control
HRM Human Resources Management
ICAD Internal control assurance declaration
ICRSB Internal Control and Risk Steering Board
INTOSAI International Organisation of Supreme Audit Institutions
ISO/IEC International Organisation for Standardization / International Electrotechnical Commission
IT Information Technology
MERNIS Central Civil Registration System
MIS Management Information System
PESTLE Political, Economic, Social, Technological, Legal and Environmental
RSPD Risk Strategy and Policy Document
SDU Strategy Development Unit
SMART Specific, Measurable, Achievable, Relevant, Time-related
SURC Sub-unit Risk Coordinator
SWOT Strengths, Weaknesses, Opportunities and Threats
TGNA Turkish Grand National Assembly
TSE Turkish Standards Institute
URC Unit Risk Coordinator
UYAP National Judicial Information System
INTRODUCTION
From the late 20th century onwards, the focal point of governments in the whole world has been to establish mechanisms to increase performance. "Good governance", put forward to serve this end, has recently come to be a guiding principle both for the private sector and the public sector. Within the framework of the principle of good governance, such factors as ensuring accountability for the provision of better quality public services, improvement of transparency, delegation of authorities and responsibilities by means of managerial flexibility, outcome-oriented management and budgeting, and understanding and meeting the expectations of citizens have come to the foreground.
On the other hand, the provision of quality public services has brought along the need for public resources to be used effectively, efficiently and economically, thus necessitating the usage of effective tools in public administrations in many areas related to financial management and control, from organisational structure to information and monitoring. The most important tool for accountability adopted in this reform process is internal control.
Internal Control
Internal control, which is used internationally, is a system designed to give reasonable assurance of attaining the objectives of a given administration. Within the framework of the Committee of Sponsoring Organisations (COSO), which is the most widely known system among the others, internal control aims to ensure the compliance of actions and works with the legislation, as well as the reliability of financial and managerial reporting and effective and efficient asset protection. COSO, which is made up of the control environment, risk management, control activities, information and communication, and monitoring components, is an internal control model which is also accepted as a reference point by such institutions as the International Organisation of Supreme Audit Institutions (INTOSAI) and the European Commission. The following figure shows the components of COSO.
Figure 1: The COSO Cube
Our country on the other hand which has been carrying on membership negotiations
with the EU has been going through a reform process since the early 2000rsquos with a view to
strengthen its public internal control system The basic factors of the internal control system
which is recommended by the European Commission to all the candidate countries and is in
compliance with COSO can be summarized as financial management and control (FMC)
system based on managerial responsibility and accountability functionally independent
internal audit activity and Central Harmonisation Unit (CHU) responsible for the harmonisation
of these two areas in the whole public sector
FMC refers in the most general terms to the management and control processes
related to public revenues expenditures assets and obligations In this context public
managers of every level are responsible for the establishment and sustainability of a sound
FMC system to ensure resource-based planning programming budgeting accounting
controlling reporting archiving and monitoring Internal audit on the other hand which
assists the manager in assuming this responsibility and attaining the objectives gives
objective assurance based on risk management and provides guidance regarding the compliance
of the current FMC system with the identified rules and standards Furthermore a full capacity
and quality central harmonisation activity is required in order to identify and develop
methodologies legislation and standards in the areas of FMC and internal audit in public
administrations as well as to coordinate and monitor them and provide the training needed
In the light of the best practice examples our country has taken important steps in
strengthening transparency and accountability in public financial management and ensuring
an effective internal control function Public Financial Management and Control Law No
5018 which is the most important step among the others and adopted in 2003 defines the
functioning of internal control system and the roles and responsibilities of the actors involved
in the system and assigns the Ministry of Finance (MoF) the duty of identifying standards and
methods as well as ensuring coordination and providing guidance in this area As per this
duty the MoF published a Public Internal Control Standards Communiqué in 2007 which was
in compliance with the international standards
Financial Management and Control Manual which is an extension of all these works
has been prepared with a view to supporting decision-making and implementation
processes for a better management and thus contributing to the rational usage of public
resources The Manual the preparation of which started in 2010 and was completed in the
first quarter of 2011 is the outcome of a painstaking work carried out by the Experts both from
the United Kingdom and our country within the framework of a twinning project financed by the
European Union
FMC Manual has been designed with a view to ensuring the implementation of internal
control standards as a guideline which explains all the basic factors of internal control by
means of methods tools and examples which can be used by all the stakeholders In
addition it is also possible for administrations to use according to their own needs other tools
than this Manual which can be modified and revised in time in line with the changing
circumstances and needs in public administrations however it is foreseen that tools
adopted should not be in conflict with the basic requirements contained in the Manual
This Manual is made up of five main parts based on Internal Control Standards
Following this introduction there is a table showing the main responsibilities of the major actors
in financial management and control
In the first part conceptual explanations regarding ethical values and integrity
mission organisational structure and duties competence and performance of personnel and
delegation of authority which are the milestones of the control environment as well as
information on the legislation and implementing tools are given
In the second part information on the importance and aim of risk management
stages of risk management process and roles and responsibilities of the actors involved in the
process Risk Strategy and Policy Document and communication and reporting tools that can
be used is given
In the third part control strategies and methods identifying and documenting
procedure principle of separation of authorities hierarchical controls sustainability of
activities and information processing controls are explained within the framework of control
activities which is closely related to risk management and a set of control activities (approval
authorisation verification reconciliation of accounts etc) are dealt with
In the fourth part the concept of information and its management functioning of
Management Information Systems internal and external communication tools and reporting
mechanisms are handled within the framework of information and communication
component
In the fifth part information on the roles and responsibilities of Financial Management
and Control Central Harmonisation Unit (FMC CHU) in the overall public sector and of
Strategy Development Units (SDU)/Financial Services Units in each public administration as
well as the tools used internal control system quality assurance development program roles
of internal and external audit content of Internal Control Assurance Declaration and
guidance on how to fill the Declaration is given within the framework of regular monitoring
and assessment of internal control system
In the last part of the manual a glossary of the concepts used in the manual is given
Users of the Manual
Besides the relevant stakeholders and users it is believed that this Manual will be a
reference document for the following
Senior managers responsible for establishing an effective and adequate FMC system as
well as observing and monitoring it
Authorising officers who have responsibility within the scope of their duties and
authorities to ensure the functionality of the internal control regarding administrative and
financial decisions and proceedings
Relevant managers and employees of the Ministry of Finance who carry out the
central harmonisation duty in the area of FMC
Managers of SDUs and financial services experts who have responsibility concerning
the development of internal control system and implementation of the standards
Realization officers and accounting officers who are involved in the financial
processes and accountable to authorising officers
The other public managers who have responsibilities arising from the activities
conducted in the area of FMC in units
All the employees working in public administration
Internal auditors who have the responsibility to assess and report to the Head of
Administration the effectiveness of FMC system
External auditors who are responsible for examining the accounts financial transactions
and activities and internal control systems of public administrations as well as whether
resources are used effectively efficiently and economically as well as in compliance with
laws and reporting the results to the TGNA
TABLE OF ROLES AND RESPONSIBILITIES
The table sets out for each actor its responsibilities in the areas of Risk Management, Information and Communication, and Monitoring.

MINISTER
Risk Management: Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister should be aware of the potential risks to the administration's objectives.
Information and Communication: He ensures coordination and cooperation with the other ministries and informs the public opinion and the TGNA about the annual performance programme and activity report of the administration.
Monitoring: Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister is responsible for ensuring effective monitoring of the internal control system.

HEAD OF ADMINISTRATION
Risk Management: He defines strategies and policies for an effectively functioning risk management system in accordance with the aims and objectives of his administration. He explicitly defines tasks, roles and responsibilities. He ensures the participation of the stakeholders and the public opinion.
Information and Communication: As the quality of the information exchange and communication between the head of administration and the other actors has a direct effect on the accountability of the head of administration, he must inform the relevant units about the frequency and methods of feedback he prefers. He ensures effective communication among spending units, SDUs and internal audit.
Monitoring: He is responsible for observing and monitoring the functioning of financial management and control system. He approves annual internal control system evaluation reports and signs the Internal Control Assurance Declaration.

INTERNAL CONTROL AND RISK STEERING BOARD
Risk Management: The Board develops policies for improvement of risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the unit of the policies and procedures for coordination purposes. ICRSB determines a particular number of risks which it deems significant as the key risks among those risks that are submitted to itself and reports whether these key risks function well or not to the Head of Administration in regular periods or whenever it deems necessary.
Information and Communication: It provides the Head of Administration with timely and accurate information about the effectiveness of internal control and risk management.
Monitoring: It assesses internal control system evaluation reports prepared by the strategy development unit as a result of annual evaluation of internal control system and, after identifying any shortcomings of the report, submits it with the relevant opinions for the approval of Head of Administration.

AUTHORISING OFFICER
Risk Management: He acts as the unit risk coordinator or assigns someone to act so. URC coordinates the management of the unit's risks that may have an impact on objectives of the administration and provides guidance to this end.
Information and Communication: He ensures that tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff. He ensures that sub-units are informed about the activities of each other. He ensures that an effective communication and archiving system is established for the information related to the objectives and activities of the unit.
Monitoring: He has responsibility for continuously monitoring internal control system. He provides necessary information for strategy development units regarding the annual evaluation of internal control system, completes internal control questionnaire and annually signs internal control assurance declaration to be submitted to the Head of Administration.

HEAD OF DEPARTMENT/UNIT
Risk Management: He is responsible for the coordination of risk management activities within sub-units (if having such units or their management at this level is deemed appropriate) of the spending units in administrations. He is directly accountable to URC regarding risk management.
Information and Communication: He ensures that an effective communication and archiving system within the sub-unit is established for the information related to the objectives and activities. He ensures that tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff. He is accountable to the authorising officer.
Monitoring: He has responsibility for continuously monitoring internal control system. He supports the authorising officer in providing SDUs with information.

EMPLOYEES
Risk Management: Every employee is directly responsible for managing risks in their fields of duty (identifying, assessing, responding to, reviewing and reporting risks).
Information and Communication: Every employee is responsible for delivering accurate and timely information to managers, colleagues and stakeholders by using right communication means.
Monitoring: They observe the functioning of internal control system and in case of a problem they inform senior management and contribute to the evaluation process of internal control system by providing information.

STRATEGY DEVELOPMENT UNIT
Risk Management: It organises trainings on risk management in the administration and provides guidance in this respect.
Information and Communication: It is responsible for providing the Head of Administration and the units with accurate and timely information. In addition it is responsible for providing the unit with guidance and trainings on the area of internal control.
Monitoring: It annually assesses internal control system on behalf of the Head of Administration. It signs the declaration on functioning of internal control system with a view to ensuring effective, efficient and economical execution of administration's activities. Staff of Strategy Development Units take active role in the evaluation process of internal control systems and guide the units in completing the reports regarding evaluation.

ACCOUNTING OFFICER
Risk Management: Within the scope of his duty the Accounting Officer should identify and manage the financial risks.
Information and Communication: The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way.
Monitoring: Accounting Officers must regularly report to the authorising officer on the accounting records.

CENTRAL HARMONISATION UNIT
Risk Management: It is responsible for such activities as making regulations and changes when necessary, carrying out developmental activities as well as ensuring guidance, harmonisation, inter-administrational coordination and reporting.
Information and Communication: It is responsible for making arrangements, setting out standards, providing guidance and advice, ensuring harmonisation and coordination among administrations, monitoring and reviewing the implementation in the fields of financial management and control and internal audit.
Monitoring: It annually assesses the functioning of internal control systems in public administrations based on Internal Control Evaluation Reports approved and submitted by senior managers and submits the evaluation report it prepared to the Head of Administration and the Minister of Finance.

INTERNAL AUDIT
Risk Management: Internal auditor provides the Head of Administration with advice regarding risk management by making evaluations on whether risk management process is effective and risks are managed in the right way or not.
Information and Communication: He examines the functioning of information and communication system in the administration and reports the results to the Head of Administration. There must be an effective communication system between Head of Administration and internal audit.
Monitoring: It has the function to provide the management with information about the sufficiency, effectiveness and functioning of internal control system as well as making evaluations and giving recommendations.

EXTERNAL AUDIT
Risk Management: Within the framework of performance management it can audit the functioning of risk management processes in administrations.
Information and Communication: Within the framework of performance management it can audit the functioning of information and communication systems in administrations.
Monitoring: Court of Accounts can assess internal control systems in administrations during the audits it conducts and give recommendations.
CONTROL ENVIRONMENT
1 INTRODUCTION
According to the COSO model control environment is creation of the basic
infrastructure for the other components of internal control by providing internal control
awareness for employees working in a particular administration Control environment
generally includes internal control awareness values working styles and procedures of the
administration Basic factors of control environment are summarized below
CE Box 1 Basic Factors of Control Environment
Principles of personal and professional integrity
Adoption of ethical values by management and personnel
Supportive attitude of senior management towards internal control
Organisational structure
Professional competence and performance of personnel
Human resources policies and practices
Management philosophy and working style
Creation and sustainability of a positive and supportive environment for internal
control by the management is of great importance As employees also have their relevant
roles in carrying out internal control all the individuals within the administration need to know
their responsibilities and authorities very well Employees need to uphold personal and
professional integrity and ethical values and comply with the current behavioural norms In a
well-functioning control environment the public administration should determine in advance its
mission organisational structure and terms of reference and should regularly assess the
performance of personnel
2 Internal Control Standards
Four standards were determined regarding control environment among Public
Internal Control Standards
CE Box 2 Control Environment Standards
Standard 1 Ethical values and integrity
It should be ensured that rules which regulate how personnel behave are known by the
personnel
Standard 2 Mission organisational structure and duties
Mission of the administration and job descriptions for units and personnel should be set out
in writing and announced to the personnel and a suitable organisational structure should
be established in the administration
Standard 3 Competence and performance of personnel
Administrations should ensure the compatibility between the competence and duties of
personnel and take actions about performance appraisal and improvement
Standard 4 Delegation of authority
Administration should explicitly identify authorities and limits of delegation of authority and
announce them in writing Authority should be delegated by taking the importance and
risk of authority to be delegated into consideration
This part gives explanations regarding the relevant legislation and standards with a
view to rendering Public Internal Control Standards more comprehensible and to guide the
practices It also stresses the methods to be applied for ethical values and integrity
principles to be owned by senior management and adopted by personnel which is very
important for a well-functioning control environment Besides criteria are determined for the
assessment of competence and performance of personnel as well as giving explanations on
determination of mission organisational structure and duties Moreover the part explains how
the delegation of authority which is a priority for accountability needs to be conducted
3 LEGISLATION
31 Legal Basis
In utilising public resources or in providing effective and efficient public services the
principles and procedures of a work whether financial or non-financial are determined by the
regulations made by laws or the central administration
Internal Control standards provide the minimum and overall framework for managers
for giving an assurance on the provision and sustainability of services In the following
diagram the international and national standards and legislation relating to Control
Environment are given
CE Figure 1 Legal Basis Framework regarding Control Environment
Part Five of Law No 5018 regulates 'internal control system' Within this framework in
order to establish an effective and sufficient internal control system the top manager and
the other managers should take necessary action to ensure that the following factors are
implemented
• Having professional values and an integral management understanding
• Assignment of financial authorities and responsibilities to informed and competent
managers and personnel
• Compliance with the standards set
• Prevention of actions that are opposed to the Legislation
• Provision of a proper working environment and transparency with a comprehensive
management understanding
The main legislation related to control environment is given below
CE Table 1 Main Legislation on the Control Environment Standards
Control Environment Standard 1 Ethical Values and Integrity
Related legislation:
Law No 5176 on the Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws
Legislation on Ethical Behaviour Principles and Application Principles and Procedures of Civil Servants
Control Environment Standard 2 Mission organisational structure and Tasks
Related legislation:
Law No 3046
Decree of Law No 217 on the Establishment and Duty Principles of State Personnel Presidency
Strategic Planning Guideline for Public Administrations
Control Environment Standard 3 Competence and Performance of Personnel
Related legislation:
Turkish Constitution
Law No 657 on Civil Servants
Law No 2802 on Judges and Public Prosecutors
Law No 2914 on High Education Staff
Law No 926 on Turkish Armed Forces Personnel
Law No 3269 on Specialized Sergeants
Law No 3466 on Specialized Gendarmerie
Law No 4678 on Contracted Officers and Petty Officers to be Recruited into Turkish Armed Forces
Regulation on Examinations for Those to be Appointed for Public Duties for the First Time
Regulation on Appointment Conditions for Public Services of Disabled Persons and Competition Examinations to be Conducted
Special Regulations Prepared by Administrations (expert, coordinator, inspector etc)
General Regulation on Training of Candidate Civil Servants
Registry Regulation for Civil Servants
Regulation on Civil Servants to be Sent Abroad for Training Purposes
General Regulation on the Principles of Promotion and Title Change in Public Administrations and Entities
Regulation on Promotion and Title Change in Supreme Institutions and Agencies of High Education
Control Environment Standard 4 Delegation of Authority
Related legislation:
Law No 3046
Law No 2547 on High Education
Law No 5393
Organisational Laws
Communiqué Serial No 1 on Authorising Officers
4 ETHICAL VALUES AND INTEGRITY
41 What is Ethics
Ethics is a body of moral principles which forms the basis for the behaviours of a
person In other words ethics is the guidelines values principles and standards which help
people determine 'how to do works' Ethics is at the same time a process In this process while
making and implementing decisions actions are carried out upholding particular values
The aim of observing ethical behaviour principles is to prevent corruption and to
uphold integrity in a state and community
42 Current Legislation on Ethics
Law No 5176
The Law determines the establishment duty and working principles and procedures for
Civil Servant Ethical Board to determine and monitor the implementation of such ethical
values that civil servants must observe as transparency impartiality accountability and
observing public interests However the scope of the law is so narrow that it diverges from its
original aim (Provisions of the Law on President Members of TGNA Members of Council of
Ministers officials of Turkish Armed Forces and officials of jurisdiction are not enforced)
Civil Servants Ethical Board is authorised and responsible for determining ethical
behaviour principles through the legislation it will prepare conducting the relevant ex officio
examinations and investigations as well as conducting examinations and
investigations upon applications on ethical behaviour violations and notifying the results
to the relevant authorities carrying out studies to settle ethical behaviours in a community
and supporting studies to be carried out in this field
Within the framework of laws applications can be made to the Board with allegations of violation
of ethical behaviour principles about the civil servants of at least director general or
equivalent positions in a public administration and institution
Applications to be made with allegations of violation of ethical principles about the
other civil servants are evaluated by the concerned boards of the relevant administrations to
see whether there is a condition that is opposed to ethical value principles or not Results of
the evaluations are communicated to the applicant and to whom it may concern
The Board conducts its examinations and investigations regarding the applications
referred to itself to see whether ethical value principles are violated or not The Board has to
conclude the examinations and investigations to be conducted upon the whistle blowing or
complaint applications in three months at most Results of the examinations and
investigations are communicated to the relevant authorities and to the Prime Ministry in
writing (For further information please refer to the "Information and Communication" chapter)
Legislation on Civil Servants Ethical Behaviour Principles and Application Procedures
Civil servants are liable to observe ethical behaviour principles while fulfilling their duties and
sign the Ethical Contract document Authorised appraisal managers in administrations and
institutions assess the performance and employment records of personnel in terms of
compliance to ethical values
CE Figure 2 demonstrates ethical behaviour principles determined in the Legislation
CE Figure 2 Ethical Behaviour Principles
The ethical behaviour principles shown in the figure are: public service awareness in fulfilment of duties; service awareness for public; compliance with service standards; commitment to aims and mission; integrity and impartiality; esteem and trust; courtesy and respect; notification of authorised bodies; avoiding conflict of interest; not abusing duties and authorities to draw benefits; prohibition of giving presents and drawing benefits; utilisation of public properties and resources; being economic; binding explanations and unreal declarations; informing, transparency and participation; accountability requirement for managers; relations with the previous civil servants; granting declaration of property.
43 Main Ethical Behaviours that are Expected from Civil Servants
Observing all the time high ethical standards and working to increase public belief in
the state and civil servants for public benefit
Behaving in compliance with the ethical values and principles when fulfilling duties
obtaining and using public resources and purchasing goods and services from
outside
Showing respect for colleagues and users of services exhibiting impartial and fair
behaviours
Having a participatory decision-making process by taking the views of colleagues
and users of the services into consideration
Appreciation and announcement of good works colleagues do
Not abusing public authorities and resources for personal benefits and not favouring
relatives or friends in using public services
Being careful about the possible and real conflict of interests
Assuming responsibility for decisions and behaviours
Filling in the property declaration forms in time accurately and without any reserve
Not working in a second job that is prohibited by the Legislation other than his public
service
Not establishing private relationships with the persons and firms that are in connection
with the administration that civil servant works in
Warning other civil servants whose behaviours are not in compliance with the ethical
principles and notifying authorities in case that warning turns out fruitless
44 Ethical Behaviours That are Expected from Public Managers
While fulfilling their duties managers should
Inform all the civil servants of the overall aims main objectives and values of the
administration
Create a positive working environment where behaviour expectations are clearly
defined and violations are identified and corrected if any
Assume all the responsibility for the activities of administration
Take into consideration the merits current behaviours and developmental potential of
personnel while appointing for a position
Behave in a fair equal and impartial way towards all the personnel
Solve the problems and conflicts in a quick and fair manner
Be consistent reliable predictable fair and objective in decisions and behaviours
Set a personal example in terms of ethical principles and values
Maintain the highest standards possible to be followed in the field of efficiency and
effectiveness at work
45 Ethics Training
One of the most important prerequisites of establishing a culture in the administration that
is based on ethical values and principles is ethics training All the personnel of every level that
are employed in public administrations and institutions need to be informed of the ethical
behaviour principles and their responsibilities related to these principles
Administration and institution managers are liable to include ethical behaviour principles
in the basic preparatory and in-house training programs that are implemented for civil
servants
5 MISSION ORGANISATIONAL STRUCTURE AND DUTIES
Mission of an administration is the cause of existence of the administration and its
place within the state structure Organisational structure ensures that duties that are carried
out to attain the objectives and aims of the administration are controlled and monitored
Duties that are carried out by the administration are led by the mission and organisational
structure These factors in question which complete each other form an important basis for
the other components of internal control system
51 Mission
Public administrations set out their missions visions aims objectives and strategies in
strategic plans As Strategic Planning Guideline for Public Administrations states mission is the
cause of existence of an administration In this regard mission covers all the services and
activities an administration carries out In other words mission is the answer to such questions
as what the public administration does and how and for whom it does what it does Mission
should be sound realistic and participatory to lead the administration and should be
developed according to the changing conditions and needs It will also be proper to receive
opinions from personnel and stakeholders in forming and updating the mission
The following should be taken into consideration in mission declarations of administrations
The mission should be up-to-date precise and clear
The mission should be determined in line with the established aims of
administration not process of service provision
While determining the mission tasks and authorities granted to the
administration with legal regulations should be taken into consideration
In mission promotion people and entities that the administration provides
services for and the goods and services that the administration offers should
be stated
CE Box 3 Mission Example
"Carrying out research, training and publishing activities, developing and supporting
projects for strengthening and increasing the problem-solving capacity of families and for
identification and solution of the problems in cooperation with the institutions and
organisations in the light of scientific and ethical values"
(General Directorate of Family and Social Research 2007-2011 Strategic Plan)
For the mission which is very important for public administration to be achieved
personnel should be informed enough about the mission of administration they are affiliated
to Being informed about the mission and adopting it will guide the decisions and activities of
the administration and help the personnel understand their duties within the administration To
this effect firstly mission should be set down in writing and it should be announced to the
personnel and a system should be developed for the mission to be adopted by the
personnel On the other hand job descriptions of the sub-units should be determined in
writing in compliance with the mission and compliance with the mission should be regularly
reviewed
52 Organisational Structure
Organisational structure of the administration is another important factor which
influences the control environment Organisational structure is the provision of a framework
for the attainment of the aims and objectives of administration
In order to establish a proper control environment organisational structure should
Indicate the division of authorities and responsibilities within the organisation
Include accountability mechanisms and relevant reporting line which will ensure
the functionality of these mechanisms
Indicate the coordination and integration points
Organisational structures of administrations are generally determined by the
organisational laws that are prepared in compliance with the framework that is set in Law No
3046 and duties of administrative units (main services consultation/audit and support units)
are shaped in these organisational laws Duties of the sub-units of administrations on the
other hand are determined in administrative regulations such as circulars and regulations
not in the organisational laws
Furthermore organisational structures of public administrations which fall under the
scope of the local administration are determined by Law No 5393 on Municipalities Law No
5216 on Metropolitan Municipalities Law No 5302 on Special Provincial Administration and
Law No 5355 on Local Administration Unions
Mission of the administration is achieved by the activities carried out by the units of the
administration and their sub-units and the units of the local administration Within this
framework duties of both the units and sub units should be in compliance with the mission of
the administration
Relevant chances regarding the organisational structure units and sub-units of the
administration and duties that are carried out by these units and sub-units can be made by
amending organisational law or revising administrative regulations according to the
circumstances within the framework of the reviewing activities in question
5.3 Job Descriptions
As stated in the Public Internal Control Standards, a written definition of the duties to be carried out by the units and sub-units of administrations, and the formation of a task distribution chart covering the duties of the personnel in the administrative units together with their authorities and responsibilities, are important for the mission of the administration to be accomplished. Within this framework, the preparation stage of job descriptions is demonstrated below.
Public administrations can prepare their job descriptions by following the process given below.
CE Figure 3: Preparation Process of Job Descriptions
MAKING JOB ANALYSIS
Job analysis is a process in which information regarding the quality of every job carried out in the administration, the working environment in which the job will be carried out and the working conditions is collected, and the collected information is systematically examined and assessed. While making a job analysis, the following steps should be followed:
- Determination of the jobs to be analysed, taking into consideration the organisational structure of the administration.
- Determination of the objective.
- Formation of the team to make the analysis (it is essential that the team members making the analysis be selected from inside the administration; however, it is possible to receive counselling from outside when necessary).
KEY QUESTIONS IN JOB ANALYSIS
- What are the requirements of the job (in terms of knowledge, experience and competence)?
- How is the job done?
- When is the job done?
- Where is the job done?
- Why is the job done?
- What are the assistive tools for the job (equipment)?
- What kinds of outputs are obtained?
Job analysis does not have a value on its own. It is only valuable when it contributes to attaining the objectives of the administration. Therefore, the analysis should start by understanding the philosophy, mission and objectives of the administration and the role and importance of every unit within the administration, and should continue in this direction.
The findings gathered from the job analysis should be presented in a systematic and consistent way, and the job descriptions formed according to these findings should be submitted to the top management once their final draft has been completed.
At minimum, job descriptions should include the following:
- Unit & Sub-Unit
- Name of the job (name of the position)
- Title that the job has
- Level of competence (areas of responsibility, information, problem solving)
- Basic duties and responsibilities
- Authorities
- Required skills and abilities for the job
- Its relation with the other jobs
- Approval section and section regarding communiqué to personnel
The State Personnel Presidency has determined standard job descriptions for some titles (chief programmer, warehouse official, statistician, personnel titled as inspector in the municipalities, etc.). In this process, public administrations may receive guidance from the State Personnel Presidency.
ANNOUNCING JOB DESCRIPTIONS TO THE PERSONNEL
Job descriptions should be announced to the personnel so that they learn what they need to do, under which rules they work and what their objectives are.
UPDATING JOB DESCRIPTIONS
Job descriptions should be reviewed and updated annually.
5.3.1 Sensitive Duties
Some of the duties carried out in public administration are, because of their nature, more important than other duties in terms of the esteem of the administration, the risk of corruption, the disclosure of secret information, etc. Therefore, more importance is attached to the integrity of the personnel who carry out the duty in question.
It would be convenient to assess at least the following while deciding whether a duty is sensitive or not:
- Capacity to make important decisions that can impact the administration's objectives
- Its relations with third parties and administrations outside the administration which can impact decisions
- Regular access to confidential information
- Whether financial transactions of high value are involved
- Whether the duty requires a high level of special expertise
- Other criteria that can be introduced by administrations
According to the criteria in question, the administration should determine the sensitive duties, develop control mechanisms to mitigate the risks identified, and review the changes occurring in the level of risk.
The following table demonstrates the fields of activity which can be sensitive for administrations and gives examples regarding these fields.
CE Table 2: Examples of Sensitive Duties
Areas of Management | Examples of Sensitive Duties
Financial management | Accounting; Managing payments; Analysing the financial reports
Commitment process | Membership of the Tender Commission; Contracting process; Process of examining and accepting; Publishing tender documents
Human resources management | Definition of positions; Job description; Recruitment process; Assessment; Implementation of salary system
Information management systems | Access to the system and controls; Security of the systems and key documents; Developing the system
Support services | Controlling valuable stocks
5.3.2 Monitoring the Results of Duties
Administrations should continuously assess sensitive duties and decide what steps to take in accordance with changes in the level of the risks (such as renewing controls, identifying new sensitive duties, or re-evaluating the risk levels of sensitive duties taking cost-effectiveness into consideration).
Managers carry out the activities of administrations through written or spoken instructions. However, it may be difficult for the management to monitor the results of duties for such reasons as the structure of units, organisational complexity, scattered organisations, a high number of personnel and varied duties. Managers should develop methods such as introducing reporting mechanisms and holding regular meetings to overcome this difficulty.
6 COMPETENCE AND PERFORMANCE OF PERSONNEL
Good management of human resources aims to ensure the efficiency, effectiveness and productivity of personnel.
CE Box 4: Humans First
With the principle 'good people make good organisations', we can say that the quality of the employees of an administration is the quality of the outputs of that administration. First of all, it must be kept in mind that employees are humans, and a balance must be established between the needs of the administration and those of the employees. It is important for personal motivation that assignments be made in line with the merits and careers of employees at every stage from recruitment to retirement. The only capital an administration has which cannot be materially measured is human.
The basic aim is the selection of proper personnel for the fulfilment of the mission of the administration, appraisal of personnel, career planning for those who are successful, and ensuring that they have the basic skills and adequate knowledge with a high sense of responsibility and identity.
6.1 Transition to Human Resources Management from Personnel Management
As it assumes the responsibility for identifying policies, objectives and standards in human resources management (HRM), top management plays a significant role in HRM. Besides, top management should create a transparent and accountable environment complying with laws and legislation.
The expertise that human resources managers have in this area should lead the other unit managers to apply human resources standards at every level of the administration. Furthermore, HRM is a responsibility of all levels of management, starting from top management. In line with the policies in question, unit managers, while carrying out effectively the tasks given to them by senior managers, should also assume such duties as the orientation and training of new personnel, the improvement of their work performance, developing a proper work environment and relations in which they will work in cooperation, boosting the morale and motivation of personnel, safeguarding the health of personnel and improving their working conditions.
6.2 Activity Areas in Human Resources Management
The basic functions of HRM can be listed as follows:
- Conduct of job analyses
- Job descriptions
- Job requirements
- Labour force assessment
- Staff analysis
- Cost-benefit analysis
- Limitations of various legal regulations (Budget Law, Decree Law on General Cadre Procedure, etc.)
- Recruitment process
- SWOT analysis (of the recruitment process)
- Announcements in newspapers, on the internet and on the administration's billboards
- Developing easy application methods which meet the needs, are fair and do not lead to discrimination
- An open examination process which will give confidence
- Merit and career evaluation system
- Promotion/achievement criteria
- Personnel performance indicators
- Appraisal system
- Rewarding mechanisms
- Training activities
- Training needs questionnaire
- Training programmes (theoretical and practical)
- Trainings and internships abroad
- Post-training assessments
- Participation in activities such as conferences and workshops which support personal development
- Poor performance management and disciplinary practices
- Determining the data on which decisions about non-appropriateness for duty will be based, and announcing this to all the personnel
- Clearly determining the criteria to terminate duties and announcing these criteria to the personnel
7 DELEGATION OF AUTHORITY
Authority refers to the power of administrative bodies to make administrative decisions and to conduct administrative transactions.
Responsibility can be defined as the body of rules and sanctions to which those who assume roles in administrative activities are subject.
Delegation of authority is the transfer of the authority and responsibility to make decisions to another body within the framework of the applicable legislation. Delegation of authority does not remove the managerial responsibility of the delegator.
Rigid and traditional administrative structures, in which all authorities as well as transferring and execution functions are gathered in a single centre, are not preferred. In such administrations, the motivation of employees and lower-level managers to own the administration and to produce services in line with its objectives will decrease.
On the other hand, administrations in which managers delegate all their authorities to lower levels with insufficient capacity and do not monitor the results are not desirable either.
Delegation of authority forms a step in the transition from an authoritarian management understanding to a transparent and accountable one. In modern administrative structures, a proper control environment is created, employees are assigned responsibilities and authorities at the level of their duties, and employees together with lower-level managers are included in the decision-making mechanisms. In such administrations, working motivation will increase, and therefore effectiveness and efficiency indicators will go up with the attainment of the aims and objectives.
In relation to delegation of authority, the authorities to be delegated and their limits are defined by various laws and regulations. The main regulations in this regard are as follows:
- Law No. 3046 on Ministries
- Law No. 5442 on Provincial Administration
- Law No. 2547 on Higher Education
- Law No. 5393 on Municipalities
- Law No. 5018 on Public Financial Management and Control
- Organisational laws of administrations
7.1 Determination of Delegation of Authority
Delegation of authority should be carried out according to the hierarchical structure of the organisation. With a top-down approach, the authorities to be delegated from the Minister to the undersecretary (the authorities to be delegated to the Head of Administration), to his deputies and to heads of units, from head of unit to head of department, and from head of department to director of branch should be determined in writing and consulted with those concerned.
7.2 Delegation of Authority and Work Flow Process
The work flow processes of administrations should be determined, and the officials taking part in the processes and their authorities and responsibilities should be set out. These processes should be analysed, and who is to be assigned which authority in the processes should be determined.
What is expected in the delegation of authority is that the official to whom the authority is delegated is well informed of the process and has the quality and experience to manage it. Employees delegated authority are expected to report the current situation of the process to the delegator, and delegators are expected to seek this report.
7.3 Delegation of Authority and Responsibility
Responsibilities can be handled in three different categories:
Managerial responsibility
It refers to the responsibility to the senior level in hierarchical terms. It is also defined as performance responsibility. Delegation of authority does not remove the managerial responsibility of the delegator.
Financial (compensation) responsibility
It is the financial responsibility for public and/or personal loss caused by using the authority delegated. Financial responsibility arising from the use of this authority belongs to the user of the authority.
Legal (punitive) responsibility
Legal responsibility covers managerial and financial responsibility. Legal responsibilities are defined in the Constitution, organisational laws, the Turkish Penal Code and special legislation. All employees and political authorities working in the public administration must act with legal responsibility while carrying out their duties.
7.4 Factors of Delegation of Authority
Those authorities that can be delegated and those that cannot should be determined, with their limits, at senior management level and announced. The basic factors to be taken into consideration in delegation of authority are as follows:
- Delegation of authority must be in writing.
- Legally, there are authorities which cannot be delegated, and these are not at the administration's discretion (for example, the authority to give disciplinary punishment or the authority of administrative tutelage).
- The limits of the authority to be delegated must be set out.
- As long as the delegation of authority continues, the delegator will not be able to use that authority.
- The delegating or delegated official leaving the job terminates the delegated authority.
7.5 Delegation of Authority and Communication
Employees taking over the authority should periodically report the current situation of the process to the delegator, and the delegator should seek this report, which provides feedback to the Head of Administration regarding the process. This is an example of the monitoring function.
8 INTERNAL CONTROL AND RISK STEERING BOARD
8.1 Roles and Members of the Board
The Board has a consultative role which provides additional value for the activities of the administration in the development of methods and processes regarding the internal control system, such as monitoring internal control practices, preparing action plans and implementing the current plans.
The Board is formed by the approval of the Head of Administration for the commencement of studies on the internal control system within the framework of the Action Plan Manual on Harmonisation with Public Internal Control Standards. The Board consists of authorising officers (or their deputies) under the chairmanship of the deputy Head of Administration; when the deputy Head of Administration is not available, an authorising officer assigned by the Head of Administration takes over as chairman. All or some of the authorising officers are selected for the ICRSB, and how many to select should be determined with a view to efficiency, in line with the organisational structure. When deemed necessary, the Head of Administration can invite authorising officers who are not members of the Board to its meetings to get their opinions, provided that they are not included in the decision-making. Secretarial services of the Board are provided by the strategy development unit.
The Board convenes periodically. Experts from inside and outside the administration can be invited to the Board if deemed necessary in order to contribute to its aims and objectives. The Board is free, within the framework of the duties and responsibilities given to it, in determining the dates and content of meetings, and notifies the relevant persons of the arrangements in advance.
Decisions are made by majority vote. Each member, including the Chairman of the Board, has one vote. However, when the votes of both sides are equal, the majority is considered to be the side the chairman takes. Members who do not side with a decision state their justifications for not doing so in writing. The deputy senior manager and the authorising officers or the deputies they assign should each have a single equivalent vote in the meetings; the other representatives and experts whose opinions are received should not have a vote. The Head of Administration, on the other hand, should be able to participate in Board meetings without a vote and should encourage the participation of authorising officers in strengthening the internal control system. For meetings in which the Head of Administration does not participate, a briefing should be made through the reporting system.
Details about how the Board works should be specified in the relevant legislation.
The Board regularly monitors internal communication activities and processes, revises them when deemed necessary, and determines new communication methods to fit the changing organisational structure.
CE Figure 4: Information Flow in Internal Control and Risk Steering Board
[Figure: Deputy Head of Administration; Internal Control and Risk Steering Board; Strategy Development Unit; Authorising Officers of Spending Units (A), (B) and (C)]
8.2 The Board's Scope of Duty
The Board works to support the accountability of senior management in the fields of management, internal control and especially risk, and is authorised to carry out the following with the approval of the senior manager. Within this framework, its duties in the field of risk can be listed as follows:
- It prepares the Risk Strategy and Policy Document (RSPD) or reviews the available RSPD and submits it for the approval of the senior manager.
- It determines policies for the establishment of a risk management culture in the administration.
- It determines the risks of spending units to be managed in partnership and the related policies and procedures, and communicates them to the unit's risk coordinator for coordination purposes.
- It determines the risks to be managed in partnership with other administrations and communicates them to the relevant administrative risk coordinator to ensure that the necessary precautions are taken for management in partnership with the relevant administrations.
- The Board periodically assembles to assess whether the risk management process functions well and the level achieved regarding risks, and reports the level achieved to the senior manager.
The Board fulfils the following duties other than risk management:
- Assessing internal audit reports and providing guidance for the implementation of recommendations and ideas regarding the internal control environment and the other components, in line with the requirements of the administration
- Monitoring the activities of the administration carried out within the framework of its strategic plans and policies, by means of periodical meetings
- Making decisions on the dissemination of good practice examples both inside and outside the administration as a result of the monitoring activities carried out
RISK MANAGEMENT
1 Introduction
Administrations utilise the resources allocated to them in order to reach the objectives set out. The activities, processes and projects carried out to utilise these resources bring along risks. Risk management is a good tool for administrations to achieve the aims they set out in accordance with their missions and visions. Box RM1 describes risk.
RM Box 1: Definition of Risk
Risk is the uncertainty of events that may emerge in the future (if positive it is an opportunity, if negative it is a threat). For administrations, this means that their aims, and the objectives they set out to achieve these aims, can be affected positively or negatively by internal or external factors.
Risk management covers risk assessment, the determination of effective control activities, monitoring, and the continuous improvement of these processes. Risk management must be practised corporately for consistency purposes, which brings us to the concept of Corporate Risk Management. Corporate risk management covers the entire administration and ensures that risk management processes are considered and handled as a whole.
2 Risk Management Standards
Administrations, while implementing risk management, take into account the following standards.
RM Box 2: Risk Management Standards
[Figure: internal control components - Control Environment, Risk Management, Control Activities, Information & Communication, Monitoring]
Standard 5: Planning and Programming
The administrations shall establish and announce their activities, goals, objectives and indicators as well as the plans and programs, including the resources which are required for the realization of the above listed elements. They shall also ensure that the activities are in compliance with plans and programs.
Standard 6: Determination and assessment of risks
The administrations shall define and assess the internal and external risks that could prevent the achievement of goals and objectives by performing a systematic analysis, and determine the measures to be taken.
3 Benefits of Risk Management for Administrations
The following are the important benefits of properly applied risk management in corporate terms:
- Helps improve the performance of administrations and assists them in attaining their aims and objectives
- Helps provide continuity of the services the administration provides and improve the quality of the activities it carries out
- Ensures a cost-benefit balance between the risks identified and the controls applied, and therefore increases efficiency in resource allocation
- Helps control the impacts of potential losses and decrease the costs of such losses
- Ensures compliance with legislation and regulations
- Helps strengthen decision-making mechanisms by supporting evidence-based and risk-based decision making
- Enhances accountability by supporting the clear definition of tasks, roles and responsibilities within the administration
- Helps the administration have a more positive image in the eyes of public opinion
4 Critical Achievement Factors for an Effective Risk Management
For administrations to obtain the expected benefits from risk management, the following are required:
- Ownership of the risk management process and determination of a risk strategy encouraging its implementation in accordance with the mission and vision
- Establishment of the necessary mechanisms to have a single risk management language
- Provision of sufficient information, guidance and advice regarding risk management
- Simplicity, flexibility and practicality of risk management processes, and integrated planning and implementation with the other basic processes (strategic planning, performance management, human resources management, etc.)
- Supporting the assessments regarding risks with reliable evidence at all times
- Systematic monitoring, reporting and evaluation of risk management processes
- Increasing awareness within the administration that everyone has an important role to play in risk management and that risk management should be fulfilled as an integral part of existing processes
- Having an organisational communication strategy and proper, functional communication channels inside and outside the administration
5 Risk Strategy and Policy Paper
The risk strategy is the organisational approach defined for risk management together with the top-level policies, whereas the Risk Strategy and Policy Paper (RSPP) is the document in which this approach and these policies are set down in writing. The risk strategy sets out the administration's attitude towards risks and forms a framework for the risk management process. The RSPP of an administration is prepared by the Internal Control and Risk Steering Board (ICRSB) for the endorsement of the head of administration and should be available to and known by all staff.
The organisational risk strategy should clearly set out the structures regarding the management and ownership of risks, how to address risks at strategic level and at programme and activity levels, the structures regarding communication, monitoring, assessment and obtaining assurance, the criteria for key risks, the risk register format and the risk measurement criteria. Attention must be paid that the risk policies of the organisation comply with national-level policy papers.
The risk strategy must be set out to reflect the risk appetite of the administration at strategic level. As risk appetite can change over time based on various conditions (for example, risk appetite may be low in periods of financial crisis), the risk strategy of the administration should be reviewed at least once a year and updated when deemed necessary. Box RM3 gives a basic explanation of risk appetite.
RM Box 3: Risk Appetite
Risk appetite is the amount of risk an administration is ready to take (tolerate/be exposed to) at any time in accordance with its mission, vision and objectives. Risk appetite should be taken into consideration while preparing strategic plans.
Risk appetite is affected by the internal and external environment, people, business systems and policies. Within this framework, risk appetite should be set out with top-down guidance.
It is possible for the administration to set different appetite levels as long as it does not exceed its overall risk appetite limits.
Both taking too many risks and taking too few risks may lead to failure. Although a low risk appetite is considered to be a reliable management method, it may constrain the administration in terms of creativity, innovation and taking advantage of opportunities.
Another prerequisite in risk management is the existence of a common risk language. While producing this common language, what is needed is a joint terminology and mechanisms to disseminate it. Otherwise, it is not possible to build a strong common understanding to manage risks.
Corporate risk management requires a contribution from all employees. Ownership of the risk management process by the staff (identifying, addressing, responding to, reviewing and monitoring the risks) and considering it as a part of their jobs can increase the effectiveness of corporate risk management.
In order for risk management to contribute to the achievement of objectives, to improve management quality and also to reduce costs, it should be embedded in the activities. Embedding risk management in the processes means that activities are carried out as a whole, including risk management.
Box RM4 gives details of the content of the Risk Strategy and Policy Paper.
RM Box 4: Risk Strategy and Policy Paper
The RSPP should include at least the following:
- Aim of risk management
- Risk appetite
- Compliance with the legislation and binding policy papers
- Risk methodology to be adopted
- How to determine key risks (criteria)
- Organisational structure and duties
- Roles and contributions of the employees
- Communication plan
6 TASKS, AUTHORITIES AND RESPONSIBILITIES
Good risk management is only possible if the administration is well organised. Clear definition of tasks, roles and responsibilities, awareness of staff of what is expected of them within the framework of the policies and practices of the administration, and the existence of horizontal and vertical communication mechanisms and of mechanisms for communication outside the administration are the requirements for a good control environment. The assignment of tasks, roles and responsibilities to appropriate, competent and authorised people in risk management will provide a strong infrastructure for risk management in the administration.
While it is necessary to define roles and responsibilities, all staff are responsible for risk management. Figure RM1 explains the structure of roles and responsibilities in risk management.
RM Figure 1: Tasks and Responsibilities in Risk Management
6.1 Head of Administration
This person is defined within the framework of Law No. 5018 on Public Financial Management and Control and is authorised and responsible for risk management at the highest level.
Regarding risk management, the Head of Administration:
- Ensures the establishment of the strategy regarding the management of risks in accordance with the aims and objectives of his administration at the outset of each year, approves the Risk Strategy and Policy Paper (RSPP) which demonstrates how the strategy will be implemented, and notifies all staff of this in writing
- In the RSPP, clearly defines all the tasks, roles and responsibilities and the necessary structures (for example the ICRSB) within the scope of this manual for risk management
- Provides the Administrative Risk Coordinator (ARC) with the necessary support regarding the risks to be jointly managed with other administrations
- Ensures that proper mechanisms are established to provide for the necessary sensitivity and participation regarding the management of risks for the public opinion and the stakeholders
- Sets out the strategic actions for the future in accordance with the considerations and recommendations of the ICRSB and the ARC
- Receives assurance on risk management from the ICRSB and presents an assurance declaration to the Minister on whether the risks are managed effectively
- Encourages the consistency of risk management processes
- Reviews monitoring reports and encourages the effectiveness of risk management
- Sets an example through his behaviour, particularly in strategic risk management
- Encourages the employees to identify risks
- Should show leadership in risk management
6.2 Internal Control and Risk Steering Board (ICRSB)
The Board develops policies for the improvement of risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the units of the policies and procedures. On the advice of the ARC, the ICRSB determines a particular number of risks which it deems significant as the key risks among the risks submitted to it, and reports whether these key risks are managed well or not to the Head of Administration at regular intervals or whenever it deems necessary.
Secretarial services of the Board are carried out by the Administrative Risk Coordinator (Head of the SDU). Whenever necessary, people with the relevant expertise from within or outside the administration can be invited to the meetings. The ICRSB has the authority to enforce the elements it determines regarding the following duties with the approval of the Head of Administration.
Regarding risk management, the ICRSB carries out the following:
- Preparing the Risk Strategy and Policy Paper (RSPP) of the administration, or annually reviewing the already available RSPP, and submitting it to the Head of Administration for approval
- Defining policies for the establishment of a risk management culture
- Ensuring that risks are consistently managed in the administration
- Determining the critically strategic risks of the administration
- Determining the risks of spending units which require joint management and the related procedures and policies, and submitting them to the URC for coordination purposes
- Setting out the risks that require joint management with other administrations and ensuring that the necessary measures are taken for joint management by notifying the ARC
- Meeting at least quarterly in order to consider whether the risk management processes in the administration work effectively, assessing the current status of risks and reporting it to the Head of Administration
- Ensuring that good practice cases are determined and disseminated more widely
6.3 Administrative Risk Coordinator
It is advisable that the Head of the SDU takes the role of Administrative Risk
Coordinator. The ARC is a member of the ICRSB and is responsible to the Head of Administration
for the consistency of the risk management processes of the administration and their compliance
with the standards.
Regarding risk management, the ARC:
Is responsible for the efficient operation and coordination of all risk processes in all units
Calls the relevant Unit Risk Coordinators (URCs) to a meeting at least once every three months
Prepares the Consolidated Risk Report (using the report form in this manual) on the basis
of the reports submitted by the URCs and submits this Consolidated Risk Report to the top
management and the ICRSB on a quarterly basis. The report should include the ARC's
personal considerations on the key risks
Carries out the secretarial services of the ICRSB and such tasks as setting out meeting agendas for
the Board, keeping minutes of meetings and submitting decisions of the Board to the Head of
Administration for approval
Discusses the issues in common risk fields with the ARCs of other administrations and
coordinates these within the administration
Provides technical support to the units on the risk management of the administration
Identifies the needs of units regarding risk management and reports them to the ICRSB
and the Head of Administration before each meeting
Sends feedback to the URCs regarding the opinions, advice and decisions of the ICRSB and takes
the necessary precautions for the consistency of the risk management processes of the
administration
6.4 Unit Risk Coordinator
The Unit Risk Coordinator (URC) is the authorising officer or the person who is determined
by the authorising officer. Regarding risk management, the URC:
Coordinates the identification of the unit's risks that may have an impact on the
objectives of the administration and provides relevant guidance at the beginning of the
year. The URC associates the risks that are determined with the activities of the sub-units, using
their knowledge and expertise, and pays attention to ensure that all important issues are
addressed. Important risks included in the risk register are submitted to the ARC to be
presented to the ICRSB for consideration
Reviews the risk registers and relevant reports that are prepared at the intervals (such
as monthly, quarterly or semi-annually) set by the administration and reports them
to the ARC
Monitors the risks managed and reported by the Sub-Unit Risk Coordinators (SURCs) at unit
level. Evaluates the changes to the risks, or newly arising risks if any, and reports them to the
ARC upon approval from the unit director
Submits an assurance declaration to the ICRSB on whether the risks are managed
effectively
Provides feedback to the SURCs regarding the opinions, advice and decisions of the ARC and ICRSB
Determines training needs regarding risk management
6.5 Sub-Unit Risk Coordinator
The SURC is responsible for the coordination of risk management activities within the
sub-units of the units in administrations (if such units exist, or if it is seen to be appropriate to manage
the risks at this level) and is the person determined by the authorising officer. He/she is
directly accountable to the URC regarding risk management. Sub-unit risk coordinators must be
selected from among those who have sufficient competence and experience.
Regarding risk management, the SURC:
Coordinates the conduct of the tasks of identifying, assessing, addressing, reviewing and
reporting the sub-unit's risks that are associated with the objectives of the
administration
Reports, in line with the risk strategy of the administration, the recently identified risks that are
related to the activities of the sub-unit, those risks with changing scores and the
effectiveness of the controls carried out to decrease these risks to the Unit Risk Coordinator
(URC) at the intervals determined by the URC
Is accountable to the URC and furthermore responsible for providing the Administrative
Risk Coordinator (ARC) with requested information and documents
6.6 Employees
The most important factor for risk management to be successful is the ownership of risk
management by employees. Therefore every employee is responsible for managing the risks in
their field of duty (identifying, assessing, responding to, reviewing and reporting risks).
Regarding risk management, employees:
Contribute to the risk management processes in their respective units by defining,
communicating and responding to the expected, emerging and changing risks
Manage the risks within their own fields of responsibility through the power and
responsibility assigned to them by the administration
Provide evidence to the SURC/URC regarding the effectiveness of the management of
risks in their respective fields
Employees should not hesitate to identify risks and submit them to the relevant risk
coordinator. It is important to bear in mind that just one loose screw could cause a plane
crash.
6.7 Internal Auditor
The Internal Auditor provides the Head of Administration with advice regarding risk
management by evaluating whether the risk management process is effective and
whether risks are managed in the right way. Internal Audit can also provide advice on whether
any key risks have been overlooked or inappropriately controlled.
6.8 Strategy Development Unit
The Strategy Development Unit (SDU) is responsible for providing training, identifying
training needs and facilitating the delivery of the necessary training. It is also responsible for
identifying best practice in risk management, encouraging such practice to be shared and
providing guidance where necessary.
6.9 Central Harmonisation Unit
The Central Harmonisation Unit (CHU) carries out such activities as making regulations
on internal control, including risk management, and activities for the development of risk
management. The CHU also provides guidance, ensures harmonisation and inter-administrational
coordination, and reports on the effectiveness of risk management.
7 RISK MANAGEMENT PROCESS
Basically, the risk management process should start simultaneously¹ with the strategic planning
studies. In cases where strategic plans have to be renewed or amended, studies concerning
risks should be carried out with the current amendments in mind. Within the framework of the risks
identified in light of the strategic objectives, the attitude of an administration towards risk
management is set out in the Risk Strategy and Policy Paper, with information on risk
appetite included. Within this framework, administrations identify risks at strategic level,
programme/project level and operational (activity) level. In identifying risks, an administration
can start with the strategic level (top-down) or the activity level (bottom-up), or it can start the risk
management process by implementing both methods together.
Figure RM2 shows the Risk Management process.
¹ If strategic plans are already prepared, the risk management process should then begin as soon as possible.
RM Figure 2 Risk Management process (figure: the Risk Management strategy feeds the Risk Management Process, a cycle of identification of risks, assessment of risks, responding to risks, and monitoring and reviewing risks)
The administration should manage the risks at strategic, programme and operational level, as
shown in figure RM3.
RM Figure 3 Hierarchy of Risk
Administration level: This is the area which covers the whole administration, where decisions
related to strategic objectives are made and for which the senior management of the administration
is responsible. Strategic objectives are medium and long term objectives and are associated
with senior level policy documents. Therefore, while making decisions for the future, decision-makers
(top management) have to take into consideration a lot of uncertainties. This is the
area where risks have the highest impact. Besides, this is the area which is affected most by
external risks such as governmental policies, the general economy and technological
developments. This area assumes specific importance as those risks which are not managed
well at strategic level affect the other levels as well.
Unit level: This refers to the units where the policies of senior management are implemented and
which are responsible at the highest level for the usage of public resources within the
administration. The impacts of such risks last for a shorter period of time compared to those of the
strategic risks. This is the area where units should identify their objectives and manage the related
risks in order for the administration to achieve its strategic objectives. This is the area which is affected
by risks both from inside and outside the administration. For risks from upper and lower levels
to be assessed and coordinated, it is vital that this level be managed well. Besides, there
should be strong communication in this area.
Sub-Unit level: In this area there are only those works which are carried out at operational
level with a view to achieving the unit's objectives. The daily activities of all employees fall within the
scope of this area. This is the area where short-term decisions are made, products and
services are produced, and fewer uncertainties are experienced. This area is affected more
by internal risks than by external risks. Risks not being managed well at this level may affect the
achievement of strategic objectives.
7.1 Identifying Risks
The risk identification process, which is the first stage of risk management, is the process of
identifying, categorising and updating the risks that prevent or limit the achievement of the
administration's strategic objectives, using previously defined methods. The following box
suggests some questions to be considered when starting to identify risks.
RM Box 5 Questions to be considered when starting to identify risks
What are the main objectives?
What are the key activities?
Who are the stakeholders?
The following should be considered while identifying risks:
As a generally accepted rule, strategic risks that can affect the administration are
determined at the stage of strategic plan preparation, and the risks identified are included
in the strategic plan.
Risks should also be identified at programme and operational level. Programme and
operational risks should include all the strategic risks. However, when identifying the
programme and operational risks we should not limit our scope to strategic risks but
have a wider spectrum.
When identifying risks, the administration can choose a top-down or a bottom-up
method, preferably used at the same time.
Risks identified should be associated with the objectives of the administration. It must be
taken into consideration that some risks can indirectly affect the objectives, such as
those which damage the reputation of the administration.
Risks should be identified systematically with previously determined methods. These
methods can vary according to the characteristics of administrations and their activities.
In this process an administration can either use one or more of the methods defined below
or develop a new method in line with its own needs.
Risks identified should be expressed as 'x' risk or risk that 'x may emerge'. It will be
convenient to register them this way in the risk register (see Annex 3 for the risk register
form).
Assess whether the risks identified are internal or external risks:
o Internal risks are the risks stemming from events directly controlled by the
administration itself. Internal risks can be grouped into three: strategic risks,
programme risks and activity risks.
o External risks, on the other hand, are the uncertainties arising from
events that are out of the control of the administration and which hamper or
prevent the achievement of objectives. While identifying external risks it will
be useful to classify them by their subjects (generally PESTLE analysis is used;
see Box RM7).
After risks are identified, their owner, or the person to be responsible for them, must
be defined and this information must be included in the risk register.
Since risk identification is a dynamic process, emerging risks should be identified and
changes to the existing risks should be consistently followed up.
RM Box 6 Factors and methods to be taken into consideration during the process of
identifying risks
How do I identify risks?
Firstly, decide how to identify the risks, namely at strategic
level, operational level or both
Identify and categorise the risks (social, cultural, political,
scientific etc.), taking into consideration the threats,
opportunities and the scope
Decide on the required human resources, tools and methods
Mostly the following methods are used to identify risks.
However, administrations can determine different methods
other than these in light of their needs:
o PESTLE analysis (see Box RM7)
o SWOT analysis (see Box RM7)
o Brainstorming (this method can be used both for
identification and assessment; see Annex 1)
Group risks as internal and external ones
Make a stakeholder analysis (identify the risk tolerance,
position and attitude of the stakeholders)
Repeat the identification regularly and in periods of change
The following box explains the PESTLE and SWOT analysis.
RM Box 7 PESTLE and SWOT analysis
PESTLE Analysis: PESTLE analysis is the identification of risks by making assessments based on the
following categories:
Political
Economic
Social
Technological
Legal
Environmental
Example:
o Political: change of governmental priorities
o Economic: inflation rate going above the expected levels
o Social: population growth rate going much above the
expected levels
o Technological: information processing infrastructure not being set up
o Legal: cases in court turning against
the administration
o Environmental: an earthquake strike
SWOT Analysis (In-house analysis)
Strengths
Weaknesses
Opportunities
Threats
Example:
Strengths: Specialised personnel
Weaknesses: Old technology
Opportunities: Economic growth
Threats: Sudden policy change
For detailed information refer to the Strategic Planning Guideline for Public Administrations, SPO, June
2009.
The following two boxes give some tips for the process of risk identification and some questions to
ask.
RM Box 8 Tips for Risk Identification
What are the tips?
Whether there is available information regarding the risks, and how
accurate it is if any, should be taken into consideration
A working group including different fields of expertise would
increase the likelihood of identifying new risks
Using the brainstorming method yields effective results (see Annex 1)
Having open communication lines and acting farsightedly are the
key points
RM Box 9 Questions to ask in the process of risk identification
What could go wrong in the achievement of
objectives?
What are the critical achievement factors?
Who are our stakeholders and what can their
negative or positive impacts be on our activities?
What are our risk categories? Tables, diagrams etc.
What are our weaknesses?
Which assets assume more critical importance?
What areas are open to irregularities and fraud?
Which events or situations can hamper our
activities?
What are our most critical sources of information?
In which areas do we spend most?
Which activities or processes are more
complicated?
In which areas are we subject to penal sanctions?
What are the legal requirements?
What are the resource limitations?
7.2 Risk Assessment
Risk assessment refers to analysing the factors that may have an impact on the
achievement of the administration's objectives and evaluating the seriousness of the risk in terms
of impact and probability. While assessing risks, in addition to the potential events the
administration can face, aspects which are specific to the administration (for example the size of
the administration, the complexity of its activities, the legislation it is subject to in relation to its activities,
its political priorities and the public interest) should be considered.
After risks are identified comes the stage where the risks are measured and prioritised.
Prioritisation is listing the risks in accordance with their priority, in line with the scores they
are given. Risk assessment helps decide whether to respond to the identified risks and, if so, to select
the best response with regard to the cost/benefit balance.
The following box gives some questions to be considered before starting the risk
assessment process.
RM Box 10 Questions to be considered before starting the risk assessment process
What are the objectives?
What are the present controls?
What are the possible results if the risk occurs?
Do the activities of some other administrations/units affect my
risk?
Who are the stakeholders and what is their level of
experience and expertise?
Three important principles in risk assessment are:
1 Identifying the impact and probability of each risk. In assessment, probability and impact
are analysed. Probability refers to the chance of an event occurring in a particular period.
Impact, on the other hand, is the outcome or the effect produced.
Three categories are used while assessing risks: low risk level (shown in green), medium
risk level (shown in yellow) and high risk level (shown in red). These colours, as in
traffic lights, facilitate understanding the degree of importance of the risks. These are
shown in the following diagram.
The probability and impact of the risks can also be shown using numbers. In the following
diagram, point 1 indicates that there is almost no probability for that risk to occur, while
point 10 means that it is almost certain that it is going to occur. In terms of impact,
point 1 is used where the outcome of the realisation of a risk has little importance,
whereas point 10 means that this outcome is highly important. Risks are scored
between 1 and 10 for their probability and impact (see Annex 5). In assessing the impacts
and probabilities of risks, one of the methods that can be used is the voting method (see Annex
2).
Risk maps are used to see the severity of the risks better. A basic
representation of risks on the risk map is given in the following diagram.
RM Figure 3 Risk map
2 Assessing the risks on the basis of inherent risks and residual risks
Inherent risk refers to the amount of risk before it is managed or any action is taken.
These inherent risks are transferred to the risk register (see Annex 3 for the Risk Register
form) after assessing their probability and impact. In assessment, as has been
suggested above, the probability and the impact of the risk are scored between 1 and
10. Multiplying the scores of probability and impact gives the risk score.
The administration at this stage must decide on the risk appetite. It must also be set
out which risks, placed between which numbers, are low, medium or high risks, in
accordance with the designated risk strategy of the administration, and the risk map
of the administration must be produced in this framework (see Box RM3 Risk Map).
After the risk score has been set, risks are prioritised starting from the one with the highest
score. The responses to be given to the risks are determined. Controls are identified and
applied considering the methods of responding to risks.
The management must identify the level of the remaining risk after the control
activities it carries out to manage the risk. Residual risk refers to the remaining risk after
an action has been taken to mitigate the probability and impact of a risk. If the level
of the residual risk is still higher than the risk appetite, the efficiency and adequacy
of the present control activities must be questioned and, if deemed necessary, the
responses to be given to the risks must be reviewed. The following box gives an
example of inherent and residual risk.
RM Box 11 Example of inherent and residual risk
Activity: using a car
Inherent risk: having an accident because you are inexperienced
Control action: getting a licence, taking driving courses
Residual risk: another inexperienced driver crashing into your car
3 Recording the risks
Recording the risks contributes to the prioritisation of the risks and therefore to the
efficiency of the allocation of resources and to the production of evidence for the decisions
taken; it helps people to understand their responsibility within risk management, facilitates
the acquisition and communication of information to the right people at the right time
via the reporting mechanism, and enables the reviewing and monitoring processes of the
risk.
Risk records are reported in two stages: the Risk Register (see Annex 3), used in the
identification and registry of risks, and the Consolidated Risk Report (see Annex 4), used for the
reporting of risks to the senior managers (see Annex 7 for an example of a completed Risk
Register).
The following box gives some tips for the risk assessment process.
RM Box 12 Tips for risk assessment
Measure the impacts and probabilities of the risks identified for a
particular period of time
While determining the impact score, assess the impact the risk will have
on the objective that is foreseen to be hampered
Utilise proper methods in the assessment
Bear in mind that the risk assessment of a job can best be made by the
person who does this job
Note that the activities of other administrations/units can have impacts on
your risks, and risks are not independent of each other
Utilise tables such as risk maps to be able to see all the risks together
Prioritise risks in line with the risk scores (Impact x Probability)
RM Box 13 Example of the Risk Assessment process
You are going to deliver training on your subject of expertise.
Your objective: the audience understands the subject you explain.
You identify your risks:
Risk 1: As you arrive late, you may not have sufficient time to deliver the training.
Risk 2: You may deliver your presentation using an inappropriate approach, as you do not know who
the audience is.
Risk 3: You may have difficulty in supporting what you explain, as you don't have the soft copy of the
presentation.
Let's see the likelihood of Risks 1, 2 and 3 and how they would affect your objective if they occur.
Risk 1
Likelihood: The traffic would be bad at that hour. In addition, you have a lot of other things to do that day.
Likelihood: 7
Impact: You can arrive late, but you know the subject very well. Even if you deliver it in a very short time, it still
would be understandable for the audience. The impact of arriving late on your objective is 3.
Risk Score: 7x3 = 21
Risk 2
Likelihood: In the letter you have been told what the subject is but not who the audience is, and you don't have
the chance to ring someone and learn. Likelihood: 5
Impact: If you are to deliver the training to experts who already know the issue, you go into details, but if
your audience is made up of people who don't know anything about it, you only draw the general framework.
If you cannot learn who the audience is and you deliver the training in detail while the audience is unaware of
the subject, they would not understand; or if you give little information to people who already know about
it, they would not learn anything new. The impact of using the wrong approach in the delivery is 9.
Risk Score: 5x9 = 45
Risk 3
Likelihood: You generally carry your computer around. You also have the habit of carrying your pen drive in your
bag after saving your work on it. Likelihood: 2
Impact: Even if you don't project the presentation on the screen, you know the subject very well. You could
still effectively deliver it to the audience. The impact of not having the soft copy with you on your objective: 3
Risk Score: 2x3 = 6
As shown in the risk map (rows: impact score, columns: likelihood score, cells: risk score = impact x likelihood):
Impact 10 |  10  20  30  40  50  60  70  80  90 100
Impact  9 |   9  18  27  36  45  54  63  72  81  90
Impact  8 |   8  16  24  32  40  48  56  64  72  80
Impact  7 |   7  14  21  28  35  42  49  56  63  70
Impact  6 |   6  12  18  24  30  36  42  48  54  60
Impact  5 |   5  10  15  20  25  30  35  40  45  50
Impact  4 |   4   8  12  16  20  24  28  32  36  40
Impact  3 |   3   6   9  12  15  18  21  24  27  30
Impact  2 |   2   4   6   8  10  12  14  16  18  20
Impact  1 |   1   2   3   4   5   6   7   8   9  10
          +----------------------------------------
Likelihood    1   2   3   4   5   6   7   8   9  10
Prioritisation:
1 Risk 2 (Risk Score 45)
2 Risk 1 (Risk Score 21)
3 Risk 3 (Risk Score 6)
(Note that risks are not always assessed according to the scores. Some strategic risks should be taken into
consideration even if they have a low score. Emergency precautions/plans should be available. You may not
always foresee what will happen. Your plans should be flexible, so that you will be able to handle the
situation when something unexpected emerges.)
7.3 Responding to Risks
Responding to risks refers to setting out the responses to the risks identified and assessed, within
the risk appetite of the public administration, and mitigating the potential threats or taking
the arising opportunities. Before deciding on the method to respond to risks, a cost/benefit
analysis must essentially be carried out. The objective desired to be reached by responding
to risks is to mitigate the likelihood of the risk and its impact and to achieve the foreseen
objective in the most efficient manner.
Box RM 14 Questions to consider in responding to risks
What is the level of risk?
What happens if no response is given to the risk?
Which risks must be controlled?
Which risks can be transferred?
What are the consequences of resorting to risk aversion as a public
administration?
Is the opportunity good enough to take the risk?
The following figure shows, within the framework of the risk appetite, how inherent risk turns into
residual risk as a result of responses (controls, actions) (also see Box RM3 Risk Appetite).
RM Figure 4 Risk Indication Table
(OGC's Risk Dashboard from HM Treasury's publication named Thinking about Risk)
Figure RM4 demonstrates the following:
Columns 1 and 5: Control activities successfully decrease the inherent risk so that the
remaining risk, called the "residual risk", is reduced to the same level as the risk appetite.
Such points, where the risk appetite and residual risk of an administration overlap, are
ideal situations in terms of risk management (cost-effectiveness).
Columns 2, 3 and 4: Control activities decreased the risk. However, the residual risk is still
higher than the risk appetite (tolerable level). This shows that the effectiveness and
adequacy of the controls implemented should be questioned and more control
activities should be implemented.
In column 6, as the inherent risk is equal to the risk appetite, the risk is tolerable. However,
these risks should be monitored just as the other risks, because of the possibility of
change.
In column 7, on the other hand, control activities decreased the residual risk below the risk
appetite. This shows that more controls than necessary are implemented and
resources are not used efficiently. In these over-control cases, control activities should
be decreased to a level at which the residual risk is equal to the risk appetite.
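The scoring and prioritisation of Box RM 13 and the residual-versus-appetite reading of Figure RM4 above, as an added worked example in Python that is not part of the manual: the 1 to 10 scales and risk score = probability x impact follow the manual, while the green/yellow/red band thresholds, the risk appetite of 20 and the residual scores after controls are assumptions chosen for illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# The band thresholds are an ASSUMPTION for this example: the manual leaves the
# low/medium/high bands to each administration's Risk Strategy and Policy Paper.
LOW_MAX = 20       # score 1..20  -> low (green)
MEDIUM_MAX = 50    # score 21..50 -> medium (yellow); 51..100 -> high (red)


@dataclass
class Risk:
    name: str
    likelihood: int                             # 1 = almost no chance .. 10 = almost certain
    impact: int                                 # 1 = little importance .. 10 = highly important
    residual_likelihood: Optional[int] = None   # rescored after controls; None if not yet treated
    residual_impact: Optional[int] = None


def score(likelihood: int, impact: int) -> int:
    """Risk score = probability x impact, each scored between 1 and 10 (Annex 5)."""
    if not (1 <= likelihood <= 10 and 1 <= impact <= 10):
        raise ValueError("likelihood and impact must each be scored between 1 and 10")
    return likelihood * impact


def level(risk_score: int) -> str:
    """Map a score to its traffic-light band using the assumed thresholds above."""
    if risk_score <= LOW_MAX:
        return "low"
    if risk_score <= MEDIUM_MAX:
        return "medium"
    return "high"


def inherent_score(risk: Risk) -> int:
    """Inherent risk: the score before any control action is taken."""
    return score(risk.likelihood, risk.impact)


def residual_score(risk: Risk) -> int:
    """Residual risk: the score left after controls; equals the inherent score if untreated."""
    if risk.residual_likelihood is None or risk.residual_impact is None:
        return inherent_score(risk)
    residual = score(risk.residual_likelihood, risk.residual_impact)
    if residual > inherent_score(risk):
        raise ValueError(f"{risk.name}: residual risk cannot exceed inherent risk")
    return residual


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Order the register from the highest inherent score down (stable sort keeps ties in register order)."""
    return sorted(risks, key=inherent_score, reverse=True)


def control_verdict(risk: Risk, appetite: int) -> str:
    """Read a risk the way the columns of the risk indication table (Figure RM4) are read."""
    inherent, residual = inherent_score(risk), residual_score(risk)
    if inherent <= appetite:
        return "tolerable"          # column 6: inherent already within appetite; keep monitoring
    if residual > appetite:
        return "under-controlled"   # columns 2-4: question the controls, add control activities
    if residual == appetite:
        return "at appetite"        # columns 1 and 5: residual reduced to the appetite level
    return "over-controlled"        # column 7: resources spent beyond need; scale controls back


def register_report(risks: List[Risk], appetite: int) -> List[dict]:
    """One row per risk in priority order: the columns a Consolidated Risk Report would carry."""
    return [
        {
            "name": r.name,
            "inherent": inherent_score(r),
            "level": level(inherent_score(r)),
            "residual": residual_score(r),
            "verdict": control_verdict(r, appetite),
        }
        for r in prioritise(risks)
    ]


# Constructed register: the three training-delivery risks scored in Box RM 13.
TRAINING_RISKS = [
    Risk("Risk 1: arriving late", likelihood=7, impact=3),
    Risk("Risk 2: wrong approach for an unknown audience", likelihood=5, impact=9),
    Risk("Risk 3: no soft copy of the presentation", likelihood=2, impact=3),
]

if __name__ == "__main__":
    # Assumed residual scores after controls (leaving early; phoning the host about the
    # audience) and an assumed appetite of 20, purely to show the verdicts side by side.
    treated = [
        replace(TRAINING_RISKS[0], residual_likelihood=3, residual_impact=3),
        replace(TRAINING_RISKS[1], residual_likelihood=5, residual_impact=4),
        TRAINING_RISKS[2],
    ]
    for row in register_report(treated, appetite=20):
        print(row)
```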
There are four methods of responding to risk and these are shown in the following diagram,
Figure RM5.
RM Figure 5 Methods of responding to risk (figure: Tolerating, Treating, Transferring, Avoiding)
Tolerating: This is a passive method of response given to risks which public administrations are
comfortable to undertake. In the following cases risks can be accepted:
If the inherent risk is within the limits of the risk appetite, then it is accepted.
When it is understood that the cost of the actions to be taken (controlling, transferring or
avoiding) for an intolerable risk would exceed the potential impact of the risk, then the risk
is accepted.
Some risks are out of the control of the management. Certain risks do not disappear
unless the activity is terminated, whereas terminating an activity is not always possible or
desirable.
Treating: This is a method of response given to a risk by means of control activities carried out
with a view to keeping risks at a tolerable level (risk appetite) in public administrations.
This method can be applied using the following five controls:
Preventive Controls
Corrective Controls
Directive Controls
Detective Controls
Emergency Plans
For detailed information refer to the Control Activities chapter
Transferring: This is the response given to risks by taking some of them away from the
responsibility of the administration and transferring them to others. (Even if the risks are
transferred, the responsibility cannot be transferred, and they need to be managed under
the control of the administration, because it is the administration that will be affected when
the risks are realised.)
Risk transfer is carried out using the following methods:
Completely or partly transferring the activity to another administration
Transferring its operation to third parties using a procurement method
Transferring it by means of insurance (when appropriate)
Avoiding: If the risk we have to take is too big to manage and there are alternatives to the activity
performed, it is possible to terminate this activity. For example, deciding not to build a factory
which is expected to cause too much air pollution, or deciding not to purchase the computers
that were planned to be purchased because of a budgetary cut.
The following box summarises the process of responding to risk.
Box RM 15 Process of responding to risk
List the threats and opportunities according to the analysis results
Define your attitude considering the content of the risk:
Tolerate
Control
Transfer
Avoid
Ensure that the benefit that the response will provide is higher than the cost it will bring
While managing risks, the opportunities they bring along should also be taken into consideration.
Alongside negative impacts, risks can also lead to opportunities. In order to be able to take these
opportunities, which would make an additional contribution to the achievement of the administration's
objectives, the administration must have designated strategies. Taking the opportunity is not an
alternative method of responding to risks; rather it is a method to be applied additionally.
Opportunities are taken in the following cases:
When the cases of taking the opportunity and reducing the threats coexist. For example,
carrying out health and scientific research to find a cure for a disease (the disease threat will
decrease and at the same time there will emerge the opportunity that costs will decrease,
with fewer people going to hospital).
When opportunities emerge before the negative event occurs. For example, using a new
technology to be able to work better, or reaching a greater number of people via e-state.
The following box gives some tips for use when responding to risk.
RM Box 16 Tips for responding to risk
Prioritising risks helps decide which risk to respond to first
As a public administration, while determining the responses to be
given to risks, the recipients of the services and the impacts on them
must be considered
Stay away from over-control measures while responding to risks.
Over-control harms the efficiency of the administration as much
as insufficient controls do
The possibility that acting in coordination with other
administrations in responding to risks may be more efficient must
be considered
The following box gives an example of the process of responding to risk.

RM Box 17 Example of the process of responding to risk

Your organisation has decided to buy a new IT system. You identify your risks:
Risk 1: The new system has inadequate response times.
Risk 2: Data is not transferred accurately from the old IT system to the new system.
Risk 3: You do not have the capability to operate the new IT system.
Risk 4: The new IT system does not work.

What responses can you give to these risks?

Risk 1
Tolerate: You have been assured that the new system has a five-second response time, which is similar to the current system, so you decide that it does not need to be quicker.

Risk 2
Treat: You need to introduce controls to make sure that data is transferred accurately.
- Preventive controls: testing is done on the new IT system before it is introduced, to ensure that data is not corrupted on transfer.
- Corrective controls: testing is done comparing data transferred from the old system to the data on the new system. This control activity corrects the errors.
- Directive controls: a requirement that IT staff working on developing the new system have adequate skills and experience.
- Detective controls: testing is done after one year of operating the new system to see if standing data transferred from the old system is accurate.
- Emergency plan: you should make sure that you can revert to using the old system in the event that the new system does not have properly transferred data.

Risk 3
Transfer: You outsource the running of the new system to another organisation which has the relevant expertise.

Risk 4
Avoid: If it is detected during testing that the new IT system is not working, you stop buying this system and search for an alternative IT system.

Take the opportunity
Your new IT system allows you to operate more efficiently, freeing up staff time to do other activities.
7.4 Reviewing Risks

Risks can change in terms of their impact and likelihood due to various changing conditions or measures taken. Furthermore, it is also possible that new risk areas form due to changing conditions. Therefore, all aspects of the identified risks and the risk management process should be reviewed at least on a regular basis. Reviews can be carried out at frequencies set by the administration according to the level of importance of the risks.

In the event that extraordinary developments take place and these have a serious impact on the risks, the Administrative Risk Coordinator (ARC), upon the spoken or written instruction of the head of administration, organises an emergency meeting of the Internal Control and Risk Steering Board to assess the risks. For example, natural disasters, economic crises and early election resolutions are extraordinary developments.

Reviewing the risks and reviewing the risk management process are two different processes, and the fact that one of them is carried out does not necessarily mean that the other is carried out as well. Whereas each risk is reviewed by its respective owner, the risk management process is reviewed by the Head of Administration and/or the ARC. Reviewing risks regularly provides flexibility in adapting to changing conditions.

Risks are reviewed as follows:
- Whether risks still exist, whether new risks have arisen, and whether the likelihood or impact of a risk has changed is reviewed.
- Priority should be given to key risks (those with the highest probability and impact) during a review. Other risks should be reviewed later.
- While reviewing strategic risks, first and foremost the amended policy papers (if any), developments in other countries, the expectations of the public for that period, Internal Audit Reports, Inspection Reports, External Audit Reports and other relevant reports and documents should be considered.
- In the light of these developments, if there have been any changes to the risk profile, the risk register of the administration/unit/sub-unit must be reviewed.
- The change must be communicated to the risk coordinator at the next senior level within five working days.
- By reviewing the prioritisation of the key/main risks, the assessment results should be submitted within five working days by the ARC to the ICRSB in a revised Risk Report.
- The results of the assessment will be discussed by the ICRSB, and the report is then submitted to the Head of Administration by the ARC.
- The conclusion and evaluation part of the report must include remarks on whether the risk management process provides the necessary assurance and whether new measures are needed or not:
  o Do we give reasonable assurance on the successful management of risks?
  o Do we give reasonable assurance on the effective implementation of the control activities?
The process of reviewing risks is summarised in RM Box 18, and questions to consider are listed in RM Box 19.

RM Box 18 Process for reviewing risk
- Set out a review period depending on the characteristics of the activity.
- Frequently review the first (most critical) risks.
- During the review, assess the probability and impact of the risks for that period.
- Decide whether the risk is still a threat.
- Identify whether new risks have arisen for that period.
- The condition of the control activities must be reviewed according to the change in the risk. It would be appropriate to eliminate an activity which has become pointless because the risk has disappeared.
- Record the identified findings in the risk register.
- Report the risks of every level.
- Changes regarding the risks are reflected in the risk register; however, in emergencies the managers must be informed as soon as possible.

RM Box 19 Questions to consider in the risk review process
- What are the changes in the environmental conditions?
- What changes impact on the operation of the activity?
- How do the changes affect the administration?
- Are present controls sufficient to address the changing situation?
- Is there sufficient evidence that the controls are effective?
- It would be useful to take into consideration the policy papers of the government and the administration while assessing risks.

7.5 Communication and Reporting

Communication, within the context of risk management, refers to the accurate and timely conveyance of the right information to the relevant people through various mechanisms at the right time. Communication is a vital process which needs to be applied effectively in all phases of risk management.

The following are important to communicate:
- The administration's objectives, policies and procedures.
- The risk management strategy.
- The numbering system in the risk assessment stage and the measurement mechanisms.
- Which controls are convenient in responding to risks.
- How well risks are managed, in reviewing risks.

It is important to bear in mind that this vertical and horizontal communication is mutual (communication-feedback).
To ensure effective communication, the issues in RM Box 20 should be considered.

RM Box 20 Issues for effective communication
- Who will communicate with whom, and in which format?
- Who is responsible to whom, and about what?
- How should communication with higher levels be carried out?
- How does communication with the Minister work?
- Who will communicate what information to which levels?
- How is the accuracy of information ensured?
- The expectations of top management from the employees regarding risk management should be clearly defined and conveyed to all employees.

In addition to internal communication, efficient communication lines are needed with partners where the services provided require partnerships, and with the citizens or NGOs who are affected directly or indirectly by the services provided by the administration. Therefore, while the administration is producing its Risk Strategy and Policy Paper, it should prepare an efficient communication plan which regulates internal and external communication, and share it with all stakeholders.

Reporting has a direct impact on the decision-making processes in risk management. Reports should be as short and accurate as possible, demonstrate the evidence regarding the evaluations, be relevant, and be submitted to the relevant people where necessary. Reporting must be carried out within the administration both vertically and horizontally. It should be explicitly set out who will report to whom, and with what frequency, in the risk management process. Reporting will be done in the forms to be determined by administrations and in pre-determined periods, using at least the information contained in the forms shown in the Annex to this Manual. When deemed necessary, administrations can develop forms other than those contained in the Manual.
Within the scope of this chapter of the manual, Risk Management can be demonstrated via the following diagram.

RM Figure 6 Risk Management Process
[Diagram. Inputs: Administration's Mission; Strategic Plan and Performance Programme / Budget; Annual Management Plan (Activities, Processes, Projects). Risk Assessment at Operational Level, Unit Level and Administration Level: Identify, Measure (impact x probability), Prioritise. Assess, Manage, Monitor. Risk Register; Control Activities (Tolerate, Control, Transfer, Avoid, Take the opportunities); Monitoring and Evaluation.]
7.6 Learning

Learning needs to be enriched through systematic training tools and disseminated to the target groups using the most effective method. Depending on the target group, methods such as conferences, seminars, workshops, trainings, hands-on trainings, internships, exchanging information via various communication channels, and sharing best practices, failures or mistakes would facilitate learning the risk management processes and establish a basis for risk management practices in the corporate sense.

Addressing risks largely depends on experience. Previous experiences, and making everyone aware of the successful and unsuccessful practices via a strong communication network, would facilitate more effective and faster addressing of risks. In particular, conveying the positive and negative experiences about emerging risks and the methods used to handle them to the stakeholders, and learning what could go wrong, can only be ensured if a method that focuses on learning from mistakes is adopted and learning experiences are shared. Therefore, it will be useful to use the peer review method within the administration. In this method, units learn how others at the same hierarchical level manage risks, and they can adopt good practice examples in their own units.

Sharing risk management experiences with external stakeholders, especially organisations experienced in this field, could not only help administrations develop new methods but also ensure a more efficient use of risk management resources.
RISK MANAGEMENT ANNEXES

ANNEX 1 Using the brainstorming method to identify, assess and record risks

Step 1
Collect together in the same room all members of the Unit or Sub Unit, or all staff who work on a project or on a business process. Identify an appropriate facilitator (see RM Box 21) to guide the brainstorming workshop. The brainstorming will be most effective if it is facilitated by an independent person who has experience of facilitating brainstorming. (Note: this can also be done by collecting all senior managers in an Administration to brainstorm strategic risks.)

Requirement for step 1: all attendees of the brainstorming should be fully familiar with the Sub Unit / Unit / project or business process / Administration respectively.

RM Box 21 Role of the facilitator
- Encourage the workshop attendees to all participate in identifying risks.
- Watch out for duplication of similar risks (if two risks are very similar, consider amalgamating them).
- Ensure that all attendees vote on the impact and likelihood of the identified risks.
- Encourage attendees to challenge each other's scores, defend their own, or change them if they think it appropriate.
- Ensure that the risk scores are accurately entered in the spreadsheet and prioritised.
- Action plan the response to risks, starting with the highest priority.
- For each response, ensure responsibility is allocated to a named individual.
- Ensure for each response that a review and reporting date is identified (exact date).

Step 2
Once all brainstorming attendees are assembled as per step 1, first clarify what the objectives of the Sub Unit / Unit / project or business process / Administration respectively are. These may be included in the strategic plan or, for sub units, may not previously have been identified. Think widely: are there other objectives that are not included? All attendees should agree that these are the objectives before proceeding to Step 3.

Step 3
All attendees at the brainstorming should brainstorm: what are the risks to the achievement of each of the objectives identified in step 2? This can be done as one group or, for larger brainstorming sessions, in pairs or sub-groups. Risks identified by the brainstorming should be recorded in the risk voting form in Annex 2 (columns 3, 4 and 5), clarifying which objective(s) might not be achieved if the risk happens.

Step 4
Once all risks are identified, all brainstorming participants should vote on what they think the likelihood and impact of the risk are, using the guidance for scoring in the risk management chapter of this manual. These votes should be recorded on the risk voting form. In line with the number of participants, the number of the related columns can be increased (columns 6, 7, 8 and 10, 11, 12). (For scoring impacts and probabilities see Annex 5, Risk Assessment Criteria Table.)
Step 5
Once initial votes are recorded on the risk voting form, where there are large variations between the highest and lowest score for likelihood and/or impact for a particular risk, the individual(s) who gave the highest score should first of all justify why they gave the high score and try to convince the others why they should increase their score. The individual(s) who gave the lowest score should then justify why they gave the low score and try to convince the others why they should decrease their score. After these justifications have been given, an opportunity should be given to all who were convinced by any of the justifications to change their score.

Step 6
The risks identified should be listed in decreasing order of the multiple (Column 14) of the average impact (Column 9) and the average probability score (Column 13) from the brainstorming. The participants should be asked if the result is what they expected. Does what they considered to be their most significant risk have the highest score? If not, look at the voting again and consider if it needs to be changed.

Step 7
Once brainstorming participants are satisfied with the prioritisation of the risks, complete the other columns of the risk register (Annex 3), starting with the highest priority risk.

Step 8
If the risk which is written in column 5 of the Risk Register arises from an event which will occur at a particular date (e.g. elections), column 6 of the Risk Register, namely the time frame column, can be completed by writing how much time before the date the risk is expected to materialise (e.g. a month, three months, etc.). The column can be left blank if timing is not important.

Step 9
When identifying control activities, consider whether the risk level is within the risk appetite for that particular risk or not, and what control(s) would be most cost-effective and would mitigate the risk best by reducing the impact and/or the likelihood of the risk materialising. Also consider what the existing controls are, whether these are currently effective, and whether they can be improved or whether it would be more cost-effective to introduce new or additional control(s) in addition to, or instead of, the existing control(s). Complete the related columns in line with the explanations in the table (columns 11 and 12 in the Risk Register).

Step 10
The form will have been fully completed when the other columns are completed, taking into consideration the instructions in the Risk Register form.

The following box gives some suggestions for ground rules for brainstorming.

RM Box 22 Suggested ground rules for brainstorming
- There is no such thing as a bad idea.
- One person speaking at a time.
- Active participation.
- Keep to the timetable.
- The facilitator is in charge (if there is one).
- Open discussion, but no personal criticism.
ANNEX 2 Risk Voting Form
This form is used to calculate the risk score after the risks are identified.
ANNEX 3 Risk Register
This is a form used to report the status after the risks identified at administration/unit/sub-unit level are recorded.

RISK REGISTER
Administration/Unit/Sub-unit: ............    Date: ../../20..

Columns of the form:
 1  Serial no
 2  Reference No
 3  Strategic Objective
 4  Unit's Objective
 5  Risk Identified (two sub-rows: Risk / Reason)
 6  Time frame
 7  Probability
 8  Impact
 9  Risk score (R) (colour bands: 45-100 / 9-44 / 1-8)
10  Change (Direction of risk)
11  Current/New/Additional control activities
12  Starting date
13  Risk owner
14  Monitoring and Reporting
Columns
1 Serial no: shows the sequencing in the risk register.
2 Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist. The same code is not given to another risk.
3 Strategic Objective: the column in which the code of the strategic objective related to the risk, as shown in the strategic plan, is written.
4 Unit's objective: if the risk register is completed at unit/sub-unit level, the objective of the unit which is directly or indirectly related to the strategic objectives of the administration and can be affected by the risk is written in this column; if the risk register is completed at administration level, this column is left blank.
5 Risk Identified: Risk: description of the risk. Reason: the reasons which cause the risk to occur.
6 Time frame: if the risk arises from an event which will occur at a particular date (e.g. elections), this column can be completed by writing how much time before the date the risk is expected to materialise (e.g. a month, three months, etc.). The column can be left blank if timing is not important.
7 Probability: the probability value determined using the Risk Voting Form (Annex 2) (between 1 and 10). While determining this score it may be useful to list the related control activities, actions taken and related regulations. In this way the probability that the risk will materialise notwithstanding the actions taken can be determined.
8 Impact: the impact value determined using the Risk Voting Form (Annex 2) (between 1 and 10). While determining this score it may be useful to list the related control activities, actions taken and related regulations. In this way what the impact of the risk will be if it happens, notwithstanding the actions taken, can be determined.
9 Risk Score (R = I x P): the risk score determined by multiplying the probability and impact scores in the Risk Voting Form (Annex 2) (between 1 and 100). See below for an explanation of the colours to use.
10 Change (Direction of risk): the column in which the change in the status of the risk is shown in the light of the previous risk register. It can be shown, according to the administration's preference, in writing (such as up/down/stable) or by means of direction signs. If there is no previous risk register, it is stated as "New".
11 Current/New/Additional control activities: current control activities are written in this column. It is assessed whether these activities are still needed or not; if not, they are removed. It is also assessed whether the current control activities are appropriate or sufficient. If the calculated risk score is above the desired level, taking into consideration the current control activities, then the new or additional control activities which are planned are written in this column.
12 Starting date: the exact date that the new/additional control activities will start to be implemented.
13 Risk owner: the person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, does the monitoring, keeps records of achievements and failures regarding control activities, and ensures that evidence which shows that the risk is managed is kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.
14 Monitoring and Reporting: when to review and to whom to report the risks are written in this column.

Colours
High risk (score 45-100)
Medium risk (score 9-44)
Low risk (score 1-8)
Not sufficient information to assess the risk: it is included in the risk register and a risk owner is identified for collecting sufficient information.

Note: In the event that a new risk is identified during the year, the employee identifying this risk reports it to the senior manager. If the manager decides this is a risk which needs to be managed, then this risk is registered in the risk register form and approved by the relevant manager.
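The scoring steps of Annex 1 (steps 4 to 6: average the participants' votes, multiply average impact by average probability, rank the risks, and send wide disagreements back for the Step 5 justification round) and the colour bands of the Annex 3 register (R = I x P, 45-100 high, 9-44 medium, 1-8 low, no score means "not sufficient information"), worked through in Python. This is an added example, not the manual's own form or any tool of the Twinning Project. The sample votes, the IT-xx reference codes and the DISCUSSION_SPREAD threshold that triggers a Step 5 discussion are constructed assumptions; the manual only says "large variations" without giving a number.

```python
"""Score a risk voting form and assign the risk register colour bands.

Added example. The vote values, the reference codes and the
DISCUSSION_SPREAD threshold are constructed for illustration.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Optional

# Colour bands for the risk score R = I x P (1-100), as in Annex 3 of the manual
SCORE_BANDS = ((45, "High"), (9, "Medium"), (1, "Low"))
# Assumed value (not from the manual): a gap of this many points or more between
# the highest and lowest vote sends the risk back for the Step 5 justification round
DISCUSSION_SPREAD = 4


@dataclass
class RiskVotes:
    """One row of the voting form: the risk plus one 1-10 vote per participant."""
    reference: str
    objective: str
    description: str
    probability: list = field(default_factory=list)
    impact: list = field(default_factory=list)


@dataclass
class ScoredRisk:
    reference: str
    avg_probability: Optional[float]
    avg_impact: Optional[float]
    score: Optional[float]
    band: str
    needs_discussion: list  # "probability" and/or "impact" when votes diverge widely


def band_for(score: Optional[float]) -> str:
    """Map a risk score to its register colour; no score is the blue 'Unknown' entry."""
    if score is None:
        return "Unknown"
    for floor, name in SCORE_BANDS:
        if score >= floor:
            return name
    return "Low"  # products of 1-10 votes never fall below 1, so this is unreachable


def _check_votes(votes, label, reference):
    """Reject votes outside the 1-10 scale of the Risk Assessment Criteria Table."""
    for v in votes:
        if not 1 <= v <= 10:
            raise ValueError(f"{reference}: {label} vote {v} is outside the 1-10 scale")


def score_risk(risk: RiskVotes) -> ScoredRisk:
    """Steps 4-6: average the votes, multiply, and flag wide variation for Step 5."""
    if not risk.probability or not risk.impact:
        # Not enough information yet: register as Unknown and assign a risk owner
        return ScoredRisk(risk.reference, None, None, None, "Unknown", [])
    _check_votes(risk.probability, "probability", risk.reference)
    _check_votes(risk.impact, "impact", risk.reference)
    p, i = mean(risk.probability), mean(risk.impact)
    spread_flags = [
        label for label, votes in (("probability", risk.probability), ("impact", risk.impact))
        if max(votes) - min(votes) >= DISCUSSION_SPREAD
    ]
    return ScoredRisk(risk.reference, round(p, 2), round(i, 2), round(p * i, 1),
                      band_for(p * i), spread_flags)


def prioritise(risks):
    """Step 6: list risks in decreasing order of score; unscored risks go last."""
    scored = [score_risk(r) for r in risks]
    return sorted(scored, key=lambda s: (s.score is None, -(s.score or 0)))


# Constructed sample: a three-person workshop voting on the RM Box 17 IT-system risks
SAMPLE_VOTES = [
    RiskVotes("IT-01", "Faster service", "New system has inadequate response times", [3, 4, 2], [4, 5, 3]),
    RiskVotes("IT-02", "Accurate records", "Data not transferred accurately", [7, 8, 9], [9, 9, 10]),
    RiskVotes("IT-03", "Service continuity", "No capability to operate the new system", [2, 9, 5], [6, 6, 7]),
    RiskVotes("IT-04", "Service continuity", "New system does not work"),  # not yet voted on
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_VOTES):
        note = f"  discuss: {', '.join(r.needs_discussion)}" if r.needs_discussion else ""
        print(f"{r.reference}  P={r.avg_probability}  I={r.avg_impact}  R={r.score}  {r.band}{note}")
```

Running the sample ranks IT-02 first as a high risk, flags IT-03 for a Step 5 discussion because the probability votes range from 2 to 9, and carries IT-04 as "Unknown" at the bottom of the list so that a risk owner can be assigned to collect the missing information.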
ANNEX 4 Consolidated Risk Report
This is the form which enables the corporate risks of an administration to be submitted to the senior manager as a report composed of a few pages.

CONSOLIDATED REPORT
(Corporate Risks)
Administration/Unit/Sub-unit: ............    Date: ../../20..

Columns of the form:
 1  Serial No
 2  Reference No
 3  Strategic Objective
 4  Risk Identified
 5  Status: Previous risk score and colour (45-100 / 9-44 / 1-8)
 6  Status: Current risk score and colour (45-100 / 9-44 / 1-8)
 7  Risk Owner
 8  Explanation

Columns
1 Serial no: shows the sequencing in the risk register.
2 Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist. The same code is not given to another risk.
3 Strategic Objective: the column in which the code of the strategic objective related to the risk, as shown in the strategic plan, is written.
4 Risk Identified: description of the risk.
5 Previous risk score and colour: shows the status of the risk in the previous Consolidated Risk Report.
6 Current risk score and colour: shows the status at the date of the report.
7 Risk owner: the person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, does the monitoring, keeps records of achievements and failures regarding control activities, and ensures that evidence which shows that the risk is managed is kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.
8 Explanation: information about the effectiveness of the control activities and foresight for the future are given in the explanation section.

Colours
High risk
Medium risk
Low risk
Not sufficient information to assess the risk: it is included in the risk register and a risk owner is identified for collecting sufficient information.
ANNEX 5 Risk Assessment Criteria Table

Columns: Value | Range | Probability | Impact: Strategy | Impact: Activities | Impact: Financial | Impact: Compliance with Legislation
The Value column runs from 10 down to 1, with the Range bands High, Medium, Low and Unknown set against it; the criteria for each band follow.

Range: High
Probability: Risks which are almost certain to occur within 5 years. Taking into consideration the structure of the administration, they generally arise from policies and procedures. The wider the activity area of the administration, the more likely it is that the risky event occurs.
Impact, Strategy: Risks which can have a major impact on attaining strategic objectives. These are risks which are generally faced in the long term but can cause the administration to divert from its objectives in case of occurrence.
Impact, Activities: Risks which cause the administration/unit/sub-unit not to provide the service it has to provide in an effective and efficient way belong in this category.
Impact, Financial: Risks which will cause heavy financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are above the acceptable level should be accepted as a high risk.
Impact, Compliance with Legislation: Risks which will cause a big obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation. Such risks can be seen in areas where the legislation is too complicated and unclear.

Range: Medium
Probability: Risks which are likely to occur within 5 years. These are generally such risks that the administration/unit/sub-unit, or administrations with similar structures, have faced formerly.
Impact, Strategy: Risks which can have a certain level of impact on attaining strategic objectives.
Impact, Activities: Risks with a certain level of impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.
Impact, Financial: Risks which will cause a certain level of financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are within the acceptable level should be accepted as a medium risk.
Impact, Compliance with Legislation: Risks which will create a certain level of obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Range: Low
Probability: Risks with a low probability of occurrence within 5 years. These are generally such risks that the administration/unit/department faces very rarely. These are risks with almost no likelihood of occurrence.
Impact, Strategy: Risks which can have the least impact on attaining strategic objectives. Their impacts are generally small and cover a limited area.
Impact, Activities: Risks with little impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.
Impact, Financial: Risks which will cause little financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are below the acceptable level should be accepted as a low risk.
Impact, Compliance with Legislation: Risks which will cause a little obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Range: Unknown
Probability: In case there is no idea about the likelihood of the risk occurring within 5 years, the risk is shown in blue until it can be clearly identified with more data.
Impact, Strategy: The impact of a risk likely to occur on the strategic objectives of the administration could not be determined.
Impact, Activities: The impact of a risk likely to occur on the activities could not be determined.
Impact, Financial: The financial impact of a risk likely to occur could not be determined.
Impact, Compliance with Legislation: The impact of a risk likely to occur in case of non-compliance with the legislation could not be determined.

Unknown: the risk has recently emerged, no data was obtained regarding its status and there is not sufficient data for analysing the new risk, or it is a risk which previously occurred but there is not sufficient data for the analysis. Information should be gained as soon as possible so that an analysis can be made and an opinion formed.
ANNEX 6 Case Study: Example of Inherent and Residual Risk

Case study example to illustrate the concepts of inherent and residual risk, and also to illustrate how a risk owner can obtain information from several different control owners to monitor the extent to which the risk they are responsible for is successfully mitigated by the existing controls.

The scenario concerns a storage warehouse for gold bars, a risk owner who was the Store Manager, a risk that gold bars are stolen, and four controls:
a) An IT system control recording bars in and out and a balance held for each working day; daily printouts are sent by the IT manager to the risk owner.
b) An independent company comes in once a month to perform a stocktake count of the gold bars in the warehouse, which they reconcile with the relevant printout of stock from the IT manager. Any variances in stock held are investigated and explanations provided where possible. The independent company provides a monthly report to the risk owner on the results of the work they have done, detailing any unexplained variances (which could potentially be incidences of theft).
c) Security guards: professionals guarding access to the warehouse 24 hours a day and 7 days a week, ensuring that only authorised staff have access to the warehouse and that all bags are put through a metal detector on leaving, to ensure gold bars are not being smuggled out (gold bars are too heavy to be easily hidden on the person). On recruitment, a criminal record check is made on the security guards to ensure that they do not have prior convictions for theft. Security guards report weekly to the risk owner on their work.
d) An alarm system: any incidences of it being set off are sent in a report by the security guards to the risk owner. Regular (weekly) checks on the alarm system's functioning are carried out by the security guards, with the success of the check included in their reports to the risk owner.

The inherent risk, in the absence of the above four controls, would be considered high (a high probability that bars would be stolen and a high impact, as gold bars are expensive). This would be above the risk appetite, and consequently the above four controls would be designed to mitigate the risk of the gold bars being stolen, with the foreseen effect of the four controls being that the residual risk would be reduced. (Note: all four control measures combined would mitigate only the probability of the gold bars being stolen, not the impact.)

The risk owner would gather evidence as to the effectiveness of the four controls. If they were found to be effective, he would consider whether the risk had been successfully mitigated to within the risk appetite (likely answer: yes, unless a further new control or a strengthening of the existing controls was considered necessary because the risk appetite was very low due to the high impact / the organisation being very risk averse).

If one or more of the four controls is found by the risk owner to be ineffective, it is likely that the risk would still be at a level above the risk appetite, and so the risk owner would need to escalate the issue to his line manager, suggesting methods for further mitigating the risk (either by introducing an additional control or by strengthening the control(s) that had been found to be ineffective).

ANNEX 7 Case Study: Example of completed Risk Voting Form, Risk Register and Consolidated Risk Report
CONTROL ACTIVITIES
1 Introduction Control activities (also referred to as controls) are actions aimed at reducing
the impact andor the likelihood of a risk occurring and thus increase the probability
of attaining the goals and objectives of the organisation or part of the organisation
For an effective control the introduction of the control activities depends on the
completed risk assessment The management must plan organise and direct
sufficient control activities to obtain reasonable assurance that the tasks and goals
will be achieved Control activities cover both financial and non-financial controls
and they should be designed and implemented as a whole for all the activities of the
administration
This section of the manual within the framework of internal control standards
looks at how procedures should be developed as control activities to ensure that risks
to achieving administrative objectives are managed effectively
2 Control Activities Standards
Administrations, while identifying and implementing their control activities, take into account the following standards.
CA Box 1: Internal Control Standards
Standard 7: Control strategies and methods. The administrations shall determine and implement control strategies and methods which aim to achieve the objectives and are suitable for risk response.
Standard 8: Determination and documentation of procedure. The administrations shall prepare and update the written procedures which are required for administration activities, as well as for financial decisions and transactions and the arrangements relevant to these areas, and shall also give the relevant personnel access to these documents.
Standard 9: Segregation of duties. With a view to reducing fault, flaw, error, irregularity and corruption risks, the duties of approval, implementation, recording and control of financial decisions and transactions shall be allocated among personnel.
Standard 10: Hierarchical controls. The administrators shall systematically control the compliance of the works and transactions with the procedures.
Standard 11: Continuity of activities. The administrations shall take the necessary measures for continuity of the activities.
Standard 12: Information system controls. The administrations shall develop control mechanisms in order to ensure the continuity and security of information systems.
[Figure: the five components of internal control – Control Environment, Risk Management, Control Activities, Information & Communication, Monitoring]
3 Planning Process of Control Activities
Control activities can be regarded as the ability of administrations to get through the challenges they experience in carrying out their activities. Control activities should be designed within the framework of a cost-effectiveness analysis, in a way that directly facilitates the attainment of objectives. Ideally, when introducing control activities, the heads of organisations must take into account the expected benefit from them as well as the costs of their introduction and implementation. Control activities should ideally be introduced into processes and systems at the time these processes and systems are set up, because the introduction of control activities at a later stage is more expensive and less efficient.
It is important for the effectiveness of controls that control activities be understandable, applicable and consistent. A good control strategy should take into account how to implement the controls as well as identifying them. At this juncture, the administrative, financial and physical capacity of an administration should be taken into consideration.
Another important point to pay attention to in planning control activities is the evaluation of the effectiveness of the controls implemented. Such issues as whether the aim of implementing the control is commensurate with the targeted results, and whether the expected cost is in line with the actual cost, should be evaluated. Furthermore, regular review of control activities in the light of changing circumstances is also an important factor in the evaluation of effectiveness.
Administrations should take into consideration the following basic requirements in identifying control activities.
CA Box 2: Basic Requirements – Planning of control activities
In order to be effective, control activities must be:
- adequate (the right control in the right place, at the right level, and commensurate to the risk involved);
- cost-effective (the costs of implementing a control should not exceed its benefits);
- comprehensive, understandable and directly related to the control objectives;
- documented clearly;
- evaluated as a whole, so that they are consistent in their operation;
- carried on until their effectiveness is evaluated.
4 Classification of control activities
The control activities are generally classified as follows. Administrations should implement the following basic requirements as a minimum standard; however, they can implement additional control activities depending on the nature of the risk.
4.1 Preventive controls
These are the controls to be carried out to mitigate the likelihood of, and prevent as much as possible, the undesirable outcomes that may emerge when risks occur. For example: ex-ante financial control operations; applying the principle of segregation of duties to prevent fraud or irregularities.
CA Box 3: Basic requirements – Preventive Controls
- the security of physical and intangible rights (intellectual assets, etc.) and records;
- physical safeguarding of assets;
- recording financial/management information;
- access controls such as passwords, identity cards, guards; and
- segregation of duties in order to avoid conflicts of interest.
4.2 Corrective Controls
These are the controls aiming at reducing the impact of the undesirable outcomes that stem from the threats the risks pose. For example: placing provisions regarding the reimbursement of undue payments in the agreements; setting the period of guarantee in advance.
CA Box 4: Basic requirements – Corrective Controls
- identifying methods for the purpose of recovery from loss or damage which would affect the activities negatively;
- appropriate actions are taken for the correction or elimination of the identified differences.
4.3 Directive Controls
These are the controls applied to reach a certain end. For example: provision of training on protection against possible threats; using protective materials (masks, special clothes, etc.); preventive medical practices (giving messages on washing hands in periods of epidemics, publishing private leaflets).
CA Box 5: Basic requirements – Directive Controls
- an approved organisation chart that is constantly updated to reflect organisational changes;
- manuals or written procedures, brochures, booklets, posters and other similar documents on implementation;
- established, clear and documented definitions of the responsibilities and tasks for resources, activities, programmes, projects, objectives and targets;
- assigning tasks and responsibilities by taking into account the relevant skills and experience of the staff concerned;
- delegating authority, based on the organisational structure and responsibilities, so that the jobs are done effectively; this delegation should be documented;
- establishing effective means of communication throughout the organisation; and
- establishing clear reporting methods.
4.4 Detective Controls
These are the controls applied to identify the damages and losses experienced once the risks are realised. For example: conformity controls carried out after spending has been made, in order to identify responsibility; controls performed to detect negligence by experts or authorities.
CA Box 6: Basic requirements – Detective Controls
- periodic counts/physical inventories;
- comparison of the counts/inventories with the records;
- methods for the identification and analysis of differences.
5 Methods of control activities
The main methods of control are mentioned below. Administrations may also implement different ex-ante and ex-post control methods based on the requirements of their organisational structure and field of activity.
Ex-ante controls are the controls put into practice, in the light of the appropriate procedures, before the activity takes place, whereas ex-post controls refer to the controls performed by the management, through the use of pre-identified methods, after the activities take place.
CA Box 7: Tips for control activities
The following box gives some issues to be considered when control activities are identified.
- While determining the control activities and allocating resources for them, it may be necessary to give priority also to those risks with high probability and low impact which rate low in the prioritisation list formulated according to the risk scores.
- Preparing emergency plans, as well as control activities, for those risks with a very high probability and impact assumes great importance.
- Reducing both the probability of realisation and the impact of internal risks is possible with control activities.
- Reducing the probability of realisation of external risks, on the other hand, may not be under the control of the administration. However, mitigating the impacts of such risks is possible with proper risk management.
- While responding to risks, over-controlling should be avoided. Both over-control and under-control can undermine the effectiveness of the controls.
- According to the content of the risk, several control methods can be used at once if deemed necessary.
- Have the costs and benefits of implementing the control activities been analysed?
- Have the new control activities been piloted to see if they are having the desired effects?
- Are the control activities effectively operating as planned? Is the required evidence on controls collected and analysed periodically?
- After a reasonable period of time, are the new control activities, and the existing controls that are being continued, functioning as expected? And do you report this to the manager/risk coordinator?
CA Box 8: Factors to be determined when identifying control activities (the contents of this box are listed after section 5.3 below)
5.1 Authorisation and approval
Managers should introduce appropriate rules and procedures for decision-making, authorisation and approval, taking into account the following. Decision-making and approval shall be carried out only by authorised persons. Authority means that operations are initiated only by persons acting within their powers. Observance of the order of authorisation requires employees to act in accordance with directions and within the limits set by the manager of the organisation or by the legislation. The procedures for authorisation should include specific conditions and the delegation of powers by managers to employees for the performance of particular activities. Approval is the endorsement (certification) of transactions, data or documents, whereby processes, actions, proposals and/or the consequences thereof are completed or validated.
5.2 Segregation of duties
To minimise the risk of errors, irregularities and violations, and of their non-detection, managers should introduce rules stipulating that different employees be responsible for the implementation of two or more key stages of an operation, process or activity. To ensure effective checks and to strike a balance in the implementation of an operation, responsibilities shall be segregated in a manner which precludes an employee from being responsible simultaneously for approval (decision-making), implementation, accounting and control.
In organisations with fewer staff this segregation is more difficult to implement. In such cases the manager may consider the possibility of combining two of the specified activities and compensating for the non-application of this control mechanism by another, e.g. rotation of employees, rotation of duties or additional management checks. Thus the risk of a single person dealing with more than one key aspect of an operation, process or activity for an unjustifiably long period of time can be reduced.
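The rule in 5.2 can be checked mechanically against a register of who holds which stage of each process. The following is an added example, not the manual's own procedure: it flags any employee holding two or more of the four key stages of one process, and treats a combination of exactly two stages as acceptable only where a compensating control (rotation or additional management checks, as the section allows for small organisations) is documented. The processes, employee names and assignments are constructed.

```python
"""Segregation-of-duties check over a register of role assignments.

Added example; not part of the manual. The four key stages that section 5.2
says must not rest with one employee (approval, implementation, accounting,
control) and the compensating controls it allows in small organisations come
from the text; the processes, employee names and records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# The key stages of an operation, in the order the manual names them.
KEY_STAGES = ("approval", "implementation", "accounting", "control")


@dataclass(frozen=True)
class Assignment:
    process: str    # e.g. "payments"
    employee: str
    stage: str      # one of KEY_STAGES


@dataclass(frozen=True)
class Compensation:
    """A documented compensating control (rotation, extra management checks)
    that justifies combining exactly two stages for one person."""
    process: str
    employee: str
    measure: str


@dataclass(frozen=True)
class Finding:
    process: str
    employee: str
    stages: tuple
    status: str     # "violation" or "accepted"
    note: str


def check_segregation(assignments, compensations=()):
    """Return one Finding per (process, employee) pair holding two or more
    key stages. Two stages with a documented compensating control are
    reported as accepted; anything else is a violation."""
    held = defaultdict(set)
    for a in assignments:
        if a.stage not in KEY_STAGES:
            raise ValueError(f"unknown stage: {a.stage!r}")
        held[(a.process, a.employee)].add(a.stage)
    measures = {(c.process, c.employee): c.measure for c in compensations}

    findings = []
    for (process, employee), stages in sorted(held.items()):
        if len(stages) < 2:
            continue  # a single stage is exactly what the rule requires
        ordered = tuple(s for s in KEY_STAGES if s in stages)
        measure = measures.get((process, employee))
        if len(ordered) == 2 and measure:
            findings.append(Finding(process, employee, ordered, "accepted",
                                    f"two stages combined, compensated by: {measure}"))
        elif len(ordered) == 2:
            findings.append(Finding(process, employee, ordered, "violation",
                                    "two stages combined without a documented compensating control"))
        else:
            findings.append(Finding(process, employee, ordered, "violation",
                                    "more than two stages held; at most two may be combined"))
    return findings


def violations(findings):
    """Only the findings that require management action."""
    return [f for f in findings if f.status == "violation"]


# Constructed sample register: four processes with different staffing.
SAMPLE_ASSIGNMENTS = [
    Assignment("payments", "alice", "approval"),
    Assignment("payments", "bob", "implementation"),
    Assignment("payments", "carol", "accounting"),
    Assignment("payments", "dave", "control"),
    Assignment("procurement", "erin", "approval"),
    Assignment("procurement", "erin", "implementation"),
    Assignment("procurement", "carol", "accounting"),
    Assignment("procurement", "dave", "control"),
    Assignment("petty_cash", "frank", "implementation"),
    Assignment("petty_cash", "frank", "accounting"),
    Assignment("petty_cash", "frank", "control"),
    Assignment("travel", "grace", "approval"),
    Assignment("travel", "grace", "control"),
]
SAMPLE_COMPENSATIONS = [
    Compensation("procurement", "erin",
                 "quarterly rotation of duties plus a monthly management check"),
]


def sample_findings():
    return check_segregation(SAMPLE_ASSIGNMENTS, SAMPLE_COMPENSATIONS)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.status:9} {f.process}/{f.employee}: {', '.join(f.stages)} - {f.note}")
```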
5.3 Double signature system
The double signature system is a procedure to ensure the accuracy of the data included in a document. The method is applied in non-financial processes, such as the provision of information to top management (reports, information notes, statistics, etc.) and appointment orders, and before financial obligations such as the signing of contracts and the making of payments (payment orders, etc.). This makes it possible that, especially in financial transactions, the person responsible for the accounting entries knows about pending obligations or payments and performs the due accounting procedures. The double signature system gives assurance that the procedures are carried out by authorised staff.
CA Box 8: Factors to be determined when identifying control activities
- Which unit/who will conduct the activities
- Deadlines of the activities
- Necessary resources for the activities to be conducted
- Critical achievement factors
- How to document the activities
- Monitoring processes for the activities
5.4 Reconciliation of data
Procedures should also guarantee that data from different documents and sources are matched to ascertain consistency. For example, accounting entries relating to bank accounts are reconciled with the corresponding bank statements; invoice data are matched with those in the warehouse receipt; etc.
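The bank reconciliation named above, as an added example that is not the manual's own procedure: it matches ledger entries to statement lines by reference and separates the kinds of difference that CA Box 6 asks to be identified and analysed (amount mismatches, items present on only one side, references used more than once). The record layout, references and amounts are constructed.

```python
"""Reconciliation of accounting entries with a bank statement (section 5.4)
and identification of differences (CA Box 6).

Added example; not from the manual. Record layout and values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Line:
    reference: str    # payment order or receipt reference
    amount: Decimal   # positive for receipts, negative for payments


def _by_reference(lines):
    groups = defaultdict(list)
    for line in lines:
        groups[line.reference].append(line)
    return groups


def reconcile(ledger, statement):
    """Match ledger entries to statement lines by reference and report every
    kind of difference an accountant would then have to analyse."""
    ledger_groups = _by_reference(ledger)
    bank_groups = _by_reference(statement)
    result = {
        "matched": [],               # same reference and same amount
        "amount_differences": [],    # (reference, ledger amount, bank amount)
        "ledger_only": [],           # booked, not yet on the statement
        "statement_only": [],        # on the statement, never booked
        "duplicate_references": [],  # a reference used more than once on a side
    }
    for ref in sorted(set(ledger_groups) | set(bank_groups)):
        in_ledger = ledger_groups.get(ref, [])
        in_bank = bank_groups.get(ref, [])
        if len(in_ledger) > 1 or len(in_bank) > 1:
            result["duplicate_references"].append(ref)
        elif not in_bank:
            result["ledger_only"].append(ref)
        elif not in_ledger:
            result["statement_only"].append(ref)
        elif in_ledger[0].amount == in_bank[0].amount:
            result["matched"].append(ref)
        else:
            result["amount_differences"].append(
                (ref, in_ledger[0].amount, in_bank[0].amount))
    # Net difference between the two sources' totals (zero does not by
    # itself prove agreement: offsetting errors still show up above).
    ledger_total = sum((l.amount for l in ledger), Decimal("0"))
    bank_total = sum((l.amount for l in statement), Decimal("0"))
    result["net_difference"] = ledger_total - bank_total
    return result


def is_reconciled(result):
    """True only when nothing but matched items remains."""
    return all(not result[k] for k in
               ("amount_differences", "ledger_only", "statement_only",
                "duplicate_references"))


# Constructed sample: four ledger entries against four statement lines.
SAMPLE_LEDGER = [
    Line("PO-1001", Decimal("-1500.00")),
    Line("PO-1002", Decimal("-250.00")),
    Line("RC-2001", Decimal("4000.00")),
    Line("PO-1003", Decimal("-75.50")),    # paid late, not on this statement
]
SAMPLE_STATEMENT = [
    Line("PO-1001", Decimal("-1500.00")),
    Line("PO-1002", Decimal("-205.00")),   # digits transposed on one side
    Line("RC-2001", Decimal("4000.00")),
    Line("BF-0001", Decimal("-12.00")),    # bank fee never booked
]


def sample_reconciliation():
    return reconcile(SAMPLE_LEDGER, SAMPLE_STATEMENT)


if __name__ == "__main__":
    for key, value in sample_reconciliation().items():
        print(f"{key}: {value}")
```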
5.5 Supervision procedures
Supervision procedures should be carried out on a daily basis by line managers on the assignment of work and its performance. Assignment of work by line managers does not reduce their own responsibility for the performance of the work. Line managers should give staff the necessary directions and instructions in order to ensure understanding and to avoid errors and fraud in the discharge of their duties. Line managers should also apply these procedures to assure themselves that the tasks assigned are carried out correctly.
5.6 Ex-ante financial controls
Ex-ante financial control is a control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out against the available appropriation amount, the expenditure programme, the financing programme, and the provisions of the central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently. The purpose of ex-ante control is for managers to obtain reasonable assurance of the compliance of such decisions/actions with the legislation and the performance programme.[2]
5.7 Procedures for accounting operations
Procedures should ensure that the accounting for all financial transactions on a given date is complete, true, accurate and timely. Their purpose is to support the taking of correct decisions from which financial consequences arise. These procedures should be developed in accordance with the relevant legislation and public accounting standards.
[2] Please see the regulation on procedures and principles on internal control and ex-ante financial control for further details.
5.8 Anti-corruption
There should be rules and procedures for the warning, examination, detection and reporting of administrative weaknesses, discrepancies and violations which create conditions for corruption, fraud and irregularities.
Anti-corruption procedures include:
- preventive controls;
- a system for checking, detecting and reporting early indications of corruption, fraud and irregularities;
- whistleblowing procedures (for more information please refer to the Information and Communication section); and
- a set of procedures for reporting irregular activities to the external competent authorities, such as the Prosecutor's Office.
5.9 Access to assets and information
Managers must ensure that only authorised persons, responsible for the safeguarding and/or use of assets and information, have access to them. Restricting access to assets reduces the risk of their misuse or wrongful utilisation and protects the organisation from losses. The degree of restriction depends on the vulnerability of the assets and information and the risks of loss or misuse. When determining the vulnerability of assets, the manager shall consider their value, their transportability and the possibility of their being exchanged for cash.
5.10 Documentation, archiving and storing of information
Procedures for the documentation, archiving and storing of information shall be introduced to support the performance of operations, the taking of correct managerial decisions and the control of processes in an organisation. Documentation involves developing written evidence of decisions made, events that occurred, actions and transactions performed, etc. The documentation must be complete, accurate and timely.
The documentation procedures include those for document circulation, describing the order for the circulation and use of documents produced and received. The documentation procedures must allow tracing of every document, action and process in the organisation, stating precisely who performed what, how and when, and the purpose and type of act/document issued as a result thereof.
According to the terminology adopted by the European Commission, this comprises an audit trail. Its establishment helps achieve:
- transparency;
- tracing of the processes in the organisation from their initiation till completion; and
- tracing the segregation of functions by decision-making, performance, accounting and control.
The audit trail shall state what procedures and transactions exist, who the responsible persons are, what documents are drawn up, what systems for the management and control of data flows exist, and what the form of presentation of the results is.
Archiving procedures must ensure chronological and systematic filing of documents about past events, decisions and actions concerning the organisation. There should be specific guidelines describing in detail the procedures for archive establishment, completion, use and destruction.
The procedures for the storage of information shall ensure physical preservation of the information media (paper and/or electronic) as well as preservation of the content without change, so that the information provides a true and fair view of the facts, decisions and actions relating to the organisation.
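One way to keep the "who performed what, how and when" record of 5.10 in a form whose preservation without change can be verified, as an added example that is not the manual's own procedure: each record is chained to the previous one by a SHA-256 hash, so that editing, removing or reordering any stored record is detected on verification. Hash chaining is a common technique the manual does not name; the events, user names and document reference are constructed.

```python
"""Tamper-evident audit trail for section 5.10's who/what/how/when record.

Added example, not from the manual. Chaining records with SHA-256 is a
common technique the manual does not name; the events are constructed.
"""
import hashlib
import json

GENESIS_HASH = "0" * 64   # anchor for the first record of a trail


def _record_hash(prev_hash, record):
    """Hash a record's content together with the previous record's hash."""
    content = {k: v for k, v in record.items() if k != "hash"}
    payload = json.dumps({"prev": prev_hash, **content},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self):
        self.records = []

    def append(self, who, what, how, document, when):
        """Record one action. `when` is an ISO-8601 timestamp supplied by the
        caller so that the trail built here is reproducible."""
        prev = self.records[-1]["hash"] if self.records else GENESIS_HASH
        record = {"seq": len(self.records) + 1, "who": who, "what": what,
                  "how": how, "document": document, "when": when}
        record["hash"] = _record_hash(prev, record)
        self.records.append(record)
        return record


def verify(records):
    """Return 0 if the stored chain is intact, otherwise the 1-based position
    of the first record whose content, order or link no longer matches."""
    prev = GENESIS_HASH
    for position, record in enumerate(records, start=1):
        if record.get("seq") != position or record.get("hash") != _record_hash(prev, record):
            return position
        prev = record["hash"]
    return 0


def sample_trail():
    """Constructed trail: a payment order passing through the double
    signature system and being booked."""
    trail = AuditTrail()
    trail.append("ayse", "initiated payment", "payment order form", "PO-1002", "2024-03-01T09:15:00Z")
    trail.append("mehmet", "approved", "first signature", "PO-1002", "2024-03-01T10:02:00Z")
    trail.append("fatma", "approved", "second signature", "PO-1002", "2024-03-01T11:40:00Z")
    trail.append("ali", "booked", "accounting entry", "PO-1002", "2024-03-02T08:05:00Z")
    return trail


def tampered_copy(records, position, **changes):
    """Copy the stored records and alter one of them (to exercise verify)."""
    copied = [dict(r) for r in records]
    copied[position - 1].update(changes)
    return copied


if __name__ == "__main__":
    trail = sample_trail()
    print("intact:", verify(trail.records))                                   # 0
    print("edited:", verify(tampered_copy(trail.records, 2, who="someone")))  # 2
    print("removed:", verify([r for r in trail.records if r["seq"] != 2]))    # 2
```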
5.11 Business continuity (or emergency plans)
Adequate measures are in place to ensure continuity of service in case of an interruption of business as usual. Business Continuity Plans are in place to ensure that the entity is able to continue operating, to the extent possible, whatever the nature of a major disruption.
5.12 Control activities related to Information Technology (IT)
IT systems entail specific types of control activities, which should be introduced in organisations by their managers. These mechanisms for information systems control consist of two major groups: general control mechanisms and applications control mechanisms (applications controls).
General control mechanisms are applicable to all operations and contribute to their proper implementation. The applications control mechanisms include both procedures programmed in the software product itself and procedures that must be carried out manually in order to exercise control over the processing of different operations. The general control mechanisms are needed for the functioning of the applications control mechanisms: the absence of sufficient general controls cannot be offset by applications controls.
Usually, general control mechanisms are used in information analysis and processing centres, for the installation and maintenance of software products, and for the definition of access to information:
- controls for information analysis and processing centres – they include the organisation and planning of works, the intervention of the respective administrators/operators, procedures for saving and subsequent use of information, and back-up and contingency plans;
- software controls – these refer to the acquisition, installation and maintenance of the software products necessary for the maintenance of the entire system and for the processing of software applications;
- access definition controls – these ensure protection against unauthorised access. Access definition restricts users by allowing them to use and perform operations only with particular software products, thus ensuring segregation of responsibilities.
General software controls built in during the development of the system entail detailed application tests and allow checking of the appropriateness of the program's rationale and whether all errors will be detected. After the system is built, the controls for access to and maintenance of the system give assurance that nobody can use or make changes in the applications without the appropriate authorisation, and that all necessary changes are made in accordance with the established procedure for authorisation and approval.
The applications control mechanisms support internal control by preventing the entry of wrong data into the system, and by detecting and correcting errors based on automated procedures for control over data form and content. The prevention and detection of these errors is programmed in the respective application. The applications control mechanisms analyse the data on-line (simultaneously with their entry into the system), provide ongoing information in case of a detected error and ensure immediate correction.
The use of both types of controls provides assurance that the information is analysed and processed completely, correctly and accurately.
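The applications controls described above, as an added example that is not the manual's own code: edit checks that reject wrong data at entry (form and content), a numerical-sequence check on document numbers, and a comparison of the file total with a control account figure, which are the three mechanical activities Annex 2 lists under "Information processing". The field rules, cost centre master data, document numbers, amounts and control total are constructed.

```python
"""Application controls over a batch of entered payment orders (section 5.12;
Annex 2, Information processing): edit checks, sequence check, file total.

Added example, not from the manual. All rules and sample values are constructed.
"""
import re
from datetime import date
from decimal import Decimal, InvalidOperation

ORDER_NUMBER = re.compile(r"^PO-(\d{4})$")
COST_CENTRES = {"ADM", "FIN", "ICT"}   # constructed master data


def edit_check(row):
    """Return the edit-check failures for one row; an empty list means the
    row may be accepted for processing."""
    errors = []
    if not ORDER_NUMBER.match(row.get("number", "")):
        errors.append("number: must look like PO-0000")
    try:
        amount = Decimal(row.get("amount", ""))
        if amount <= 0:
            errors.append("amount: must be positive")
        elif amount.as_tuple().exponent < -2:
            errors.append("amount: more than two decimal places")
    except InvalidOperation:
        errors.append("amount: not a number")
    try:
        date.fromisoformat(row.get("date", ""))
    except ValueError:
        errors.append("date: not a valid ISO date")
    if not row.get("payee", "").strip():
        errors.append("payee: missing")
    if row.get("cost_centre") not in COST_CENTRES:
        errors.append("cost_centre: unknown")
    return errors


def sequence_check(numbers):
    """Gaps and duplicates in the numeric part of well-formed document numbers."""
    seen = [int(m.group(1)) for m in map(ORDER_NUMBER.match, numbers) if m]
    gaps = sorted(set(range(min(seen), max(seen) + 1)) - set(seen)) if seen else []
    duplicates = sorted({n for n in seen if seen.count(n) > 1})
    return gaps, duplicates


def process_batch(rows, control_total):
    """Run the edit checks, the sequence check and the file-total comparison
    over one batch; the control total is the figure recorded independently
    of data entry (e.g. on the batch register)."""
    accepted, rejected = [], []
    for row in rows:
        errors = edit_check(row)
        if errors:
            rejected.append((row.get("number"), errors))
        else:
            accepted.append(row)
    gaps, duplicates = sequence_check([r.get("number", "") for r in rows])
    file_total = sum((Decimal(r["amount"]) for r in accepted), Decimal("0"))
    return {
        "accepted": [r["number"] for r in accepted],
        "rejected": rejected,
        "sequence_gaps": gaps,
        "duplicate_numbers": duplicates,
        "file_total": file_total,
        "difference": file_total - control_total,   # non-zero: investigate
    }


# Constructed batch: three good rows (one keyed twice) and three with errors.
SAMPLE_ROWS = [
    {"number": "PO-0001", "amount": "100.00", "date": "2024-03-01", "payee": "Supplier A", "cost_centre": "ADM"},
    {"number": "PO-0002", "amount": "250.50", "date": "2024-03-01", "payee": "Supplier B", "cost_centre": "FIN"},
    {"number": "PO-0002", "amount": "250.50", "date": "2024-03-01", "payee": "Supplier B", "cost_centre": "FIN"},
    {"number": "PO-0004", "amount": "12.345", "date": "2024-03-02", "payee": "Supplier C", "cost_centre": "ICT"},
    {"number": "PO-0005", "amount": "80.00", "date": "2024-03-02", "payee": "", "cost_centre": "ADM"},
    {"number": "PO-0006", "amount": "40.00", "date": "2024-02-30", "payee": "Supplier D", "cost_centre": "XYZ"},
]
SAMPLE_CONTROL_TOTAL = Decimal("681.00")   # register total handed over with the batch


def sample_batch():
    return process_batch(SAMPLE_ROWS, SAMPLE_CONTROL_TOTAL)


if __name__ == "__main__":
    for key, value in sample_batch().items():
        print(f"{key}: {value}")
```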
5.13 Assessing costs and benefits of control activities
After the initial selection of control activities to reduce the impact of risks, risk owners should evaluate the costs and expected benefits of each control activity. If the costs of a control activity exceed its expected benefits, the control activity should not be selected.
6 Practical Stages for Control Activities
Practical steps for control activities are briefly indicated in the following table. Since control activities are linked to risks, points on risk management are provided in stages 1, 2 and 3, whereas points on control activities are provided in stages 4 and 5. For further details on stages 1, 2 and 3 please refer to the risk management chapter.
CA Table 1 – Stages for control activities
Stage 1: Identify objectives.
Stage 2: Identify risks to achieving objectives.
Stage 3: Select the method of responding to risks: accepting; controlling; transferring; avoiding; taking the opportunity.
Stage 4: Select the control method(s): preventative; detective; corrective; directive.
Stage 5: Select the type of control activities: authorisation and approval; segregation of duties; double signature system; reconciliation of data; supervision; ex-ante controls (checking compliance with the law); accounting covering all financial processes; anti-corruption; access to assets and information; documentation, archiving and information storage; business continuity; information technology. Or refer to CA Annex 2, List of common control activities.
7 Steps to identify and implement control activities
Step 1: Administrations, when assessing their risks, review their systems and processes to determine whether they have existing controls to mitigate their risks. (Administrations where risk management will be implemented for the first time in the framework of the principles mentioned in this manual should list and evaluate all the existing control activities. Those control activities that don't match the objectives and the risks of the administration should be terminated.)
Step 2: Administrations assess whether these existing controls are effective/sufficient in terms of mitigating risks.
Step 3: If there are no existing controls, or the existing controls are not effective/sufficient, new and/or additional control activities are determined. (To help you decide which control activities to select, you may refer to the list of control activities at Annex 2.) In this step it will be useful to consider the following:
- it may be appropriate to select more than one control activity;
- any new control activities you select must be evaluated for cost-effectiveness; and
- appropriate control activities should be tested beforehand.
Step 4: New control activities are not foreseen for those high risks that are managed effectively/sufficiently with the existing controls; the existing control activities should continue.
Step 5: Risk owners, once the risk register has been approved, have to put in place the new control activities and also ensure that monitoring of both the new controls and the existing controls that are being continued starts at the predetermined starting date.
Step 6: Stakeholders are notified in writing about the control activities and whether they are working effectively.
Step 7: The risk owner, while reporting the risks in the Consolidated Risk Report (Risk Management Annex 4), will notify the manager/risk coordinator how well the new control activities and the existing controls that are being continued are working. This reporting involves writing a summary of what has happened, identifying the impact of the new control activities and of the existing controls that are being continued, and attaching any evidence to the report as an annex.
Control Activities Annexes
Annex 1 – Examples of some common risks and controls
(Each entry gives the common risk, followed by possible control activities and their type.)

Risk management
  Common risk: Risks are not being managed effectively, and so the organisation's objectives may not be achieved.
  Possible control activities:
  - Risk workshops are organised to determine risks, allocate owners, determine controls and how their operation is monitored – corrective.

Cash management
  Common risk: Cash holdings could be stolen.
  Possible control activities:
  - Cash is kept locked away and access to it is strictly controlled – preventive.
  - There is segregation of duties for staff who have access to cash – preventive.
  - Cheques and other payment forms are serially numbered – preventive.

Asset management
  Common risk: Assets could be stolen.
  Possible control activities:
  - Physical controls, for example using a safe – preventive.
  - Separation of duties, authorisation levels, passwords – preventive; and
  - Tagging of goods, reconciliations, stock counts – detective.

Document control
  Common risk: Documents received could be lost.
  Possible control activities:
  - Keeping a register that shows where all the received documents are filed – preventive.
  Common risk: Due to document control procedures not being clear and specific, decisions are not being taken on time.
  Possible control activities:
  - The document control procedure defines the controls needed to: approve documents for adequacy prior to issue; ensure that changes and the current revision status of key documents (strategic plan, performance programmes, etc.) are identified; ensure that previous versions of applicable documents are available at points of use; ensure that the distribution of sensitive and classified documents is controlled; and identify documents that should be archived – all preventive.

Planning and budgeting
  Common risk: Budget resources may be spent inappropriately.
  Possible control activities:
  - Effective planning/budgeting process – preventive.
  - Staff have received training in budget preparation – preventive.
  - Comparison of interim and final accounts and activity reports with the strategic plan, performance programme and the budget – detective.
  Common risk: Financial information may not be accurate and complete.
  Possible control activities:
  - Financial information being stored or reported on the computer – preventive.

Procurement
  Common risk: Error and fraud could occur in the procurement process.
  Possible control activities:
  - Separation of duties between staff making decisions, staff selected for the tender commission and staff involved in payments – preventive.
  - Applying ex-ante controls to the award decision before the signing of the contract – preventive.
  - Random checks on transactions by authorised staff – detective.
  - Identifying purchasing thresholds – preventive.
  - Requirement to seek the ex-ante approval of a senior manager or the Minister for some high-value procurements (double signature system) – preventive; and
  - Regular rotation of staff who have critical responsibilities in the procurement process – preventive.

Stores
  Common risk: Unauthorised removal of goods from store.
  Possible control activities:
  - Physical stock checks against inventory records – detective.
  Common risk: Goods ordered but not delivered on time, or partially delivered.
  Possible control activities:
  - Including penal provisions in the contract regarding any failure to deliver goods on time – corrective.
  - Comparison between invoices, goods delivery notes and the contract – detective.

Revenue management
  Common risk: Delays in submitting tax statements on time and the failure to collect revenues on a timely basis.
  Possible control activities:
  - Incentives for timely submission of tax statements (advance warning, posters, etc.) – directive.
  - Incentives for on-line submission of tax statements – preventative.
  - Penalties for late submission – preventative.

Contingency planning
  Common risk: A major 'incident' destroys important data.
  Possible control activities:
  - A Business Contingency Plan exists, has been tested and is kept up to date – preventive.

IT security
  Common risk: Unauthorised staff may obtain access to computerised data.
  Possible control activities:
  - Personal identifiers and passwords – preventative.
  - Review of on-line access and transaction logs – detective.
  Common risk: Master files may be changed inappropriately.
  Possible control activities:
  - Supervisor authorisation required on forms indicating the data to be changed – preventive.
  - Supervisor does not have change access rights – preventive; and
  - Supervisor verifies changes against a printout of changes – detective.
Annex 2 List of common control activities
Category Control Activity
Risk management
Appropriate risk
management policies
procedures techniques
and mechanisms exist for
each of the organisationrsquos
activities
Management has ensured that all relevant objectives
and associated risks for each significant activity have
been identified in conjunction with conducting the
risk assessment and analysis function
Management has identified the actions and control
activities needed to address the risks and directed
their implementation
Implementing control activities
The control activities
identified as necessary are
in place and being
applied
Management has ensured that
Control activities described in policy and procedures
manuals are actually applied and applied properly
Managers and employees understand the purpose of
internal control activities
Nominated staff review the functioning of established
control activities and remain alert for instances in
which excessive control activities should be
minimised
For existing control activities look out for
Guidance ndash it is likely that there will be official
guidance about how to carry out your work
Documentation ndash there may be standard document
control procedures to ensure that new documents
are registered and filed changes to documents are
recorded and documents no longer in use are
archived
Checking the work of others ndash this is a basic control
activity that can involve a supervisor or manager
checking the work of staff staff in one section
checking the work of staff in another section or
computer checks There may also be a requirement
for transactions to be checked by the SDU under the
ex ante control regulation
Security ndash protecting documents cash and assets
and
Contingency arrangements - ensuring the
continuation of essential services in the event of a
service failure
Performance monitoring
Senior management track
outturn in relation to its
operational and
performance plans
Top management are involved in developing annual
performance plans and targets and measuring and
reporting results against those plans and targets
Top management regularly review actual
performance against budgets forecasts and prior
period results
Top management take appropriate corrective action
88
Category Control Activity
when progress reports indicate that performance is
significantly out of line with plans
Operational managers
review actual
performance against
targets
Managers at all activity levels review performance
reports analyse trends and measure results against
targets
Managers review and compare financial budgetary
and operational performance to planned or
expected results
Appropriate control activities are employed such as
reconciliations of summary information to supporting
detail checking the accuracy of summarisations of
operations and checking the reliability of data
sources and data systems
Comparisons are made relating different sets of data
to one another so that analyses of the relationships
can be made and corrective actions can be taken if
necessary
Investigation of unexpected results or unusual trends
leads to identification of circumstances in which the
achievement of goals and objectives may be
threatened and corrective action is taken
Analysis and review of performance indicators and
results are used for both operational and financial
reporting control purposes
Quality of performance measures and indicators
The organisation monitors the quality of performance measures and indicators.
- The organisation periodically reviews and validates the propriety and integrity of performance measures and indicators.
- Performance measurement assessment factors are evaluated to ensure they are linked to mission goals and objectives, are balanced, and set appropriate incentives for achieving goals while complying with law, regulations and ethical standards.
- Actual performance data is continually compared against planned goals and differences are analysed to establish whether the right things are being measured in the right way.

Human resource management
The organisation effectively manages its workforce to achieve results.
- A clear and coherent shared vision of the organisation's mission, goals, values and strategies is explicitly identified in the strategic plan, annual performance plan and other guiding documents, and that view has been clearly and consistently communicated to all employees.
- The organisation has a coherent overall manpower planning strategy, as evidenced in its strategic plan, performance plan or a separate manpower planning document, and that strategy encompasses manpower planning policies, programs and practices to guide the organisation.
- The organisation has a specific and explicit workforce planning strategy linked to the overall strategic plan that allows for identification of current and future manpower planning needs.
- Senior leaders and managers support teamwork, reinforce the shared vision of the organisation and encourage feedback from employees, as evidenced by actions taken to communicate this to all employees and the existence of opportunities for management to obtain feedback.
- The organisation's performance management system is given a high priority by top-level officials and is designed to guide the workforce to achieve the organisation's shared vision and mission.
- Procedures are in place to ensure that staff with appropriate competencies are recruited and retained for the work of the organisation, including a formal recruiting and hiring plan with explicit links to skill needs the organisation has identified.
- Employees are provided with information, training and tools to perform their duties and responsibilities, improve performance, enhance their capabilities and meet the demands of changing organisational needs.
- Qualified and continuous training is provided to ensure that internal control objectives are being met.
- Meaningful, honest, constructive performance evaluation and feedback are provided to help employees understand the connection between their performance and the achievement of the organisation's goals.
Information processing
The organisation uses a variety of control activities suited to information processing systems to ensure accuracy and completeness.
- Edit checks are used in controlling data entry.
- Accounting for transactions is performed in numerical sequences.
- File totals are compared with control accounts.
- Exceptions or violations indicated by other control activities are examined and acted upon.
- Access to data files and programs is appropriately controlled.

Physical Control Over Vulnerable Assets
The organisation uses physical controls to secure and safeguard vulnerable assets.
- Physical safeguarding policies and procedures have been developed, implemented and communicated to all staff.
- The organisation has developed a disaster recovery plan which is regularly tested, updated and communicated to staff.
- The organisation has developed a plan for the identification and protection of any critical infrastructure assets.
- Assets that are particularly vulnerable to loss, theft, damage or unauthorised use, such as cash, securities, supplies, inventories and equipment, are physically secured and access to them controlled.
- Assets such as cash, securities, supplies, inventories and equipment are periodically counted and compared to control records, and exceptions examined.
- Cash and negotiable securities are maintained under lock and key and access to them strictly controlled.
- Forms such as blank checks and purchase orders are sequentially pre-numbered and physically secured, and access to them strictly controlled.
- Mechanical check signers and signature plates are physically protected and access to them strictly controlled.
- Equipment vulnerable to theft is securely fastened or protected in some other manner.
- Identification plates and numbers are attached to office furniture and fixtures, equipment and other portable assets.
- Inventories, supplies and finished items/goods are stored in physically secured areas and protected from damage.
- Facilities are protected from fire by fire alarms and sprinkler systems.
- Access to premises and facilities is controlled by fences, guards and/or other physical controls.
- Access to facilities is restricted and controlled during non-working hours (alarms, CCTV, etc.).
Separation of duties
Key high-risk and sensitive duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud.
- No one individual is allowed to control all key aspects of a transaction or event.
- Responsibilities and duties involving transactions and events are separated among different employees with respect to authorisation, approval, processing and recording, making payments or collection of income, review and auditing, and the custodial functions and handling of related assets.
- Duties are assigned systematically to a number of individuals to ensure that effective checks and balances exist.
- Where feasible, no one individual is allowed to work alone with cash, securities or other assets.
- The responsibility for opening mail which contains cash is assigned to individuals who have no responsibilities for, or access to, files or documents pertaining to accounts receivable or cash accounts.
- Bank accounts are reconciled by staff who have no responsibilities for cash receipts, disbursements or custody.

Authorisation for transactions or events
Appropriate staff is authorised for transactions and other significant events.
- Controls ensure that only valid transactions and other events are initiated or entered into, in accordance with management decisions and directives.
- Controls exist to ensure that all transactions and other significant events are authorised and executed only by employees acting within the scope of their authority.
- Authorisations are clearly communicated to managers and employees and include the specific conditions and terms under which authorisations are to be made.
- The terms of authorisations are in accordance with directives and within limitations established by law, regulation and management.

Recording transactions and events
Transactions and other significant events are properly classified and promptly recorded.
- Transactions and events are appropriately classified and promptly recorded so that they maintain their relevance, value and usefulness to management in controlling operations and making decisions.
- Proper classification and recording take place for each transaction or event.

Accountability for and access restrictions to resources and records
Access to resources and records is limited and accountability for their custody is clearly allocated.
- The risk of unauthorised use or loss is controlled by restricting access to resources and records only to authorised staff.
- Accountability for resources and records custody and use is assigned to specific individuals.
- Access restrictions and accountability assignments for custody are recorded and periodically reviewed.
- Periodic comparison of resources with the recorded accountability is made to determine if the two agree, and differences are examined.
- How frequently actual resources are compared to records, and the degree of access restrictions, are functions of the vulnerability of the resource to the risk of errors, fraud, waste, misuse, theft or unauthorised alteration.
- Management considers such factors as asset value, portability and exchangeability when determining the appropriate degree of access restrictions.
- As a part of assigning and maintaining accountability for resources and records, management informs and communicates those responsibilities to specific individuals within the organisation and ensures that those people are aware of their duties for appropriate custody and use of those resources.
Documentation
Internal control, transactions and other significant events are clearly documented.
- Written documentation exists covering the organisation's internal control structure and for all significant transactions and events.
- The documentation is readily available for examination.
- The documentation for internal control includes identification of the organisation's activity-level functions and related objectives and control activities, and appears in management directives, administrative policies, manuals and other guidance.
- Documentation for internal control includes documentation describing and covering management information systems, data collection and handling, and the specifics of general and application controls related to such systems.
- Documentation of transactions and other significant events is complete and accurate and facilitates tracing the transaction or event and related information from authorisation and initiation, through its processing, to after it is completed.
- Documentation, whether in paper or electronic form, is useful to those involved in controlling, evaluating or analysing operations.
- All documentation and records are properly managed, maintained and periodically updated.
General computer controls
The organisation periodically performs a comprehensive high-level assessment of risks to its information systems.
- Risk assessments are performed and documented regularly and whenever systems, facilities or other conditions change.
- Risk assessments consider data sensitivity and consistency.

Effective computer security controls are in operation and are monitored.
- The organisation has developed a plan that clearly describes the organisation-wide security plan and the policies and procedures that support it.
- Senior management have established a structure to implement and manage the IT security program throughout the agency, and security responsibilities are clearly defined.
- The organisation monitors the security plan's effectiveness and makes changes as needed.
- Corrective actions are promptly and effectively implemented and tested, and they are continually monitored.

Effective computer access controls are in place and are monitored.
- Information resources are classified according to their criticality and sensitivity.
- Resource classifications and related criteria have been established and communicated to resource owners.
- Resource owners have classified their information resources based on approved criteria and with regard to risk determinations and assessments, and have documented those classifications.
- Resource owners have identified authorised users, and their access to the information has been formally authorised.
- The organisation monitors information systems access, investigates apparent violations and takes appropriate remedial action.
- The organisation has established physical and logical controls to prevent or detect unauthorised access.

Application software development and change controls are in place and are monitored.
- Application software modifications are properly authorised.
- All new or revised software is thoroughly tested and approved.
- The organisation has established procedures to ensure control of its software libraries, including labelling, access restrictions and the use of inventories and separate libraries.
- All key activities are monitored.

Effective system software controls are in place and are monitored.
- The organisation limits access to system software based on job responsibilities, and access authorisation is documented.
- Access to and use of system software are controlled and monitored.
- The organisation controls changes made to system software.

There is effective separation of duties for IT operations.
- Incompatible duties have been identified and policies implemented to segregate those duties.
- Access controls have been established to enforce segregation of duties.

Controls ensure the continuity of IT services.
- The criticality and sensitivity of computerised operations have been assessed and prioritised, and supporting resources have been identified.
- The organisation has taken steps to prevent and minimise potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
- Management have developed and documented a comprehensive IT service contingency plan.
- The organisation periodically tests the contingency plan and adjusts it as appropriate.
Computer application controls
Source documents are controlled and require authorisation.
- Access to blank source documents is restricted.
- Source documents are pre-numbered sequentially.
- Key source documents require authorising signatures.
- For batch application systems, batch control sheets are used, providing information such as date, control number, number of documents and control totals for key fields.
- Senior management or independent review of data occurs before it is entered into the application system.
- Data entry terminals have restricted access.
- Master files and exception reporting are used to ensure that all data processed are authorised.

Completeness controls
- All authorised transactions are entered into and processed by the computer.
- Reconciliations are performed to verify data completeness.

Accuracy controls
- The organisation's data entry design features contribute to data accuracy.
- Data validation and editing are performed to identify erroneous data.
- Erroneous data is captured, reported, investigated and promptly corrected.
- Output reports are reviewed to help maintain data accuracy and validity.

Control Over Integrity of Processing and Data Files
- Procedures ensure that the current version of programs and data files are used during processing.
- Programs include routines to verify that the proper version of the computer file is used during processing.
- Programs include routines for checking internal file header labels before processing.
- The application protects against concurrent file updates.
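The batch control sheet, sequence and completeness checks listed above, worked through as an added Python example that is not part of the manual: a reconciliation routine compares the keyed records against the sheet's document count and control total, checks the pre-numbered document run for gaps and duplicates, and confirms that each document carries the signature of an approved officer. The batch data, control numbers and signer list are constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class BatchControlSheet:
    """Figures recorded on the batch control sheet before data entry starts."""
    control_number: str
    batch_date: str
    document_count: int      # number of source documents in the batch
    control_total: Decimal   # control total for the key field (amount)
    first_document: int      # first pre-numbered source document in the run


@dataclass(frozen=True)
class EnteredRecord:
    """One transaction as keyed into the application system."""
    document_number: int     # pre-printed sequence number of the source document
    amount: Decimal
    authorised_by: str       # authorising signature noted on the document ("" if none)


@dataclass
class ReconciliationResult:
    control_number: str
    balanced: bool                                        # True: release for processing
    exceptions: List[str] = field(default_factory=list)   # otherwise held for investigation


def reconcile_batch(sheet: BatchControlSheet,
                    records: Iterable[EnteredRecord],
                    authorised_signers: Set[str]) -> ReconciliationResult:
    """Compare keyed records with the batch control sheet and list every exception."""
    records = list(records)
    exceptions: List[str] = []

    # Completeness: the number of documents keyed must equal the count on the sheet.
    if len(records) != sheet.document_count:
        exceptions.append(
            f"COUNT: sheet says {sheet.document_count}, entered {len(records)}")

    # Accuracy: the control total on the key field must agree exactly (Decimal, not float).
    entered_total = sum((r.amount for r in records), Decimal("0"))
    if entered_total != sheet.control_total:
        exceptions.append(
            f"TOTAL: sheet {sheet.control_total}, entered {entered_total} "
            f"(difference {entered_total - sheet.control_total})")

    # Sequence: pre-numbered documents must form an unbroken, unduplicated run.
    expected = set(range(sheet.first_document,
                         sheet.first_document + sheet.document_count))
    seen: Dict[int, int] = {}
    for r in records:
        seen[r.document_number] = seen.get(r.document_number, 0) + 1
    for number, times in sorted(seen.items()):
        if times > 1:
            exceptions.append(f"DUPLICATE: document {number} entered {times} times")
        if number not in expected:
            exceptions.append(f"UNEXPECTED: document {number} is not on this batch sheet")
    for number in sorted(expected - set(seen)):
        exceptions.append(f"MISSING: document {number} is on the sheet but was not entered")

    # Authorisation: each key document carries the signature of an approved officer.
    for r in records:
        if r.authorised_by not in authorised_signers:
            exceptions.append(
                f"UNAUTHORISED: document {r.document_number} signed by "
                f"{r.authorised_by or '<none>'}")

    return ReconciliationResult(sheet.control_number, not exceptions, exceptions)


# Constructed list of officers whose signature authorises a payment document.
SIGNERS = {"A. Yilmaz", "B. Demir"}


def sample_clean_batch() -> ReconciliationResult:
    """Constructed batch that balances: documents 501-503 totalling 1040.00."""
    sheet = BatchControlSheet("B-017", "2024-03-04", 3, Decimal("1040.00"), 501)
    records = [
        EnteredRecord(501, Decimal("250.00"), "A. Yilmaz"),
        EnteredRecord(502, Decimal("390.00"), "B. Demir"),
        EnteredRecord(503, Decimal("400.00"), "A. Yilmaz"),
    ]
    return reconcile_batch(sheet, records, SIGNERS)


def sample_faulty_batch() -> ReconciliationResult:
    """Constructed batch with typical keying failures: 602 entered twice,
    603 never entered, and an unsigned document from another batch keyed in."""
    sheet = BatchControlSheet("B-018", "2024-03-04", 3, Decimal("900.00"), 601)
    records = [
        EnteredRecord(601, Decimal("300.00"), "A. Yilmaz"),
        EnteredRecord(602, Decimal("300.00"), "B. Demir"),
        EnteredRecord(602, Decimal("300.00"), "B. Demir"),  # duplicate keying
        EnteredRecord(604, Decimal("50.00"), ""),            # wrong batch, no signature
    ]
    return reconcile_batch(sheet, records, SIGNERS)


if __name__ == "__main__":
    for result in (sample_clean_batch(), sample_faulty_batch()):
        print(result.control_number, "balanced" if result.balanced else result.exceptions)
```

An unbalanced batch is held rather than released; the exception list is the input to the "exceptions examined and acted upon" step in the table above.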
Annex 3 - Illustrations for cost benefit analysis
Example 1
You are considering hiring a junior clerk to carry out a 100 per cent check on all payments your spending unit makes (checking each agrees to the supporting documents) to ensure the correct amount is paid. This is an ex-ante control, as the check is made prior to the payment. You estimate that this task will occupy the junior clerk for 100 per cent of their working time.
Cost of the junior clerk: 2500 YTL a month (1200 salary plus 1300 contribution to overheads, e.g. heating the building).
Scenario A
Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 3000 YTL a month.
Decision: this control activity is cost effective and the junior clerk should be employed to do this checking.
Scenario B
Cost: same as above.
Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 2000 YTL a month.
Decision: this control activity is not cost effective and the junior clerk should not be employed on a full-time basis to do this checking. You can rely on other controls instead.
Possibilities
- Focus checking on only the highest-value or riskiest payments. This will only employ the clerk for 50 per cent of their time. If you estimate that it will find, on average, errors of overpayment of 1600 YTL a month (i.e. over 50 per cent of the clerk's cost), this is a better alternative control; or
- Don't do any checking; rely on the separation of duties control (a different clerk raises the payment from the one that enacts the payment) to prevent fraudulent overpayments.
Example 2
You do not currently employ any public relations expert.
In the absence of any control on dealings with the press, you assess the risk of reputational damage as being high likelihood and high impact.
Cost of the expert in public relations: 4500 YTL a month (2500 salary plus 2000 contribution to overheads, e.g. heating the building).
Scenario 1
You have a low risk appetite in terms of reputational damage and consider that the benefit of all dealings with the press going through the expert in public relations will successfully mitigate the risk to within your risk appetite (by considerably reducing the likelihood of reputational damage through ill-advised comments being given to the press). You consider that this risk mitigation is so important to your administration that it justifies the employment of the expert in public relations.
Decision: you employ the expert in public relations.
Scenario 2
You have a high risk appetite in terms of reputational damage and consider that the risk of reputational damage through ill-advised comments being given to the press, without employing the expert in public relations, is equal to or less than your risk appetite for this risk. You thus consider that the benefit of employing the expert is outweighed by the cost. You therefore consider that it is not cost-effective to employ the expert in public relations.
Decision: you do not employ the expert in public relations.
Action: as the risk is equal to or less than your risk appetite for the reputational risk, you need not select an alternative control activity, but you should continue to review it in the future, as the decision may change if your risk appetite reduces or your assessment of the likelihood and/or impact of the risk increases.
INFORMATION AND COMMUNICATION
1 INTRODUCTION
Information and communication, as the fourth of the five components of the COSO internal control model, ensures the relation between the control environment, risk assessment and control activities through the sharing of information and communication. It plays an important role in increasing the functionality and operational competence of the internal control system, which is regarded as a tool for attaining organisational objectives and aims, as it regulates the information flow within the administration.
The aim of this chapter of the manual is to give information, within the framework of the internal control standards, about structures and practices related to the use of information and communication mechanisms, and to provide guidance for users about reporting, registry and filing systems and the methods to be used in notifying faults, irregularities and corruption, with a view to ensuring that administrations carry out their activities in line with their objectives as well as accounting for their activities.
Communication refers to the transformation and conveyance of information within the organisation, vertically and horizontally, and externally via proper mechanisms to relevant people, administrations and bodies. Administrations must aim to establish an effectively managed and well coordinated communication system that meets the information needs of managers, staff and the public.
In the event that information and communication systems do not function as expected, managers and staff may come up against the risk of not being able to make timely and right decisions, not being able to implement those decisions and, ultimately, not being able to achieve the objectives. In this regard, information should be accessible, useful, timely, accurate, complete and up-to-date.
2 Information and Communication Standards
Information and communication includes the information, communication and record system which will ensure the transfer of the required information to the person, personnel and administrator who need it, in a determined format and within a time period which enables the concerned to fulfil internal control and their other responsibilities.
IC Box 1 Information and Communication Standards
(Figure: the five COSO components - Control Environment, Risk Management, Control Activities, Information & Communication, Monitoring)
Standard 13 Information and communication
The administrations shall have a suitable information and communication system with a view to ensuring that the performance of the units and the personnel is monitored, decision making processes operate soundly, and efficiency and satisfaction in providing service.
Standard 14 Reporting
Goals, objectives, indicators and activities of the administration, and the results of them, shall be reported in accordance with the principles of transparency and accountability.
Standard 15 Record and filing system
The administrations shall have a comprehensive and up-to-date system where the works and transactions, including incoming and outgoing documents, are recorded, classified and filed.
Standard 16 Notification of faults, irregularities and corruptions
The administrations shall develop methods which will ensure that faults, irregularities and corruptions are notified in a specific order.
3 ROLES AND RESPONSIBILITIES IN INFORMATION AND COMMUNICATION
Minister
Ensures coordination and cooperation with other ministries and informs the public and the TGNA about the annual performance programme and activity report submitted to him by the administration.
Head of Administration
The Head of Administration must publish an announcement, via the internal communication network or an official letter, on what to do before the preparation of such documents as the strategic plan, performance program, activity report and Risk Strategy and Policy Paper, which need to be prepared in a way which will ensure attainment of pre-identified objectives in the fields the administration is responsible for.
Another duty of the Head of Administration is to sign the internal control assurance declaration and inform the public and the Minister.
As the quality of the information exchange and communication between the Head of Administration and the other actors has a direct effect on the accountability of the Head of Administration, the Head of Administration must guide the relevant units about the frequency and methods of feedback he prefers.
The Head of Administration must take notice of whether the current information system meets the needs during the set-up and integration of new information systems. If a new system is to be set up, it must be designed by taking integration with the other information systems into consideration.
Internal Auditor
As prescribed by Law no 5018, the internal auditors work to assess the internal control system under the Head of Administration. In this regard, internal auditors report to the Head of Administration whether the internal control system functions properly or not. Therefore, to be able to carry out their duties, internal auditors should be given unlimited access to every kind of information they need. Setting up such a mechanism depends on robust communication and flow of information between the internal auditors and the Head of Administration.
The Head of Administration is entitled to take preventive or corrective actions and develop new control activities based on the report submitted by the internal auditor, or to request additional reports.
Authorising Officer
Authorising Officers must ensure that the tasks, powers and responsibilities of staff are defined clearly and in writing and communicated to all staff. In this framework, a chart of duties which demonstrates the functional reporting network must be produced and communicated to the staff. A communication network that ensures quick and timely access by staff and managers to the activities and their results must be used. In this regard, the organisational chart of the administration can also include a diagram, on the intranet and internet, which shows the tasks of the sub-units and the responsible and authorised staff. The Authorising Officer must ensure that sub-units are informed about the activities of each other.
Authorising officers:
- must ensure that an electronic communication and archiving system is used effectively for the accurate and reliable acquisition, storage and communication of the information needed regarding the objectives, activities and indicators that are relevant to their respective units, from among those included in the strategic plan and performance program of the administration;
- must provide for the regular announcement, on the webpage of the unit, of the status of realisation regarding the performance objectives and indicators related to their respective units and the grounds for the data;
- must provide information for the periodical reporting to the SDUs that will be carried out by authorising officers (information about objectives and risks of the unit, status of realisation, etc.); and
- should transfer timely, complete and accurate information and documents regarding financial transaction processes to the Accounting Officer and set up mechanisms to store records and statistics.
Realisation Officer
Realisation officers, who are responsible for issuing spending orders, must periodically brief the authorising officer on the spending process. In this regard, the information on the spending order being complete, accurate, understandable and reliable plays a significant role in realisation officers fulfilling the tasks requested of them.
Accounting Officer
The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way. Accounting Officers must regularly report to the authorising officer on the accounting records.
Strategy Development Units
SDU managers must review the information included in the activity reports, performance programmes and strategic plans by holding periodic meetings with the authorising officers of other units. Personnel of SDUs must obtain the information that is needed in the field of financial management and control through these persons.
The necessary coordination for the formation of the team to carry out the studies on the establishment and development of Information Management Systems within the administration is provided by the SDU.
In fulfilment of the coordination duties of SDUs which are defined by laws, the Principles and Procedures of Internal Control and Ex-ante Financial Control, the Strategy Planning Guideline, the Legislation and Manual on Performance Programs to be Prepared in Public Administrations, and secondary and tertiary regulations such as the Budget Preparation Manual must be taken into consideration.
SDUs must have a webpage with forums, good practice examples and frequently asked questions to ensure communication with internal and external stakeholders, in order to carry out their tasks more effectively.
Central Harmonisation Unit
While carrying out its tasks in the field of information and communication:
- the CHU sets up a common (web-based) network where information can be shared;
- it organises trainings, panels and conferences for the actors that take part in the field of internal control;
- CHU members are assigned to be responsible for particular administrations to enhance information and communication with the SDUs of administrations. They communicate with SDUs and provide them with information and guidance via official letters, call centres, telephone, forums, etc.
Please refer to the CHU Handbook for further details on the roles and responsibilities of the CHU.
Besides the practices and methods in the area of information and communication given in this manual, public administrations must also take into consideration those regulations in the legislation which are directly related to the area of information and communication. These basic regulations are contained in IC Annex I.
4 INFORMATION
The prerequisite for reliable and proper information is the immediate recording and suitable classification of all operations and transactions. Internal control includes obtaining, classifying, recording, utilising and reporting both financial and non-financial information.
41 Characteristics of Information
The characteristics that the information used in public administrations must have are given below:
- Timely: Information should be obtained and transferred at the right time by the right personnel.
- Related: Information should be related to every activity, work or action.
- Available: Information holdings should be available to those who require them the moment they need them, and also later. Technology should be available to users in order to facilitate obtaining, storing, transferring and using information.
- Comprehensible: The description of information holdings must have the same meaning for users at all levels of the administration. In addition, information that is shared with external stakeholders must be clear and meaningful for the users.
- Usable: Information must meet the needs of its users in relation to the purposes for which it was received.
- Complete: Both the content and form of information should be complete in order to provide for efficient and effective use of information holdings.
- Accurate: Information must be able to reflect the points regarding the aims, objectives and activities it is related to accurately and correctly.
- Up-to-date: Information must be updated and related to the needs. A lack of up-to-date information can impair decision making and program delivery. Managers and personnel should take the necessary actions to keep information up-to-date.
42 Information Management
Information management is a process where information is planned, obtained from any kind of source internally or externally, classified, stored, communicated to relevant bodies in a timely manner for interpretation, reviewed for updating and destroyed. The stages of this process are complementary to each other. In any stage there may occur a need to take into consideration the phases of the previous or next stage.
IC Figure Information Management Process
421 Planning Information Need
The planning stage starts with identifying strategic aims and objectives and performance objectives, as well as identifying the information needs to achieve these objectives. This stage includes the assessment of who needs what information, when and why, and how they can acquire it, at all levels from the operational to the strategic activity level, in order for the administration to maintain its operations effectively.
In the planning stage the following factors must be taken into consideration:
- Internal and external information users must be defined and classified. The information needs of users must be determined. Information holdings must be examined to see whether the current information needs of the users can be met using them.
- While novel databases and information systems are designed, the risk of the information being disseminated to the public must be considered.
- The benefit and cost of information in terms of the users must be analysed.
- The information need for new legislative, strategic and operational aims must be defined along with the relevant information system requirements; furthermore, the person and the time to do this work must be set out.
- Emerging information needs must be compared to the present information and information systems within and outside the administration.
- For increasing the value or productivity, or decreasing the cost, of the systems in use, such methods as combining information systems, using novel technologies and standard practices can be referred to.
The value of information is not only about how it is used and kept but also about how and when it is going to be destroyed. Many factors, such as legislation, information policies and needs, may have an impact on how long to keep that information. Information which is being kept should be destroyed in accordance with the relevant legislation after the necessary approvals have been received.
(IC Figure, Information Management Process: Planning information need; Creating and collecting information; Organising information; Utilising and sharing information; Reviewing and keeping information)
422 Creating and Collecting Information
While producing and collecting information, first of all the value of the information for the administration must be set out, and it must be made sure that the people who need the information have access to it on time.

The information collection and creation process should focus on the following, and the information collected or created must have the capacity to meet the needs of the administration. To this end:

- The holdings must be periodically reviewed in order to determine whether the information that is created or collected continues to meet the identified needs, and it must be followed up whether users really use the information. A great deal of information may still be collected unnecessarily for a reason that was identified in previous periods. If the administration decides to stop collecting that information, it must first set out whether any individual or programme would be affected.
- The quality and scope of the information, its relation to the defined needs and whether it meets those needs should be understood in regular reviews. In addition, the implicit knowledge held by the staff must be turned into explicit information and incorporated into the information inventory. The information produced as a result of the process studies must be classified starting from the most frequently used to the least.
- Information must be compiled in information pools to be created. This information must be clear and understandable. The information in the pool must be open to access once it has been classified in accordance with the information hierarchy, such as strategic and operational. Management of the information pool must be carried out by a team who are competent in the processes to be formed within the administration.
- Legislation or policies may demand that certain information be collected by an administration. Therefore, the information that is collected must meet legislative and institution-specific policy requirements.

Information collection must be coordinated. To this end:

- all information collection activities must be accounted for, including all regions and organisational units, and the information collected must be accessible;
- the administration must ensure that information collection conforms to the applicable standards;
- information must be periodically reviewed in order to ensure that the requirements of the relevant legislation are respected (this might be done during the annual update of personal information); and
- before information is created or collected, existing information holdings must be reviewed to determine whether the information needs can be satisfied by existing holdings or by readily accessible external information sources.

The following are the leading sources of information:

- instructions, approvals, invoices, transaction orders, petitions;
- interactions between clients, vendors or other ministries and agencies;
- planning documents: budgets, forecasts, work plans, blueprints (technical or engineering designs);
- drafts, schemes of information architecture;
- reports, policy briefing notes and other documents supporting the activities and justifications;
- meeting documents: agendas, records of decisions;
- commission documents, job descriptions, member lists;
- requests for information and the responses: e-mails, forms used to collect responses, templates, related instructions, responses in every format;
- client records, applications, evaluations, e-mails, phone calls;
- every kind of data in electronic media; and
- information resources which could provide additional information.
Collecting Information from the Public/Private Sector

The response burden should be minimised to the lowest level possible in this process. To this end:

- the administration should determine from whom it will receive information, at what frequency and in what detail, as well as what burden this process will create for respondents; and
- there should be cooperation with other administrations on such issues as undertaking joint collection or information sharing.

The forms should meet all statutory and policy requirements. To this end, all forms, in both paper and electronic media, must be reviewed before they are put into use to ensure that the applicable requirements are met. Furthermore, a responsible person must be assigned.
4.2.3 Organising Information

The aim of organising information is to establish a link between the operations of the administration and the use, sharing, retrieval, archiving and destruction of information, and to facilitate the process for administrations and the other stakeholders.

The following steps must be taken for efficient information organisation:

- it must be ensured that users, both internal and external to the administration, are satisfied with their access to information. Methods should be established to measure user satisfaction (such as user surveys and questionnaires applied after completion of certain services, as well as periodically applied questionnaires);
- the custodians of information holdings (e.g. Data Processing Departments, Library Services, etc.) must identify the information needs of users and improve their services to better meet users' needs for quick and easy access, e.g. by shortening response time, using efficient and effective technology for transmission and designing a user-friendly system;
- information must be available for public dissemination and communicated to the public where and when appropriate, for instance by establishing structures such as e-libraries to facilitate public access;
- information made available for use by other administrations must be checked to see whether it is subject to any legal or policy constraints;
- administrations must have an up-to-date publications catalogue, which must be deposited in the administration's library. Published material must be catalogued according to established standards; and
- all documents published by the administration must be accessible on the administration's web page.
Registering, Filing and Archiving of Information

Registry and Filing

To ensure effective management, every kind of document, including electronic ones, and all internal communications, operations and transactions must be recorded, classified, filed and archived; there must be a comprehensive and up-to-date system for this.

If meaningful and valuable information for the control of activities and decision making is desired, all operations and transactions must be recorded immediately.

In order to ensure the quality of information and reporting, the fulfilment of internal control activities and responsibilities, and effective and efficient monitoring activities, all transactions need to be completely and clearly documented.

These documents should be easily accessible where needed.

The documents of the internal control system should include the structure and policies of the administration, the types of activities, the related objectives and the control procedures.

The registry process should be applied in a way that covers all the stages of a transaction, from the start and approval stages until its final classification. This also applies to the regular updating of documents.

Regardless of the media in which they are received (such as paper, fax, e-mail or electronic), documents should be recorded and kept within the framework of a registry plan that corresponds to at least one official file.

Registry procedures must be communicated to staff in writing.

In this context, Standard Filing Plan no. 2005/7, published in Official Gazette no. 25766 dated 24 March 2005 and prepared under the coordination of the Prime Ministry General Directorate of State Archives, must be taken as the basis for establishing a common method for all public administrations to file all documents, including electronic ones, and to ensure fast and easy access to them where necessary.

Ensuring standardisation in the filing system would help achieve harmony within the institution and, if it can be disseminated among all organisations, it would form the basis for an efficient and effective communication system across the country.

Standardisation of filing services would:

- ensure that documents about the same issues are codified using the same numbers in all organisations;
- facilitate easy and fast access to the right information and documents requested;
- make sorting, classifying and keeping documents and putting them into service easier, as standard file numbers will refer to the same issues in all organisations;
- ensure integrity and ease in the establishment of a tidy, fast, effective and efficient system of documents, files and communication;
- provide the infrastructure for the automation of documents and correspondence and the establishment of information networks among organisations; and
- facilitate internal and inter-organisational file and operation tracking: the document or information looked for would be found easily and in a short period of time.

The task of carrying out studies on the registry, usage and archiving of electronic documents was assigned to the General Directorate of State Archives by Decision no. 7 dated 9 September 2004 of the e-Transformation Executive Board; in accordance with Prime Ministry Circular no. 2008/16 on Electronic Document Standards, published in Official Gazette no. 26938 dated 16 July 2008, TSE Standard no. 13298 has been published. This Standard is the main source for the electronic document management systems to be used by all public organisations.

Electronic document management systems to be established by the administrations will comply with TSE Standard no. 13298; furthermore, inter-organisational sharing of the electronic documents produced will be carried out according to the criteria on electronic document sharing services set out at www.devletarsivleri.gov.tr.
Archiving Services

Archiving services include the identification of the materials held by administrations and staff that will become archive materials in the future, their protection against any losses, their preservation under proper conditions, their utilisation in accordance with national interests, and their weeding and disposal if they are not deemed necessary to maintain. The principles and procedures on archiving services have been set out in the Regulation on State Archiving Services, published in Official Gazette no. 19816 dated 16 May 1988 and amended by Official Gazette no. 25735 dated 22 February 2005.

As per this regulation, administrations have to take the necessary precautions to protect information and documents against disasters, theft, fire, etc., set out the procedures for the preservation of confidential documents, take measures to ensure that the documents remain legible in the future, and inform managers and staff about the proper preservation periods for the documents.
4.2.4 Using and Sharing Information

Using and sharing information is crucial in terms of accountability and transparency for those who take part in the activities of the administration and for other stakeholders.

Information is an asset which renews itself, takes on new forms and becomes more valuable as it is communicated and shared. Therefore, the regular communication and circulation of information within an administration is a principle of information management. Sharing administrative information reflects a cycle in which the information is communicated to the relevant persons, administrative work is notified, the reactions of the personnel are received, and the reactions are assessed, evaluated and communicated back to the relevant persons.

The following must be considered while using and sharing information:

- Comply with privacy, security and legal restrictions.
- Whenever possible, use electronic media to share information resources (e-mail, repositories, websites and so on).
- Ensure that information remains complete, accurate, up to date, relevant and understandable.
- Verify the accuracy and reliability of information (especially when conducting web-related research).
- Take advantage of administrative investments in information resources (magazine and journal subscriptions, databases, online library services and so on) while respecting copyright, licensing and intellectual property rights.
- When retaining information that has been 'copied', indicate the source, whether it is from an information resource already saved in the organisation's repository, from a publication or from a website.

Furthermore, transferring information from those who leave their jobs to those starting a new job is crucial to the continuity of activity in an administration. In this context, the following should be taken into consideration:
IC Table 1 What to do when leaving and starting a job

When leaving a job:
- Discuss your responsibilities with your manager when leaving the job, and determine and follow the internal policies for the administrative closure of your business processes.
- Provide pertinent information about everything you leave for your successor, explaining why it will be needed.
- Back up all job-related information held in electronic media and transfer it to the information pool.
- Transfer the documents under your responsibility to the relevant successor.
- Create a list of job-related website addresses, a summary of ongoing projects and related contact information, and an inventory of information resources (including file numbers) that will help your successor get used to his or her new job.
- Return, or extend the deadline for, material borrowed from the library.
- Remove the former employee's name from distribution lists.

When starting a new job:
- Check whether any electronic and paper information resources of business value have been transferred to your custody.
- Take note of any instructions or messages you receive regarding access to electronic tools such as a shared drive, business system or repositories.
- Familiarise yourself with your information management responsibilities and practices.
- Take part in training sessions on information management and recording.
- Add the new employee's name to the distribution list.
4.2.5 Reviewing and Protecting Information

Organisations must periodically review the main processes of information management, such as planning, producing, collecting, defining, accessing and using information, and share the results with managers.

Therefore, attention must be paid to the following:

- Store the information in a manner that preserves its form and status, keeping its structure, context and content intact.
- Mark each information resource according to its proper security classification, whether on paper or in an electronic document.
- Protect classified and protected information by ensuring it isn't left in waste or recycling containers and by storing it in locked desks or cabinets after work hours and during extended periods of absence.
- Implement effective access control procedures, ensuring that classified and protected information is only made available on a need-to-know basis to those who are authorised to access it.
- The level of protection must be consistent with the level of risk.
- Take requests for access and usage from other users into consideration and assess their compliance with the legislation.
- Periodically back up the information for protection purposes.
4.3 Information Security

Information can be stored on paper, kept in electronic format or transferred verbally. Regardless of its form, information must be properly recorded and protected. Information security means safeguarding valuable assets in an administration against loss, misuse or damage.

The aim of information security is to ensure the following:

- safeguarding data integrity;
- preventing unauthorised access;
- respecting privacy and secrecy; and
- continuity of the system.
4.3.1 Information Security Management System

An information security management system is a systematic approach adopted so that the organisation's sensitive information that needs protection is managed properly. The main objective of this system is safeguarding and storing sensitive and critical information and making it available where necessary.

Setting Up an Information Security Management System

In order to establish an information security management system:

- primarily, the decision must be taken on whether the system will cover the entire organisation or a part of it;
- secondly, a policy that sets out the objectives must be introduced; and
- finally, a systematic risk assessment approach must be adopted, and potential risks must be identified and mitigated as appropriate.

Requirements of an Information Security Management System

The following are the requirements for an efficiently operating Information Security Management System:

- Support and ownership by top management and the managers of the administration must be ensured.
- Information management should not be regarded as merely a technical issue and a job only for the Data Processing Department. The system must be able to reach its objectives through the active participation of all staff of the administration.
- The establishment of an information security management system must not be regarded as an extra burden and a waste of time.

Elements/Principles of Security

The risks of compromise to information security (for example, hacking) need to be defined, and controls to mitigate those risks should be introduced. If these controls are absent or ineffective, the efficiency of the information security system will be considerably reduced.

The main principles of security are confidentiality, integrity, availability, authentication, non-repudiation, responsibility and access control. For more detailed information, see the Turkish Standards Institute document TSE-17799, "Information Security Management Standard". Furthermore, there are other international models aiming to ensure the security of electronically produced information, such as COBIT, e-SAC (Electronic System Audit and Control) and System Trust, and the standards ISO/IEC 27001 and ISO/IEC 27002 (International Organisation for Standardisation) can also be explored.

Also, please refer to the "Regulation on the Principles and Procedures Regarding the Implementation of the Law on Electronic Signature", based on the Law on Electronic Signature no. 5070, and to the e-Transformation Turkey 2005 Action Plan (Action 5: "Current systems at public institutions, particularly central institutions using critical information, will be analysed and information security policies and measures will be developed accordingly"; and Action 33: "The needs of disaster management of public information systems will be identified and recommendations will be developed").

For preserving and storing documents kept in a written environment, please refer to the section "Registering, Filing and Archiving of Information" under 4.2.3 Organising Information.
4.3.2 Information Security Control Activities

In order to set the level of importance of an item of information, the degree of the effect on the administration that stems from the risk of harm to the "confidentiality, integrity and availability" of that item of information must be defined in the first place. Harm to each of these three security features of an information system may have a different degree of effect. For instance, the disclosure of top secret information can cause serious harm to an administration, while it may not be that harmful if the same information becomes unavailable.

The information security risks identified must be analysed and ranked, and the cost of the control activities to be established and operated to mitigate those risks must be in proportion to the value of the information protected and to the risk identified after examining potential threats. For some ideas of suitable control activities, see the Control Activities chapter.
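As an added illustration of the two rules above (assessing harm per security feature, then ranking risks and keeping control costs proportionate), the following Python sketch is not part of the manual: it scores risks to the confidentiality, integrity and availability of two constructed information items, ranks them, and checks whether each mitigating control's cost is proportionate. The 0 to 3 harm scale, the 1 to 3 likelihood scale, the control costs and the value-per-risk-point yardstick are all assumptions made for the example.

```python
"""Impact-based ranking of information security risks (added example; constructed data)."""
from dataclasses import dataclass
from enum import IntEnum


class Harm(IntEnum):
    """Degree of effect on the administration if a security feature of an item is lost.
    The 0..3 scale is an assumption made for this example."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoItem:
    """An item of information with the harm caused by loss of each of the three features."""
    name: str
    confidentiality: Harm
    integrity: Harm
    availability: Harm

    def importance(self) -> Harm:
        # The item is as important as its most damaging loss ("high-water mark"):
        # a report whose disclosure is HIGH harm is a HIGH item even if an outage is LOW harm.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Risk:
    """A threat against one security feature of one item."""
    item: InfoItem
    security_property: str   # "confidentiality", "integrity" or "availability"
    likelihood: int          # 1 (rare) .. 3 (likely); assumed scale
    control: str             # the control activity that would mitigate the risk
    control_cost: int        # hypothetical cost of that control, in budget units

    def impact(self) -> Harm:
        return getattr(self.item, self.security_property)

    def score(self) -> int:
        # Risk = impact x likelihood, so a frequent threat to a low-harm feature
        # does not automatically outrank a rare threat to a high-harm one.
        return int(self.impact()) * self.likelihood


def rank_risks(risks):
    """Highest score first; ties broken by impact, so the more harmful loss is treated first."""
    return sorted(risks, key=lambda r: (r.score(), int(r.impact())), reverse=True)


def proportionate(risk: Risk, value_per_point: int) -> bool:
    """A control is proportionate when its cost does not exceed the risk score multiplied by
    the value the administration assigns to one risk point (an assumed yardstick)."""
    return risk.control_cost <= risk.score() * value_per_point


# Constructed sample data for the example.
CLASSIFIED_REPORT = InfoItem("classified audit report", Harm.HIGH, Harm.MEDIUM, Harm.LOW)
PUBLIC_BULLETIN = InfoItem("public service bulletin", Harm.NONE, Harm.MEDIUM, Harm.MEDIUM)

SAMPLE_RISKS = [
    Risk(CLASSIFIED_REPORT, "confidentiality", 2, "encrypt report store and restrict access", 50),
    Risk(CLASSIFIED_REPORT, "availability", 3, "hot-standby file server", 80),
    Risk(PUBLIC_BULLETIN, "integrity", 2, "web page integrity monitoring", 20),
]


def review(risks=SAMPLE_RISKS, value_per_point: int = 10):
    """Return (control name, score, proportionate?) for each risk, highest risk first."""
    return [(r.control, r.score(), proportionate(r, value_per_point)) for r in rank_risks(risks)]


if __name__ == "__main__":
    for control, score, ok in review():
        print(f"score {score}: {control} -> {'proportionate' if ok else 'cost exceeds risk'}")
```

Note how the frequent outage risk to the classified report ranks below its rarer disclosure risk, and how the expensive availability control fails the proportionality check while the confidentiality control passes.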
IC Figure 1 Process of Control Activities for Information Security
[Figure: four attacks, [1] to [4], pass through three successive stages: prevention, detection and response]

The figure above is an example of security-related control activities. It demonstrates four different attacks. As can be seen from the figure, attack [1] is immediately stopped at the prevention stage, while attacks [2], [3] and [4] are not. Of the attacks that survive the prevention process, attack [2] is identified at the detection stage and eliminated. Attacks [3] and [4] pass the detection stage. At the response stage, the final stage, which has been designed in accordance with the level of tolerance decided, attack [3] is eliminated, while attack [4], which survives all stages, damages the system after passing through all the security processes.
5 MANAGEMENT INFORMATION SYSTEMS (MIS)

Management information systems are computer-assisted systems (consisting of computer hardware and software) which should ideally provide the timely strategic information needed by managers, in the form they demand it, so that they can make the right decisions on an informed basis.

The aim is the transmission of the right and complete information to the right people in the proper format (form, report, table, graphics, etc.). A labour force is needed to run, update and maintain the systems. MIS give information on how the administration is performing against key performance indicators in terms of financial information, information regarding the staff, information on movable/immovable assets, performance information, information from the organisation's document archive, etc. MIS may also give information on risk management.

Information should be registered, classified, calculated, summarised, reported and stored. Back-up copies of the system should be kept in case the system crashes. If these processes are not carried out systematically, managers may have incorrect information and thus make the wrong decisions.

While designing MIS, first the civil servants must understand the importance of acquiring and recording reliable and accurate information and be aware of their responsibilities in this regard; then the business processes related to the production of information must be defined completely and clearly; and finally, support from IT must be obtained.
Some organisations have dispersed information systems; however, the existence of such a structure does not necessarily mean they have MIS. In some cases, information is not related to and integrated with all the actions and units of an administration: data recorded by different units in different systems is stored independently of the other units. Duplication of information in different units of the administration is an inefficient use of resources. Entering data into a central computerised system ensures that managers have access to information which covers the whole administration.

Resistance to information sharing in administrations is a significant problem. It is not possible to transmit the accurate and timely information which management needs in administrations where information is not shared, which is an obstacle for MIS. Hence, a culture of information sharing should be encouraged.
5.1 Stages of Establishing MIS

In the development of management information systems, SDUs undertake the task of coordination and provide technical assistance to the spending units. The following process can be followed by the SDUs and the spending units in establishing MIS.

5.1.1 Establishment of the MIS Working Group

A participative method should be adopted in the establishment of MIS in administrations: a working group should be formed with the participation of representatives from all the spending units under the coordination of the SDU, a work programme should be produced for it, and tasks should be distributed.

5.1.2 Preparation of the MIS Working Plan

In the working plan:

- To begin with, a comprehensive needs analysis should be carried out to identify which types of information the management may need.
- Upon completion of the needs analysis, the data provider units for the MIS should be identified. This will provide a significant part of the infrastructure for the information map to be produced.
- The properties of the current information system of the administration, the related problems and the recommended solutions should be set out; what needs to be done to solve the problems and what is aimed at should be determined; and structures should be set up in the administration to support the production and sharing of information.
- The cost and benefit aspects of the system planned to be established should be considered.
- The potential risks relating to MIS should be identified and a risk management process should be carried out. The control activities to be applied for the risks with high significance and likelihood should be determined.
- A good MIS must be flexible enough to keep up with the changes occurring inside and outside the administration. Besides, success criteria for the system, such as the inclusion of early warning mechanisms, should be determined.
- In the medium term, a corporate information map must be prepared that covers the entire organisation. Preparation of a corporate information map would ensure quick access to the information and expertise needed. The information map must be produced primarily at unit level and then at individual level, considering individuals' level of expertise and experience. While forming such a structure, organisational charts or documents on the distribution of tasks within the units, at a more specific level, can be made use of. Production of the corporate information map and its proper operation would ensure that the following question can be answered easily: "Who knows what?" For instance, quick identification of who (which department, which employee, etc.) has information about staff, budget or archives, and of the relations among this information, will be ensured.
- Establishment of MIS can be initiated by pilot implementations in the units. Using pilot implementations as a starting point and ascertaining how the system works will ensure economy in terms of time, cost and labour. Potential mistakes in the further stages of the process can be prevented by eliminating the shortcomings and correcting the mistakes observed during the pilot implementations.
5.1.3 Monitoring/Assessment

Periodic reports must be produced and presented to top management during the establishment of MIS to show the progress in the development of the system. Action must be taken on the problems identified at this stage to ensure that the activities are performed as planned.

Studies on the fulfilment of MIS services in administrations must be carried out upon the approval, and under the supervision, of the head of administration. Furthermore, the head of administration must inform the related units about the working method adopted.

An MIS needs to be dynamic to keep pace with changes in technology or in the demands for information by management.

5.1.4 Related Legislation

Law no. 5436, which amends Law no. 5018, prescribes the establishment of SDUs and assigns them the task of providing the services related to MIS.

In the Regulation on the Working Principles and Procedures of SDUs, providing the services regarding MIS and carrying out studies for the establishment of the system are listed among the tasks of the SDUs.
6 COMMUNICATION

Communication is the exchange of information among individuals and/or organisations to support service delivery, decision making and the sharing, carrying out and coordination of activities. It plays a central role in the development of a robust internal control system and helps management to make decisions by providing feedback on how all the components of internal control are working.

An administration needs information at all levels to achieve its objectives and manage risks. In this context, information flows can take place both horizontally and vertically, as well as from outside the organisation.

Information must be properly communicated within an administration to the managers and/or staff who need it, on a timely basis, in order for them to fulfil their responsibilities and ensure coordination with other units. External communication with beneficiaries, suppliers and stakeholders such as other public administrations is also essential for effective internal control.

Communication can be verbal, written or electronic, or a combination of the three. Where verbal communication is deemed sufficient, documenting only the important verbally communicated information would be useful, so that records of key information are kept and can subsequently be referred to by those who are given access to them.

IC Box 2 Communication Channels

Management should establish communication channels that:

- provide accurate information at the right time;
- meet individual demands;
- inform employees of their roles and responsibilities;
- support reporting;
- allow employees to make recommendations for improvement;
- give messages that top management can understand, enabling them to make decisions;
- inform employees of the importance of internal control and of the decisions taken;
- are both internal and external; and
- have the right target group.
6.1 Internal and External Communication

Administrations should consider the following general issues regarding their internal and external communication:

- The public should be provided with timely, accurate, clear, objective and complete information about policies, programmes, services and activities.
- The language used should be comprehensible and plain Turkish.
- Administrations should be visible, accessible and accountable to the public for the services they provide.
- Various means and methods should be utilised in communication, and information from a variety of sources should be used to meet different needs.
- Communication needs should be regularly identified.
- Administrations should obtain the opinions of internal and external stakeholders while setting out their aims and objectives and formulating processes, and should establish mechanisms to assess these.
- Public administrations should work cooperatively with stakeholders, when necessary, in order to ensure efficient communication.
- Services should be provided in a fair, quick and responsive manner.
- Administrations should have the capacity and equipment to follow up innovations in communication technology and should allocate the necessary resources to do so. In this context, the activities carried out should be proportionate to the resources allocated and the results expected.
IC Table 2 Communication Principles and Procedures

INTERNAL

Communication principles:
- Top management and employees should understand the internal communication system and be well aware of their responsibilities.
- Internal communication activities and processes should be reviewed regularly and revised where necessary. New communication methods should be adopted to stay in line with the changing administrative structure.
- It must be ensured that staff communicate their considerations, recommendations and questions to top management.
- Communication between managers and employees should be clear and cooperative in order to achieve the goals and mission of the administration.
- Staff objectives should be made consistent with those of the administration.
- More effective communication should be ensured between senior management and personnel.
- Recommendations and ideas of personnel should be heard, and action taken to address them when appropriate.

Methods:
- Staff should be regularly informed, in writing or electronically, about the operation of the internal communication system, what to do and their responsibilities (including the information and communication system for risks).
- The necessary mechanisms (intranet, internet, announcement boards, complaint and suggestion boxes, top manager briefings, etc.) should be established to inform employees about the mission, vision and objectives of the administration.
- Regular meetings, and an electronic mechanism that enables the SDUs to coordinate the spending units and produce statistical data through the necessary analysis.
- To this effect, in-house communication seminars and training programmes should be organised.

Vertical communication

Communication principles:
- Personnel should convey the necessary, timely, complete and accurate information to their managers in time for the managers to make decisions and achieve objectives.
- Personnel should be notified by their managers when, in which scope, in what way and from which unit information is demanded.
- Managers should inform the staff about the policies, goals and objectives of the administration.

Methods:
- A reporting system should be established within the administration which flows from staff to managers (minutes of meetings, unit activity reports, exchange of information on a weekly or daily basis, in person or electronically, a reporting system that enables the managers to monitor daily activities, etc.).
- Regular meetings between management and internal auditors, and timely submission of internal audit reports to top management.

Horizontal communication

Horizontal communication refers to the effective sharing of information among employees of the same hierarchical level in order to carry out the tasks and activities of the administration.

Communication principles:
- The personnel and units that are to share information should be announced to staff, and the duty to share information should be included in the job descriptions of the relevant personnel and units.
- Managers should hold regular meetings to exchange ideas on their respective fields of competence and on problems and suggestions regarding management.

Methods:
- Establishment of a system to monitor the meetings and activities of people at the same level.
- Creation of an e-mail group for people from the same hierarchical level.
- Strengthening the data processing infrastructure and ensuring the active operation of units.
- Ensuring that top management communicate more effectively with employees.
- Internal communication seminars and training programmes should be organised.

EXTERNAL

Communication principles:
- Citizens' access to the information and services of administrations should be enhanced.
- Services delivered by administrations within the framework of "e-state" should be shared with the other relevant administrations and with citizens (MERNIS, UYAP, etc.).
- Administrations should inform the press about issues deemed important for decision makers and the public.

Methods:
- The administration's website, which provides the necessary documents, should be established, and some services should be provided via this website 24/7.
- Documents and services provided online should be updated regularly, and the administration should assign certain people to manage the design and content of the website.
- Furthermore, publishing content in English would be useful for giving foreign users access to information.
- Mechanisms should be set up to enable citizens to express their complaints and suggestions (forum, frequently asked questions, activation of the use of the Information Acquisition System and BIMER, etc.).
- The press should be invited to important conferences and seminars.
- Services provided by the administration should be advertised on TV or the internet.
- The head of administration should inform the public annually about the performance programme and activity report of the administration, and these should be published on the administration's website.
- Active operation of the press and public relations units should be ensured.
6.2 Communication Methods
A communication system is made up of the methods and records produced to determine, acquire, change and transfer useful information. Staff must be able to communicate with all the units in the organisation, including sharing information about risks.
With the advancements in technology, numerous and various communication means are now available in public administrations. The most widely used means of communication are detailed in IC Annex 2.
6.2.1 Reporting
Reports are crucial tools for the establishment of an effective internal control system, as they facilitate the monitoring of control effectiveness.
Managers should take the reports submitted to them into consideration when making decisions. In this context, accurate and succinct reports that have been prepared on time help the managers. Furthermore, communication and reporting is an important element of risk management (see Risk Management Chapter).
Administrations should communicate financial and non-financial information and results regarding their policies, programmes, activities and projects to the relevant persons and bodies, in writing or verbally, at particular times. Within this framework, vertical and horizontal reporting lines within the administration should be determined in writing. Furthermore, each administration should also take into consideration external reporting mechanisms.
IC Figure 3 shows the mechanism of vertical reporting among the hierarchical stages regarding the decisions and works at the strategic, programming and operational levels, and the mechanism of horizontal reporting among the personnel of the same level. Vertical reporting is the reporting of personnel to managers. Horizontal reporting, on the other hand, is the necessary flow of information among the people and units that are on the same level.
IC Figure 3 Reporting Lines (figure: vertical reporting on objectives/activities from other staff through medium-level managers to top management at the operational and strategic levels; horizontal reporting among personnel of the same level)
Examples of horizontal reporting within an administration:
- Staff attending a training programme sharing with colleagues the report they prepare about training results; and
- Minutes of meeting shared with other units.
Examples of vertical reporting within an administration:
- Consolidated Risk Report submitted to senior management;
- Minutes of meeting copied to a senior manager for their information;
- Internal audit reports submitted to senior management; and
- Quarterly reports and semi-annual reports submitted to senior management.
Examples of reporting outside the administration:
- Internal Control System Evaluation Report prepared by the SDU and submitted to the CHU; and
- Annual activity report for an administration prepared by the Head of Administration, published to the public and copied to the Turkish Court of Accounts and the Ministry of Finance.
IC Box 3 Basic Principles for Effective Reporting
- It should be explicitly determined and announced to staff which reports will be prepared, by whom, at what frequency and when they will be prepared, who they will be submitted to, and who will control them. Reports must be in compliance with tasks, responsibilities and the principles of financial transparency and accountability.
- The information included in the reports must be accurate, up-to-date, succinct, objective, complete, relevant and sufficient.
- Reports should use a common and clear language that everyone can understand.
- Reports must be produced at certain periods and on a consistent basis so that comparisons can be made between years.
- Reports should attract the attention of readers, be easy to read and understand, and include sufficient and appropriate visual material.
- All reports should have a conclusion and evaluation section.
- The desired format for the report should be determined in advance by the administration/unit requesting the report and notified to the relevant administration/unit.
IC Annex 3 details the reports prescribed to be prepared as per the Public Financial Management and Control Law No. 5018 and the applicable regulations, in the framework of the principles of financial transparency and accountability.
7 WHISTLEBLOWING OF FAILURES, IRREGULARITIES AND FRAUD
One of the most important elements of accountability and transparency is the existence of a mechanism that ensures that staff and stakeholders are able to effectively express their concerns.
Article 279 of the Turkish Penal Code states that if a civil servant learns, by means of the position he holds, that a crime which necessitates investigation and prosecution was committed, and neglects or delays notifying the competent authorities of this crime, he will have committed a crime himself.
7.1 Concepts of Failure, Irregularity, Fraud and Whistleblowing
Failure refers to an unintentional action against the legislation.
Irregularity and fraud, on the other hand, refer to the deliberate behaviour of the administration's staff or third parties against the present rules in order to achieve unfair or unlawful gain.
Whistleblowing is the notification of illegal and unethical behaviours and actions to top management, to third parties outside the management, or to authorised bodies or persons (who can be inside or outside the administration) by the persons with the information (employees or stakeholders). Failure to blow the whistle can cause damage to the administration.
In line with the above, administrations must determine distinct methods for evaluating the irregularities, fraud and failures they have been notified about.
It should be borne in mind that the person who makes the notification may be left alone or isolated, his or her career may be undermined, or he may not be taken seriously. Therefore, any kind of biased or discriminatory conduct against the personnel or third parties that blow the whistle should be prevented.
7.2 Scope of Notifications
There are three basic types of whistleblowing and complaints in public administrations:
- Those regarding the violation of ethical values;
- Those regarding faults, irregularities and fraud;
- Complaints by civil servants regarding administrative actions and processes implemented against them by managers or administrations.
7.2.1 Whistleblowing and complaint in cases of violation of ethical values
Whistleblowing mechanisms are defined in Law No. 5176 on Establishment of the Civil Servants Ethical Board and Making Amendments on Some Laws, and in the Legislation on Ethical Behaviour Principles and Procedures for Civil Servants.
Under this legislation, cases of ethical behaviour violation by the director general, and by those who have a title at this level, are notified to the Ethical Board, while cases of violation by other employees are notified to the relevant administrative manager to be directed to the administration's disciplinary board. Within this framework, administrations carry out the process to ensure compliance with the law.
A flowchart showing the detailed process for whistleblowing and complaint in cases of violation of ethical values is at Annex 4a.
7.2.2 Whistleblowing and complaint regarding irregularities and fraud
Law No. 4483 defines the procedures to be followed in cases of crimes committed by civil servants by means related to their duties. Accordingly, cases of whistleblowing or complaint about civil servants are filed, processed and concluded under this Law.
In cases where a complaint by a person is not processed, he can appeal to the administrative court if he wishes. The administration has to record all cases of whistleblowing or complaint, whether processed or not.
A flowchart showing the detailed process for whistleblowing and complaint regarding irregularities and fraud is at Annex 4b.
7.2.3 Complaints by civil servants
Proceedings relating to complaints by civil servants regarding administrative actions and processes implemented against them by their managers or administrations are carried out within the framework of Article 21 of Law No. 657 and the Legislation on Complaint and Application Rights of Civil Servants.
7.3 The Responsibility for Detecting Faults, Irregularities and Fraud
The responsibility for identifying and preventing failures, irregularities and fraud rests with management and all employees. Under the ethical behaviour culture of the administration, the necessary actions should be taken to prevent failures, irregularities and fraud under the supervision of the responsible managers.
7.4 Whistleblowing System
For employees to communicate their concerns, and for these concerns to be taken seriously, administrations should have regulations that comply with their structures, as well as reporting mechanisms. These regulations should include:
- the subject-matter of a whistleblowing;
- how to protect the confidentiality of, and provide security for, a whistleblower acting in good faith;
- the stages of the whistleblowing procedure (first to the manager, then the head of unit, the head of internal audit, the head of the human resources unit or the head of the financial services unit, and the head of administration);
- how cases of whistleblowing are evaluated by the administration and what actions are taken (examination inside the administration, official investigation, etc.);
- the information given to the whistleblower about who the subject matter concerns, whether he can contact that person, and the progress and/or results of the evaluation.
Within this framework, administrations should announce to the personnel all the ways of whistleblowing and complaint.
In cases of whistleblowing and complaint, the identity of the whistleblower should be kept confidential so that they are not exposed to discrimination.
Administrations should receive cases of whistleblowing and complaint in electronic format via their websites as well as in writing. Besides, administrations should set up mechanisms that make it easy for external stakeholders to blow the whistle or complain, and announce these on their billboards and websites.
Administrations should not set up mechanisms other than the preliminary examination procedures determined in Law No. 4483 for cases of whistleblowing and complaint regarding corruption and irregularities. As a result of the preliminary examination, whether or not an investigation permit is given should be notified both to the Chief Public Prosecutor's Office and to the whistleblower with a detailed justification, and the letters regarding these notifications should be kept in the whistleblowing files.
For an effective whistleblowing system, the following basic requirements are taken into consideration.
IC Box 4 Basic requirements for Whistleblowing
- Top management should announce the procedures for dealing with whistleblowing and complaint from inside and outside the administration.
- Administrations should determine, for central and local units, who notifications will be referred to.
- Methods must be developed for anonymous notifications from staff and third persons (telephone, in a way that ensures evidenced delivery; internet application, provided that the forms given are completed; anonymous letter; suggestion boxes; etc.).
- Written, spoken or electronic cases of whistleblowing should be recorded in a separate folder by the authorised unit or person, regardless of whether they are based on enough evidence or not.
- Discriminatory treatment towards the whistleblower should be prevented.
- Periodical meetings should be held with staff in which their views are heard and their trust is won in regard to reporting malpractices within the administration.
- All communication channels should be left open to ensure that personnel can blow the whistle.
- Personnel who are proved right after the examination and evaluation process of the whistleblowing should be rewarded by means of confidential methods to be determined by the administration.
IC Box 5 Issues to consider while evaluating whistleblowing notifications
- Are the behaviours or actions in the administration unlawful?
- Are the behaviours or events taking place in the administration against the ethical values (morals, professional ethics, etc.)?
- When the whistleblowing is not in compliance with the procedure, it must still be evaluated as long as it is based on concrete evidence.
- The seriousness and importance of the issues put forward should be taken into consideration.
- There should be good will and public benefit.
- There should be a reasonable belief that the information and the allegations it includes are completely true and may uncover malpractice.
IC Figure 4 Whistleblowing Process (flowchart). Recoverable elements: the whistleblower first asks himself: Is it illegal? Is it unethical and immoral? Is it based on concrete evidence? Do I have good will? Do I draw benefit from this? The notification is then passed through secure communication channels (e-mail addresses, telephone numbers) to the unit/person that evaluates the case of whistleblowing against the evaluation criteria; from there it is referred to the Disciplinary Board, the Inspection Board/Audit Unit, the Authorising Officer, or the Chief Public Prosecutor (when the investigation request comes from outside the administration).
IC Box 6 Current Legislation relating to whistleblowing and complaint
- Law No. 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication
- Law No. 4982 on the Right to Information
- Law No. 3628 on Declaration of Properties, Bribes and Combating Fraud
- Law No. 3071 on Official Letters
- Ethics Law, Regulation and Prime Ministry Circular
- Principles and Procedures on the Complaint and Application Rights of Civil Servants
- Complaint regulation under Public Procurement Law No. 4734
8 RELATIONS AMONG UNITS
8.1 Information and Communication between the CHU and SDUs
The extent to which the tasks the CHU carries out are effective and efficient depends on the level of communication it achieves with the SDUs.
The CHU must develop organisational communication mechanisms to ensure the transfer of information to the SDUs. This could either be done via a call centre to be established within the CHU, or particular CHU staff (client representatives) can be matched with particular SDUs. This would enable CHU staff to know better the unit they are responsible for, and therefore make evaluations and problem solving easier. This would also improve the influence of the CHU on other units. Furthermore, ensuring face-to-face communication between CHU and SDU staff and organising periodic meetings and/or conference calls to review the internal control system can be another method of information transfer.
The CHU must set out the critical arrangements that are relevant to the SDUs using participative methods, where the participation of the SDUs must be ensured. Furthermore, the level of participation by the SDUs will enhance the level of communication.
8.2 Information and Communication between SDUs and Spending Units
Ensuring coordination with spending units for the adoption of various elements, such as the preparation of activity reports and performance programmes and the implementation of internal control, which are important elements of public financial management, is the responsibility of the SDUs. Effective and efficient organisational communication with spending units would also contribute to the smooth progress of the coordination process.
SDU staff and spending units must be matched. Each member of the SDU must be in constant communication with the spending unit they are responsible for and transfer the necessary information to the spending units periodically. Spending units must also assign department/branch/unit staff to be in continuous communication with the SDU. Such matching plays a crucial role in the transfer of consistent and accurate information, both from the SDUs to the spending units and from the spending units to the SDUs.
Furthermore, these information flows must also be reviewed in meetings to be held regularly (advised frequency: minimum monthly, maximum quarterly) by the spending unit officials and SDU managers, and the actions to be taken and the required developments must be discussed in these meetings.
In the event that it is necessary for the SDUs to make decisions which would affect the spending units, officials from the spending units must be able to get involved in this process, depending on the level of the decision.
INFORMATION AND COMMUNICATION ANNEXES
Annex 1 - Legislation on Information and Communication
- Regulation on the Principles and Procedures to be applied in Official Correspondences by the Prime Ministry
- Regulation on the Prime Ministry State Archiving Services, published in the Official Gazette number 19816 dated 16 May 1988
- Regulation on Public Servants Ethical Behaviour Principles and Principles and Procedures for Application
- Regulation on Declaration of Assets, published in the Official Gazette no. 20696 dated 15 November 1990
- Regulation on the Complaints and Application by Public Servants Assets, published in the Official Gazette no. 17926 dated 12 January 1983
- Prime Ministry circular on Standard Folder Plan no. 2005/7 dated 24 March 2005 (the manual to be prepared by the Central Harmonisation Unit can be included, including the FMC Manual)
- Prime Ministry circular dated 19 March 2007 on the Civil Servants Ethical Board
- Regulation on Complaints under the Scope of the Law no. 4734 on Public Procurement (the arrangements to be made by the CHU, including the FMC Manual, can be covered in this part)
- Law no. 406 on Telegraph and Telephone
- Radio Law no. 2813
- Law no. 3071 on Official Letters
- Law no. 4982 on the Right to Information
- Law no. 5070 on Electronic Signature
- Law no. 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication
- Law no. 5369 on Provision of Universal Service and Amendments to Certain Laws
- Law No. 5176 on Establishment of the Civil Servants Ethical Board and Making Amendments on Some Laws
- Law No. 4483 on Trying Cases against Civil Servants
- Law No. 3628 on Making Declaration of Property and Fight against Bribery and Corruption
- Law no. 5809 on Electronic Communication
Annex 2 - Widely Used Methods of Communication
(Table columns: Means; Objective; Advantages; Disadvantages)

Meetings
- Objective: informing; receiving opinion; making joint decisions
- Advantages: relatively cheap; a method that people are accustomed to; contributes to the culture of participation; open to discussion and dialogue; opportunity to come up with solutions to problems in the administration
- Disadvantages: difficulty of measuring the success and value of the method; possibility that results may not be useful; possibility that a minor group may dominate the meeting in case of bad management

Reports
- Objective: informing; receiving opinion; making decisions; evaluation
- Advantages: informs the target group about the subject in a sound manner; facilitates the decision-making process of the manager; possibility to access accurate, up-to-date, relevant and adequately detailed information
- Disadvantages: requirement for qualified staff; production is time consuming

Brochures, periodicals
- Objective: informing; promotion
- Advantages: opportunity for creative design; comprehensible; particular and wide target groups; opportunity to establish a long-term relation with the target group; opportunity to make regular updates regarding the subject
- Disadvantages: limited feedback; difficulty of measuring the impact on the target group

Questionnaire, interview (letter, telephone, face to face)
- Objective: receiving opinion; evaluation
- Advantages: a method that people are accustomed to; opportunity to reach a wide group; opportunity to select particular target groups; scientific methods can be used
- Disadvantages: expensive, time consuming; requirement of in-depth information to use the method accurately; possibility that the response rate may be low; possibility that the subject may not be examined enough

Press releases and conferences
- Objective: informing; receiving opinion
- Advantages: cheap; easy to organise; opportunity to communicate to many people
- Disadvantages: difficulty of knowing whether the subject reached the target group or not; difficulty of measuring the success and value of the method; difficulty of examining the subject thoroughly; no feedback or limited feedback

Brainstorming
- Objective: exchanging ideas; making joint decisions
- Advantages: obtaining many ideas regarding a subject; contribution to the culture of participation; cheap, flexible, easy to organise
- Disadvantages: possibility that results may not be useful; possibility that the subject may not be examined enough

Workshop
- Objective: informing; receiving opinion; making joint decisions
- Advantages: opportunity to set up new networks; fun for participants; chance of finding solutions to problems; cheap, flexible, easy to organise; chance of examining the subject thoroughly; opportunity to select particular target groups; easier participation because of the unofficial atmosphere
- Disadvantages: non-scientific; possibility that results may not be useful; possibility that a minor group may dominate the meeting; possible to receive wrong results with a small and randomly selected group

Conference
- Objective: informing; receiving opinion; making joint decisions
- Advantages: opportunity to become creative and flexible; opportunity to work together with different groups; opportunity to set up new networks; opportunity to select particular target groups; opportunity to examine the subject thoroughly; opportunity to discuss different opinions and ideas
- Disadvantages: expensive, time consuming; possible to receive wrong results with a small and randomly selected group; raising different expectations; possibility that the result may not be useful; possibility that a minor group may dominate the meeting in case of bad management

Focus group
- Objective: receiving the group's opinion with the leadership of a moderator
- Advantages: faster and cheaper compared to one-to-one interviews; opportunity to discuss different opinions and ideas; spoken discussion accelerates the process by which outputs are reflected in writing
- Disadvantages: possibility that useless information may emerge in case of bad moderation; the quality of participants affects the quality of data

Conference call
- Objective: making joint decisions; finding common solutions to problems
- Advantages: opportunity to discuss different opinions and ideas; opportunity to examine the subject thoroughly; experienced decision-makers and persons with deep accumulated knowledge coming together
- Disadvantages: possibility that results may not be useful in case of bad management; expensive, time consuming; possibility that a minor group may dominate the meeting in case of bad management

Websites and intranet, e-mail
- Objective: informing; receiving opinion
- Advantages: cheap; easy to organise; opportunity to reach many people; effective information sharing
- Disadvantages: need for updating; problem that unwanted persons may gain access
Annex 3 Reports Prepared under PFMC Law No. 5018
(Table columns: Name of report; Responsible unit; Submitted to)
- Unit Activity Report (Art. 41 of Law no. 5018). Responsible unit: Spending Units / Authorising Officers. Submitted to: Head of Administration.
- Local Administrations Activity Report. Responsible unit: Spending Units / Authorising Officers. Submitted to: Head of Administration.
- Administration Activity Report (Art. 41 of Law no. 5018). Responsible unit: Head of Administration (general budget administrations, special budget administrations and social security institutions). Submitted to: Ministry of Finance, Court of Accounts and public opinion.
- Local Administrations Activity Report (Art. 41 of Law no. 5018). Responsible unit: Head of Administration (local administrations). Submitted to: Ministry of Interior, Court of Accounts, public opinion.
- General Activity Report (Art. 41 of Law no. 5018). Responsible unit: Ministry of Finance (Directorate General for Budget and Fiscal Control). Submitted to: Court of Accounts and public opinion.
- Local Administrations General Activity Report (Art. 41 of Law no. 5018). Responsible unit: Ministry of Interior. Submitted to: Court of Accounts, Ministry of Finance and public opinion.
- Administration AR, General AR, Local Administrations General AR (Art. 41 of Law no. 5018). Responsible unit: Court of Accounts (expressing its own opinions, considering its external audit results). Submitted to: TGNA.
- Draft Law on Final Accounts (Art. 42 of Law no. 5018). Responsible unit: Ministry of Finance (DG Public Accounts). Submitted to: TGNA, Court of Accounts.
- External Audit Overall Assessment Report (Art. 68 of Law no. 5018). Responsible unit: Court of Accounts. Submitted to: TGNA.
- Corporate Financial Status and Expectations Report. Responsible unit: public administrations under the scope of general management. Submitted to: public opinion.
- Central Government Budget Realisations and Expectations Report. Responsible unit: Ministry of Finance (Directorate General for Budget and Fiscal Control). Submitted to: public opinion.
- Financial Statistics (Art. 52, 53, 54 of Law No. 5018). Responsible unit: Ministry of Finance (DG Public Accounts). Submitted to: public opinion.
In the production and submission of the activity reports above, Law no. 5018 and the principles and procedures set out in the Regulation on Activity Reports Prepared by Public Administrations are taken into account.
In the preparation and declaration of the financial statistics of public administrations, Law No. 5018 and the principles and procedures set out in the General Communiqué on Financial Statistics of General Management are taken into consideration.
Annex 4a Whistle-Blowing Process Related to Ethical Values (flowchart). Recoverable elements:
- Application: written petition, electronic mail, or oral application that is recorded.
- Registry (relevant unit/person): registration in the document registry system (written, electronic); a separate folder system for notification applications.
- Evaluation: if related to the Director General and positions above Director General, by the Ethical Board; if related to positions below Director General, by the head office of the relevant administration and its Disciplinary Board.
- Notification: to the relevant person (the person the whistle-blowing is about); to the relevant administration (conduct of the work within the framework of Law No. 657); to the whistle-blower.
- Notification of the outcome: if it is decided that ethical behaviour principles have been violated, to the Prime Ministry and to public opinion (published in the Official Gazette); if it is not detected that ethical behaviour principles have been violated, to the Prime Ministry and to whom it may concern.
Annex 4b Whistleblowing and Evaluation Process for Crimes Committed by Civil Servants (flowchart). Recoverable elements:
- Application: written petition (concerning a person or a particular event, with serious allegations, name, family name, signature and domicile address).
- Registry (relevant unit/person): registration in the document registry system (written or electronic; a separate folder system for notification applications).
- Head of the relevant unit: for other positions or civil servants, requesting an investigation permit from the body authorised to give the permit (Article 3 of Law No. 4483), or making notification to the body authorised to give the investigation permit (Article 3 of Law No. 4483); otherwise directly to the Chief Public Prosecutor.
- The body authorised to give the permit starts the preliminary examination (Law No. 4483, Article 5); preparation of the preliminary examination report and submission of it to the body authorised to give the permit.
- Decision: permitting the investigation about the complaint, whistleblowing or subject matter of the allegation, or not permitting it.
- Notification: to the Chief Public Prosecutor's Office; to the civil servant about whom the investigation is conducted; to the whistleblower.
- Objection: to the Court of Appeals or regional administrative court, by the civil servant about whom the investigation is conducted (where the investigation is permitted), or by the Chief Public Prosecutor's Office or the complainant (where it is not permitted).
MONITORING
1 Introduction
Monitoring is the assessment of the internal control system in terms of harmonisation with the internal control standards, to see whether it makes the expected contribution to the achievement of the goals and objectives of an administration. It is the identification of actions regarding the aspects open to improvement. Within this framework, monitoring is an integrated process in which capacity is assessed in interaction with the other components of the internal control system.
M Figure 1 COSO Monitoring Process (figure: the internal control components Risk Management, Control Activities, Info & Communication and Monitoring shown in interaction)
The main elements of monitoring are the formation of a sound infrastructure for monitoring, designing and implementing monitoring procedures, and assessment and reporting of the results.
Monitoring, if designed and carried out properly, provides the administration with reasonable assurance that the internal control system operates efficiently. Efficient monitoring helps to:
- Timely identify and eliminate the problems in the system of internal control;
- Produce more accurate and reliable information to be used in decision making;
- Produce correct and timely financial statements;
- Confirm regularly that the internal control system is effective;
- Present evidence for the internal control assurance declarations.
Monitoring internal control systems requires participation. Question forms, internal and external audit reports, requests and complaints from individuals and/or organisations, and the opinions of unit directors must be drawn upon during monitoring.
2 Monitoring Internal Control Standards
Monitoring includes all sorts of monitoring activities performed with the aim of assessing the quality of the internal control system.
M Box 1 Internal Control Standards
Standard 17 Assessment of internal control
The administrations shall assess their internal control systems at least once a year.
Standard 18 Internal audit
The administrations shall ensure a functionally independent internal audit activity.
3 Roles and Responsibilities
3.1 Senior Manager
The main responsibility for monitoring the internal control system rests with the Senior Manager. This is also emphasised in Article 11 of Law No. 5018, where it is stated that Senior Managers are responsible for observing and monitoring the functioning of the financial management and control system.
The Senior Manager fulfils this responsibility through internal auditors and Strategy Development Units (SDU).
By approving the internal control system annual assessment report prepared by his administration, the Senior Manager ensures its submission to the Central Harmonisation Unit (CHU). Furthermore, the Senior Manager annually states, based on evidence, that the internal control system gives reasonable assurance for the attainment of the objectives and aims of his administration, through internal control assurance statements (Annex 3A).
On the other hand, the Senior Manager ensures the implementation of the recommendations put forward as a result of internal and external audits.
3.2 Internal Audit
Internal audit has the functions of providing information, making assessments and making recommendations on the adequacy, efficiency and functioning of the internal control system. Within this framework, the Senior Manager, who has the responsibility for the sound functioning of the internal control system, receives opinions and support from internal auditors.
3.3 Internal Control and Risk Steering Board (ICRSB)
The ICRSB assesses the Internal Control System Evaluation Reports prepared by the SDU as a result of the annual assessment of the internal control system (Annex 2) and, after identifying any shortcomings of the report, submits it with the relevant opinions for the approval of the Senior Manager.
3.4 Authorising Officers
Authorising officers have responsibilities regarding internal control and continuous monitoring. Furthermore, Authorising Officers provide the necessary information for SDUs regarding the annual assessment of the internal control system, fill in the internal control question form (Annex 1), and annually sign the internal control assurance declaration (Annex 3B) to be submitted to the Senior Manager.
In addition, Authorising Officers have the responsibility for taking relevant actions regarding the recommendations contained in internal and external audit reports.
3.5 Strategy Development Units (SDU)
SDUs have been assigned the function by Law No. 5018 and the applicable legislation [3] to carry out studies to establish, implement and continuously develop internal control systems and to report the study results to the Senior Manager.
Within this framework, SDUs annually assess the internal control system on behalf of the Senior Manager. They then report the assessment findings, gained by forming a working group and using such tools as checklists, questionnaires and question forms, to the Senior Manager together with the relevant opinions of the Internal Control and Risk Steering Board.
SDUs sign the declaration on the functioning of the internal control system with a view to ensuring the effective, efficient and economical execution of the administration's activities.
Personnel of SDUs take an active role in the assessment process of internal control systems and guide the units in filling in the reports regarding the assessment (Annex 1).
3.6 Other Managers and Employees
Other managers and employees are responsible for the effective functioning of the internal control system within their own fields. Within this framework, while carrying out their own duties, they observe the functioning of the internal control system, inform the Senior Manager in case of a problem, and contribute to the assessment process of the internal control system by providing information.
3.7 External Audit
External audit is conducted by the Court of Accounts. Within this framework, the Court of Accounts can assess internal control systems in public administrations and can make recommendations.
3.8 Central Harmonisation Unit (CHU)
In accordance with Article 9 of the Principles and Procedures regarding Internal Control and Ex-ante Financial Control and Article 55 of the Public Financial Management and Control Law No. 5018, this unit develops standards and methods regarding internal control processes and provides guidance services to public administrations.
Furthermore, the CHU annually assesses the functioning of internal control systems in public administrations based on the Internal Control Assessment Reports approved and submitted by senior managers, and submits the assessment report it prepares to the Senior Manager and the Minister of Finance.
Where necessary, the CHU carries out on-site monitoring activities regarding the factors contained in the reports prepared by public administrations.
Within the framework of the roles and responsibilities explained above, the following scheme demonstrates the exchange of information and the reporting lines envisaged to be realised within the scope of monitoring activities in the administration.
[3] Legislation on Principles and Procedures regarding Internal Control and Ex-ante Financial Control, and Working Principles and Procedures of Strategy Development Units.
Figure 2 – Reporting and information exchange process foreseen under monitoring
[Figure: reporting scheme. Boxes, from top to bottom: Central Harmonisation Unit; Senior Manager; Internal Audit (Report), Internal Control and Risk Steering Board, External Audit (Court of Accounts, Report); Strategy Development Unit; Authorising Officers; Sub-Unit Managers; Sub-Unit Personnel.]
1) Straight arrows demonstrate the hierarchy in the reporting process.
2) Dotted lines demonstrate the exchange of information.
4 Guidance by the CHU [4]
Article 55 of the Public Financial Management and Control Law No. 5018 and Article 9 of the Principles and Procedures on Internal Control and Ex-ante Financial Control prescribe that standards and methods concerning financial management and control are developed and harmonised by the Ministry of Finance and that guidance is provided to the public administrations.
In this context, within the scope of its monitoring function, the CHU:
- monitors whether internal control standards are complied with;
- monitors the operation of the systems by receiving information and reports from the administrations regarding internal control and ex-ante financial control arrangements and practices;
- carries out research on national and international good practices and conducts studies for their implementation.
The CHU annually assesses the operation of the internal control system within the public sector based on the Internal Control System Evaluation Reports submitted upon approval by the heads of public administrations and, where necessary, carries out on-the-spot monitoring on the issues included in the reports of the administrations.
[4] This part consists of general information on the guidance provided by the CHU; detailed information can be found in the CHU Handbook.
5 Assessment and Reporting Role of SDUs
Assessing internal control periodically and identifying and applying the necessary actions are crucially important to ensure the efficiency of the system. In this context, each organisation needs to assess its internal control system. Assessment of the internal control system means analysing, on the basis of the internal control components, whether the system makes the expected contribution to the achievement of the aims and objectives of an administration, identifying the aspects open to improvement and taking corrective actions.
The Public Internal Control Standards suggest that the internal control systems in public administrations must be assessed at least annually, using ongoing monitoring or separate evaluations. In the assessment of the internal control system, participation of all units is required; internal and external audit reports, requests and complaints from individuals and/or organisations and the opinions of unit directors must be considered; and the assessment process must be methodological.
5.1 Assessment of Internal Control System by SDUs
Assessment of the internal control system by SDUs is carried out fundamentally by means of the Internal Control System Question Form. Other tools such as checklists and questionnaires can also be used during the evaluation process. Furthermore, the opinions of the managers and requests and complaints from organisations and/or individuals are taken into consideration in the evaluations. Evaluations are carried out at least annually; quarterly or semi-annual evaluations can be carried out as well.
Coordination of the assessment, conveyance of the questionnaires to the relevant units and consolidation of the responses are tasks of the Internal Control sub-units in the SDUs.
The staff to be assigned from the SDU must be determined to support the process of filling in the questionnaires, and the evaluation process must be planned. In the plan, a representative must be appointed for each unit and, where the number of staff is insufficient, at least one person must be assigned as responsible, and this must be communicated to the relevant units. This responsible person must provide guidance to the units in filling in the questionnaires.
Spending units are obliged to respond to the questions on Risk Assessment, Control Activities and Information and Communication. Responding to the questions in the Control Environment and Monitoring parts is at the discretion of spending units.
SDUs must complete the sections on control environment and monitoring in the internal control question forms which they fill in as spending units.
The following steps should be followed while evaluating the internal control system:
- First, unit managers should organise an opening meeting for the representatives from the SDUs. In this meeting, guidance should be provided for responding to the questionnaire and the deadline for completing the questionnaire should be announced.
- The timetable for the questionnaire, the SDU representative and their contact details should be communicated to the unit manager along with the questionnaire itself. The units must be given a reasonable amount of time to complete the questionnaire, which should be not less than one week.
- The questionnaire should be completed with the participation of sub-unit managers and staff under the coordination of the unit manager.
- In completing the questionnaire, spending units should bear in mind that this is a kind of self-assessment; through the answers they give to the questions they essentially assess their own units. Within this framework, while completing the questionnaire they should make an in-depth assessment of the functioning of internal control in their own units. Where necessary, support should be received from the SDU representatives.
- When the questionnaire is received by the SDU representative, each question should be checked and any misunderstanding should be corrected during this process. To this end, the SDU representative is entitled to get in touch with the unit manager regarding responses to the questionnaire.
- Internal audit units/internal auditors can be asked for support and recommendations when there is a need to check the accuracy of the information in the questionnaire.
- Following the submittal of all questionnaires, the SDUs should consolidate the questionnaires and prepare the evaluation report, resorting primarily to the questionnaires and also to the following sources of information:
  - action plans produced on the basis of internal and external audit reports;
  - information on budget and ex-ante financial control; and
  - other sources of information (opinions of the managers, requests or complaints by individuals and/or administrations).
Given that the evaluation report will be produced using the above-mentioned information sources (questionnaire, internal and external audit reports, budget, ex-ante financial control information, etc.), it should be kept in mind that this process will take time.
While assessing the results of the questionnaire, the points should be added up and converted to a percentage for each section. For example, the total number of points that can be scored for the Control Environment section is 44. If the Unit's score was 22 out of 44, the percentage result is 50%.
The percentage scores should be recorded for each section, together with a percentage score for the whole questionnaire (using the total possible points of 116).
The percentage scores should be interpreted as follows, separately for each category and also for the overall percentage score:
Table 1 – Interpretation of the Results of the Internal Control Question Form
Score (%)  Interpretation
0-25       Evidence of some awareness and understanding, but still in the early stages of internal control development. Direct action needed by the SDU to provide guidance.
25-50      Evidence of implementation that is planned and in progress. Action needed by the SDU to provide further guidance.
50-75      Evidence of implementation in some key areas. Further guidance may be required by the SDU.
75-95      Evidence that implementation of internal control is embedded and a good capability is established. The SDU may wish to identify the best areas as examples of best practice and inform the CHU.
95-100     Evidence of a mature internal control system with excellent capability established. The CHU will wish to use it as an example of best practice.
5.2 Reporting of Internal Control System Evaluation Results
The SDU prepares a report on the activities carried out for establishing and developing the internal control system and on the evaluation of the functioning, effectiveness and efficiency of the system. It is appropriate to use the 'Internal Control System Evaluation Report' template contained in Annex 2 in turning the assessment results into a report.
In the preparation of the aforementioned report, the "Internal Control System Questionnaire" is an important basis. The report should include, alongside information on the operation of the internal control system, the steps taken for strengthening it. Furthermore, the areas where no or insufficient controls exist, where they do not work properly or where the controls are excessive, and the plans and tables produced to address the problems identified should also be covered in the report.
The report produced is reviewed by the ICRSB, if there is one in the administration. If not, it is reviewed by a board consisting of authorising officers or the assistants assigned by them, chaired by an authorising officer or a Deputy of the Senior Manager. After eliminating any shortcomings, it is submitted by the board to the Senior Manager for approval.
The annual evaluation report approved by the Senior Manager must be sent to the CHU by the SDU by the end of the following March.
5.3 Monitoring of Internal Control System Evaluation Reports
The measures and actions to be taken and the arrangements to be made regarding the aspects identified in the Internal Control System Evaluation Report as requiring development must be set out within the framework of managerial responsibility. In certain areas, in order to eliminate the gaps, the unit managers will have to take actions. Furthermore, if there are horizontal problems on which most of the units are identified to score low, actions for improvement should be initiated by the Senior Manager.
The measures and actions to be taken and the arrangements to be made must be implemented in the context of an action plan within a designated period of time. SDUs must monitor the implementation results of the aforementioned measures, actions and arrangements at least semi-annually and inform the Senior Manager about the implementation results.
5.4 Work to be carried out by SDUs concerning Internal Audit Reports
In accordance with Article 64 of Law No. 5018, reports submitted by internal auditors to the Senior Manager shall be sent to the concerned unit and the SDU, following assessment by the Senior Manager, for taking the necessary action. It is convenient for SDUs to assess the report sent by the Senior Manager in light of the following questions:
Table 2 – Evaluation of the Internal Audit Reports by the SDUs
Question 1: What information is available in the report about the effectiveness of the internal control system? For example, what information does the internal audit report include on risk management?
Question 2: Are there any problems according to the internal audit report?
Question 3: What are the problems in question?
Question 4: What are the works to be carried out by spending units for fixing these problems?
  It is possible that SDUs provide spending units with guidance on the actions to be taken.
Question 5: What are the works to be carried out by the SDU for fixing these problems?
  Taking these problems into consideration, the SDU identifies the measures to be taken in the Internal Control System Evaluation Report to be submitted to senior management.
  Identifying the training need within the framework of the shortcomings related to the internal control system, the SDU can demand that new training programmes be developed or the available programme be revised.
Question 6: Has the SDU done what is necessary for fixing these problems?
  It should be found out whether the SDU has done the necessary work (delivering trainings/giving recommendations) for fixing the problems.
6 Internal and External Audits
In accordance with Law No. 5018, the audit of our financial management and control system is divided into two categories: internal audit and external audit. Internal audit is carried out by the internal auditors working in the administrations within the scope of the general government, with the exception of regulatory and supervisory institutions. External audit of the administrations under the general government, on the other hand, is carried out by the Turkish Court of Accounts.
6.1 Internal Audit
Articles 63-67 of Law No. 5018 set out the overall scope of the internal audit system, and the professional framework has been established with the secondary and tertiary legislation.
Activities and transactions of all the units of public administrations, including those abroad and in the countryside, undergo internal audit in line with audit standards within the scope of risk-based audit plans and programmes, using a systematic, consistent and well-disciplined approach.
The most distinctive difference between the current inspection boards and the internal audit designed by the aforementioned Law is that internal auditors have a limited authority which merely enables them to notify the most senior person in the administration when they find cases requiring investigation during the course of, or following, the audit. Inspectors, however, have the authority to initiate investigations and directly submit reports containing the findings of the investigations to the legal authorities.
6.1.1 Definition and Aim of Internal Audit
Internal audit is defined in Article 63 of Law No. 5018 as follows:
Box 2 – Article 63 of Law No. 5018
"Internal audit is an activity of providing independent and objective assurance and consultancy, performed in order to improve and add value to the activities of the public administrations by evaluating whether the resources are managed in conformity with the principles of economy, effectiveness and efficiency and by providing guidance. Such activities are performed with a systematic, regular and disciplined approach and in accordance with generally accepted standards, aiming to evaluate and improve the efficiency of risk management and of management and control processes on the management and control structures and financial transactions of administrations."
In the above definition, "objective assurance" refers to providing sufficient assurance within and outside the organisation that an efficient internal control system exists in the organisation; that its risk management, internal control system and business processes operate efficiently; that the information produced is accurate and complete; that the assets are safeguarded; and that the activities are carried out in an efficient, economic and productive manner in line with the legislation.
Alongside the objective assurance it ensures, internal audit provides independent and impartial consultancy to assist the administrations in developing their risk management, control and management processes. Consultancy covers providing recommendations to evaluate and improve the activities and business processes of the administration aimed at the achievement of its objectives in a systematic and regular manner.
Internal auditors get involved neither in the arrangement or implementation of internal control systems nor in the selection of control actions.
6.1.2 Monitoring within the scope of Internal Audit
Internal auditors submit their reports directly to the Senior Manager of the public administration. Following the evaluation of the Senior Manager, these reports shall be given to the concerned units and the SDU for taking the necessary action. Internal audit reports and the actions taken on them shall be sent by the head of the public administration to the Internal Audit Coordination Board within two months at the latest.
Audit results are monitored within the framework of the Public Internal Control Reporting Standards, which have been published by the Board. The corrective actions and advice recommended by the internal auditor following the internal audit activity shall be completed by the auditee within the time period indicated in the relevant report. The Senior Manager shall follow up whether the measures stated in the report have been taken or not. The Senior Manager can fulfil this duty through internal audit units (through internal auditors in administrations where there is no unit). Internal audit units (internal auditors in administrations where there is no unit) prepare a follow-up system to monitor the implementation of internal audit reports.
Unit directors take the necessary actions regarding the recommendations included in the audit report about the audited activities. In the event that no action could be taken, the head of the internal audit unit informs the Senior Manager.
If the recommendation or corrective measure to be taken will take a certain period of time, this shall be stated in the response to the audit report, and the relevant unit shall communicate the developments to the internal audit unit at least every six months.
Actions taken by the audited units upon the report, or the justifications for not taking action, are sent to the internal audit unit to be submitted to the internal auditor.
6.2 External Audit
Another means that contributes to accountability is external audit. In this context, external audit has an important role in the fulfilment of the legislative body's budget right and in the effective, efficient and economic use of public resources. The Turkish Court of Accounts carries out the audit of the financial activities and transactions of public administrations in the name of the legislative body.
6.2.1 Aim of External Audit
The purpose of the ex post external audit to be performed by the Court of Accounts is to audit, within the framework of the accountability of public administrations within the scope of general government, the financial activities, decisions and transactions of management in terms of their compliance with the laws, institutional purposes, targets and plans, and to report the results to the Turkish Grand National Assembly.
6.2.2 Scope of External Audit
External audit is divided into two categories, namely regularity audit and performance audit.
Regularity audit is carried out by means of the following:
- detecting whether the revenues, expenditures and goods of public administrations and the related accounts and proceedings are in compliance with the laws and the other legal regulations;
- giving opinions about their accuracy and reliability after assessing the financial reports and statements of public administrations and all those documents produced in relation to these reports and statements;
- assessing the financial management and internal control system.
Performance audit, on the other hand, is an act of measuring activity results in light of the objectives and indicators identified by administrations within the framework of accountability.
6.2.3 Functioning of External Audit
External audit makes use of the accounts and other relevant documents of the public administration. Where the TCA needs them, reports by the internal auditors can also be requested.
Reports produced upon the audits are consolidated by the administrations and submitted to the Senior Manager to be responded to; finally, an external audit overall evaluation report, produced considering the external audit reports and the responses to them, is submitted to the Turkish Grand National Assembly. It is possible to make external audit results into administration-based or topic-based reports and submit them to the TGNA as individual reports.
6.2.4 Coordination between External Audit and Internal Audit
Ensuring coordination and cooperation based upon communication, common understanding and trust between external audit and internal audit is important in increasing the efficiency of both external audit and internal audit. Furthermore, such coordination and communication will ensure effective use of audit resources by preventing unnecessary repetition of audits.
In accordance with Law No. 5018, the Court of Accounts can make use of internal audit reports within the framework of such coordination and communication. Moreover, it is expressed in the internal audit standards that the head of the internal audit unit shall share available information with the other internal and external auditors and conduct his activities in coordination with them.
7 Internal Control Assurance Declarations
The new financial management and control understanding brings forward the concepts of financial transparency and accountability. Briefing the public and the judicial organ on the activities of a public administration, which are carried out in order to attain its objectives and aims, and on their results is one of the most important requirements of managerial accountability.
This way, it is ensured that those carrying out public services feel more responsible and work in an outcome-oriented manner, and beneficiaries of the public services are informed on how the taxes they pay are used and on the performance of public administrations; it is also encouraged that public audit is strengthened as well as legislative audit. To this effect, in the new financial management and control system it is provided that authorising officers [5] prepare a unit activity report, the Ministry of Internal Affairs prepares an Assessment Report regarding the activities of local administrations and the Ministry of Finance prepares an Overall Activity Report, and it is ensured that the Court of Accounts informs the Turkish Grand National Assembly with its own assessments.
In order to deliver the concepts of financial transparency and accountability, the actors of the system, Senior Managers and the authorising officers allocated appropriations from the budget, have been commissioned to prepare internal control assurance declarations and attach these declarations to the activity reports of the administrations and those of the units [6].
Within this framework, those who need to give an internal control assurance declaration and the type of declaration they will give are demonstrated in the following scheme.
Table 3 – Types of Internal Control Assurance Declarations
Those who will give an internal control assurance declaration | Type of internal control assurance declaration
Senior Manager | Internal Control Assurance Declaration (Senior Manager) (Annex 3A)
Authorising Officers | Internal Control Assurance Declaration (Authorising Officer) (Annex 3B)
Head of SDU | Declaration of the Head of SDU (Annex 3C)
[5] Unit activity report and internal control assurance declaration are prepared by those authorising officers to whom an appropriation is allocated in the budget.
[6] Art. 8 of Principles and Procedures regarding Internal Control and Ex-ante Financial Control; Art. 19 of By-law on the Preparation of the Activity Reports of Public Administrations; Annex 2, 3, 4.
On the other hand, every authority signing the internal control assurance declaration should be sure that the assurance he gives is supported by evaluation reports issued by the SDU, internal and external audit reports, other external assessments and similar sound evidence. Furthermore, while completing the internal control assurance declaration of his administration, the Senior Manager should assess the Assurance Declarations of the authorising officers and the Head of SDU, and should state in the Internal Control Assurance Declaration that the reasonable assurance these declarations gave to him formed an important basis for his own declaration.
7.1 How to complete Internal Control Assurance Declarations
Guidance on the internal control assurance declarations to be completed by the Senior Manager (Annex 3A), Authorising Officer (Annex 3B) and the Head of SDU (Annex 3C) is as follows.
7.1.1 Guidance on Internal Control Assurance Declarations for Senior Manager and Authorising Officer
The Internal Control Assurance Declaration (ICAD) is comprised of four main parts, namely Responsibility, Basis of Internal Control System and Assurance Declaration, Risk Management and Assessment of Internal Control System (Annex 3A and Annex 3B).
In completing the two Annexes 3A and 3B, Senior Managers and Authorising Officers should observe the standard templates and complete the relevant boxes. Each box has a cross reference to where more information can be found in the main body of this chapter.
7.1.1.1 Responsibility
The Senior Manager is responsible for establishing, operating and monitoring an effective financial management and control system which will contribute to the realisation of the objectives and aims of his administration. Within this framework, he is obliged to take the necessary measures in order to ensure that regulations regarding the internal control system are adopted by employees and that internal control standards are observed. The authorising officer is responsible for the compliance of spending orders with the budget principles, laws, legislation, by-laws and regulations, as well as for the economical and efficient use of subsidies and the functioning of internal control within the framework of his duties and authorities.
As the paragraph of the ICAD regarding responsibilities is regulated within this framework, the name of the relevant administration should be written only in the part marked [administration]; other than this, no change should be made to the text.
7.1.1.2 Basis of Internal Control System and Assurance Declaration
The aim of the internal control system is to ensure the following in order to give reasonable assurance on the realisation of the strategic objectives of the administration:
- effective, efficient and economical management of public revenues, expenditures, assets and obligations;
- public administrations carrying out their activities in line with the law and the other applicable regulations;
- prevention of corruption and irregularity in every kind of financial decision and operation;
- obtaining regular, timely and reliable information and reports to make decisions and to monitor; and
- prevention of abuse and waste of assets and protection against losses.
However, the internal control system will not give absolute assurance to the administration for the realisation of the aims mentioned above, even if it is designed and operated very well, because some factors outside the influence and control of the administration can affect the capacity of the administration to attain its objectives. Therefore, we need to admit that the internal control system gives reasonable, not absolute, assurance to management for the realisation of objectives.
The cost of internal control should not exceed the benefit obtained. Management has to take into consideration the control costs and their benefits while making decisions on the regulation of responses to risks and control activities. The authorising officer, in the same manner, has to take these factors into consideration while identifying and assessing the risks related to his unit.
On the other hand, while identifying weaknesses in the internal control system, correcting the faults and contributing to the development of the system, the Senior Manager/authorising officer receives support from internal and external assessments made within the framework of management information systems, evaluation reports issued by the SDU, internal and external audit reports and internal and external assessments. Therefore, it is appropriate that such support provided along these lines be explained in the ICAD by the Senior Manager/authorising officer.
7113 Management Information Systems
Managers need financial and non-financial information in order to detect whether the
administration has attained its objectives and aims or not and whether accountability function has
been fulfilled or not for an effective economical and efficient usage of resources Therefore best
fulfilment of such requirements and timely and accurate decisions are possible if there is proper
accurate timely and accessible information
Therefore management information system in the administration should be designed in a
way to produce the necessary information and reports needed by the management and to give
the opportunity to make analysis
Senior mangerauthorising officer should briefly touch upon in ICAD the management
information system that is available in administrationunit and explain what kind of contributions this
system make to functioning of internal control system
7114 Internal Audit
Responsibility for establishing an adequate and effective internal control system rests with
Senior Manager By giving information to the management on effectiveness adequacy and
functioning of internal control system making assessments and recommendations internal audit
takes an important part in helping senior management this responsibility
Within this framework during the audits carried out by internal auditors followings are
realized
It is detected whether internal control system functions in a sound manner and
Success of internal control system in compliance to the legislation and relevant
regulations in the accuracy of accounts and operations and in the reliability of
financial system tables in providing an effective economical and efficient
execution of activities programs and projects of the administration is determined
Senior Manager on the other hand assesses the factors which are envisaged to be
corrected and improved in internal audit reports and takes necessary measures
First of all, the Senior Manager should state in the ICAD whether the administration has an internal audit unit. If it does, this part of the declaration should give a brief summary of the measures taken regarding the adequacy, effectiveness and functioning of the internal control system in line with the recommendations and assessments of the internal auditors.
The Senior Manager may also explain in the ICAD how the action plans prepared by the audited units, covering the measures to be taken by the administration as a result of internal audits, are monitored, and may mention any support provided by the internal audit unit for that monitoring activity.
The authorising officer, for his part, may explain in the ICAD the action plans prepared on the measures to be taken by his unit as a result of internal audits, and their implementation.
7.1.1.5 External Audit
If the Court of Accounts has conducted an external audit, the Senior Manager/authorising officer should include in the Internal Control Assurance Declaration a summary of the relevant findings and assessments, as well as of the operations carried out by the administration in response to those findings and assessments.
If any operation relating to the external audit reports of previous years has been carried out within the year, a summary of that operation should also be included in this part of the declaration.
7.1.1.6 Strategic Development Unit (SDU)
The SDU carries out studies in fields such as establishing the internal control system and implementing and developing the standards, and submits the results of these studies to the Senior Manager.
Although the duty of setting standards and methods for financial management and internal control processes is assigned to the Ministry of Finance, any methods, processes and standards for special operations that are considered necessary are prepared by the SDU and submitted for the approval of the Senior Manager, provided that they do not conflict with Law No. 5018 and the standards set by the Ministry of Finance. Authorising officers base their activities on the relevant regulation as well as on the legislation.
Furthermore, the SDU prepares an annual Internal Control Evaluation Report on the functioning of the internal control system and submits it to the Senior Manager. The Senior Manager should therefore mention in the ICAD these regulations and the Internal Control Evaluation Reports on the financial management and control system that were prepared by the SDU and put into effect following his approval.
Within this framework, the authorising officer should mention in the ICAD the guidance provided by the SDU for the sound functioning of the internal control system in the unit.
7.1.1.7 Risk Management
Administrations set out their missions and visions, as well as their objectives, aims and basic policies, in their strategic plans. While preparing their strategic plans, administrations also analyse their institutional strengths, weaknesses, threats and opportunities.
With the help of techniques such as SWOT and PESTLE analyses, administrations are able to identify, define and assess the risks they may encounter in carrying out their activities.
In general terms, a risk is an uncertain event that may occur, together with its unfavourable outcomes and impacts. Risk is generally regarded as the threats that prevent the achievement of aims and objectives; however, well-managed risks pave the way to benefiting from probable opportunities.
The two most important components of administrative risks are probability and impact. Therefore, when addressing a risk, both the probability of its occurring and the impact it may create if it occurs are considered. The most important feature of the risk concept is that risk is inevitable. Administrations should therefore prefer managing risks to overlooking them and resorting to crisis management once they materialise. It should be emphasised that, since the time and resources available to manage risks are limited and it is impossible to eliminate risks altogether, the necessary control activities are conducted to keep risks at a tolerable level.
Risk perception, risk awareness and risk appetite may differ according to the organisational structure, human resources and activities of an administration. Therefore, the Senior Manager should include the following elements in the ICAD, relating them to the activities and functioning of the administration (authorising officers should take into consideration only the parts included in their own ICADs).
7.1.1.8 Risk perception of administration
The following should be summarised:
the leadership shown by the Senior Manager in the risk management process;
how risk awareness is raised among the staff and how the staff are encouraged to practise risk management;
the administrative risk appetite and how it is perceived by the staff; and
whether there is a commonly agreed risk perception among the staff.
7.1.1.9 Capacity to cope with risks
For effective risk management, the following should be explained:
how training is provided and awareness is raised among the staff;
how the staff are guided in addressing the risks relevant to their duties and responsibilities, and how and when they consult senior management on risk management matters; and
how risk management is internalised within the overall activities of the administration/unit.
7.1.1.10 Risk identification and assessment
It is not only financial risks that affect the activities of an administration. In relation to the activities of an administration/unit, the following kinds of risks may also be encountered:
risks from external sources, such as political, economic, social, cultural, technological, environmental, legal and ethical risks; and
risks from internal sources, such as assets, infrastructure, labour force and organisational structure.
Assessing risks from external sources can be handled as part of the administration's strategic risks. Spending units should pay more attention to the operational and functional risks related to their own fields of activity. The various risk categories relating to the activities of the administration, and how such risks are assessed, should be briefly explained in the ICAD (for example, whether risks are classified as risks to be eliminated, to be transferred, to be managed or to be tolerated).
7.1.1.11 Addressing, controlling, monitoring and reporting risks
The responses to be given to the identified risks and the method used to address risks should be briefly explained. It should be stated whether a risk register, a report on risk status, a consolidated risk report and similar methodologies are operational in the administration.
Identifying the control environment by defining the following, and reporting after effective monitoring, will strengthen the effectiveness of internal control:
impact;
probability;
responses to be given and measures to be taken;
ownership; and
type and frequency of reporting.
Bearing in mind that the ICAD is a declaration, made within the framework of accountability, that the administration's internal control system gives reasonable assurance supported by evidence, a summary covering the above explanations on risk perception and risk management should be provided.
7.1.1.12 Assessment of Internal Control System
When preparing the ICAD, an assessment of the effectiveness of the internal control system during the activity period should be included. It is particularly useful to address the specific high-risk areas and the positive and negative developments in the internal control system in those areas. Since these areas vary according to organisational structure and activities, it is appropriate to make the assessment under the following headings:
Human resources: changes regarding the key personnel of the administration/unit, changes in the qualifications that the activities require, wage policy, working conditions, and developments regarding under-employment and over-employment.
Physical infrastructure and assets: developments in the physical infrastructure and in all the assets of the administration/unit that can influence its fundamental activities.
Information and communication infrastructure: the information infrastructure and the software and hardware park used by the administration/unit, important developments regarding information systems, and new or updated information systems.
Data security: an assessment of the effectiveness of the controls over the security of the confidential strategic information of the administration/unit.
New structures and changing fields of activity: how structures that have emerged in the administration/unit as a result of changes to the founding law of the administration, or of a new division of duties and activities among administrations, are reflected in the internal control system.
Problems encountered in the main fields of activity, or examples of good practice: the Senior Manager/authorising officer should include in the assurance declaration the problems experienced because of internal and external factors and rooted in weaknesses of the internal control system. The measures to be taken to overcome such problems should also be summarised in the declaration. Likewise, threats eliminated with the help of an effective internal control system should be mentioned under 'good practices'.
Developments regarding weaknesses stated in previous years: the Senior Manager/authorising officer should include in this part the measures taken and the improvements achieved regarding the weaknesses and problems contained in the assurance declarations of previous years.
Other developments: the Senior Manager/authorising officer should include in this part any important developments that do not fall under the above headings.
The Senior Manager/authorising officer may not feel comfortable addressing the weaknesses and problems listed above in the ICAD. However, it is clear that an assurance declaration that mentions no threat, problem or weakness will not be convincing and will not meet the requirements of the principles of transparency and accountability. What matters is to emphasise that controls have been developed and the internal control system strengthened in response to the identified problems and weaknesses.
Proceedings found inappropriate following ex-ante financial control: the authorising officer should include in this part any proceedings performed that were found inappropriate by the financial services unit. The supporting opinion, report and evidence of the authorising officer, despite the negative opinion, should be summarised to contribute to accountability (7). If there is no such proceeding, the statement "there is no proceeding I have performed that has been found inappropriate by the SDU" should be included in the assurance declaration.
On the other hand, when completing the Internal Control Assurance Declaration the Senior Manager should state that he has evaluated the Assurance Declarations of the authorising officers and the Head of SDU, and that the reasonable assurance provided by these declarations formed an important basis for his own declaration.
If the Senior Manager has received support from support and consultation boards/Boards established officially or unofficially (ad hoc), such support should be explained in the ICAD. These boards/Boards may prepare reports on the assessment of the internal control system, with emphasis on risk strategy and risk management, for submission to the Senior Manager. Where a support/consultation unit has been established that is similar to those known as a Consultation Board, Audit Board, Risk Board or Steering Board (which differ among countries/administrations in composition and working style), the support received from such a Board should be summarised; this will strengthen the assurance that the declaration provides.
7.1.2 Guidance for Internal Control Assurance Declaration of Head of SDU
7 Regulation on Principles and Procedures regarding Internal Control and Ex-Ante Financial Control, Article 28: the financial services unit keeps a record of the transactions carried out by authorising officers despite ex-ante financial control having declared them inappropriate, and these records are submitted to the Senior Manager monthly. The records are also provided to auditors during internal and external audits.
The Declaration by the Head of SDU (DHSDU) is a very important element that lays the groundwork for the assurance the Senior Manager needs to provide regarding the internal control system in the administration (Annex 3C).
In completing Annex 3C, Heads of SDU should follow the standard template and complete the relevant boxes. Each box has a cross reference to where more information can be found in the main body of this chapter.
The Head of SDU is responsible for ensuring that the internal control system is implemented and monitored, and that their opinions and recommendations are reported to the Senior Manager so that the necessary actions can be taken in time, in order to ensure that the activities of the administration are carried out in accordance with the financial management and control legislation and other legislation, and that public resources are used in an efficient, effective and economic manner.
As the Field of Competence part of the DHSDU is based on this framework, this part should likewise not be changed, except for writing the name of the administration in the brackets (administration).
Furthermore, if the declaration is supported by explanations under the following headings, it will form the basis for the reasonable assurance that the Senior Manager has to provide to the public.
7.1.2.1 Management Information Systems
The Head of SDU needs financial and non-financial information to identify whether the aims and objectives of the administration have been reached, whether resources have been used effectively, efficiently and economically, and whether accountability purposes have been met. Meeting these requirements and ensuring timely and correct decision-making by the administration's management is only possible with proper, accurate, timely, up-to-date and accessible information.
Therefore, the management information system within the administration must be designed so as to produce the information and reports needed by management and to give management the chance to make analyses.
The Head of SDU should include in the declaration explanations showing that the activities of the administration have been carried out in compliance with the legislation and in line with the budgets prepared according to the strategic plan and the annual performance programmes, and should provide supporting evidence. They should also explain the contribution made by the management information systems used in the administration to the legality of the activities.
7.1.2.2 Development of Internal Control System
SDUs are responsible for establishing internal control systems in administrations and carry out studies on the implementation and development of the standards. In this part of the declaration, the Head of SDU should mention the studies carried out to harmonise the administration's internal control system with the Public Internal Control Standards, and briefly describe the process for designing job descriptions, forming business processes, and preparing and implementing action plans.
7.1.2.3 Monitoring and Review
The Head of SDU should include supporting evidence regarding the ex-ante financial control activities carried out in line with the legislation and the approval of the Senior Manager, and regarding the monitoring of due process control. In addition, it should be indicated that the transactions carried out by authorising officers despite a negative opinion from ex-ante financial control are recorded and submitted to the Senior Manager on a monthly basis for information purposes.
It should also be stated that the financial decisions and transactions subject to ex-ante financial control by the SDU are grouped according to their type, cost and subject, taking risky areas into account, and are reviewed at least once a year.
The duties of the SDU include: establishing performance and quality criteria in matters within the administration's field of duty; collecting, analysing and interpreting data and information on the management of the administration and on the improvement of services and performance in matters within the administration's field of duty; analysing the external factors that will affect services; conducting capacity research within the institution; analysing the effectiveness of the services and the level of satisfaction with them; and carrying out general research in this regard.
In this context, the Head of SDU should include in the declaration the studies carried out to increase the quality of the services provided by the administration, the studies analysing the external factors that will affect services, the capacity research within the institution to analyse the effectiveness of the services, and the conclusions of these evaluations.
In this part of the declaration, the Head of SDU should provide explanations about the arrangements prepared by their unit and put into effect upon the approval of the Senior Manager.
Finally, the studies regarding the establishment of the internal control system in the administration and the implementation and development of the standards, and the process by which the financial management and control system of the organisation is reviewed annually and reported to the Senior Manager, should be described.
7.1.2.4 Briefing and Advising
Providing the necessary information and advice to the Senior Manager and authorising officers on the implementation of the financial laws and other related legislation is also among the duties of SDUs.
In this part of the DHSDU it should be underlined that coordination has been ensured while working with the spending units on the establishment of the internal control system and the implementation and development of the standards. A brief explanation that information and advice on the implementation of the financial laws and other related legislation has been provided to the Senior Manager and authorising officers should also be included.
7.1.2.5 Financial Information
The Head of SDU should be satisfied, on the basis of supporting evidence, that the information included in section III.A (Financial Information) of the Activity Report is reliable, complete and accurate.
MONITORING ANNEXES
Annex 1 Internal Control System Question Form
INTERNAL CONTROL SYSTEM QUESTION FORM
This questionnaire is designed to allow public administrations to see whether their internal control system complies with the internal control standards. It will also provide the opportunity to identify to what extent the internal control system facilitates the achievement of objectives, considering changing conditions, resources and risks. It is of crucial importance that those responding to this questionnaire give factual answers, as the questionnaire will be used to identify the level of advancement of the internal control system in the administration.
Heads of units are responsible for making an in-depth assessment of the functioning of internal control in their respective units and completing the internal control questionnaire. Within this framework, the questionnaires completed by heads of units under the guidance of the SDU are sent back to the SDU to be consolidated into an overall evaluation report for the entire administration. The SDU submits the report produced from these questionnaires to the CHU following approval by the Senior Manager.
Completing the questionnaire
This questionnaire is made up of five parts, each based on one of the components of internal control:
Control Environment;
Risk Assessment;
Control Activities;
Information and Communication; and
Monitoring.
Each part includes questions on the functioning of the internal control system in the context of the component concerned. Care should be taken that responses to the questionnaire are consistent with the administration's action plans produced to achieve compliance with the Public Internal Control Standards.
Spending units are obliged to respond to the questions on Risk Assessment, Control Activities and Information and Communication. Responding to the questions on Control Environment and Monitoring is at the spending unit's discretion.
The response part is made up of three options: YES, NO and IN DEVELOPMENT. There is also a fourth column titled EXPLANATION. YES means that the issues covered by the question are properly understood and implemented within the administration/unit. NO means that the issues covered by the question are not understood or implemented within the unit/overall administration. IN DEVELOPMENT means that the issues covered by the question are partially understood or implemented in the unit/some divisions of the administration. In the explanations part, evidence and recommendations, if any, should be written. Guidance is given after each question with a view to helping the respondent better understand the question.
The questionnaire will be evaluated by means of scores assigned to the answer to each question. The answer "Yes" corresponds to a score of 2, the answer "In Development" to a score of 1 and the answer "No" to a score of 0. A total score will be calculated for each chapter of the questionnaire, and there will also be a total score for the whole questionnaire.
If the answer "No" is given to a question, the Head of Unit/Senior Manager should take steps to improve the relevant area.
If the answer "In Development" is given to a question, the Head of Unit/Senior Manager should assess what can be done to achieve progress in the relevant area.
If the answer "Yes" is given to a question, this means that there is no factor in that area which needs improvement.
Bearing in mind that this questionnaire is a kind of self-assessment and that the internal control system is a new practice for administrations, please give realistic and reliable answers.
If you have any hesitation in completing the questionnaire, please refer to the SDU.
No | Questions | Yes (8) | No | In Development (9) | Explanation
Points: Yes 2, No 0, In Development 1
1 Are the public internal control standards well known in your administration?
It would be helpful to deliver training and hold meetings with a view to raising awareness of this subject.
CONTROL ENVIRONMENT
The control environment provides the general framework that is the basis for the other components of the internal control system. The concept is used to describe the setting out of the goals and objectives of the administration, their communication to the staff, and the creation of an appropriate organisational structure and culture. The personal and professional integrity and ethical values of the employees and management, the supportive attitude of management towards internal control, written procedures and practices for human resources management, the organisational structure, the management philosophy and the operating style all have a great influence on the control environment.
2 Are there mechanisms in your administration that ensure that all employees are familiar with the code of ethics?
For example, are trainings provided or meetings organised to adapt the public code of ethics to your administration and to adopt it, and are leaflets produced in this regard?
3 Are there any codes of conduct/ethics available in addition to the public codes of ethics produced for your administration?
4 Has any standard been developed in your administration in terms of duration and method for services delivered directly to citizens?
8 If the response is "Yes", evidence (details of the activities carried out, etc.) must be provided in the "Explanations" column.
9 If the response is "In Development", the necessary information (details of the activities carried out, etc.) must be provided in the "Explanations" column.
5 Is it ensured that authorised bodies and staff have access to the outputs related to all works and transactions?
6 Are there mechanisms available in your administration for staff and the other people served by the administration to submit their recommendations, assessments and questions (questionnaires, face-to-face meetings, group meetings, electronic applications, etc.)?
It is recommended that any questionnaires developed be based upon the principle of confidentiality.
7 Is your administration's mission written down and announced?
The mission can be announced to the staff via bulletin boards, the intranet or e-mail. Production of a strategic plan indicates that the mission has been set out.
8 Are there any directives, circulars or approvals in your administration regarding the job descriptions of units, sub-units and staff?
Job descriptions for the units and sub-units, as well as for staff, must be written down and announced in order to ensure that your administration's mission is being carried out.
If the response is "No", when this is going to be done must be stated.
9 Does the organisational chart of your administration show the key areas of authority and responsibility, reporting lines appropriate to accountability, and coordination and integration points?
If the response is "Yes", the roles and responsibilities regarding each objective must be set out clearly.
An organisational chart for units must be produced.
10 Have procedures regarding sensitive tasks been set out in your administration?
It is recommended that the procedures in question be defined in writing and announced to staff, and that a rotation policy regarding sensitive duties be set out.
For detailed information on sensitive duties, refer to the Control Environment chapter of the Manual.
11 Are mechanisms available in your administration to enable managers at each level to monitor the results of the tasks assigned?
If the response is "Yes", these mechanisms (reports, work plans, regular meetings, automation programs, etc.) must be stated.
12 Have the competence, skills and knowledge each task entails been identified in your administration?
In answering this question, it must be assessed whether the factors mentioned above are taken into consideration when recruiting staff.
13 Have promotion procedures been defined in writing in your administration?
The factors mentioned above must be defined taking staff performance into consideration, and these factors must be announced to staff.
14 Is there a unit in your administration responsible for training, which identifies the training needs for each task identified and ensures that training activities to satisfy those needs are planned and carried out each year?
15 Do the managers of your administration share the results of the assessments they make of staff competence and performance with the staff?
It is recommended that Senior Managers share the results of the assessments with the staff.
16 Is action taken to increase the performance of staff whose performance is deemed unsatisfactory upon performance assessment? For example, is any action taken such as providing private training for that person, discussing the areas where their performance is deemed unsatisfactory, or assigning them under the supervision of more experienced staff?
17 Are there rewarding mechanisms in your administration geared towards staff who perform highly, and are these mechanisms applied?
It is recommended that rewarding mechanisms be developed for high-performing staff (picking an employee of the month, assignments abroad, etc.) and that the criteria be announced to all the staff.
18 Have the procedures regarding human resources (staff employment, replacement, promotion, training, performance appraisal, personal rights, etc.) been documented?
If so, examples must be provided. The procedures mentioned above must also be announced to staff.
19 Are the bodies of signature and approval set out in the flowcharts?
If the response is "No", it is recommended that these business flow processes be defined and the bodies of signature and approval be identified and communicated.
20 In your administration, have delegations been defined in writing?
Delegations must include information on their scope, quantity and duration, and on whether the authority delegated can be further delegated to another person. Furthermore, attention should be paid to striking a balance between authority and responsibility in the delegation of power.
21 Have minimum requirements (knowledge, skills and experience) been identified in your administration for staff to whom authority is to be delegated?
Please explain how you define this knowledge, these skills and this experience, and how you ensure that the person to whom the authority is delegated has them.
22 Does the employee who receives the authority report to the delegator on a regular basis about the use of the authority?
The reporting period must be proportionate to the duration of the delegation.
TOTAL POINTS - CONTROL ENVIRONMENT
RISK ASSESSMENT
Risk assessment is the process in which the risks that might prevent the achievement of the administration's objectives are defined and analysed and the necessary actions are taken. In this section, the risk perception and risk-handling capacity of the administration must be self-assessed using the following questions.
1 Have the methodologies and responsibilities, as well as the reporting procedures, for monitoring and assessing the performance achieved in meeting objectives been identified in the strategic plans?
If the answer is "Yes", how the monitoring and assessment processes work in practice must be explained briefly.
2 Have the strategic plan and performance programmes been taken into consideration in budget preparation?
The activities and projects carried out to reach the aims and objectives set out in the strategic plan, the indicators to be followed, and the resource needs for these activities and projects must be shown in the performance programmes. Therefore, these strategic plans and performance programmes must be taken into consideration during the budget preparations for the administrations.
3 Do the activities carried out in your administration/unit comply with the aims and objectives set out in the strategic plans and performance programmes?
Administrations must focus on the aims and objectives set out in the strategic plans and performance programmes for effective, efficient and economic use of resources.
4 In setting out the objectives of your administration and units, has it been ensured that they are SMART?
5 Have your units set out specific objectives within their area of competence in accordance with the objectives of the administration?
Responses to this question by units that are unable to set out specific objectives (such as support services) must be considered during the evaluation. Furthermore, specific objectives that have been set out must be announced to staff.
6 Does your administration have a risk strategy and policy document that is approved by the Senior Manager and accessible to all the staff?
The administration's risk strategy must be reviewed at least once every year and updated when deemed necessary.
7 Are contributions from employees received in the risk management process?
Employees feeling a sense of ownership of risk management (identifying, handling, responding to, reviewing and monitoring risks) and regarding risk management as part of their work will produce a strong corporate reflex against risks.
If the answer to this question is "Yes", please explain how you ensure this contribution.
8 Is risk management, covering identifying, assessing, responding to and reviewing the risks to your objectives and aims, implemented in your administration?
When identifying the risks to the achievement of aims and objectives, a methodology and a defined process must be adopted and must be documented (risk register, risk progress report, consolidated risk report, and so on). The measures taken by the administration to mitigate risks must be applied within the framework of action plans.
9 Are annual Internal Control Evaluation
Reports prepared in your administration
about how effectively risk management
process works in your administration
These reports must cover information
about what has been done throughout
the year to mitigate risks
TOTAL POINTS - RISK ASSESSMENT
CONTROL ACTIVITIES
CONTROL ACTIVITIES: Control activities are the policies and procedures produced to ensure that the administration's aims and objectives are achieved and that the identified risks are managed.
1. In your administration, are efficient control strategies and methods set out and practised for each activity and risk?
The defined controls must match the risks; different control methods must be applied for different types of risk. Control strategies and methods must be set out and applied in the form of periodical reviews, control by sampling, comparison, approval, reporting, coordination, confirmation, analysis, authorisation, supervision, review, monitoring, periodical checks, security of assets, etc. The controls within the administration must also cover ex-ante process controls and ex-post controls where necessary.
2. Is a cost-effectiveness analysis made in your administration when identifying control activities?
The expected benefit and the cost of the proposed control activity must be compared; controls whose costs exceed their benefits must be identified, and less costly alternative controls must be selected.
3. Are there written procedures regarding your administration's activities, financial decisions and transactions?
There must be written procedures regarding your administration's activities, financial decisions and transactions. These procedures and the relevant documents must cover the initiation, implementation and conclusion phases of the activity, financial decision or transaction. Procedures and relevant documents must be up to date, comprehensive, in compliance with the legislation, and understandable by and accessible to the relevant staff.
4. Do the managers of your administration carry out the necessary controls for the effective and continuous implementation of procedures?
Activities and transactions of the administration must be carried out in accordance with the regulations developed in this area. Managers must systematically check whether these regulations are complied with (control processes such as initials, assent, control lists and physical counts can be defined for this purpose). Within this framework, managers should monitor whether the work carried out by staff complies with the regulations. Manager instructions must be produced on how to remedy the faults and irregularities detected.
5. Is the principle of 'segregation of duties' practised in your administration?
The tasks of approving, implementing, recording and controlling each activity or financial decision must be carried out by different people, and compliance with the principle of segregation of duties must be supported by written documents. Where segregation of duties is not possible due to an insufficient number of staff, the managers must be aware of the risks and take the necessary precautions. In such cases, other control procedures must be established to manage the risk.
6. Are the necessary measures taken against the factors that affect the continuity of operations in your administration?
The necessary measures must be taken against the factors that affect the continuity of operations, such as an insufficient number of staff, temporary or permanent leave, adoption of new information systems, changes to methods or legislation, and emergencies. If the response is "Yes", efficient written procedures, trainings, guidance and planning can be provided as evidence.
7. Is the system of deputation applied efficiently in your administration?
Where necessary, deputies must be assigned in accordance with the relevant procedures. The person assigned as a deputy must have the necessary qualifications. Detailed internal arrangements must be made regarding the deputation procedures included in the personnel laws, and the qualifications required of deputies must be defined in detail.
8. Do staff leaving their positions report to their successors on the status of the work and transactions they have conducted?
Managers must ensure that staff leaving their positions prepare a report on the status of their tasks and operations, along with the necessary documents, and submit it to their newly assigned successors. The report must include the list of the important tasks being carried out, the risks to be treated as priorities, the list of periodic tasks, and so on.
9. Are there defined authorisations for data and information input and for access to the information system in the administration?
The information system must only be accessible to authorised staff. To this end, regularly updated information security software must be used for access to computer programmes. Arrangements regarding the designated level of security must be complied with while working on documents.
10. Are there sufficient back-up mechanisms and tested disaster recovery plans/action plans for the information system?
TOTAL POINTS - CONTROL ACTIVITIES
INFORMATION AND COMMUNICATION
INFORMATION AND COMMUNICATION: Information and communication includes a proper system of information, communication and registry that ensures the necessary information is communicated to the person, employee or manager who needs it, in a certain format and in a timely manner, so that the objectives are reached and the relevant people are enabled to fulfil their internal control responsibilities.
1. In your administration, is there an efficient written, electronic or verbal internal communication system that covers both horizontal and vertical communication?
The response to this question should include the means/methods (in person, via telephone, e-mail, in writing, etc.) the staff use to communicate with each other or with their managers, and the consideration of whether these are appropriate and/or efficient. In order for employees to receive the information they need to carry out their work without interruption, it must be ensured that they are in touch with managers from all levels, including top management.
2. Is there an external communication system to ensure efficient communication with external stakeholders?
This system monitors communication and checks whether questions can be answered or not.
3. Do the present internal and external communication systems ensure that the staff or external stakeholders can communicate their expectations, recommendations and complaints?
For example, whether Law no. 4982 on the Right to Information is efficiently executed within the administration, and whether requests and complaints are responded to in time, should be considered.
4. Is it ensured that all the information and documents regarding the activities of your administration are accurate, complete, reliable, useful and understandable?
Information systems must ensure timely access to the accurate, complete, reliable and understandable information required while carrying out operations. The response to this question must include a statement of whether mechanisms for ensuring the aforementioned principles (decision support systems, archive and document management systems, etc.) exist.
5. Do the present information systems ensure that the objectives set by the administration are monitored and that the activities regarding these objectives are efficiently supervised and assessed?
The Management Information System must be designed in a way that produces the information and reports the managers need during decision-making processes and gives them the opportunity to carry out analysis.
6. Are there reporting mechanisms with rules and standards set out in line with the monitoring of objectives, the supervision of activities and accountability purposes?
The performance programmes, the published financial progress reports that include the expectations and objectives, and the content of the activity reports must be in line with the requirements of the relevant legislation.
7. Is there a documentation and archiving system that complies with certain standards for the recording, classification and protection of, and access to, the operations and transactions of the administration?
While responding to this question, Standard 15 of the Public Internal Control Standards and the legislation on archiving and documentation must be considered.
8. Are there tools available to report, from inside and outside the administration, faults, irregularities and possible or ongoing problems?
Employees and external stakeholders must be sufficiently informed about these tools. There must be a whistle-blowing process and a procedure for protecting personnel, and staff must be informed about these. Managers must take the necessary actions to prevent discrimination and ill treatment against whistle-blowers.
TOTAL POINTS - INFORMATION AND COMMUNICATION
MONITORING
MONITORING: The internal control system is a dynamic process in which the administration has to continuously adapt to the risks and changes it faces. Therefore the internal control system needs to be monitored to ensure that it adapts to changing objectives, environment, resources and risks as necessary. The basis for effective and efficient monitoring is the design and implementation of monitoring procedures that are relevant to the administration's objectives and that assess the important controls over meaningful risks.
When monitoring is designed and implemented properly, it provides correct and convincing information on the efficiency of the internal control system, identifies internal control failures in time, and notifies the people responsible for taking action and, where necessary, top management. This ensures that the problems faced are corrected before they harm the objectives of the administration. Monitoring is carried out by management and by internal and external audit.
1. Is the internal control system monitored and assessed at least once a year?
Please explain at what intervals the internal control system in your administration is assessed and the methods used. The internal control system must be assessed via ongoing evaluations or separate evaluations; it is recommended that these two methods are applied at the same time. (Separate evaluation of the internal control system can be carried out by setting up working groups or via questionnaires.)
2. Are processes and methods set out in your administration to identify and disclose the shortcomings of internal control and improper control methods, and to take the necessary actions?
If the response is "Yes", please briefly describe the process and method adopted in your administration. It is recommended that the processes and methods are put into practice upon approval by the Senior Manager. Please give brief information on the responsible staff notified in the event of an incomplete or improper control method, the time limit set for taking action, and how these procedures are monitored. Management fulfils this responsibility via SDUs and internal auditors.
3. Are trainings, plenary sessions and meetings held which create an atmosphere in which managers are provided with feedback about whether internal control functions effectively or not?
4. Are the units of the administration involved in the evaluation of internal control?
If the answer is "Yes", please explain how participation is ensured. It must be ensured that units take an active part in the process, and the task of evaluating the internal control system must not be perceived as the responsibility of only the Senior Manager, the internal auditor and the SDU.
5. Is there an internal audit unit/internal auditor in your administration?
6. Is there efficient cooperation among the internal audit unit, management and staff?
What has been done to increase the level of awareness of managers and staff of internal audit activities? What has been done to review relations with the internal audit unit and the expectations of it? Please explain briefly.
7. While evaluating internal control, are the opinions of the managers, the requests and complaints by people/organisations, and the reports produced by internal and external audit taken into consideration?
The method to be adopted for the collection, assessment and reporting of the information required for the evaluation of internal control must be set out. Please refer to the staff responsible for assessing the internal and external audit findings and recommendations for the evaluation of internal control, the time limits for these assessments, and the management level to which this information is communicated. Compare the internal and external audit reports with the results of the internal control system evaluation by the SDU for consistency. In the event that any inconsistency is identified, the reasons for it must be questioned.
8. Are recommendations from internal audit and the SDU about how to improve internal control taken into consideration by management?
9. Are action plan(s) produced and implemented on the basis of the internal control evaluation results and the recommendations made by internal and external audit? Are they followed up?
If the timing is appropriate, action plans can be combined. Please give brief information on the staff responsible for following up the action plans and the method used. Furthermore, please provide information on the method used for the follow-up of internal audit reports, if there is any. With which level of management are the results of the follow-up shared, and how often? Please explain.
TOTAL POINTS – MONITORING
GRAND TOTAL
Annex 2: Internal Control System Evaluation Report
……………………… (NAME OF ADMINISTRATION)
INTERNAL CONTROL SYSTEM EVALUATION REPORT
I. INTRODUCTION
1.1 Mission
1.2 Aims and Objectives
1.3 Organisational Structure
II. INTERNAL CONTROL QUESTIONNAIRE RESULTS
II.1 Consolidated summary of strengths and aspects open to improvement for the entire organisation, for each COSO component:
- Control Environment
- Risk Management
- Control Activities
- Information and Communication, and
- Monitoring
III. OTHER INFORMATION
III.1 Internal Audit Reports
III.2 External Audit Reports
III.3 Other Information Sources
III.3.1 Budget Information
III.3.2 Data on Ex-ante Financial Control
III.3.3 Requests by Individuals and/or Administrations
III.3.4 Other Information
IV. CHANGE SINCE THE LAST REPORT
IV.1 For each COSO component, has the position got better or worse, and why?
V. CONCLUSION
V.1 Strengths
V.2 Aspects Open to Improvement
V.3 Recommendations for action
Annex 3a: Internal Control Assurance Declarations - Senior Manager
I. RESPONSIBILITY
As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of [the administration]. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.
II. PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION
I declare that my administration's budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements, and that the resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.
In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration's revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; that my administration operates in line with the laws and other regulations; that irregularities and fraud are prevented in each financial decision and transaction; that regular, timely and reliable reports and information are acquired for decision making and monitoring; and that assets are safeguarded against abuse, waste and losses.
This assurance is based on my knowledge and considerations as the Senior Manager, the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programme, the studies of the SDU, and internal and external audit reports (if available).
In the following part, the Senior Manager must explain the support provided by the management information systems, the internal and external evaluations within the framework of the quality assurance development programme, internal and external audit, and the SDU.
Management Information Systems
Please read section no. 6113 before completing this part.
Internal Audit
Please read section no. 6114 before completing this part.
External Audit
Please read section no. 6115 before completing this part.
SDU
Please read section no. 6116 before completing this part.
III. RISK MANAGEMENT (10)
(10) This part must be completed when the risk management process starts to function in the administration.
As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration and in the production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, the creation of the necessary organisational capacity and the embedding of risk management into general activities is valued.
In the following part, the authorising officer should address the risk perception of the administration and its capacity to deal with risk.
Risk perception of the administration should summarise:
Please read sections no. 6117 and 6118 before completing this part.
Capacity to handle risk
Please read section no. 6119 before completing this part.
My administration faces a wide range of risks during the course of its activities. These risks are considered in accordance with the principle that the cost of the internal controls to be developed for control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted across the levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.
In the following part, the Senior Manager should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration's risks.
Identification and assessment of the risks
Please read section no. 61110 before completing this part.
Addressing, control environment, monitoring and reporting of the risks
Please read section no. 61111 before completing this part.
IV. APPRAISAL OF THE INTERNAL CONTROL SYSTEM
As the Senior Manager, during the preparation of the foregoing declaration I also considered the assurance declarations by the Authorising Officers and the Head of SDU. The information and evaluations I have received from these declarations form an important basis for the assurance I have to provide on the internal control system in my administration.
Furthermore, [advisory, audit, risk steering] boards/committees have been set up within [the administration] to provide support and guidance for the evaluation of the internal control system, particularly in terms of risk strategy and management. Reports prepared by these boards have made a great contribution to the evaluation of the internal control system.
Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term and how these developments have been handled are summarised below.
Please read section no. 61112 before completing these parts.
Human Resources
Physical infrastructure and assets
IT and communication infrastructure
Data security
New structures and changing fields of activity
Problems faced in the main fields of activity or examples of best practice
Developments regarding weaknesses stated in previous years
Other developments
(Date)
Signature
Name
Title
Annex 3B: Internal Control Assurance Declaration - Authorising Officer
INTERNAL CONTROL ASSURANCE DECLARATION (11)
(11) Please read section no. 611 before completing this part.
I. RESPONSIBILITY
As the authorising officer, within my field of competence I am responsible for ensuring that my expenditure orders are in line with the fundamentals and principles of the budget, the laws, rules and regulations and other legislation; that the appropriations are utilised in an efficient, effective and economic manner; and that internal control operates properly.
II. PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION
I declare that the operations and transactions carried out by my spending unit comply with the aims and objectives of the administration, high financial management principles, control arrangements and the legislation; that the resources allocated to the spending unit from the administration budget have been utilised in line with the planned objectives; and that the internal control system within my unit provides sufficient and reasonable assurance.
This declaration of assurance is based on my own information and evaluations as the authorising officer, and on the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programmes, the studies by the SDU, and internal and external audit reports.
In the following part, the support provided by the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programmes, and the studies by the SDU should be elaborated by the authorising officer.
Management Information Systems
Please read section no. 6113 before completing this part.
Internal Audit
Please read section no. 6114 before completing this part.
External Audit
Please read section no. 6115 before completing this part.
SDU
Please read section no. 6116 before completing this part.
III. RISK MANAGEMENT (12)
(12) This part must be completed when the risk management process starts to function in the administration.
Within the framework of the overall risk perception, strategy and awareness of the administration, the capacity to handle risk has been determined for the activities specific to my unit, and the necessary importance has been attached to embedding risk management in its activities.
In the following part, the authorising officer should address the capacity to handle risk.
Capacity to handle risk
Please read section no. 6119 before completing this part.
My spending unit faces various risks during the course of its activities. These risks are considered in line with the principle that the cost of the internal controls to be developed does not exceed the benefit planned to be gained from them. A systematic approach has been adopted in the spending unit for the identification, addressing, assessment, monitoring and reporting of the risks faced.
In the following part, the authorising officer should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration's risks.
Identification and assessment of the risks
Please read section no. 61110 before completing this part.
Addressing, control environment, monitoring and reporting of the risks
Please read section no. 61111 before completing this part.
IV. EVALUATION OF THE INTERNAL CONTROL SYSTEM
The following is a summary of the most significant developments experienced in the activities of my unit within the period covered by the foregoing report, and how these developments have been addressed by the internal control system.
Please read section no. 61112 before completing these parts.
Human Resources
IT and communication infrastructure
Data security
New structures and changing fields of activity
Problems faced in the main fields of activity or examples of best practice
Developments regarding weaknesses stated in previous years
Other developments
As the authorising officer, I hereby declare that we have also carried out some transactions overriding the opinion of the SDU. Information and justifications for these transactions are as follows:
There is no such work that I carried out that was not found to be appropriate by the SDU.
(In this part, transactions, if any, carried out by the authorising officers despite the negative opinion provided upon ex-ante financial control should be listed. If there is no such work as mentioned above, then the expression "there is no such work I carried out that is not found to be appropriate by the SDU" should be included.)
(Date)
Signature
Name
Title
Annex 3b: Internal Control Assurance Declaration - Head of SDU
INTERNAL CONTROL ASSURANCE DECLARATION
As the Head of SDU, I declare that the internal control system has been implemented and monitored, and that my opinions and recommendations have been reported to the Senior Manager in time for the necessary actions to be taken, in order to ensure that the activities in [the administration] are carried out in accordance with the financial management and control legislation and other legislation, and that public resources are utilised in an efficient, effective and economic manner.
Please read section no. 612 before completing this part.
In the following part, the studies regarding the management information systems, the development of the internal control system, monitoring and review, and briefing and advising by the Head of SDU should be explained.
Management Information Systems
Please read section no. 6121 before completing this part.
Development of Internal Control System
Please read section no. 6122 before completing this part.
Monitoring and Review
Please read section no. 6123 before completing this part.
Briefing and Advising
Please read section no. 6124 before completing this part.
Financial Information
Please read section no. 6125 before completing this part.
I confirm that the information included in section III.A (Financial Information) of the Activity Report (year) is reliable, complete and accurate.
(Date)
Signature
Annex 4: Example of a Complete Declaration
INTERNAL CONTROL ASSURANCE DECLARATION (SENIOR MANAGER)
Name-Surname
Title
I. RESPONSIBILITY
As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of the Ministry of Space Exploration. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.
II. AIMS AND PILLARS OF INTERNAL CONTROL SYSTEM
I declare that my administration's budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements, and that the resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.
In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration's revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; that my administration operates in line with the laws and other regulations; that irregularities and fraud are prevented in each financial decision and transaction; that regular, timely and reliable reports and information are acquired for decision making and monitoring; and that assets are safeguarded against abuse, waste and losses.
This assurance is based on my knowledge and considerations as the Senior Manager, the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programme, the studies of the SDU, and internal and external audit reports (if available).
Management Information Systems
Management information systems have been established in all General Directorates in order to provide information for managers that enables effective decisions to be made and allows information on changing risks to be monitored in our Ministry. However, not all of our legacy IT systems have been fully assessed for security risks. As part of the measures being taken to strengthen data security governance, we will ensure that the IT systems supporting our most time-critical business processes are reviewed to establish a known risk position by December 2010. We will carry out a review of our remaining systems during 2011.
Internal and External Evaluations Carried Out Within the Context of the Quality Assurance Development Programme
The Presidency of Strategy Development has carried out one internal evaluation of the effectiveness of internal control within the context of the quality assurance and development programme. The main findings of this evaluation are:
- That compliance with internal control standards was good in terms of effective control activities to minimise risk.
- The Internal Control and Risk Steering Board has been set up within the Ministry to contribute to the evaluation of the internal control system.
- Unit managers needed to develop their skills regarding ongoing monitoring of internal control systems.
Based on the evaluation findings, the Ministry has produced an action plan which is planned to be put into practice as of June 2010.
There were no external evaluations carried out within the context of the quality assurance and development programme, but the CHU has declared that this is scheduled for 2013.
172
Internal Audit
Our Ministryrsquos Internal Audit Unit continues to operate within the framework of a three-year audit
plan Internal Audit operated to requirements defined in the Public Internal Audit Standards Their
audit programme was focused around the Ministryrsquos key risks of internal control together with
recommendations for improvement The Director of Internal Audit Unit provided me with an annual
Internal Control Evaluation Report which contained an independent opinion on the adequacy
and effectiveness of internal control The conclusion of the Director of Internal Audit Unit was that
the following aspects of internal control should be improved
Awareness of the Deputy Undersecretaries and General Directors on internal control
responsibilities and risk management
Improvement of the present arrangements regarding promotion assignment and
appointment system to make it transparent and competence based
Improvement of communication between the central and provincial organisations of our
ministry
Review of management information systems to update old systems
Improvement of allowances and supplementary payments for personnel going to the
space
It has been decided that a working group consisting of managers from the SDU General
Directorate of Personnel and other relevant units to put these recommendations into an action
plan
External Audit
The TCA has approved the annual accounts of the Ministry
SDU
An evaluation on the internal control system has been carried out with the full participation
from the SDU Spending Unit managers and the staff and a report has been produced and
submitted to the CHU on 30th March 2010 The main findings of the review are listed above under
the heading ldquoInternal and External Evaluations Carried Out Within the Context of Quality Assurance
Development Programmerdquo in this document SDU staff also underwent training in risk management
during this year
III RISK MANAGEMENT
As the Senior Manager I have a key role and responsibility in the development of a risk
strategy in my administration and in the production of a common corporate risk perception adopted by all
employees. Recognising that risk management is the most important element of the internal control
system, I value the creation of the necessary organisational capacity and the embedding of risk
management into the general activities of the Ministry.
The SDU took the lead in embedding risk management in the organisation by reviewing and
updating the key corporate external and internal risks facing the Ministry each month. The SDU also
began an exercise to identify long term risks that may pose a significant threat to the Ministry
in the future. These risks were recorded on a long term risk register and the intention is that they will
be reviewed every six months. Should a threat increase, the risk will be escalated to
me for appropriate action to be taken.
The Internal Control and Risk Steering Board also endorsed an action plan to further embed
good risk management practice within the Ministry's processes and systems and to support
innovation through well managed risk taking. Work to establish this position will continue and will focus
on those areas identified as still most in need of improvement. This will include giving further
consideration to risk appetite, where the focus will be on practical examples of how it can be
applied in practice, thus making it easier to raise awareness of it among staff.
Guidance was available to all staff on risk management through the risk management
intranet site. In addition to a risk management policy, specific guidance was available on
undertaking risk self assessment, which includes guidance on applying risk management as an
integral part of the Ministry's business planning process. Risk management workshops were
available to all staff and practical guidance on its application had been incorporated into a wide
range of training courses. These courses covered all grades of staff and were tailored to be
appropriate to their authority and duties.
My administration faces a wide range of risks while carrying out its activities. These risks are
assessed in accordance with the principle that the cost of the internal controls developed
for control purposes should not exceed the benefit received from the controls. A systematic
approach has been adopted at all levels of management for the identification, assessment,
addressing, monitoring and reporting of the relevant risks.
The risk management framework for our Ministry operated through the initial identification, as
part of the business planning process, of the risks which threatened the achievement of the Ministry's
objectives. These risks were then evaluated in terms of impact and probability. This process
established the level of residual risk to which the Ministry was exposed, and this level was
monitored over time as part of performance management. Ownership of each risk was assigned
to a named individual. Reasonable assurance that risk mitigation activities were appropriate was
obtained through regular management reviews and internal audits of the key activities undertaken
in the Ministry.
In order to further embed best practice in risk handling and to ensure a consistent
interpretation of the acceptable extent of residual risk, our Ministry will review its risk appetite and
communicate it more effectively across the organisation.
IV APPRAISAL OF THE INTERNAL CONTROL SYSTEM
As the Senior Manager, during the preparation of the foregoing declaration I also
considered the assurance declarations by the Authorising Officers and the Head of SDU. The
information and evaluations I have received from these declarations form an important basis
for the assurance I have to provide on the internal control system in my administration.
Furthermore, an Internal Control and Risk Steering Board has been set up within the Ministry of
Space Research to provide support and guidance for the evaluation of the internal control system,
particularly in terms of risk strategy and management. Reports prepared by this Board have made
a great contribution to the evaluation of the internal control system.
Regarding the main activities of my administration, the most distinctive developments that
took place within this reporting term, and how these developments have been handled, are
summarised below.
In our investment programmes, the underspend reported last year in the spacecraft
development programme has been managed. There is now less than 2 slippage in that
programme. Underspends have arisen this year in other areas, for example:
- The satellite programme, TL 121m: the Internal Audit Unit has reviewed the Investment Budget
  management and an action plan is being developed to address the audit findings.
- The astronaut training programme, TL 113m: due to slower than expected take-up. Processes
  will be streamlined to reduce barriers and it is expected the budget will be fully used in the
  next year.
- The renovation of launching stations programme, TL 16m: arising mainly from slippage in
  international cooperation projects affecting the expected refurbishment programme,
  together with some incorrect historical data for tracking capital allocation. New systems will
  prevent the recurrence of this problem.
Whilst recognising the issues summarised above, good progress has been made in resolving them
and there are plans in place to further enhance the internal control system and improve practice. As
Senior Manager I provide reasonable assurance that the above issues do not represent a material
threat to operational effectiveness and that our Ministry complies with the public internal
control standards on risk management, internal control and governance.
(Date)
Signature
Name
Title
GLOSSARY
Explicit information: Information which can be created, expressed, obtained and transferred in accordance with a specific system.

Aim: The concept which refers to the objectives contained in the strategic plan that the administration aims to attain.

Information: Financial and non-financial data related to internal and external events and activities which is created, obtained and communicated in a particular form and at a particular time to ensure that people carry out their duties.

Information security: Safeguarding the valuable assets of an administration against loss, misuse or damage.

Information map: A demonstration of the information kept in units or their systems which can be shared, and of the expertise and experience of personnel, shown on an organisational scheme or map in accordance with the organisational structure.

Information pool: The accessible area where information obtained in hard or soft form is stored and kept ready for re-use.

Information architecture: The organisation of information with a view to making it accessible, manageable and useful, from infrastructure level to end-user level.

Information stock: The financial and non-financial information available in the administration at a particular time.

Information technology: A system that controls all activities, including communication and computers, which are used for the purposes of collecting, storing and processing information, transmitting it from one point to another through communication systems and computers, and delivering it to users. Information technology is also a concept used to refer to all information services which can be connected through communication and computer systems.

Information management: A process where information is planned and obtained from any kind of source, internally or externally, classified, stored, communicated to the relevant bodies in a timely manner for interpretation, reviewed for updating, and disposed of.

External audit: Within the framework of the accountability responsibility of public administrations within the scope of general management, the activity of examining the compliance of the financial activities, decisions and procedures of the administration with laws, administrative objectives, aims and plans, and reporting the results to the TGNA by the Turkish Court of Accounts.

Audit trail: Requires the maintenance of records giving the full documentation and justification at all stages of the life of a transaction, together with the ability to trace transactions from summarised totals down to the individual details and to trace all reporting stages.

Inherent risk: Those risks whose probability and impact cannot be changed unless particular precautions are taken by the administration. When risks are identified for the first time they are at the inherent risk level.

Ethics: A body of moral principles, values and standards which forms the basis for a person's behaviour and guides them in how to do their work.

Cost-Benefit Analysis: The identification and comparison of the costs and benefits of implementing a planned work or activity. When the benefits outweigh the costs, the work or activity is considered to be cost-effective.

SWOT Analysis: A method in which the administration systematically examines itself and the conditions having an impact on the administration. In this framework the strengths and weaknesses of the administration, as well as the threats and opportunities that may occur outside the administration, are identified. This analysis forms the basis for the strategic planning process.

Segregation of duties: The requirement that the duties of approval, implementation, recording and control of each activity or financial decision and transaction shall be assigned to different people.

Objective: The specific and measurable sub-aims geared towards attaining the aims contained in the strategic plan.

Performance objectives: Outcome-oriented objectives that administrations plan to attain in a programme period with a view to attaining the aims and objectives contained in the strategic plan.

Internal audit: An independent and objective activity of giving assurance and providing counselling, with a view to providing guidance and assessing whether resources are managed in compliance with the principles of effectiveness and efficiency, in order to improve and add value to the activities of the public administration.

Internal control: The body of financial and other controls, covering the organisation, methods, processes and internal audit in an administration, carried out with a view to ensuring that activities are conducted effectively, efficiently and economically in line with the administration's aims, its identified policies and the legislation; that assets and resources are protected; that accounting records are kept accurately and completely; and that financial and managerial information is produced in a reliable and timely manner.

Internal control assurance declaration: The declaration signed annually by senior managers, authorising officers and heads of strategy development units, within the framework of accountability and transparency, to state that processes and transactions are conducted in line with the principles of good financial management, the control regulations and the legislation.

Internal Control and Risk Steering Board: The Board makes assessments concerning the development of processes and methods related to the internal control system, such as the determination of policies on monitoring internal control practices and the introduction of risk management in the administration.

Whistleblowing: The notification of illegal and unethical behaviours and actions, by persons with information (employees or stakeholders), to the internal and external authorities that have the power and authority to solve the problem, so that the administration or third persons inside or outside the administration are not affected.

Business continuity: The plans that aim at ensuring continuity of the activities of the administration, or at ensuring continuity without any interruption after an extraordinary situation.

Ex-post controls: The controls applied by management to the administration's activities after they have been carried out, using pre-identified methods.

Monitoring: The activity of assessing, within the framework of compliance with the internal control standards, whether the internal control system provides the expected contribution to attaining the objectives and aims of the administration, and of determining the activities to be carried out in the fields that are open to improvement.

Residual risk: The risk remaining after management has taken precautions to reduce its probability and impact.

Control activities: Actions aimed at reducing the impact and/or the likelihood of a risk occurring, and thus increasing the probability of attaining the goals and objectives of the organisation or part of the organisation.

Financial Management and Control: The development, implementation, monitoring and improvement of suitable organisations, methods and processes, within the framework of managerial responsibility, to ensure effectiveness, efficiency and economy in obtaining and using resources, as well as compliance with the identified aims and objectives and the legislation.

Central Harmonisation Unit: A unit affiliated to the Ministry of Finance. It develops and harmonises methods and standards concerning financial management and internal control processes and provides related guidance for public administrations.

Mission: The cause of existence of an administration and its place within the state structure. In other words, the mission is the answer to such questions as what the public administration does, and how and for whom it does what it does.

Focus group: Meetings held among a target group composed of 6-8 people to receive their thoughts and reactions in a detailed and elaborate manner. They are managed by a moderator within the framework of a flow plan.

Probability: The likelihood that an event may occur.

Organisational structure: The general system covering all the activities and procedures undertaken to attain the aims and objectives of the administration.

Ex-ante financial control: A control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out against the available appropriation amount, the expenditure programme, the financing programme, and the provisions of the central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently.

Implicit information: The information in people's minds which is not organised in accordance with a particular system and is therefore not easy to transfer and circulate, and the recorded information which is not accessible to employees.

Stakeholders: The people, groups and administrations which are relevant to the administration's products and services and can directly or indirectly, positively or negatively, affect or be affected by the administration.

Risk: Generally, the uncertainty of events that may occur in the future, or the undesirable outcomes and impacts of an event. For administrations, risk can be defined as the negative or positive effects of internal and external factors that may occur in the future on attaining the objectives and aims of administrations. In risk terminology the positive aspects of risk and the gains it may bring are referred to as opportunity, and the negative aspects and the losses it may cause are referred to as threat.

Risk assessment: Analysing those factors which can have an impact on attaining the objectives of the administration.

Transferring risk: Responding to risks by taking some of them away from the responsibility of the administration and transferring them to others.

Handling risks: The identification of responses to the risks identified and assessed (within the framework of the risk appetite) by public administrations, reducing the expected threats and benefiting from the opportunities that may emerge within this context.

Impact of risk: The outcomes or effects that a risk-posing event can produce once it occurs.

Risk appetite: The amount of risk an administration is ready to accept (tolerate, be exposed to) at any time before deciding on the need to take any relevant precautions, in line with its strategic objectives, mission and vision. In terms of threats it refers to the exposure level which can be tolerated and justified, and in terms of opportunities it refers to how ready one is to actively take the risk in order to gain the benefits of the opportunity.

Tolerating risks: A passive method of response to risks which public administrations are comfortable to undertake.

Avoiding risks: A response to risks by removing the activities in which the risks are likely to occur, thus eliminating the risks together with the activities.

Controlling risks: A method of response to risks by means of control activities carried out to keep tolerable risks at a certain level in public administrations. The following kinds of control are distinguished:
  Preventive controls: controls carried out to prevent the threats that a risk may pose and the undesirable outcomes a risk may produce once it occurs.
  Corrective controls: controls aiming at reducing the impact of the undesirable outcomes that arise from the threats a risk poses once it occurs.
  Directive controls: controls carried out to prevent the occurrence of a risk or to avoid the impact it may produce once it occurs.
  Detective controls: controls applied to identify the damages and losses experienced once the risk is realised.

Risk profile: A documented and prioritised overall assessment of the range of specific risks faced by the administration.

Risk management: A management tool, and all the mechanisms related to identifying and assessing the risks that may have an impact on attaining the aims and objectives of the administration, identifying responses to risks, regularly reviewing and updating risks and responses, and monitoring the whole process.

Corporate risk management: A process which covers the entire administration and ensures that risk management processes are considered and handled as a whole.

Risk strategy: The overall organisational approach to risk management as defined by the Accounting Officer and/or the Board. This should be documented and easily available throughout the organisation.

Risk Strategy and Policy Document (RSPD): The corporate approach to risk management identified by the Head of Administration and the senior-level policies are called the risk strategy, and the document in which this approach and these policies are set down in writing is called the Risk Strategy and Policy Document (RSPD).

Risk identification: The process of identifying, ascertaining, categorising and updating the risks that prevent or limit the achievement of the administration's strategic objectives, using previously defined methods.

Strategy Development Unit: Refers to the presidencies of strategy development, departments of strategy development and directorates where strategy development and financial services are undertaken. They carry out studies to establish, implement and continuously develop internal control systems and report the study results to the Head of Administration.

Irregularity: Faults, errors and negligence stemming from the violation of regulations and provisions related to financial management.

Delegation of authority: The delegation of the responsibility and authority for making decisions to another authority, in writing, in the way envisaged in the legislation.

Fraud: The misuse or insufficient use of documents and declarations for monetary purposes or non-monetary private purposes, as well as hiding information or deliberate acts performed to abuse a benefit legally obtained, and negligence and illegal use of public power.

Management Information System: Supporting systems which provide proper data for managers and decision-makers for taking decisions and implementing them, with a view to more effectively attaining the previously identified objectives of the administration by operating and communicating the information used in the administration.

Managerial accountability: Refers to management being accountable, to the Parliament, the Government and public opinion, for the decisions they have made regarding the duties assigned as well as for the effective use of public resources.

Governance: The way in which organisations are directed and controlled. It defines the distribution of rights and responsibilities among the different stakeholders and participants in the organisation, determines the rules and procedures for making decisions on corporate affairs, including the process through which the organisation's objectives are set, and provides the means of attaining those objectives and monitoring performance.

Conference call: A system of telecommunications technology that enables a number of people in different locations to hold a discussion using the telephone.
6.2 External Audit 137
7 Internal Control Assurance Declarations 138
7.1 How to Complete Internal Control Assurance Declarations 139
MONITORING ANNEXES 146
Annex 1 Internal Control System Question Form 146
Annex 2 Internal Control System Evaluation Report 162
Annex 3a Internal Control Assurance Declaration: Senior Manager 163
Annex 3B Internal Control Assurance Declaration: Authorising Officer 167
Annex 3b Internal Control Assurance Declaration: Head of SDU 170
Annex 4 Example of a Complete Declaration 171
GLOSSARY 174
LIST OF ABBREVIATIONS
ARC Administrative risk coordinator
BiMER Prime Ministry Communication Centre
CHU Central Harmonisation Unit
COBIT Control Objectives for Information and Related Technology
COSO Committee of Sponsoring Organisations of the Treadway Commission
DHSDU Declaration by Head of Strategy Development Unit
e-SAC Electronic System Audit and Control
FMC Financial Management and Control
HRM Human Resources Management
ICAD Internal control assurance declaration
ICRSB Internal Control and Risk Steering Board
INTOSAI International Organisation of Supreme Audit Institutions
ISO/IEC International Organisation for Standardization / International Electrotechnical
Commission
IT Information Technology
MERNIS Central Civil Registration System
MIS Management Information System
PESTLE Political Economic Social Technological Legal and Environmental
RSPD Risk Strategy and Policy Document
SDU Strategy Development Unit
SMART Specific Measurable Achievable Relevant Time-related
SURC Sub-unit Risk Coordinator
SWOT Strengths Weaknesses Opportunities and Threats
TGNA Turkish Grand National Assembly
TSE Turkish Standards Institute
URC Unit Risk Coordinator
UYAP National Judicial Information System
INTRODUCTION
From the late 20th century onwards, the focal point of governments all over the world
has been to establish mechanisms to increase performance. "Good governance", put
forward to serve this end, has recently come to be a guiding principle for both the private
sector and the public sector. Within the framework of the principle of good governance, such
factors as ensuring accountability for the provision of better quality public services,
improvement of transparency, delegation of authorities and responsibilities by means of
managerial flexibility, outcome-oriented management and budgeting, and understanding and
meeting the expectations of citizens have come to the foreground.
On the other hand, the provision of quality public services has brought with it the need for
public resources to be used effectively, efficiently and economically, thus necessitating
the use of effective tools in public administrations in many areas related to financial
management and control, from organisational structure to information and monitoring. The
most important tool for accountability adopted in this reform process is internal control.
Internal Control
Internal control, as the term is used internationally, is a system designed to give reasonable
assurance of attaining the objectives of a given administration. Within the framework of the
Committee of Sponsoring Organisations of the Treadway Commission (COSO) model, which is the most
widely known among the others, internal control aims to ensure the compliance of actions and works with the
legislation, the reliability of financial and managerial reporting, and effective and
efficient asset protection. COSO, which is made up of the control environment, risk management,
control activities, information and communication, and monitoring components, is an
internal control model which is also accepted as a reference point by such institutions as the
International Organisation of Supreme Audit Institutions (INTOSAI) and the European
Commission. The following figure shows the components of COSO.
Figure 1: The COSO Cube
Our country, on the other hand, which has been carrying on membership negotiations
with the EU, has been going through a reform process since the early 2000s with a view to
strengthening its public internal control system. The basic elements of the internal control system
which is recommended by the European Commission to all candidate countries, and which is in
compliance with COSO, can be summarised as: a financial management and control (FMC)
system based on managerial responsibility and accountability; a functionally independent
internal audit activity; and a Central Harmonisation Unit (CHU) responsible for the harmonisation
of these two areas across the whole public sector.
FMC refers, in the most general terms, to the management and control processes
related to public revenues, expenditures, assets and obligations. In this context, public
managers at every level are responsible for the establishment and sustainability of a sound
FMC system to ensure resource-based planning, programming, budgeting, accounting,
controlling, reporting, archiving and monitoring. Internal audit, on the other hand, which
assists the manager in assuming this responsibility and attaining the objectives, gives objective
assurance based on risk management and provides guidance regarding the compliance
of the current FMC system with the identified rules and standards. Furthermore, a full-capacity,
high-quality central harmonisation activity is required in order to identify and develop
methodologies, legislation and standards in the areas of FMC and internal audit in public
administrations, as well as to coordinate and monitor them and provide the training needed.
In the light of best practice examples, our country has taken important steps in
strengthening transparency and accountability in public financial management and ensuring
an effective internal control function. Public Financial Management and Control Law No
5018, which is the most important step among these and was adopted in 2003, defines the
functioning of the internal control system and the roles and responsibilities of the actors involved
in the system, and assigns the Ministry of Finance (MoF) the duty of identifying standards and
methods as well as ensuring coordination and providing guidance in this area. As per this
duty, the MoF published the Public Internal Control Standards Communiqué in 2007, which is
in compliance with the international standards.
The Financial Management and Control Manual, which is an extension of all these works,
has been prepared with a view to supporting decision-making and implementation
processes for better management and thus contributing to the rational use of public
resources. The Manual, the preparation of which was started in 2010 and completed in the
first quarter of 2011, is the outcome of painstaking work carried out by experts from both
the United Kingdom and our country within the framework of a twinning project financed by the
European Union.
The FMC Manual has been designed with a view to ensuring the implementation of the internal
control standards, as a guideline which explains all the basic elements of internal control by
means of methods, tools and examples which can be used by all the stakeholders. In
addition, it is also possible for administrations to use, according to their own needs, tools other
than those in this Manual, which can be modified and revised in time in line with the changing
circumstances and needs in public administrations; however, it is foreseen that the tools
adopted should not be in conflict with the basic requirements contained in the Manual.
This Manual is made up of five main parts based on the Internal Control Standards.
Following this introduction there is a table showing the main responsibilities of the major actors
in financial management and control.
In the first part, conceptual explanations regarding ethical values and integrity,
mission, organisational structure and duties, competence and performance of personnel, and
delegation of authority, which are the milestones of the control environment, are given, together with
information on the legislation and implementing tools.
In the second part, information is given on the importance and aim of risk management,
the stages of the risk management process, the roles and responsibilities of the actors involved in the
process, the Risk Strategy and Policy Document, and the communication and reporting tools that can
be used.
In the third part, control strategies and methods, the identification and documentation of
procedures, the principle of separation of authorities, hierarchical controls, sustainability of
activities and information processing controls are explained within the framework of control
activities, which are closely related to risk management, and a set of control activities (approval,
authorisation, verification, reconciliation of accounts, etc) is dealt with.
In the fourth part, the concept of information and its management, the functioning of
Management Information Systems, internal and external communication tools and reporting
mechanisms are handled within the framework of the information and communication
component.
In the fifth part, information is given on the roles and responsibilities of the Financial Management
and Control Central Harmonisation Unit (FMC CHU) in the overall public sector and of the
Strategy Development Units (SDU)/Financial Services Units in each public administration, as
well as the tools used, the internal control system quality assurance development programme, the roles
of internal and external audit, the content of the Internal Control Assurance Declaration and
guidance on how to fill in the Declaration, within the framework of the regular monitoring
and assessment of the internal control system.
In the last part of the manual a glossary of the concepts used in the manual is given.
Users of the Manual
Besides the relevant stakeholders and users, it is believed that this Manual will be a
reference document for the following:
- Senior managers responsible for establishing an effective and adequate FMC system as
  well as observing and monitoring it
- Authorising officers who have responsibility, within the scope of their duties and
  authorities, to ensure the functioning of internal control regarding administrative and
  financial decisions and proceedings
- Relevant managers and employees of the Ministry of Finance who carry out the
  central harmonisation duty in the area of FMC
- Managers of SDUs and financial services experts who have responsibility for
  the development of the internal control system and the implementation of the standards
- Realisation officers and accounting officers who are involved in the financial
  processes and are accountable to authorising officers
- Other public managers who have responsibilities arising from the activities
  conducted in the area of FMC in their units
- All the employees working in public administrations
- Internal auditors who have the responsibility to assess and report to the Head of
  Administration on the effectiveness of the FMC system
- External auditors who are responsible for examining the accounts, financial transactions
  and activities and internal control systems of public administrations, as well as whether
  resources are used effectively, efficiently and economically and in compliance with
  laws, and reporting the results to the TGNA
TABLE OF ROLES AND RESPONSIBILITIES

MINISTER
Risk management: Within the framework of the responsibility for ensuring the effective, economic
and efficient utilisation of public resources, the Minister should be aware of the potential risks to
the administration's objectives.
Information and communication: He ensures coordination and cooperation with the other
ministries and informs public opinion and the TGNA about the annual performance programme
and activity report of the administration.
Monitoring: Within the framework of the responsibility for ensuring the effective, economic and
efficient utilisation of public resources, the Minister is responsible for ensuring effective
monitoring of the internal control system.

HEAD OF ADMINISTRATION
Risk management: He defines strategies and policies for an effectively functioning risk
management system in accordance with the aims and objectives of his administration. He
explicitly defines tasks, roles and responsibilities. He ensures the participation of the
stakeholders and of public opinion.
Information and communication: As the quality of the information exchange and
communication between the head of administration and the other actors has a direct effect on
the accountability of the head of administration, he must inform the relevant units about the
frequency and methods of feedback he prefers. He ensures effective communication among
spending units, SDUs and internal audit.
Monitoring: He is responsible for observing and monitoring the functioning of the financial
management and control system. He approves the annual internal control system evaluation
reports and signs the Internal Control Assurance Declaration.

INTERNAL CONTROL AND RISK STEERING BOARD
Risk management: The Board develops policies for the improvement of risk management in the
administration and submits them for the approval of the Head of Administration. The Board
notifies the units of the policies and procedures for coordination purposes. The ICRSB
determines a particular number of risks which it deems significant as the key risks among those
risks that are submitted to it, and reports whether these key risks function
Information and communication: It provides the Head of Administration with timely and
accurate information about the effectiveness of internal control and risk management.
Monitoring: It assesses the internal control system evaluation reports prepared by the strategy
development unit as a result of the annual evaluation of the internal control system and, after
identifying any shortcomings in the report, submits it with the relevant opinions for the
approval of the Head of Administration.
well or not to the Head of
Administration in regular periods
or whenever it deems necessary
AUTHORISING OFFICER
He acts as the unit risk
coordinator or assigns someone
to act so URC coordinates the
management of the unitrsquos risks
that may have an impact on
objectives of the administration
and provides guidance to this
end
He ensures that tasks authorities
and responsibilities of staff are
defined clearly and in writing and
communicated to all the staff
He ensures that sub-units are
informed about the activities of
each other
He ensures that an effective
communication and archiving
system is established for the
information related to the
objectives and activities of the
unit
He has responsibility for
continuously monitoring internal
control system
He provides necessary
information for strategy
development units regarding the
annual evaluation of internal
control system completes internal
control questionnaire and
annually signs internal control
assurance declaration to be
submitted to the Head of
Administration
HEAD OF DEPARTMENTUNIT
He is responsible for the
coordination of risk management
activities within sub-units (if having
such units or their management
at this level is deemed
appropriate) of the spending units
in administrations He is directly
accountable to URC regarding
risk management
He ensures that an effective
communication and archiving
system within the sub-unit is
established for the information
related to the objectives and
activities
He ensures that tasks authorities
and responsibilities of staff are
defined clearly and in writing and
communicated to all the staff
He is accountable to the
authorising officer
He has responsibility for
continuously monitoring internal
control system
He supports the authorising officer
in providing SDUs with information
Every employee is directly Every employee is responsible for They observe the functioning of
12
RISK MANAGEMENT
INFORMATION AND
COMMUNICATION MONITORING
EMPLOYEES responsible for managing risks in
their fields of duty (identifying
assessing responding to
reviewing and reporting risks
delivering accurate and timely
information to managers
colleagues and stakeholders by
using right communication
means
internal control system and in
case of a problem they inform
senior management and
contribute to the evaluation
process of internal control system
by providing information
STRATEGY DEVELOPMENT
UNIT
It organises trainings on risk
management in the
administration and provides
guidance in this respect
It is responsible for providing the
Head of Administration and the
units with accurate and timely
information In addition it is
responsible for providing the unit
with guidance and trainings on
the area of internal control
It annually assesses internal
control system on behalf of the
Head of Administration It signs
the declaration on functioning of
internal control system with a view
to ensuring effective efficient
and economical execution of
administrationrsquos activities Staff of
Strategy Development Units take
active role in the evaluation
process of internal control systems
and guide the units in completing
the reports regarding evaluation
ACCOUNTING OFFICER
Within the scope of his duty the
Accounting Officer should identify
and manage the financial risks
The Accounting Officer is
responsible for performing
accounting services and keeping
accounting records in a regular
transparent and accessible way
Accounting Officers must
regularly report to the authorising
officer on the accounting
records
CENTRAL HARMONISATION
UNIT
It is responsible for such activities
as making regulations and
chances when necessary
carrying out developmental
activities as well as ensuring
guidance harmonisation inter-
administrational coordination and
reporting
It is responsible for making
arrangements setting out
standards providing guidance
and advice ensuring
harmonisation and coordination
among administrations
monitoring and reviewing the
implementation in the fields of
financial management and
It annually assesses the
functioning of internal control
systems in public administrations
based on Internal Control
Evaluation Reports approved and
submitted by senior managers
and submits the evaluation report
it prepared to the Head of
Administration and the Minister of
13
RISK MANAGEMENT
INFORMATION AND
COMMUNICATION MONITORING
control and internal audit Finance
INTERNAL AUDIT
Internal auditor provides the
Head of Administration with
advice regarding risk
management by making
evaluations on whether risk
management process is effective
and risks are managed in the right
way or not
He examines the functioning of
information and communication
system in the administration and
reports the results to the Head of
Administration There must be an
effective communication system
between
Head of Administration and
internal audit
It has the function to provide the
management with information
about the sufficiency
effectiveness and functioning of
internal control system as well as
making evaluations and giving
recommendations
EXTERNAL AUDIT
Within the framework of
performance management it
can audit the functioning of risk
management processes in
administrations
Within the framework of
performance management it
can audit the functioning of
information and communication
systems in administrations
Court of Accounts can assess
internal control systems in
administrations during the audits it
conducts and give
recommendations
14
15
CONTROL ENVIRONMENT

1 INTRODUCTION

According to the COSO model, the control environment is the creation of the basic infrastructure for the other components of internal control by providing internal control awareness for the employees working in a particular administration. The control environment generally includes the internal control awareness, values, working styles and procedures of the administration. The basic factors of the control environment are summarized below.

[Figure: the components of internal control: Risk Management, Control Environment, Control Activities, Information & Communication, Monitoring]

CE Box 1 Basic Factors of Control Environment
• Principles of personal and professional integrity
• Adoption of ethical values by management and personnel
• Supportive attitude of senior management towards internal control
• Organisational structure
• Professional competence and performance of personnel
• Human resources policies and practices
• Management philosophy and working style

The creation and sustainability of a positive and supportive environment for internal control by the management is of great importance. As employees also have their own roles in carrying out internal control, all individuals within the administration need to know their responsibilities and authorities very well. Employees need to uphold personal and professional integrity and ethical values and comply with the current behavioural norms. In a well-functioning control environment, the public administration should determine in advance its mission, organisational structure and terms of reference, and should regularly assess the performance of personnel.

2 Internal Control Standards

Four standards regarding the control environment were determined among the Public Internal Control Standards.

CE Box 2 Control Environment Standards
Standard 1: Ethical values and integrity
It should be ensured that the rules which regulate how personnel behave are known by the personnel.
Standard 2: Mission, organisational structure and duties
The mission of the administration and the job descriptions for units and personnel should be set out in writing and announced to the personnel, and a suitable organisational structure should be established in the administration.
Standard 3: Competence and performance of personnel
Administrations should ensure compatibility between the competence and duties of personnel and take action on performance appraisal and improvement.
Standard 4: Delegation of authority
The administration should explicitly identify authorities and the limits of delegation of authority and announce them in writing. Authority should be delegated by taking into consideration the importance and risk of the authority to be delegated.

This part gives explanations regarding the relevant legislation and standards with a view to rendering the Public Internal Control Standards more comprehensible and to guiding practice. Besides, it stresses the methods to be applied for ethical values and integrity principles to be owned by senior management and adopted by personnel, which is very important for a well-functioning control environment. Besides, criteria are determined for the assessment of the competence and performance of personnel, and explanations are given on the determination of mission, organisational structure and duties. Moreover, the part explains how the delegation of authority, which is a priority for accountability, needs to be conducted.

3 LEGISLATION

3.1 Legal Basis

In the utilisation of public resources and in the provision of effective and efficient public services, the principles and procedures of a work, financial or non-financial, are determined by regulations made by laws or by the central administration.

Internal control standards provide the minimum and overall framework for managers for giving assurance on the provision and sustainability of services. The following diagram gives the international and national standards and legislation relating to the control environment.
CE Figure 1 Legal Basis Framework regarding Control Environment

Part Five of Law No 5018 regulates the 'internal control system'. Within this framework, in order to establish an effective and sufficient internal control system, the top manager and the other managers should take the necessary action to ensure that the following factors are implemented:
• Having professional values and an integral management understanding;
• Assignment of financial authorities and responsibilities to informed and competent managers and personnel;
• Compliance with the standards set;
• Prevention of actions that are opposed to the legislation;
• Provision of a proper working environment and transparency with a comprehensive management understanding.

The main legislation related to the control environment is given below.

CE Table 1 Main Legislation on the Control Environment Standards

Control Environment Standard 1: Ethical Values and Integrity
Related legislation:
• Law No 5176 on the Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws
• Legislation on Ethical Behaviour Principles and Application Principles and Procedures of Civil Servants

Control Environment Standard 2: Mission, Organisational Structure and Tasks
Related legislation:
• Law No 3046
• Decree of Law No 217 on the Establishment and Duty Principles of State Personnel Presidency
• Strategic Planning Guideline for Public Administrations

Control Environment Standard 3: Competence and Performance of Personnel
Related legislation:
• Turkish Constitution
• Law No 657 on Civil Servants; Law No 2802 on Judges and Public Prosecutors; Law No 2914 on High Education Staff; Law No 926 on Turkish Armed Forces Personnel; Law No 3269 on Specialized Sergeants; Law No 3466 on Specialized Gendarmerie; Law No 4678 on Contracted Officers and Petty Officers to be Recruited into Turkish Armed Forces
• Regulation on Examinations for Those to be Appointed for Public Duties for the First Time
• Regulation on Appointment Conditions for Public Services of Disabled Persons and Competition Examinations to be Conducted
• Special Regulations Prepared by Administrations (expert, coordinator, inspector, etc.)
• General Regulation on Training of Candidate Civil Servants
• Registry Regulation for Civil Servants
• Regulation on Civil Servants to be Sent Abroad for Training Purposes
• General Regulation on the Principles of Promotion and Title Change in Public Administrations and Entities
• Regulation on Promotion and Title Change in Supreme Institutions and Agencies of High Education

Control Environment Standard 4: Delegation of Authority
Related legislation:
• Law No 3046
• Law No 2547 on High Education
• Law No 5393
• Organisational Laws
• Communiqué Serial No 1 on Authorising Officers
4 ETHICAL VALUES AND INTEGRITY

4.1 What is Ethics

Ethics is a body of moral principles which forms the basis for the behaviour of a person. In other words, ethics is the guidelines, values, principles and standards which help people determine 'how to do works'. Ethics is at the same time a process: in this process, while making and implementing decisions, actions are carried out upholding particular values.

The aim of observing ethical behaviour principles is to prevent corruption and to uphold integrity in a state and community.

4.2 Current Legislation on Ethics

Law No 5176
The Law determines the establishment, duties and working principles and procedures of the Civil Servants Ethical Board, which determines and monitors the implementation of such ethical values that civil servants must observe as transparency, impartiality, accountability and observing the public interest. However, the scope of the Law is so narrow that it diverges from its original aim (the provisions of the Law are not enforced on the President, Members of the TGNA, Members of the Council of Ministers, officials of the Turkish Armed Forces and officials of the judiciary).

The Civil Servants Ethical Board is authorised and responsible for: determining ethical behaviour principles through the legislation it prepares; conducting the relevant ex officio examinations and investigations, as well as examinations and investigations upon applications on ethical behaviour violations, and notifying the results to the relevant authorities; carrying out studies to settle ethical behaviour in the community; and supporting studies to be carried out in this field.

Within the framework of the laws, the Board can be applied to with allegations of violation of ethical behaviour principles about civil servants of at least director general or equivalent positions in a public administration or institution.

Applications made with allegations of violation of ethical principles about other civil servants are evaluated by the concerned boards of the relevant administrations to see whether there is a condition that is opposed to ethical value principles or not. The results of the evaluations are communicated to the applicant and to whom it may concern.

The Board conducts its examinations and investigations regarding the applications referred to it to see whether ethical value principles are violated or not. The Board has to conclude the examinations and investigations conducted upon whistle-blowing or complaint applications within three months at most. The results of the examinations and investigations are communicated to the relevant authorities and to the Prime Ministry in writing. (For further information, please refer to the "Information and Communication" chapter.)

Legislation on Civil Servants Ethical Behaviour Principles and Application Procedures
Civil servants are liable to observe the ethical behaviour principles while fulfilling their duties and to sign the Ethical Contract document. Authorised appraisal managers in administrations and institutions assess the performance and employment records of personnel in terms of compliance with ethical values.

CE Figure 2 demonstrates the ethical behaviour principles determined in the Legislation.
CE Figure 2 Ethical Behaviour Principles

[Figure: the following principles are arranged around the central label "Ethical Behaviour Principles"]
• Public service awareness in the fulfilment of duties
• Service awareness for the public
• Compliance with service standards
• Commitment to aims and mission
• Integrity and impartiality
• Esteem and trust
• Courtesy and respect
• Notification of authorised bodies
• Avoiding conflict of interest
• Not abusing duties and authorities to draw benefits
• Prohibition of giving presents and drawing benefits
• Utilisation of public properties and resources
• Being economic
• Binding explanations and unreal declarations
• Informing, transparency and participation
• Accountability requirement for managers
• Relations with the previous civil servants
• Granting declaration of property
4.3 Main Ethical Behaviours that are Expected from Civil Servants
• Observing high ethical standards at all times and working to increase public belief in the state and civil servants for the public benefit;
• Behaving in compliance with ethical values and principles when fulfilling duties, obtaining and using public resources and purchasing goods and services from outside;
• Showing respect for colleagues and users of services, and exhibiting impartial and fair behaviour;
• Having a participatory decision-making process by taking the views of colleagues and users of the services into consideration;
• Appreciating and announcing the good work that colleagues do;
• Not abusing public authorities and resources for personal benefit and not favouring relatives or friends in the use of public services;
• Being careful about possible and real conflicts of interest;
• Assuming responsibility for decisions and behaviour;
• Filling in the property declaration forms in time, accurately and without any reservation;
• Not working in a second job that is prohibited by the legislation, other than the public service;
• Not establishing private relationships with persons and firms that are in connection with the administration the civil servant works in;
• Warning other civil servants whose behaviour is not in compliance with the ethical principles, and notifying the authorities in case the warning turns out fruitless.

4.4 Ethical Behaviours That are Expected from Public Managers
While fulfilling their duties, managers should:
• Inform all civil servants of the overall aims, main objectives and values of the administration;
• Create a positive working environment where behaviour expectations are clearly defined and violations, if any, are identified and corrected;
• Assume all responsibility for the activities of the administration;
• Take into consideration the merits, current behaviour and developmental potential of personnel when appointing to a position;
• Behave in a fair, equal and impartial way towards all personnel;
• Solve problems and conflicts in a quick and fair manner;
• Be consistent, reliable, predictable, fair and objective in decisions and behaviour;
• Set a personal example in terms of ethical principles and values;
• Maintain the highest standards possible to be followed in the field of efficiency and effectiveness at work.

4.5 Ethics Training
One of the most important prerequisites for establishing a culture in the administration that is based on ethical values and principles is ethics training. All personnel at every level employed in public administrations and institutions need to be informed of the ethical behaviour principles and their responsibilities related to these principles.

Administration and institution managers are liable to include ethical behaviour principles in the basic, preparatory and in-house training programmes implemented for civil servants.

5 MISSION, ORGANISATIONAL STRUCTURE AND DUTIES
The mission of an administration is the cause of its existence and its place within the state structure. The organisational structure ensures that the duties carried out to attain the objectives and aims of the administration are controlled and monitored. The duties carried out by the administration are led by the mission and the organisational structure. These factors, which complete each other, form an important basis for the other components of the internal control system.
5.1 Mission
Public administrations set out their missions, visions, aims, objectives and strategies in their strategic plans. As the Strategic Planning Guideline for Public Administrations states, the mission is the cause of existence of an administration. In this regard, the mission covers all the services and activities an administration carries out. In other words, the mission is the answer to such questions as what the public administration does, and how and for whom it does what it does. The mission should be sound, realistic and participatory in order to lead the administration, and should be developed according to changing conditions and needs. It will also be proper to receive opinions from personnel and stakeholders in forming and updating the mission.

The following should be taken into consideration in the mission declarations of administrations:
• The mission should be up-to-date, precise and clear;
• The mission should be determined in line with the established aims of the administration, not the process of service provision;
• While determining the mission, the tasks and authorities granted to the administration by legal regulations should be taken into consideration;
• In the mission declaration, the people and entities that the administration provides services for and the goods and services that the administration offers should be stated.

CE Box 3 Mission Example
"Carrying out research, training and publishing activities, developing and supporting projects for strengthening and increasing the problem-solving capacity of families and for the identification and solution of the problems, in cooperation with the institutions and organisations, in the light of scientific and ethical values."
(General Directorate of Family and Social Research 2007-2011 Strategic Plan)

For the mission, which is very important for a public administration, to be achieved, personnel should be sufficiently informed about the mission of the administration they are affiliated to. Being informed about the mission and adopting it will guide the decisions and activities of the administration and help the personnel understand their duties within the administration. To this effect, firstly the mission should be set down in writing and announced to the personnel, and a system should be developed for the mission to be adopted by the personnel. On the other hand, the job descriptions of the sub-units should be determined in writing in compliance with the mission, and compliance with the mission should be regularly reviewed.

5.2 Organisational Structure
The organisational structure of the administration is another important factor which influences the control environment. The organisational structure is the provision of a framework for the attainment of the aims and objectives of the administration.

In order to establish a proper control environment, the organisational structure should:
• Indicate the division of authorities and responsibilities within the organisation;
• Include accountability mechanisms and the relevant reporting lines which will ensure the functionality of these mechanisms;
• Indicate the coordination and integration points.
The organisational structures of administrations are generally determined by the organisational laws that are prepared in compliance with the framework set in Law No 3046, and the duties of administrative units (main services, consultation/audit and support units) are shaped in these organisational laws. The duties of the sub-units of administrations, on the other hand, are determined in administrative regulations such as circulars and regulations, not in the organisational laws.

Furthermore, the organisational structures of public administrations which fall under the scope of local administration are determined by Law No 5393 on Municipalities, Law No 5216 on Metropolitan Municipalities, Law No 5302 on Special Provincial Administration and Law No 5355 on Local Administration Unions.

The mission of the administration is achieved by the activities carried out by the units of the administration and their sub-units, and by the units of the local administration. Within this framework, the duties of both the units and the sub-units should be in compliance with the mission of the administration.

Relevant changes regarding the organisational structure, units and sub-units of the administration and the duties carried out by these units and sub-units can be made by amending the organisational law or revising the administrative regulations, according to the circumstances, within the framework of the reviewing activities in question.

5.3 Job Descriptions
As stated in the Public Internal Control Standards, the written definition of the duties to be carried out by the units and sub-units of administrations, and the formation of a task distribution chart covering the duties of the personnel in the administrative units and their relevant authorities and responsibilities, are important for the mission of the administration to be accomplished. Within this framework, the preparation stage of job descriptions is demonstrated below.

Public administrations can prepare their job descriptions by following the process given below.
CE Figure 3 Preparation Process of Job Descriptions

MAKING JOB ANALYSIS
Job analysis is a process in which information regarding the quality of every job carried out in the administration, the working environment the job will be carried out in, and the working conditions is collected, and the collected information is systematically examined and assessed. While making the job analysis, the following should be followed:
• Determination of the jobs to be analysed, taking into consideration the organisational structure of the administration;
• Determination of the objective;
• Formation of the team to make the analysis (it is essential that the team members who make the analysis be selected from inside the administration; however, it is possible to receive counselling from outside when necessary).

KEY QUESTIONS IN JOB ANALYSIS
• What are the requirements of the job (in terms of knowledge, experience and competence)?
• How is the job done?
• When is the job done?
• Where is the job done?
• Why is the job done?
• What are the assistive tools for the job (equipment)?
• What kinds of outputs are obtained?

Job analysis does not have a value on its own. It is only valuable when it contributes to attaining the objectives of the administration. Therefore, the analysis should start by understanding the philosophy, mission and objectives of the administration and the role and importance of every unit within the administration, and should continue in this direction.

The findings gathered from the job analysis should be submitted in a systematic and consistent way, and the job descriptions formed according to these findings should be submitted to top management once their final draft has been completed.

At minimum, job descriptions should include the following:
• Unit & sub-unit
• Name of the job (name of the position)
• Title that the job has
• Level of competence (areas of responsibility, information, problem solving)
• Basic duties and responsibilities
• Authorities
• Required skills and abilities for the job
• Its relation with the other jobs
• Approval section and section regarding the communiqué to personnel

ANNOUNCING JOB DESCRIPTIONS TO THE PERSONNEL
Job descriptions should be announced to the personnel so that they learn what they need to do, under which rules they work and what their objectives are.

UPDATING JOB DESCRIPTIONS
Job descriptions should be reviewed and updated annually.

The State Personnel Presidency has determined standard job descriptions for some titles (chief programmer, warehouse official, statistician, personnel titled as inspector in the municipalities, etc.). In this process, it is possible for public administrations to receive guidance from the State Personnel Presidency.

5.3.1 Sensitive Duties
Some of the duties carried out in public administration assume, because of their nature, more importance than other duties do in terms of the esteem of the administration, the risk of corruption, the disclosure of secret information, etc. Therefore, more importance is attached to the integrity of the personnel who carry out the duty in question.

It would be convenient to assess at least the following while deciding whether a duty is sensitive or not:
• Capacity to make important decisions that can impact the administration's objectives;
• Its relations with third parties and administrations outside the administration which can impact decisions;
• Regular access to confidential information;
• Whether financial transactions of high value are involved;
• The duty requiring special expertise at high levels;
• Other criteria that can be introduced by administrations.

According to the criteria in question, the administration should determine the sensitive duties, develop control mechanisms to mitigate the risks identified, and review the changes that occur in the level of the risk.

The following table demonstrates the fields of activity which can be sensitive for administrations and gives examples regarding these fields.

CE Table 2 Examples of Sensitive Duties

Area of management: Financial management
Examples of sensitive duties: Accounting; Managing payments; Analysing the financial reports

Area of management: Commitment process
Examples of sensitive duties: Membership of the Tender Commission; Contracting process; Process of examining and accepting; Publishing tender documents

Area of management: Human resources management
Examples of sensitive duties: Definition of positions; Job description; Recruitment process; Assessment; Implementation of the salary system

Area of management: Information management systems
Examples of sensitive duties: Access to the system and controls; Security of the systems and key documents; Developing the system

Area of management: Support services
Examples of sensitive duties: Controlling valuable stocks

5.3.2 Monitoring the Results of Duties
Administrations should continuously assess sensitive duties and decide what steps to take in accordance with changes in the level of the risks (such as renewing controls, identifying new sensitive duties, and re-evaluating the risk levels of sensitive duties by taking cost-effectiveness into consideration).

Managers carry out the activities of administrations through written or spoken instructions. However, it may be difficult for the management to monitor the results of duties due to such reasons as the structures of units, organisational complexity, scattered organisations, the number of personnel being high and duties being varied. Managers should develop such methods as introducing reporting mechanisms and holding regular meetings to overcome this difficulty.

6 COMPETENCE AND PERFORMANCE OF PERSONNEL

Good management of human resources aims to ensure the efficiency, effectiveness and productivity of personnel.
CE Box 4 Humans first
The basic aim is the selection of proper personnel for the fulfilment of the mission of
administration appraisal of personnel career planning for those who are successful and
ensuring they have the basic skills and adequate knowledge with a high sense of
responsibility and identity
6.1 Transition from Personnel Management to Human Resources Management
As it assumes responsibility for identifying policies, objectives and standards in human resources management (HRM), top management plays a significant role in HRM. Besides, top management should create a transparent and accountable environment that complies with laws and legislation.
The expertise that human resources managers have in this area should lead the other unit managers to apply human resources standards at every level of the administration. Furthermore, HRM is a responsibility of all levels of management, starting from top management. In line with the policies in question, unit managers, while carrying out effectively the tasks given to them by senior managers, should also assume such duties as orientation and training of new personnel, improvement of their work performance, developing a proper work environment and working relations in which they cooperate, boosting the morale and motivation of personnel, safeguarding the health of personnel and improving their working conditions.
6.2 Activity Areas in Human Resources Management
The basic functions of HRM can be listed as follows:
Conduct of job analyses
  - Job descriptions
  - Job requirements
  - Labour force assessment
  - Staff analysis
  - Cost-benefit analysis
  - Limitations imposed by various legal regulations (Budget Law, Decree Law on General Cadre Procedure, etc.)
Recruitment process
  - SWOT analysis (of the recruitment process)
Humans First
With the principle 'good people make good organisations', we can say that the quality of the employees of an administration is the quality of the outputs of that administration. First of all, it must be kept in mind that employees are humans, and a balance must be established between the needs of the administration and those of its employees. It is important for personal motivation that assignments be made in line with the merits and careers of employees at every stage from recruitment to retirement. The only capital an administration has which cannot be materially measured is its people.
  - Announcements in newspapers, on the internet and on the administration's notice boards
  - Developing easy application methods which meet the needs, are fair and do not lead to discrimination
  - An open examination process, which will give confidence
Merit and career evaluation system
  - Promotion/achievement criteria
  - Personnel performance indicators
  - Appraisal system
  - Rewarding mechanisms
Training activities
  - Training needs questionnaire
  - Training programmes (theoretical and practical)
  - Training and internships abroad
  - Post-training assessments
  - Participation in activities such as conferences and workshops which support personal development
Poor performance management and disciplinary practices
  - Determining the data on which decisions about unsuitability for duty will be based, and announcing this to all personnel
  - Clearly determining the criteria for terminating duties, and announcing these criteria to the personnel
7 DELEGATION OF AUTHORITY
Authority refers to the power of administrative bodies to make administrative decisions and to conduct administrative transactions.
Responsibility can be defined as the body of rules and sanctions to which those who assume roles in administrative activities are subject.
Delegation of authority is the transfer of the authority and responsibility to make decisions to another body within the framework of the applicable legislation. Delegation of authority does not remove the managerial responsibility of the delegator.
Rigid and traditional administrative structures, in which all authorities as well as the transfer and execution functions are gathered in a single centre, are not preferred. In such administrations the motivation of employees and lower-level managers to take ownership of the administration and to produce services in line with its objectives will decrease. On the other hand, administrations in which managers delegate all their authorities to lower levels with insufficient capacity, and do not monitor the results, are not desirable either.
Delegation of authority is a step in the transition from an authoritarian management approach to a transparent and accountable one. In modern administrative structures a proper control environment is created, employees are assigned responsibilities and authorities at the level of their duties, and employees, together with lower-level managers, are included in decision-making mechanisms. In such administrations working motivation will increase; therefore effectiveness and efficiency indicators will rise as aims and objectives are attained.
In relation to delegation of authority, the authorities to be delegated and their limits are defined by provisions in various laws. The main regulations in this regard are as follows:
Law No 3046 on Ministries
Law No 5442 on Provincial Administration
Law No 2547 on Higher Education
Law No 5393 on Municipalities
Law No 5018 on Public Financial Management and Control
Organisational laws of administrations
7.1 Determination of Delegation of Authority
Delegation of authority should be carried out according to the hierarchical structure of the organisation. With a top-down approach, the authorities to be delegated from the Minister to the Undersecretary (the authorities to be delegated to the Head of Administration), to his deputies and to heads of units, from head of unit to head of department, and from head of department to branch director should be determined in writing and consulted with those concerned.
7.2 Delegation of Authority and Work Flow Process
The work flow processes of the administration should be determined, and the officials taking part in the processes and their authorities and responsibilities should be set out. These processes should be analysed, and who is to be assigned which authority in each process should be determined.
What is expected in delegation of authority is that the official to whom authority is delegated is well informed about the process and has the qualifications and experience to manage it. Employees who are delegated authority are expected to report the current status of the process to the delegator, and delegators are expected to ask for this report.
7.3 Delegation of Authority and Responsibility
Responsibilities can be handled in three different categories:
Managerial responsibility
Refers to responsibility towards the senior level in hierarchical terms; it is also defined as performance responsibility. Delegation of authority does not remove the managerial responsibility of the delegator.
Financial (compensation) responsibility
The financial responsibility for public and/or personal loss caused by the use of delegated authority. Financial responsibility arising from the use of this authority belongs to the user of the authority.
Legal (punitive) responsibility
Legal responsibility covers managerial and financial responsibility. Legal responsibilities are defined in the Constitution, organisational laws, the Turkish Penal Code and special legislation. All employees and political authorities working in public administration must act with legal responsibility while carrying out their duties.
7.4 Factors of Delegation of Authority
Those authorities that can be delegated and those that cannot should be determined, with their limits, at senior management level and announced. The basic factors to be taken into consideration in delegation of authority are as follows:
Delegation of authority must be in writing.
Legally there are authorities which cannot be delegated, and these are not at the administration's discretion (for example, the authority to impose disciplinary punishment or the authority of administrative tutelage).
The limits of the authority to be delegated must be set out.
As long as the delegation of authority continues, the delegator cannot use that authority.
The delegating or delegated official leaving the job terminates the delegation.
7.5 Delegation of Authority and Communication
Employees taking over authority should periodically report the current status of the process to the delegator, and the delegator should ask for this report, which will provide feedback to the Head of Administration regarding the process. This is an example of the monitoring function.
8 INTERNAL CONTROL AND RISK STEERING BOARD
8.1 Roles and Members of the Board
The Board has a consultative role which adds value to the activities of the administration in the development of methods and processes regarding the internal control system, such as monitoring internal control practices, preparing action plans and implementing current plans.
The Board is formed with the approval of the Head of Administration for the commencement of work on the internal control system within the framework of the Action Plan Manual on Harmonisation with Public Internal Control Standards. The Board consists of authorising officers (or their deputies) under the chairmanship of the Deputy Head of Administration; when the Deputy Head of Administration is not available, an authorising officer assigned by the Head of Administration takes over as chairman. All or some of the authorising officers are selected for the ICRSB; how many to select should be determined with a view to efficiency, in line with the organisational structure. When deemed necessary, the Head of Administration can invite authorising officers who are not members of the Board to its meetings to obtain their opinions, provided that they are not included in decision-making. Secretarial services of the Board are provided by the strategy development unit.
The Board convenes periodically. Experts from inside and outside the administration can be invited to the Board if deemed necessary, in order to contribute to its aims and objectives. Within the framework of the duties and responsibilities given to it, the Board is free to determine the dates and content of meetings, and notifies the relevant persons of the arrangements in advance.
Decisions are made by majority vote. Each member, including the Chairman of the Board, has one vote. When the votes are equal, the side the chairman takes is considered the majority. Members who do not support a decision state their justifications in writing. The Deputy Head of Administration and the authorising officers, or the deputies they assign, each have a single, equal vote in meetings; other representatives and experts whose opinions are received have no vote. The Head of Administration should be able to participate in Board meetings without a vote, and should encourage the participation of authorising officers in order to strengthen the internal control system. For meetings in which the Head of Administration does not participate, he should be briefed through the reporting system.
Details of how the Board works should be specified in the relevant legislation.
The Board regularly monitors internal communication activities and processes, revises them when deemed necessary, and determines new communication methods to fit the changing organisational structure.
CE Figure 4 Information Flow in Internal Control and Risk Steering Board
8.2 The Board's Scope of Duty
The Board works to support the accountability of senior management in the fields of management, internal control and especially risk, and is authorised to carry out the following with the approval of the senior manager. Within this framework, its duties in the field of risk can be listed as follows:
It prepares the Risk Strategy and Policy Document (RSPD; the Risk Management section of this manual calls the same document the Risk Strategy and Policy Paper, RSPP) or reviews the available one, and submits it for the approval of the senior manager.
It determines policies for establishing a risk management culture in the administration.
It determines the risks of spending units that are to be managed jointly, and the related policies and procedures, and communicates them to the unit risk coordinator for coordination purposes.
It determines the risks to be managed jointly with other administrations, and communicates them to the relevant administrative risk coordinator so that the necessary precautions are taken for joint management with those administrations.
It assembles periodically to assess whether the risk management process is functioning well and what level has been achieved regarding risks, and reports the level achieved to the senior manager.
The Board fulfils the following duties other than risk management:
Assessing internal audit reports and providing guidance for the implementation of recommendations and ideas regarding the internal control environment and the other components, in line with the requirements of the administration.
Monitoring, by means of periodic meetings, the activities of the administration carried out within the framework of its strategic plans and policies.
Making decisions on the dissemination of good practice examples, both inside and outside the administration, as a result of the monitoring activities carried out.
[CE Figure 4 residue: Deputy Head of Administration; Internal Control and Risk Steering Board; Strategy Development Unit; Authorising Officers of Spending Units (A), (B) and (C)]
RISK MANAGEMENT
1 Introduction
Administrations utilise the resources allocated to them in order to reach the objectives they set out. The activities, processes and projects carried out to utilise these resources bring risks with them. Risk management is a good tool for administrations to achieve the aims they set out in accordance with their missions and visions. Box RM1 defines risk.
RM Box 1 Definition of Risk
Risk is the uncertainty of events that may emerge in the future (if positive, an opportunity; if negative, a threat). For administrations this means that their aims, and the objectives they set out to achieve those aims, can be affected positively or negatively by internal or external factors.
Risk management covers risk assessment, determination of effective control activities, monitoring, and continuous improvement of these processes. Risk management must be practised corporately for consistency, which brings us to the concept of corporate risk management. Corporate risk management covers the entire administration and ensures that risk management processes are considered and handled as a whole.
2 Risk Management Standards
While implementing risk management, administrations take into account the following standards (Standards 5 and 6, given in RM Box 2).
RM Box 2 Risk Management Standards
3 Benefits of Risk Management for Administrations
The following are the important benefits of properly applied risk management in corporate terms:
Helps improve the performance of administrations and assists them in attaining their aims and objectives
Helps provide continuity of the services the administration provides and improve the quality of the activities it carries out
[RM Box 2 content; figure residue listing the internal control components: Control Environment, Risk Management, Control Activities, Information & Communication, Monitoring]
Standard 5: Planning and Programming
The administrations shall establish and announce their activities, goals, objectives and indicators, as well as the plans and programs, including the resources required for the realisation of the above-listed elements. They shall also ensure that the activities are in compliance with plans and programs.
Standard 6: Determination and Assessment of Risks
The administrations shall define and assess the internal and external risks that could prevent the achievement of goals and objectives by performing a systematic analysis, and determine the measures to be taken.
Ensures a cost-benefit balance between the risks identified and the controls applied, and therefore increases efficiency in resource allocation
Helps control the impact of potential losses and decrease the cost of such losses
Ensures compliance with legislation and regulations
Helps strengthen decision-making mechanisms by supporting evidence- and risk-based decision making
Enhances accountability by supporting the clear definition of tasks, roles and responsibilities within the administration
Helps the administration have a more positive image in the eyes of the public
4 Critical Success Factors for Effective Risk Management
For administrations to obtain the expected benefits from risk management, the following are required:
Ownership of the risk management process, and determination of a risk strategy that encourages its implementation in accordance with the mission and vision
Establishment of the mechanisms necessary to have a single risk management language
Provision of sufficient information, guidance and advice regarding risk management
Simplicity, flexibility and practicality of risk management processes, and their integrated planning and implementation with the other basic processes (strategic planning, performance management, human resources management, etc.)
Supporting assessments of risks with reliable evidence at all times
Systematic monitoring, reporting and evaluation of risk management processes
Increasing awareness within the administration that everyone has an important role to play in risk management, and that risk management should be carried out as an integral part of existing processes
Having an organisational communication strategy and proper, functional communication channels inside and outside the administration
5 Risk Strategy and Policy Paper
The risk strategy is the organisational approach defined for risk management and its top-level policies, whereas the Risk Strategy and Policy Paper (RSPP) is the document in which this approach and these policies are set down in writing. The risk strategy sets out the administration's attitude towards risks and forms a framework for the risk management process. The RSPP of an administration is prepared by the Internal Control and Risk Steering Board (ICRSB) for the endorsement of the Head of Administration, and should be available to and known by all staff.
The organisational risk strategy should clearly set out the structures for the management and ownership of risks; how to address risks at strategic, programme and activity level; the structures for communication, monitoring, assessment and obtaining assurance; the criteria for key risks; the risk register format; and the risk measurement criteria. Attention must be paid to ensuring that the risk policies of the organisation comply with national-level policy papers.
The risk strategy must be set out to reflect the risk appetite of the administration at strategic level. As risk appetite can change over time depending on various conditions (for example, risk appetite may be low in periods of financial crisis), the risk strategy of the administration should be reviewed at least once a year and updated when deemed necessary. Box RM3 gives a basic explanation of risk appetite.
RM Box 3 Risk Appetite
Risk appetite is the amount of risk an administration is ready to take (tolerate, be exposed to) at any time in accordance with its mission, vision and objectives. Risk appetite should be taken into consideration while preparing strategic plans.
Risk appetite is affected by the internal and external environment, people, business systems and policies. Within this framework, risk appetite should be set out with top-down guidance.
It is possible for the administration to set different appetite levels as long as it does not exceed its overall risk appetite limits.
Both taking too many risks and taking too few risks may lead to failure. Although a low risk appetite is considered a reliable management method, it may constrain the administration in terms of creativity, innovation and taking advantage of opportunities.
Another prerequisite in risk management is the existence of a common risk language. Producing this common language requires a joint terminology and mechanisms to disseminate it; otherwise it is not possible to build a strong common understanding for managing risks.
Corporate risk management requires a contribution from all employees. Ownership of the risk management process by staff (identifying, addressing, responding to, reviewing and monitoring risks), and considering it part of their jobs, increases the effectiveness of corporate risk management.
In order for risk management to contribute to the achievement of objectives, to improve management quality and to reduce costs, it should be embedded in the administration's activities. Embedding risk management in processes means that activities are carried out as a whole, including risk management.
Box RM4 gives details of the content of the Risk Strategy and Policy Paper.
RM Box 4 Risk Strategy and Policy Paper
6 TASKS, AUTHORITIES AND RESPONSIBILITIES
Good risk management is only possible if the administration is well organised. Clear definition of tasks, roles and responsibilities; awareness among staff of what is expected of them within the framework of the administration's policies and practices; the existence of horizontal and vertical communication mechanisms; and mechanisms for communication outside the administration are the requirements for a good control environment. Assigning tasks, roles and responsibilities in risk management to appropriate, competent and authorised people provides a strong infrastructure for risk management in the administration. While it is necessary to define roles and responsibilities, all staff are responsible for risk management. Diagram RM1 shows the structure of roles and responsibilities in risk management.
RM Figure 1 Tasks and Responsibilities in Risk Management
Content of RM Box 4: the RSPP should include at least the following:
Aim of risk management
Risk appetite
Compliance with legislation and binding policy papers
Risk methodology to be adopted
How to determine key risks (criteria)
Organisational structure and duties
Roles and contributions of employees
Communication plan
6.1 Head of Administration
This person is defined within the framework of Law No 5018 on Public Financial Management and Control, and is authorised and responsible for risk management at the highest level.
Regarding risk management, the Head of Administration:
Ensures, at the outset of each year, the establishment of the strategy for managing risks in accordance with the aims and objectives of the administration; approves the Risk Strategy and Policy Paper (RSPP), which demonstrates how the strategy will be implemented; and notifies all staff of this in writing
In the RSPP, clearly defines all the tasks, roles and responsibilities and the necessary structures (for example the ICRSB) for risk management within the scope of this manual
Provides the Administrative Risk Coordinator (ARC) with the necessary support regarding risks to be managed jointly with other administrations
Ensures that proper mechanisms are established to provide the necessary sensitivity and participation regarding the management of risks for the public and for stakeholders
Sets out the strategic actions for the future in accordance with the considerations and recommendations of the ICRSB and the ARC
Receives assurance on risk management from the ICRSB and presents an assurance declaration to the Minister on whether risks are managed effectively
Encourages the consistency of risk management processes
Reviews monitoring reports and encourages the effectiveness of risk management
Sets an example through his behaviour, particularly in strategic risk management
Encourages employees to identify risks
Shows leadership in risk management
6.2 Internal Control and Risk Steering Board (ICRSB)
The Board develops policies for the improvement of risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the units of the policies and procedures. On the advice of the ARC, the ICRSB determines, among the risks submitted to it, a number of risks it deems significant as the key risks, and reports to the Head of Administration at regular intervals, or whenever it deems necessary, on whether these key risks are managed well.
Secretarial services of the Board are carried out by the Administrative Risk Coordinator (Head of the SDU). Whenever necessary, people with the relevant expertise from within or outside the administration can be invited to meetings. The ICRSB has the authority to enforce the elements it determines regarding the following duties, with the approval of the Head of Administration.
Regarding risk management, the ICRSB carries out the following:
Preparing the Risk Strategy and Policy Paper (RSPP) of the administration, or annually reviewing the existing RSPP, and submitting it to the Head of Administration for approval
Defining policies for the establishment of a risk management culture
Ensuring that risks are managed consistently across the administration
Determining the critical strategic risks of the administration
Determining the risks of spending units which require joint management, and the related procedures and policies, and submitting them to the URCs for coordination purposes
Setting out the risks that require joint management with other administrations, and ensuring that the necessary measures are taken for joint management by notifying the ARC
Meeting at least quarterly to consider whether the risk management processes in the administration work effectively, to assess the current status of risks, and to report to the Head of Administration
Ensuring that good practice cases are identified and disseminated more widely
6.3 Administrative Risk Coordinator
It is advisable that the Head of the SDU takes the role of Administrative Risk Coordinator. The ARC is a member of the ICRSB and is responsible to the Head of Administration for the consistency of the administration's risk management processes and their compliance with the standards.
Regarding risk management, the ARC:
Is responsible for the efficient operation and coordination of all risk processes in all units
Calls the relevant Unit Risk Coordinators (URCs) to a meeting at least once every three months
Prepares the Consolidated Risk Report (using the report form in this manual) on the basis of the reports submitted by the URCs, and submits it to top management and the ICRSB on a quarterly basis; the report should include the ARC's own considerations on the key risks
Carries out the secretarial services of the ICRSB, including setting meeting agendas for the Board, keeping minutes of meetings, and submitting decisions of the Board to the Head of Administration for approval
Discusses issues in common risk fields with the ARCs of other administrations and coordinates these within the administration
Provides technical support to the units on the administration's risk management
Identifies the needs of units regarding risk management and reports them to the ICRSB and the Head of Administration before each meeting
Sends feedback to the URCs regarding the opinions, advice and decisions of the ICRSB, and takes the necessary precautions for the consistency of the administration's risk management processes
6.4 Unit Risk Coordinator
The Unit Risk Coordinator (URC) is the authorising officer or a person designated by the authorising officer. Regarding risk management, the URC:
Coordinates the identification of the unit's risks that may have an impact on the objectives of the administration, and provides relevant guidance at the beginning of the year. The URC associates the identified risks with the activities of the sub-units, using their knowledge and expertise, and takes care that all important issues are addressed. Important risks included in the risk register are submitted to the ARC to be presented to the ICRSB for consideration
Reviews the risk registers and relevant reports prepared annually, at the intervals (such as monthly, quarterly or semi-annually) set out by the administration, and reports them to the ARC
Monitors at unit level the risks managed and reported by the Sub-Unit Risk Coordinators (SURCs); evaluates changes in the risks, or newly arising risks, if any, and reports them to the ARC upon approval from the unit director
Submits an assurance declaration to the ICRSB on whether risks are managed effectively
Provides feedback to the SURCs regarding the opinions, advice and decisions of the ARC and the ICRSB
Determines training needs regarding risk management
6.5 Sub-Unit Risk Coordinator
The SURC is responsible for the coordination of risk management activities within the sub-units of the units in an administration (if such sub-units exist, or if it is considered appropriate to manage risks at this level) and is designated by the authorising officer. He or she is directly accountable to the URC regarding risk management. Sub-unit risk coordinators must be selected from among those who have sufficient competence and experience.
Regarding risk management, the SURC:
Coordinates the tasks of identifying, assessing, addressing, reviewing and reporting the sub-unit's risks that are associated with the objectives of the administration
Reports to the Unit Risk Coordinator (URC), in line with the risk strategy of the administration and at intervals determined by the URC, the newly identified risks related to the activities of the sub-unit, the risks whose scores have changed, and the effectiveness of the controls applied to reduce these risks
Is accountable to the URC and is furthermore responsible for providing the Administrative Risk Coordinator (ARC) with requested information and documents
6.6 Employees
The most important factor for the success of risk management is ownership of risk management by employees. Therefore every employee is responsible for managing risks in their field of duty (identifying, assessing, responding to, reviewing and reporting risks).
Regarding risk management, employees:
Contribute to the risk management processes in their respective units by defining, communicating and responding to expected, emerging and changing risks
Manage the risks within their own fields of responsibility through the power and responsibility assigned to them by the administration
Provide evidence to the SURC/URC regarding the effectiveness of the management of risks in their respective fields
Employees should not hesitate to identify risks and submit them to the relevant risk coordinator. It is important to bear in mind that just one loose screw could cause a plane crash.
6.7 Internal Auditor
The Internal Auditor provides the Head of Administration with advice regarding risk management by evaluating whether the risk management process is effective and whether risks are managed in the right way. Internal Audit can also advise on whether any key risks have been overlooked or inappropriately controlled.
6.8 Strategy Development Unit
The Strategy Development Unit (SDU) is responsible for providing training, identifying training needs and facilitating the delivery of the necessary training. It is also responsible for identifying best practice in risk management, encouraging such practice to be shared, and providing guidance where necessary.
6.9 Central Harmonisation Unit
The Central Harmonisation Unit (CHU) carries out activities such as making regulations on internal control, including risk management, and activities for the development of risk management. The CHU also provides guidance, ensures harmonisation and inter-administrational coordination, and reports on the effectiveness of risk management.
7 RISK MANAGEMENT PROCESS
Basically, the risk management process should start simultaneously [1] with strategic planning studies. In cases where strategic plans are to be renewed or amended, studies concerning risks should be carried out with the current amendments in mind. Within the framework of the risks identified in light of the strategic objectives, the attitude of an administration towards risk management is set out in the Risk Strategy and Policy Paper, together with information on its risk appetite. Within this framework, administrations identify risks at strategic, program/project and operational (activity) level. In identifying risks, an administration can start at the strategic level (top-down) or at the activity level (bottom-up), or it can start the risk management process by implementing both methods together.
Figure RM2 shows the Risk Management process.
[1] If strategic plans are already prepared, the risk management process should then begin as soon as possible.
RM Figure 2 Risk Management process
[Figure RM2 (diagram not reproduced): the Risk Management Process is shown as a cycle driven by the risk management strategy: identification of risks, assessment of risks, responding to risks, and monitoring and reviewing risks.]
The administration should manage the risks at strategic, programme and operational level, as shown in figure RM3.
RM Figure 3 Hierarchy of Risk
Administration level: This is the area which covers the whole administration, where decisions related to strategic objectives are made and for which the senior management of the administration is responsible. Strategic objectives are medium and long term objectives and are associated with senior level policy documents. Therefore, while making decisions for the future, decision-makers (top management) have to take into consideration a lot of uncertainties. This is the area where risks have the highest impact. Besides, this is the area which is affected most by external risks such as governmental policies, the general economy and technological developments. This area assumes specific importance as those risks which are not managed well at strategic level affect the other levels as well.
Unit level: This refers to units where the policies of senior management are implemented and which are responsible at the highest level for the usage of public resources within the administration. Impacts of such risks last for a shorter period of time compared to those of the strategic risks. This is the area where units should identify their objectives and manage the related risks for the administration to achieve its strategic objectives. This is the area which is affected by risks both from inside and outside the administration. For risks from upper and lower levels to be assessed and coordinated, it is vital that this level be managed well. Besides, there should be strong communication in this area.
Sub-Unit level: In this area there are only those works which are carried out at operational level with a view to achieving the unit's objectives. Daily activities of all employees fall within the scope of this area. This is the area where short-term decisions are made, products and services are produced and fewer uncertainties are experienced. This area is affected more by internal risks than by external risks. Risks not being managed well at this level may affect the achievement of strategic objectives.
7.1 Identifying Risks
The risk identification process, which is the first stage of risk management, is the process of identifying, categorising and updating the risks that prevent or limit the achievement of the administration's strategic objectives, using previously defined methods. The following box suggests some questions to be considered when starting to identify risks.
RM Box 5 Questions to be considered when starting to identify risks
- What are the main objectives?
- What are the key activities?
- Who are the stakeholders?
The following should be considered while identifying risks:
- As a generally accepted rule, strategic risks that can affect the administration are determined at the stage of strategic plan preparation, and the risks identified are included in the strategic plan.
- Risks should also be identified at programme and operational level. Programme and operational risks should include all the strategic risks. However, when identifying the programme and operational risks, we should not limit our scope to strategic risks but have a wider spectrum.
- When identifying risks, the administration can choose a top-down or bottom-up method, preferably used at the same time.
- Risks identified should be associated with the objectives of the administration. It must be taken into consideration that some risks can indirectly affect the objectives, such as those which damage the reputation of the administration.
- Risks should be identified systematically, with previously determined methods. These methods can vary according to the characteristics of administrations and their activities. In this process an administration can either use one or more of the methods defined below or develop a new method in line with its own needs.
- Risks identified should be expressed as the 'x' risk or the risk that 'x may emerge'. It will be convenient to register them this way in the risk register (see Annex 3 for the risk register form).
- Assess whether the risks identified are internal or external risks.
o Internal risks are the risks stemming from events directly controlled by the administration itself. Internal risks can be grouped into three: strategic risks, program risks and activity risks.
o External risks, on the other hand, are the uncertainties arising from events that are out of the control of the administration and which hamper or prevent the achievement of objectives. While identifying external risks it will be useful to classify them by their subjects (generally PESTLE analysis is used; see Box RM7).
- After risks are identified, their owner, or the person to be responsible for them, must be defined, and this information must be included in the risk register.
- Since risk identification is a dynamic process, emerging risks should be identified and changes to the existing risks should be consistently followed up.
RM Box 6 Factors and methods to be taken into consideration during the process of identifying risk
How do I identify risks?
- Firstly, decide how to identify the risks, namely at strategic level, operational level or both.
- Identify and categorise the risks (social, cultural, political, scientific etc.), taking into consideration the threats, opportunities and the scope.
- Decide on the required human resources, tools and methods.
- Mostly the following methods are used to identify risks. However, administrations can determine different methods other than these in light of their needs:
o PESTLE analysis (see Box RM7)
o SWOT Analysis (see Box RM7)
o Brainstorming (this method can be used both for identification and assessment; see Annex 1)
- Group risks as internal and external ones.
- Make a stakeholder analysis (identify the risk tolerance, position and attitude of the stakeholders).
- Repeat the identification regularly and in periods of change.
The following box explains the PESTLE and SWOT analysis.
PESTLE Analysis: PESTLE Analysis is the identification of risks by making assessments based on the following categories:
- Political
- Economic
- Social
- Technological
- Legal
- Environmental
Example:
o Political: change of governmental priorities
o Economic: inflation rate going above the expected levels
o Social: population growth rate going much above the expected levels
o Technological: information processing infrastructure not being set up
o Legal: cases in courts turning against the administration
o Environmental: an earthquake striking
SWOT Analysis (In-house analysis):
- Strengths
- Weaknesses
- Opportunities
- Threats
Example:
o Strengths: Specialised personnel
o Weaknesses: Old technology
o Opportunities: Economic growth
o Threats: Sudden policy change
For detailed information refer to the Strategic Planning Guideline for Public Administrations, SPO, June 2009.
RM Box 7 PESTLE and SWOT analysis
The following two boxes give some tips for the process of risk identification and some questions to ask.
RM Box 8 Tips for Risk Identification
What are the Tips?
- Whether there is available information regarding the risks, and how accurate it is if any, should be taken into consideration.
- A working group including different fields of expertise would increase the likelihood of identifying new risks.
- Using the brainstorming method yields effective results (see Annex 1).
- Having open communication lines and acting farsightedly are the key points.
RM Box 9 Questions to ask in the process of risk identification
- What could go wrong in the achievement of objectives?
- What are the critical achievement factors?
- Who are our stakeholders and what can their negative or positive impacts be on our activities?
- What are our risk categories? (Tables, diagrams etc.)
- What are our weaknesses?
- Which assets assume more critical importance?
- What areas are open to irregularities and fraud?
- Which events or situations can hamper our activities?
- What are our most critical sources of information?
- In which areas do we spend most?
- Which activities or processes are more complicated?
- In which areas are we subject to penal sanctions?
- What are the legal requirements?
- What are the resource limitations?
7.2 Risk Assessment
Risk assessment refers to analysing the factors that may have an impact on the achievement of the administration's objectives and evaluating the seriousness of the risk in terms of impact and probability. While assessing risks, in addition to the potential events the administration can face, aspects which are specific to the administration (for example the size of the administration, the complexity of its activities, the legislation it is subject to in relation to its activities, its political priorities and the public interest) should be considered.
After risks are identified comes the stage where the risks are measured and prioritised. Prioritisation is listing the risks in accordance with their priority, in line with the scores they are given. Risk assessment helps decide whether to respond to identified risks and, if so, to select the best response with regard to the cost/benefit balance.
The following box gives some questions to be considered before starting the risk assessment process.
RM Box 10 Questions to be considered before starting the risk assessment process
- What are the objectives?
- What are the present controls?
- What are the possible results if the risk occurs?
- Do activities of some other administrations/units affect my risk?
- Who are the stakeholders and what is their level of experience and expertise?
Three important principles in risk assessment are:
1. Identifying the impact and probability of each risk. In assessment, probability and impact are analysed. Probability refers to the chance of an event occurring in a particular period. Impact, on the other hand, is the outcome or the effect produced.
Three categories are used while assessing risks: low risk level (shown in green), medium risk level (shown in yellow) and high risk level (shown in red). These colours, as in traffic lights, facilitate understanding the degree of importance of the risks. These are shown in the following diagram.
Probability and impact of the risks can also be shown using numbers. In the following diagram, point 1 indicates that there is almost no probability for that risk to occur, while point 10 means that it is almost certain to occur. In terms of impact, point 1 is used where the outcome of the realisation of a risk has little importance, whereas point 10 means that this outcome is highly important. Risks are scored between 1 and 10 for their probability and impact (see Annex 5). In assessing the impacts and probabilities of risks, one of the methods that can be used is the voting method (see Annex 2).
Risk maps are made use of to see the severity of the risks better. A basic demonstration of risks on the risk map is given in the following diagram.
RM Figure 3 Risk map
2. Assessing the risks on the basis of inherent risks and residual risks.
Inherent risk refers to the amount of risk before it is managed or any action is taken. These inherent risks are transferred to the risk register (see Annex 3 for the Risk Register form) after assessing their probability and impact. In assessment, as has been suggested above, the probability and the impact of the risk are each scored between 1 and 10. Multiplying the probability score by the impact score gives the risk score.
The administration at this stage must decide on its risk appetite. It must also be set out which score ranges correspond to low, medium or high risks, in accordance with the designated risk strategy of the administration, and the risk map of the administration must be produced in this framework (see Box RM3 Risk Map).
After the risk scores have been set, risks are prioritised starting from the one with the highest score. Responses to be given to risks are determined. Controls are identified and applied considering the methods of responding to risks.
The management must identify the level of the remaining risk after the control activities it carries out to manage the risk. Residual risk refers to the remaining risk after an action has been taken to mitigate the probability and impact of a risk. If the level of the residual risk is still higher than the risk appetite, the efficiency and competence of the present control activities must be questioned and, if deemed necessary, the responses to be given to the risks must be reviewed. The following box gives an example of inherent and residual risk.
RM Box 11 Example of inherent and residual risk
Activity: using a car
Inherent risk: having an accident because you are inexperienced
Control action: getting a licence, taking driving courses
Residual risk: another inexperienced driver crashing into your car
3. Recording the risks.
Recording the risks contributes to the prioritisation of the risks and therefore to the efficiency of the allocation of resources and to the production of evidence for the decisions taken; it helps people to understand their responsibility within risk management; it facilitates the acquisition and communication of information to the right people at the right time via the reporting mechanism; and it enables the reviewing and monitoring processes of the risk.
Risk records are reported in two stages: the Risk Register (see Annex 3), used in the identification and registry of risks, and the Consolidated Risk Report (see Annex 4), used for the reporting of risks to the senior managers (see Annex 7 for an example of a completed Risk Register).
The following box gives some tips for the risk assessment process.
RM Box 12 Tips for risk assessment
- Measure the impacts and probabilities of the risks identified for a particular period of time.
- While determining the impact score, assess the impact the risk will have on the objective that is foreseen to be hampered.
- Utilise proper methods in the assessment.
- Bear in mind that the risk assessment of a job can best be made by the person who does this job.
- Note that activities of another administration/unit can have impacts on your risks, and risks are not independent of each other.
- Utilise such tables as risk maps to be able to see all the risks together.
- Prioritise risks in line with the risk scores (Impact x Probability).
RM Box 13 Example of the Risk Assessment process
You are going to deliver training on your subject of expertise.
Your Objective: the audience understands the subject you explain.
You identify your risks:
Risk 1: As you arrive late, you may not have sufficient time to deliver the training.
Risk 2: You may deliver your presentation using an inappropriate approach, as you do not know who the audience is.
Risk 3: You may have difficulty in supporting what you explain, as you don't have the soft copy of the presentation.
Let's see the likelihood of Risks 1, 2 and 3 and how it would affect your objectives if they occur.
Risk 1
Likelihood: The traffic would be bad at that hour. In addition, you have a lot of other things to do that day. Likelihood: 7
Impact: You can arrive late, but you know the subject very well. Even if you deliver it in a very short time, it still would be understandable for the audience. The impact of arriving late on your objective is 3.
Risk Score: 7x3 = 21
Risk 2
Likelihood: In the letter you have been told what the subject is but not who the audience is, and you don't have the chance to ring someone and learn. Likelihood: 5
Impact: If you are to deliver the training to experts who already know the issue, you go into details, but if your audience is made up of people who don't know anything about it, you only draw the general framework. If you cannot learn who the audience is and you deliver the training in detail while the audience is unaware of the subject, they would not understand; or, if you give little information to people who already know about it, they would not learn anything new. The impact of using the wrong approach in the delivery is 9.
Risk Score: 5x9 = 45
Risk 3
Likelihood: You generally carry your computer around. You also have the habit of carrying your pen drive in your bag after saving your work on it. Likelihood: 2
Impact: Even if you don't project the presentation on the screen, you know the subject very well. You could still effectively deliver it to the audience. The impact of not having the soft copy with you on your objective: 3
Risk Score: 2x3 = 6
As shown in the risk map (rows: Impact 10 down to 1; columns: Likelihood 1 to 10; each cell is Impact x Likelihood):
Impact 10 |  10  20  30  40  50  60  70  80  90 100
Impact  9 |   9  18  27  36  45  54  63  72  81  90
Impact  8 |   8  16  24  32  40  48  56  64  72  80
Impact  7 |   7  14  21  28  35  42  49  56  63  70
Impact  6 |   6  12  18  24  30  36  42  48  54  60
Impact  5 |   5  10  15  20  25  30  35  40  45  50
Impact  4 |   4   8  12  16  20  24  28  32  36  40
Impact  3 |   3   6   9  12  15  18  21  24  27  30
Impact  2 |   2   4   6   8  10  12  14  16  18  20
Impact  1 |   1   2   3   4   5   6   7   8   9  10
          +-----------------------------------------
Likelihood|   1   2   3   4   5   6   7   8   9  10
Prioritisation:
1. Risk 2 (Risk Score 45)
2. Risk 1 (Risk Score 21)
3. Risk 3 (Risk Score 6)
(Note that risks are not always assessed according to the scores. Some strategic risks should be taken into consideration even if they have a low score. Emergency precautions/plans should be available. You may not always foresee what will happen. Your plans should be flexible, so that you will be able to handle the situation when something unexpected emerges.)
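The scoring, banding, prioritisation and risk-map placement described in 7.2 and worked through in Box RM13, as an added example that is not part of the manual. It uses the manual's 1..10 scale and the score = likelihood x impact rule; the band boundaries (20 and 50) are an assumption, since the manual leaves the low/medium/high ranges to each administration's risk strategy. The three risks are the constructed Box RM13 training-delivery risks.

```python
"""Risk scoring, banding, prioritisation and risk map placement (section 7.2).

Added example, not part of the manual. Likelihood and impact use the manual's
1..10 scale and the risk score is likelihood x impact. The band boundaries
below are an ASSUMPTION: the manual leaves it to each administration's risk
strategy to decide which score ranges are low, medium or high.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 10

# Assumed band boundaries (not from the manual): score below 20 is low,
# 20..49 is medium, 50 and above is high.
BAND_THRESHOLDS = {"medium": 20, "high": 50}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 = almost no chance of occurring, 10 = almost certain
    impact: int      # 1 = outcome of little importance, 10 = highly important

    def __post_init__(self):
        # Reject values outside the 1..10 scale so a typo cannot skew prioritisation.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{label} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def band(score: int, thresholds=BAND_THRESHOLDS) -> str:
    """Traffic-light band for a score: 'low' (green), 'medium' (yellow), 'high' (red)."""
    if score >= thresholds["high"]:
        return "high"
    if score >= thresholds["medium"]:
        return "medium"
    return "low"


def prioritise(risks):
    """Order risks from the highest score down; equal scores keep register order."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def risk_map():
    """The 10x10 map of Box RM13: rows are impact 10..1, columns likelihood 1..10."""
    return [[impact * likelihood for likelihood in range(1, 11)]
            for impact in range(10, 0, -1)]


def map_position(risk: Risk):
    """(row, column) of a risk on risk_map(): row 0 is impact 10, column 0 is likelihood 1."""
    return 10 - risk.impact, risk.likelihood - 1


def render_risk_map(risks):
    """Plain-text risk map with each risk's label (R1, R2, ...) placed in its cell."""
    labels = {}
    for index, risk in enumerate(risks, start=1):
        labels.setdefault(map_position(risk), []).append(f"R{index}")
    lines = []
    for row, cells in enumerate(risk_map()):
        rendered = []
        for col, cell in enumerate(cells):
            mark = "/".join(labels.get((row, col), [])) or str(cell)
            rendered.append(f"{mark:>5}")
        lines.append(f"impact {10 - row:>2} |" + "".join(rendered))
    lines.append("          +" + "-" * 50)
    lines.append("likelihood|" + "".join(f"{l:>5}" for l in range(1, 11)))
    return "\n".join(lines)


# Constructed input: the three training-delivery risks of Box RM13.
TRAINING_RISKS = [
    Risk("Risk 1: arriving late", likelihood=7, impact=3),
    Risk("Risk 2: wrong approach for the audience", likelihood=5, impact=9),
    Risk("Risk 3: no soft copy of the presentation", likelihood=2, impact=3),
]

if __name__ == "__main__":
    for rank, risk in enumerate(prioritise(TRAINING_RISKS), start=1):
        print(f"{rank}. {risk.name}: score {risk.score} ({band(risk.score)})")
    print(render_risk_map(TRAINING_RISKS))
```

The validation in Risk matters more than it looks: a likelihood of 0 or an impact of 11 silently produces a score that sorts a risk to the wrong end of the register, which is exactly the kind of error the prioritisation step is meant to prevent.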
7.3 Responding to Risks
Responding to risks refers to setting out the responses to the risks identified and assessed within the risk appetite of the public administration, mitigating the potential threats or taking the arising opportunities. Before deciding on the method to respond to risks, a cost/benefit analysis must essentially be carried out. The objective to be reached by responding to risks is to mitigate the likelihood of the risk and its impact and to achieve the foreseen objective in the most efficient manner.
Box RM 14 Questions to consider in responding to risks
- What is the level of risk?
- What happens if no response is given to the risk?
- Which risks must be controlled?
- Which risks can be transferred?
- What are the consequences of resorting to risk aversion as a public administration?
- Is the opportunity good enough to take the risk?
The following figure shows, within the framework of risk appetite, how inherent risk turns into residual risk as a result of responses (controls, actions) (also see Box RM3 Risk Appetite).
RM Figure 4 Risk Indication Table
(OGC's Risk Dashboard from HM Treasury's publication named Thinking about Risk)
Figure RM4 demonstrates the following:
- Columns 1 and 5: Control activities successfully decrease the inherent risk so that the remaining risk, called the "residual risk", is reduced to the same level as the risk appetite. Such points, where the risk appetite and residual risk of an administration overlap, are ideal situations in terms of risk management (cost-effect).
- Columns 2, 3 and 4: Control activities decreased the risk. However, the residual risk is still higher than the risk appetite (tolerable level). This shows that the effectiveness and adequacy of the controls implemented should be questioned and more control activities should be implemented.
- In column 6, as the inherent risk is equal to the risk appetite, the risk is tolerable. However, these risks should be monitored just as the other risks, because of the possibility of change.
- In column 7, on the other hand, control activities decreased the residual risk below the risk appetite. This shows that more controls than necessary are implemented and resources are not used efficiently. In these over-control cases, control activities should be decreased to a level at which the residual risk is equal to the risk appetite.
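The reading of Figure RM4 above, as an added example that is not from the manual: each assessment carries an inherent score, a residual score and the risk appetite, and the classifier reproduces the four situations the text describes (columns 1 and 5 ideal, 2 to 4 under-controlled, 6 tolerable as inherent, 7 over-controlled). The seven rows are constructed to match the column descriptions; the figure's own numbers are not reproduced. It generalises column 6 slightly: an inherent risk below (not only equal to) the appetite, with no controls applied, is also treated as tolerable.

```python
"""Inherent risk, residual risk and risk appetite read the way Figure RM4 is read.

Added example, not part of the manual. The seven Assessment rows are CONSTRUCTED
to reproduce the seven columns the text describes; the figure's own values are
not reproduced here. Scores are likelihood x impact on the 1..10 scale.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    IDEAL = "residual risk equals risk appetite: controls are proportionate"
    UNDER_CONTROLLED = "residual risk above appetite: question the controls and add more"
    TOLERABLE = "inherent risk within appetite without controls: tolerate but keep monitoring"
    OVER_CONTROLLED = "residual risk below appetite: controls exceed the need, scale them back"


@dataclass(frozen=True)
class Assessment:
    risk: str
    inherent: int  # score before any control activity
    residual: int  # score after the control activities in place
    appetite: int  # the tolerable score set in the Risk Strategy and Policy Paper


def judge(a: Assessment) -> Verdict:
    """Classify one risk against its appetite; the checks mirror the Figure RM4 columns."""
    if a.residual > a.inherent:
        raise ValueError(f"{a.risk}: residual risk cannot exceed inherent risk")
    controlled = a.residual < a.inherent           # were any controls applied?
    if a.residual > a.appetite:                    # columns 2, 3, 4
        return Verdict.UNDER_CONTROLLED
    if a.residual == a.appetite:                   # columns 1, 5 (controlled) or 6 (not)
        return Verdict.IDEAL if controlled else Verdict.TOLERABLE
    # Residual below appetite: over-control only when controls pushed it there (column 7);
    # an inherent risk already below appetite is simply tolerable (generalises column 6).
    return Verdict.OVER_CONTROLLED if controlled else Verdict.TOLERABLE


def dashboard(assessments):
    """Verdict per risk, plus the risks whose controls need changing either way."""
    verdicts = {a.risk: judge(a) for a in assessments}
    action = [risk for risk, verdict in verdicts.items()
              if verdict in (Verdict.UNDER_CONTROLLED, Verdict.OVER_CONTROLLED)]
    return verdicts, action


# Constructed rows, one per column of Figure RM4, with the appetite fixed at 30.
COLUMNS = [
    Assessment("col 1", inherent=60, residual=30, appetite=30),
    Assessment("col 2", inherent=80, residual=50, appetite=30),
    Assessment("col 3", inherent=70, residual=45, appetite=30),
    Assessment("col 4", inherent=90, residual=40, appetite=30),
    Assessment("col 5", inherent=50, residual=30, appetite=30),
    Assessment("col 6", inherent=30, residual=30, appetite=30),
    Assessment("col 7", inherent=60, residual=15, appetite=30),
]

if __name__ == "__main__":
    verdicts, action = dashboard(COLUMNS)
    for risk, verdict in verdicts.items():
        print(f"{risk}: {verdict.name} - {verdict.value}")
    print("needs action:", ", ".join(action))
```

Over-control lands on the action list alongside under-control on purpose: the text treats both as a misallocation of resources, and a dashboard that only flags residual risk above appetite hides the column 7 case.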
There are four methods of responding to risk, and these are shown in the following diagram, Figure RM5.
RM Figure 5 Methods of responding to risk
[Figure RM5 (diagram not reproduced): Methods of responding to risk: Tolerating, Treating, Transferring, Avoiding.]
Tolerating: This is a passive method of response given to the risks which public administrations are comfortable to undertake. In the following cases risks can be accepted:
- If the inherent risk is within the limits of the risk appetite, then it is accepted.
- When it is understood that the cost of the actions to be taken (controlling, transferring or avoiding) for an intolerable risk would exceed the potential impact of the risk, then the risk is accepted.
- Some risks are out of the control of the management. Certain risks do not disappear unless the activity is terminated, whereas terminating an activity is not always possible or desirable.
Treating: This is a method of response given to a risk by means of control activities carried out with a view to keeping risks at a tolerable level (risk appetite) in public administrations. This method can be applied using the five following controls:
- Preventive Controls
- Corrective Controls
- Directive Controls
- Detective Controls
- Emergency Plans
For detailed information refer to the Control Activities chapter.
Transferring: This is the response given to risks by taking some of them away from the responsibility of the administration and transferring them to others. (Even if the risks are transferred, the responsibility cannot be transferred, and they need to be managed under the control of the administration, because it is the administration that will be affected when the risks are realised.)
Risk transfer is carried out using the following methods:
- Completely or partly transferring the activity to another administration
- Transferring its operation to third parties using a procurement method
- Transferring it by means of insurance (when appropriate)
Avoiding: If the risk we have to take is too big to manage and there are alternatives to the activity performed, it is possible to terminate this activity. For example, deciding not to build a factory which is expected to cause too much air pollution, or deciding not to purchase the computers that were planned to be purchased because of a budgetary cut.
The following box summarises the process of responding to risk.
Box RM 15 Process of responding to risk
- List the Threats and Opportunities according to the analysis results.
- Define your attitude considering the content of the risk:
o Tolerate
o Control
o Transfer
o Avoid
- Ensure that the benefit that the response will provide is higher than the cost it will bring.
While managing risks, the opportunities they bring along should also be taken into consideration. Alongside negative impacts, risks can also lead to opportunities. In order to be able to take these opportunities, which would make an additional contribution to the achievement of the administration's objectives, the administration must have designated strategies. Taking the opportunity is not an alternative method to respond to risks; rather, it is a method to be applied additionally.
Opportunities are taken in the following cases:
- When the cases of taking the opportunity and reducing the threats coexist. For example, carrying out health and scientific research to find a cure for a disease (the disease threat will decrease and, at the same time, the opportunity will emerge that costs will decrease with fewer people going to hospital).
- When opportunities emerge before the negative event occurs. For example, using a new technology to be able to work better, or reaching a greater number of people via e-state.
The following box gives some tips for use when responding to risk.
RM Box 16 Tips for responding to risk
- Prioritising risks helps decide which risk to respond to first.
- As a public administration, while determining the responses to be given to risks, the recipients of the services and the impacts on them must be considered.
- Stay away from over-control measures while responding to risks. Over-control harms the efficiency of the administration as much as insufficient controls do.
- The possibility that acting in coordination with other administrations in responding to risks may be more efficient must be considered.
The following box gives an example of the process of responding to risk.
RM Box 17 Example of the process of responding to risk
Your organisation has decided to buy a new IT system.
You identify your risks:
Risk 1: The new system has inadequate response times.
Risk 2: Data is not transferred accurately from the old IT system to the new system.
Risk 3: You do not have the capability to operate the new IT system.
Risk 4: The new IT system does not work.
What responses can you give to these risks?
Risk 1
Tolerate: You have been assured that the new system has a five second response time, which is similar to the current system, so you decide that it does not need to be quicker.
Risk 2
Treat: You need to introduce controls to make sure that data is transferred accurately.
- Preventive controls: Testing is done on the new IT system before it is introduced, to ensure that data is not corrupted on transfer.
- Corrective controls: Testing is done comparing data transferred from the old system to the data on the new system. This control activity corrects the errors.
- Directive controls: Requirement that IT staff working on developing the new system have adequate skills and experience.
- Detective controls: Testing is done after one year of operating the new system to see if standing data transferred from the old system is accurate.
- Emergency plan: You should make sure that you can revert to using the old system in the event that the new system does not have properly transferred data.
Risk 3
Transfer: You outsource the running of the new system to another organisation which has the relevant expertise.
Risk 4
Avoid: If it is detected during testing that the new IT system is not working, you quit buying this system and search for an alternative IT system.
Take the opportunity
Your new IT system allows you to operate more efficiently, freeing up staff time to do other activities.
7.4 Reviewing Risks
Risks can change in terms of their impact and likelihood due to various changing conditions or measures taken. Furthermore, it is also possible that new risk areas are formed due to changing conditions. Therefore, all the aspects of the risks identified and the risk management process should be reviewed at least on a regular basis. Reviews can be carried out at frequencies to be set by the administration according to the level of importance of the risks.
In the event that extraordinary developments take place and these have a serious impact on the risks, the Administrative Risk Coordinator (ARC), upon the spoken or written instruction of the head of administration, organises an emergency meeting of the Internal Control and Risk Steering Board to assess the risks. For example, natural disasters, economic crises and early election resolutions are extraordinary developments.
Reviewing the risks and reviewing the risk management process are two different processes, and the fact that one of them is carried out does not necessarily mean that the other is carried out as well. Whereas each risk is reviewed by its respective owner, the risk management process is reviewed by the Head of Administration and/or the ARC. Reviewing risks regularly provides flexibility in adapting to changing conditions.
Risks are reviewed as follows:
- Whether risks still exist, whether new risks have arisen, and whether the likelihood or impact of a risk has changed or not is reviewed.
- Priority should be given to key risks (those with the highest probability and impact) during a review. Other risks should be reviewed later.
- While reviewing strategic risks, first and foremost amended policy papers (if any), developments in other countries, expectations of the public for that period, Internal Audit Reports, Inspection Reports, External Audit Reports and other relevant reports and documents should be considered.
- In the light of the developments, if there have been any changes to the risk profile, the risk register of the administration/unit/sub-unit must be reviewed.
- The change must be communicated to the risk coordinator at the next senior level within five working days.
- By reviewing the prioritisation of the key/main risks, the assessment results should be submitted within five working days by the ARC to the ICRSB in a revised Risk Report. The results of the assessment will be discussed by the ICRSB and the report is then submitted to the Head of Administration by the ARC.
- The conclusion and evaluation part of the report must definitely include remarks on whether the risk management process provides the necessary assurance and whether new measures are needed or not:
o Do we give reasonable assurance on the successful management of risks?
o Do we give reasonable assurance on the effective implementation of the control activities?
The process of reviewing risks is summarised in Box RM18, and questions to consider are listed in Box RM19.
RM Box 18 Process for reviewing risk
- Set out a review period depending on the characteristics of the activity.
- Frequently review the first critical risks.
- During the review, assess the probability and impact of the risks for that period.
- Decide whether the risk is still a threat.
- Identify whether new risks have arisen for that period.
- The condition of the control activities must be reviewed according to the change in the risk. It would be appropriate to eliminate an activity which has become pointless because the risk has disappeared.
- Record the identified findings in the risk register.
- Report the risks of every level.
- Changes regarding the risks are reflected in the risk register; however, in emergencies the managers must be informed as soon as possible.
RM Box 19 Questions to consider in the risk review process
- What are the changes in the environmental conditions?
- What are the changes that impact on the operation of the activity?
- How do the changes affect the administration?
- Are present controls sufficient to address the changing situation?
- Is there sufficient evidence that the controls are effective?
- It would be useful to take into consideration the policy papers of the government and the administration while assessing risks.
7.5 Communication and Reporting
Communication within the context of risk management refers to the accurate and timely conveyance of the right information to the relevant people through various mechanisms at the right time. Communication is a vital process which needs to be effectively applied in all phases of risk management.
The following are important to communicate:
- The administration's objectives, policies and procedures
- The risk management strategy
- The numbering system in the risk assessment stage and the measurement mechanisms
- Which controls are convenient in responding to risks
- How well risks are managed, in reviewing risks
It is important to bear in mind that this vertical and horizontal communication is mutual (communication-feedback).
To ensure effective communication, the issues in Box RM20 should be considered.
RM Box 20 Issues for effective communication
- Who will communicate with whom, and in which format?
- Who is responsible to whom, and about what?
- How should communication with higher levels be conducted?
- How does communication with the Minister work?
- Who will communicate what information to which levels?
- How is the accuracy of information to be ensured?
- The expectations of top management from the employees regarding risk management should be clearly defined and conveyed to all employees.
In addition to internal communication, efficient communication lines are needed with the partners where the services provided require partnerships, and with the citizens or NGOs who are affected directly or indirectly by the services provided by the administration. Therefore, while the administration is producing its Risk Strategy and Policy Paper, it should prepare an efficient communication plan which regulates internal and external communication, and share it with all stakeholders.
Reporting has a direct impact on the decision-making processes in risk management. The reports should be as short and accurate as possible and should demonstrate the evidence regarding the evaluations; they should be relevant and submitted to the relevant people where necessary. Reporting must be carried out within the administration both vertically and horizontally. It should be explicitly set out who will report to whom, and with what frequency, in the risk management process. Reporting will be done in the forms to be determined by administrations and in pre-determined periods, using at least the information contained in the forms shown in the Annex to this Manual. When deemed necessary, administrations can develop forms other than those contained in the Manual.
Within the scope of this chapter of the manual, Risk Management can be demonstrated via the following diagram.
RM Figure 6: Risk Management Process (diagram; labels recovered from the figure: Administration's Mission; Strategic Plan and Performance Programme; Budget; Annual Management Plan, Activities, Processes, Projects; Risk Assessment: Identify, Measure (impact x probability), Prioritise; Assess, Manage, Monitor; responses: Tolerate, Control, Transfer, Avoid, Take the opportunities; levels: Operational Level, Unit Level, Administration Level; Risk Register; Control Activities; Monitoring and Evaluation)
7.6 Learning
Learning needs to be enriched through systematic training tools and disseminated to the target groups using the most effective method. Depending on the target group, such methods as conferences, seminars, workshops, trainings, hands-on trainings, internships, exchanging information via various communication channels, and sharing best practices, failures or mistakes would facilitate learning the risk management processes and establish a basis for risk management practices in a corporate sense.
Addressing risks largely depends on experience. Previous experiences, and making everyone aware of the successful and unsuccessful practices via a strong communication network, would facilitate more effective and faster addressing of risks. In particular, conveying the positive and negative experiences about emerging risks and the methods used to handle them to the stakeholders, and learning what could go wrong, can only be ensured if a method that focuses on learning from mistakes is adopted and learning experiences are shared. Therefore it will be useful to use the peer review method within the administration. In this method, units learn how others at the same hierarchical level manage risks, and they can adopt good practice examples in their own units.
Sharing risk management experiences with external stakeholders, especially organisations experienced in this field, could not only help the administrations develop new methods but also ensure a more efficient use of risk management resources.
RISK MANAGEMENT ANNEXES
ANNEX 1: Using the brainstorming method to identify, assess and record risks
Step 1
Collect together in the same room all members of the Unit or Sub-Unit, or all staff who work on a project or on a business process. Identify an appropriate facilitator (see RM Box 21) to guide the brainstorming workshop. The brainstorming would be most effective if it is facilitated by an independent person who has experience of facilitating brainstorming.
(Note: this can also be done by collecting all senior managers in an Administration to brainstorm strategic risks.)
Requirement for Step 1: all attendees of the brainstorming should be fully familiar with the Sub-Unit, Unit, project/business process or Administration respectively.
RM Box 21: Role of the facilitator
- Encourage all the workshop attendees to participate in identifying risks.
- Watch out for duplication of similar risks (if two risks are very similar, consider amalgamating them).
- Ensure that all attendees vote on the impact and likelihood of the identified risks.
- Encourage attendees to challenge each other's scores, defend their own, or change them if they think it appropriate.
- Ensure that the risk scores are accurately entered in the spreadsheet and prioritised.
- Action-plan the response to risks, starting with the highest priority.
- For each response, ensure responsibility is allocated to a named individual.
- Ensure for each response that a review and reporting date is identified (exact date).
Step 2
Once all brainstorming attendees are assembled as per Step 1, first clarify what the objectives of the Sub-Unit, Unit, project/business process or Administration respectively are. These may be included in the strategic plan or, for sub-units, may not previously have been identified. Think widely: are there other objectives that are not included? All attendees should agree that these are the objectives before proceeding to Step 3.
Step 3
All attendees at the brainstorming should brainstorm: what are the risks to the achievement of each of the objectives identified in Step 2? This can be done as one group or, for larger brainstorming sessions, in pairs or sub-groups. Risks identified by the brainstorming should be recorded in the risk voting form in Annex 2 (columns 3, 4 and 5), clarifying which objective(s) might not be achieved if the risk happens.
Step 4
Once all risks are identified, all brainstorming participants should vote on what they think the likelihood and impact of each risk are, using the guidance for scoring in the risk management chapter of this manual. These votes should be recorded on the risk voting form. In line with the number of participants, the number of the related columns can be increased (columns 6, 7, 8 and 10, 11, 12). (For scoring impacts and probabilities see Annex 5, Risk Assessment Criteria Table.)
Step 5
Once initial votes are recorded on the risk voting form, where there are large variations between the highest and lowest score for likelihood and/or impact for a particular risk, the individual(s) who gave the highest score should first of all justify why they gave the high score and try to convince the others why they should increase their score. The individual(s) who gave the lowest score should then justify why they gave the low score and try to convince the others why they should decrease their score. After these justifications have been given, an opportunity should be given to all who were convinced by any of the justifications to change their score.
Step 6
The risks identified should be listed in decreasing order of the product (column 14) of the average impact (column 9) and the average probability score (column 13) from the brainstorming. The participants should be asked if the result is what they expected. Does what they considered to be their most significant risk have the highest score? If not, look at the voting again and consider whether it needs to be changed.
Step 7
Once brainstorming participants are satisfied with the prioritisation of the risks, complete the other columns of the risk register (Annex 3), starting with the highest priority risk.
Step 8
If the risk which is written in column 5 of the Risk Register arises from an event which will occur at a particular date (e.g. elections), column 6 of the Risk Register, namely the time frame column, can be completed by writing how much time before the date the risk is expected to materialise (e.g. a month, three months, etc.). The column can be left blank if timing is not important.
Step 9
When identifying control activities, consider whether the risk level is within the risk appetite for that particular risk or not, and what control(s) would be most cost-effective and would mitigate the risk best by reducing the impact and/or the likelihood of the risk materialising. Also consider what the existing controls are, whether these are currently effective, and whether they can be improved or whether it would be more cost-effective to introduce new additional control(s) in addition to or instead of the existing control(s). Complete the related columns in line with the explanations in the table (columns 11 and 12 in the Risk Register).
Step 10
The form will have been fully completed when the other columns are completed, taking into consideration the instructions in the Risk Register form.
The following box gives some suggestions for ground rules for brainstorming.
RM Box 22: Suggested ground rules for brainstorming
- There is no such thing as a bad idea.
- One person speaking at a time.
- Active participation.
- Keep to the timetable.
- The facilitator is in charge (if there is one).
- Open discussion, but no personal criticism.
ANNEX 2: Risk Voting Form. This form is used to calculate the risk score after risks are identified.
ANNEX 3: Risk Register. This is the form used to report the status after risks identified at administration/unit/sub-unit level are recorded.
RISK REGISTER
Administration/Unit/Sub-unit: ........    Date: 20..
Column headings of the form:
1 Serial no
2 Reference No
3 Strategic Objective
4 Unit's Objective
5 Risk Identified (Risk / Reason)
6 Time frame
7 Probability
8 Impact
9 Risk score (R): 45-100 / 9-44 / 1-8
10 Change (Direction of risk)
11 Current/New/Additional control activities
12 Starting date
13 Risk owner
14 Monitoring and Reporting
Columns
1 Serial no: shows the sequencing in the risk register.
2 Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist, and the same code is not given to another risk.
3 Strategic Objective: the column in which the code of the strategic objective related to the risk, as shown in the strategic plan, is written.
4 Unit's objective: if the risk register is completed at unit/sub-unit level, the objective of the unit which is directly or indirectly related to the strategic objectives of the administration and can be affected by the risk is written in this column; if the risk register is completed at administration level, this column is left blank.
5 Risk Identified: description of the risk. Reason: the reasons which cause the risk to occur.
6 Time frame: if the risk arises from an event which will occur at a particular date (e.g. elections), this column can be completed by writing how much time before the date the risk is expected to materialise (e.g. a month, three months, etc.). The column can be left blank if timing is not important.
7 Probability: the probability value determined by using the Risk Voting Form (Annex 2) (between 1 and 10). While determining this score it may be useful to list related control activities, actions taken and related regulations. In this way the probability that the risk will materialise notwithstanding the actions taken can be determined.
8 Impact: the impact value determined by using the Risk Voting Form (Annex 2) (between 1 and 10). While determining this score it may be useful to list related control activities, actions taken and related regulations. In this way, what the impact of the risk will be if it happens, notwithstanding the actions taken, can be determined.
9 Risk Score (R = I x P): the risk score determined by multiplying the probability and impact scores in the Risk Voting Form (Annex 2) (between 1 and 100). See below for an explanation of the colours to use.
10 Change (Direction of risk): the column in which the change in the status of the risk is shown in light of the previous risk register. It can be shown, according to the administration's preference, in writing (such as up/down/stable) or by means of direction signs. If there is no previous risk register, it is stated as "New".
11 Current/New/Additional control activities: current control activities are written in this column. It is assessed whether these activities are still needed or not; if not, they are removed. It is also assessed whether the current control activities are appropriate or sufficient. If the calculated risk score is above the desired level, taking into consideration the current control activities, then the new or additional control activities which are planned are written in this column.
12 Starting date: the exact date on which new/additional control activities will start to be implemented.
13 Risk owner: the person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, does the monitoring, keeps records of achievements and failures of control activities, and ensures that evidence showing that the risk is managed is kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.
14 Monitoring and Reporting: when to review the risks, and to whom to report them, are written in this column.
Colours
High risk (score 45-100)
Medium risk (score 9-44)
Low risk (score 1-8)
No sufficient information to assess the risk: it is included in the risk register and a risk owner is identified for collecting sufficient information.
Note: in the event that a new risk is identified during the year, the employee identifying this risk reports it to the senior manager. If the manager decides this is a risk which needs to be managed, then this risk is registered in the risk register form and approved by the relevant manager.
ANNEX 4: Consolidated Risk Report
This is the form which enables the corporate risks of an administration to be submitted to the senior manager as a report composed of a few pages.
CONSOLIDATED REPORT
(Corporate Risks)
Administration/Unit/Sub-unit: ........    Date: 20..
Column headings of the form:
1 Serial No
2 Reference No
3 Strategic Objective
4 Risk Identified
5 Status: Previous risk score and colour (45-100 / 9-44 / 1-8)
6 Status: Current risk score and colour (45-100 / 9-44 / 1-8)
7 Risk Owner
8 Explanation
Columns
1 Serial no: shows the sequencing in the risk register.
2 Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist, and the same code is not given to another risk.
3 Strategic Objective: the column in which the code of the strategic objective related to the risk, as shown in the strategic plan, is written.
4 Risk Identified: description of the risk.
5 Previous risk score and colour: shows the status of the risk in the previous Consolidated Risk Report.
6 Current risk score and colour: shows the status at the date of the report.
7 Risk owner: the person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, does the monitoring, keeps records of achievements and failures of control activities, and ensures that evidence showing that the risk is managed is kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.
8 Explanation: information about the effectiveness of control activities, and foresight for the future, are given in the explanation section.
Colours
High risk (score 45-100)
Medium risk (score 9-44)
Low risk (score 1-8)
No sufficient information to assess the risk: it is included in the risk register and a risk owner is identified for collecting sufficient information.
ANNEX 5: Risk Assessment Criteria Table
Columns of the table: Value, Range, Probability, Impact (Strategy, Activities, Financial, Compliance with Legislation).

Value 10, 9, 8, 7 - Range: High
Probability: Risks which are almost certain to occur within 5 years. Taking into consideration the structure of the administration, they generally arise from policies and procedures. The wider the activity area of the administration, the more likely it is that the risky event occurs.
Impact (Strategy): Risks which can have a major impact on attaining strategic objectives. These are risks which are generally faced in the long term, but can cause the administration to divert from its objectives in case of occurrence.
Impact (Activities): Risks which cause the administration/unit/sub-unit not to provide the service it has to provide in an effective and efficient way belong in this category.
Impact (Financial): Risks which will cause heavy financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are above the acceptable level should be accepted as a high risk.
Impact (Compliance with Legislation): Risks which will cause a big obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation. Such risks can be seen in areas where the legislation is too complicated and unclear.

Value 6, 5, 4 - Range: Medium
Probability: Risks which are likely to occur within 5 years. These are generally such risks that the administration/unit/sub-unit, or administrations with similar structures, have faced formerly.
Impact (Strategy): Risks which can have a certain level of impact on attaining strategic objectives.
Impact (Activities): Risks with a certain level of impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.
Impact (Financial): Risks which will cause a certain level of financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are within the acceptable level should be accepted as a medium risk.
Impact (Compliance with Legislation): Risks which will create a certain level of obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Value 3, 2, 1 - Range: Low
Probability: Risks with a low probability of occurrence within 5 years. These are generally such risks that the administration/unit/department faces very rarely. These are risks with almost no likelihood of occurrence.
Impact (Strategy): Risks which can have the least impact on attaining strategic objectives. Their impacts are generally small and cover a limited area.
Impact (Activities): Risks with little impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.
Impact (Financial): Risks which will cause little financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are below the acceptable level should be accepted as a low risk.
Impact (Compliance with Legislation): Risks which will cause a small obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Range: Unknown (no value; shown in blue)
Probability: In case there is no idea about the likelihood of the risk occurring within 5 years, the risk is shown in blue until it can be clearly identified with larger data.
Impact (Strategy): The impact of a risk likely to occur on the strategic objectives of the administration could not be determined.
Impact (Activities): The impact of a risk likely to occur on the activities could not be determined.
Impact (Financial): The financial impact of a risk likely to occur could not be determined.
Impact (Compliance with Legislation): The impact of a risk likely to occur in case of non-compliance with the legislation could not be determined.
The risk has recently emerged, no data was obtained regarding its status, and there is not sufficient data for analysing the new risk; or it is a risk which previously occurred but there is not sufficient data for the analysis. Information should be gained as soon as possible so that an analysis can be made and an opinion formed.
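The arithmetic behind Annex 1 (Steps 4 to 6: votes, averages, the product in column 14 and the ranking), the colour bands of the Risk Register and Consolidated Risk Report (45-100, 9-44, 1-8), and the "no information" case of Annex 5, worked through as an added Python example. This code is not part of the manual or of any Twinning project deliverable; the reference codes, the three voters' scores and the 4-point spread threshold used to flag Step 5 discussions are constructed assumptions.

```python
"""Worked arithmetic of the Risk Voting Form and Risk Register (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Colour bands for the risk score R = I x P, as given in the Risk Register
# (Annex 3) and the Consolidated Risk Report (Annex 4).
HIGH_MIN = 45      # 45-100: high risk
MEDIUM_MIN = 9     # 9-44: medium risk; 1-8 is low risk


@dataclass
class RiskVotes:
    """One row of the voting form; comments give the form's column numbers."""
    reference: str                       # column 2 (constructed sample codes below)
    objective: str                       # columns 3/4: objective the risk threatens
    description: str                     # column 5: risk identified
    impact_votes: List[int] = field(default_factory=list)       # columns 6-8
    probability_votes: List[int] = field(default_factory=list)  # columns 10-12


def average_vote(votes: List[int]) -> Optional[float]:
    """Columns 9 and 13: the average of the participants' 1-10 votes.
    Returns None when nobody has voted (the 'not enough information' case)."""
    if not votes:
        return None
    for v in votes:
        if not 1 <= v <= 10:
            raise ValueError(f"vote {v} is outside the 1-10 scale of Annex 5")
    return sum(votes) / len(votes)


def risk_score(risk: RiskVotes) -> Optional[float]:
    """Column 14: R = average impact x average probability (Step 6)."""
    impact = average_vote(risk.impact_votes)
    probability = average_vote(risk.probability_votes)
    if impact is None or probability is None:
        return None
    return impact * probability


def colour_band(score: Optional[float]) -> str:
    """Colour band of the register: high / medium / low, or 'unknown' (the blue
    entry of Annex 5) when the risk could not be scored yet."""
    if score is None:
        return "unknown"
    if score >= HIGH_MIN:
        return "high"
    if score >= MEDIUM_MIN:
        return "medium"
    return "low"


def needs_discussion(risk: RiskVotes, max_spread: int = 4) -> bool:
    """Step 5: flag a risk whose highest and lowest vote differ widely, so the high
    and low voters justify their scores before the averages are used. The manual
    only says 'large variations'; the 4-point threshold is an assumption."""
    def spread(votes: List[int]) -> int:
        return max(votes) - min(votes) if votes else 0
    return (spread(risk.impact_votes) > max_spread
            or spread(risk.probability_votes) > max_spread)


def rank_risks(risks: List[RiskVotes]) -> List[RiskVotes]:
    """Step 6: decreasing order of score; unscored (unknown) risks are listed last."""
    return sorted(risks, key=lambda r: (risk_score(r) is None, -(risk_score(r) or 0.0)))


def duplicate_references(risks: List[RiskVotes]) -> List[str]:
    """Annex 3, column 2: the same reference code must not be given to two risks."""
    seen, dupes = set(), []
    for r in risks:
        if r.reference in seen and r.reference not in dupes:
            dupes.append(r.reference)
        seen.add(r.reference)
    return dupes


# Constructed sample votes from a three-person brainstorming session.
SAMPLE = [
    RiskVotes("R-01", "Objective 1", "Key supplier fails to deliver on time",
              impact_votes=[8, 9, 7], probability_votes=[7, 6, 8]),
    RiskVotes("R-02", "Objective 2", "High staff turnover in the unit",
              impact_votes=[5, 4, 9], probability_votes=[6, 5, 6]),
    RiskVotes("R-03", "Objective 1", "Procedure changed by new regulation",
              impact_votes=[3, 2, 2], probability_votes=[2, 3, 2]),
    RiskVotes("R-04", "Objective 3", "Risk raised late in the session, not yet voted"),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE):
        score = risk_score(r)
        shown = "n/a" if score is None else f"{score:5.1f}"
        flag = "  (votes differ widely: discuss before accepting)" if needs_discussion(r) else ""
        print(f"{r.reference}  R={shown}  {colour_band(score):7}  {r.description}{flag}")
```

With the sample votes, R-01 scores 8.0 x 7.0 = 56 (high), R-02 scores 6.0 x 5.67 = 34 (medium) but is flagged because one impact vote of 9 sits against votes of 4 and 5, R-03 scores about 5.4 (low), and R-04 stays unscored and is listed last with a risk owner still to be assigned, as Annex 3 requires.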
ANNEX 6: Case Study Example of Inherent and Residual Risk
A case study example to illustrate the concepts of inherent and residual risk, and also to illustrate how a risk owner can obtain information from several different control owners to monitor the extent to which the risk they are responsible for is successfully mitigated by the existing controls.
The scenario concerns a storage warehouse for gold bars, a risk owner who is the Store manager, a risk that gold bars are stolen, and 4 controls:
a) An IT system control recording bars in and out and the balance held for each working day; daily printouts are sent by the IT manager to the risk owner.
b) An independent company comes in once a month to perform a stocktake count of the gold bars in the warehouse, which they reconcile with the relevant printout of stock from the IT manager; any variances in stock held are investigated and explanations provided where possible. The independent company provides a monthly report to the risk owner on the results of the work they have done, detailing any unexplained variances (which could potentially be incidences of theft).
c) Security guards: professionals guarding access to the warehouse 24 hours a day and 7 days a week, ensuring that only authorised staff have access to the warehouse and that all bags are put through a metal detector on leaving, to ensure gold bars are not being smuggled out (gold bars are too heavy to be easily hidden on the person). On recruitment, a criminal record check is made on the security guards to ensure that they do not have prior convictions for theft. Security guards report weekly to the risk owner on their work; and
d) An alarm system: any incidences of it being set off are sent in a report by the security guards to the risk owner. Regular (weekly) checks on the alarm system's functioning are carried out by the security guards, with the success of the check included in their reports to the risk owner.
The inherent risk, in the absence of the above 4 controls, would be considered high (a high probability that bars would be stolen, and a high impact, as gold bars are expensive). This would be above the risk appetite, and consequently the above 4 controls would be designed to mitigate the risk of the gold bars being stolen, with the foreseen effect of the four controls being that the residual risk would be reduced. (Note: all four control measures combined would mitigate only the probability of the gold bars being stolen, not the impact.)
The risk owner would gather evidence as to the effectiveness of the four controls. If they were found to be effective, he would consider whether the risk had been successfully mitigated to within the risk appetite (likely answer: yes, unless a further new control or a strengthening of the existing controls was considered necessary because the risk appetite was very low due to the high impact/the organisation being very risk averse).
If one or more of the 4 controls is found by the risk owner to be ineffective, it is likely that the risk would still be at a level above the risk appetite, and so the risk owner would need to escalate the issue to his line manager, suggesting methods for further mitigating the risk (either by introducing an additional control or by strengthening the control(s) that had been found to be ineffective).
ANNEX 7: Case Study Example of completed Risk Voting Form, Risk Register and Consolidated Risk Report
CONTROL ACTIVITIES
1 Introduction
Control activities (also referred to as controls) are actions aimed at reducing the impact and/or the likelihood of a risk occurring, and thus increasing the probability of attaining the goals and objectives of the organisation or part of the organisation. For an effective control, the introduction of the control activities depends on the completed risk assessment. The management must plan, organise and direct sufficient control activities to obtain reasonable assurance that the tasks and goals will be achieved. Control activities cover both financial and non-financial controls, and they should be designed and implemented as a whole for all the activities of the administration.
This section of the manual, within the framework of the internal control standards, looks at how procedures should be developed as control activities to ensure that risks to achieving administrative objectives are managed effectively.
2 Control Activities Standards
Administrations, while identifying and implementing their control activities, take into account the following standards.
CA Box 1: Internal Control Standards
Standard 7: Control strategies and methods
The administrations shall determine and implement control strategies and methods which aim to achieve the objectives and are suitable for the risk response.
Standard 8: Determination and documentation of procedures
The administrations shall prepare and update the written procedures which are required for administrative activities as well as for financial decisions and transactions and arrangements relevant to these areas, and also give the relevant personnel access to these documents.
Standard 9: Segregation of duties
With a view to reducing the risks of fault, flaw, error, irregularity and corruption, the duties of approval, implementation, recording and control of financial decisions and transactions shall be allocated among personnel.
Standard 10: Hierarchical controls
The administrators shall systematically control the compliance of works and transactions with the procedures.
Standard 11: Continuity of activities
The administrations shall take the necessary measures for the continuity of activities.
Standard 12: Information system controls
The administrations shall develop control mechanisms in order to ensure the continuity and security of information systems.
(Figure: components of internal control, as shown in the margin diagram: Control Environment, Risk Management, Control Activities, Information & Communication, Monitoring)
3 Planning Process of Control Activities
Control activities can be regarded as the ability of administrations to get through the challenges they experience in carrying out their activities. Control activities should be designed within the framework of a cost-effectiveness analysis, in a way that directly facilitates the attainment of objectives. Ideally, when introducing control activities, the heads of organisations must take into account the expected benefit from them as well as the costs of their introduction and implementation. Control activities should ideally be introduced into processes and systems at the time these processes and systems are set up, because the introduction of control activities at a later stage is more expensive and less efficient.
It is important for the effectiveness of controls that control activities be understandable, applicable and consistent. A good control strategy should take into account how to implement the controls as well as identifying them. At this juncture, the administrative, financial and physical capacity of an administration should be taken into consideration.
Another important point to pay attention to in planning control activities is the evaluation of the effectiveness of the controls implemented. Such issues as whether the aim of implementing the control is commensurate with the targeted results, and whether the expected cost is in line with the actual cost, should be evaluated. Furthermore, regular review of control activities in the light of changing circumstances is also an important factor in the evaluation of effectiveness.
Administrations should take into consideration the following basic requirements in identifying control activities.
CA Box 2: Basic Requirements, Planning of control activities
In order to be effective, control activities must be:
- adequate (the right control in the right place at the right level, and commensurate to the risk involved);
- cost-effective (the costs of implementing a control should not exceed its benefits);
- comprehensive, understandable and directly related to the control objectives;
- documented clearly;
- evaluated as a whole, so that they are consistent in their operation;
- carried on until their effectiveness is evaluated.
4 Classification of control activities
Control activities are generally classified as follows. Administrations should implement the following basic requirements as a minimum standard; however, they can implement additional control activities depending on the nature of the risk.
4.1 Preventive controls
These are the controls carried out to mitigate the likelihood of, and prevent as much as possible, the undesirable outcomes that may emerge when risks occur. For example: ex-ante financial control operations; applying the principle of segregation of duties to prevent fraud or irregularities.
CA Box 3: Basic requirements, Preventive Controls
- the security of physical and intangible rights (intellectual assets, etc.) and records;
- physical safeguarding of assets;
- recording financial/management information;
- access controls such as passwords, identity cards, guards; and
- segregation of duties in order to avoid conflicts of interest.
4.2 Corrective Controls
These are the controls aimed at reducing the impact of the undesirable outcomes that stem from the threats the risks pose. For example: placing provisions regarding the reimbursement of undue payments in agreements; setting the period of guarantee in advance.
CA Box 4: Basic requirements, Corrective Controls
- identifying methods for recovery from loss or damage which would affect the activities negatively;
- appropriate actions are taken for the correction or elimination of the identified differences.
4.3 Directive Controls
These are the controls applied to reach a certain end. For example: provision of training on protection against possible threats; using protective materials (masks, special clothes, etc.); preventive medical practices (giving messages about washing hands in periods of epidemics, publishing dedicated leaflets).
CA Box 5: Basic requirements, Directive Controls
- an approved organisation chart that is constantly updated to reflect organisational changes;
- manuals or written procedures, brochures, booklets, posters and other similar documents on implementation;
- established, clear and documented definitions of the responsibilities and tasks for resources, activities, programmes, projects, objectives and targets;
- assigning tasks and responsibilities by taking into account the relevant skills and experience of staff;
- delegating authority, based on the organisational structure and responsibilities, to do the jobs effectively, and documenting the delegation;
- establishing effective means of communication throughout the organisation; and
- establishing clear reporting methods.
4.4 Detective Controls
These are the controls applied to identify the damages and losses experienced once the risks have materialised. For example: conformity controls carried out after spending has been made to identify responsibility; controls performed to detect negligence by experts or authorities.
CA Box 6 Basic requirements Detective Controls
periodic countsphysical inventories
comparison of the countinventories with the records
methods for the identification and analysis of differences
5 Methods of control activities The main methods of controls are mentioned below Administrations may also
implement different ex-ante and ex-post control methods based on the requirements
of their organisational structure and field of activity
Ex-ante controls are the controls put into practice in the light of the
appropriate procedures before the activity takes place whereas Ex-post controls refer
to the controls performed by the management through the use of pre-identified
methods after the activities take place
CA Box 7: Tips for control activities

The following points should be considered when control activities are identified:
- When determining control activities and allocating resources to them, it may be necessary to give priority also to risks with a high probability and low impact, even though they rank low in the prioritisation list drawn up from the risk scores.
- Preparing emergency plans, as well as control activities, for risks with a very high probability and impact is of great importance.
- Both the probability and the impact of internal risks can be reduced by control activities.
- The probability of external risks, on the other hand, may not be under the administration's control; their impact can nonetheless be mitigated by proper risk management.
- When responding to risks, over-controlling should be avoided: both over-control and under-control undermine the effectiveness of controls.
- Depending on the nature of the risk, several control methods may be used at once if necessary.
- Have the costs and benefits of implementing the control activities been analysed?
- Have the new control activities been piloted to see whether they have the desired effect?
- Are the control activities operating effectively as planned? Is the required evidence on the controls collected and analysed periodically?
- After a reasonable period of time, are the new control activities, and the existing controls that are being continued, functioning as expected? Is this reported to the manager / risk coordinator?
CA Box 8: Factors to be determined when identifying control activities
- which unit / who will conduct the activities;
- deadlines for the activities;
- resources necessary for the activities to be conducted;
- critical achievement factors;
- how the activities will be documented;
- monitoring processes for the activities.

5.1 Authorisation and approval

Managers should introduce appropriate rules and procedures for decision-making, authorisation and approval, taking the following into account. Decision-making and approval shall be carried out only by authorised persons. Authority means that operations are initiated only by persons acting within their powers. Observing the order of authorisation requires employees to act in accordance with directions and within the limits set by the manager of the organisation or by legislation. The authorisation procedures should include specific conditions and the delegation of powers by managers to employees for the performance of particular activities. Approval is the endorsement (certification) of transactions, data or documents, whereby processes, actions, proposals and/or their consequences are completed or validated.

5.2 Segregation of duties

To minimise the risk of errors, irregularities and violations, and of their non-detection, managers should introduce rules stipulating that different employees be responsible for two or more key stages of an operation, process or activity. To ensure effective checks and to strike a balance in the implementation of an operation, responsibilities shall be segregated so that no employee is responsible simultaneously for approval (decision-making), implementation, accounting and control.

In organisations with fewer staff this segregation is more difficult to implement. In such cases the manager may consider combining two of the specified activities and compensating for the non-application of this control mechanism by another, e.g. rotation of employees, rotation of duties or additional management checks. In this way the risk of a single person dealing with more than one key aspect of an operation, process or activity for an unjustifiably long period of time can be reduced.

5.3 Double signature system

The double signature system is a procedure to ensure the accuracy of the data included in a document. The method is applied in non-financial processes, such as the provision of information to top management (reports, information notes, statistics, etc.) and appointment orders, and before financial obligations are entered into, such as the signing of contracts and the making of payments (payment orders, etc.). In financial transactions in particular, it ensures that the person responsible for the accounting entries knows about pending obligations or payments and performs the due accounting procedures. The double signature system gives assurance that the procedures are carried out by authorised staff.
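The two rules in 5.2 and 5.3 can be checked mechanically over a journal of completed payments. The following is an added example written for this manual, not code from the Twinning project or any administration's system: the record layout, the staff names, the authorised-signer list and the use of a "management_check" field to represent the compensating control for small organisations are all assumptions. It reports every person who combined two or more of the four key stages (and whether a third person's management check compensates for it) and every payment that lacks two distinct authorised signatures.

```python
"""Detective check over a payments journal: segregation of duties (5.2)
and double signature (5.3).  Added example; layout and names are assumed."""
from collections import defaultdict

# The four key stages one person must not combine (section 5.2).
KEY_STAGES = ("approval", "implementation", "accounting", "control")

# Assumed list of staff entitled to sign financial obligations.
AUTHORISED_SIGNERS = {"ayse", "burak", "ali"}

# Constructed sample journal: who performed each stage, who signed, and
# whether an additional management check (compensating control) was done.
JOURNAL = [
    {"id": "PAY-001", "approval": "ayse", "implementation": "mehmet",
     "accounting": "fatma", "control": "ali",
     "signatures": ["ayse", "burak"], "management_check": None},
    {"id": "PAY-002", "approval": "ayse", "implementation": "ayse",
     "accounting": "fatma", "control": "ali",
     "signatures": ["ayse", "ayse"], "management_check": None},
    {"id": "PAY-003", "approval": "burak", "implementation": "mehmet",
     "accounting": "mehmet", "control": "ali",
     "signatures": ["burak", "ali"], "management_check": "ayse"},
]


def sod_conflicts(record):
    """Map each person to the key stages they held, keeping only those with more than one."""
    holders = defaultdict(list)
    for stage in KEY_STAGES:
        holders[record[stage]].append(stage)
    return {person: stages for person, stages in holders.items() if len(stages) > 1}


def compensated(record, person):
    """A combined role is tolerated only if someone other than that person
    performed an additional management check (5.2, small organisations)."""
    checker = record.get("management_check")
    return checker is not None and checker != person


def double_signature_ok(record):
    """Two distinct signatures, both from authorised staff (5.3)."""
    signers = set(record["signatures"])
    return len(signers) >= 2 and signers <= AUTHORISED_SIGNERS


def review(journal):
    """Return (payment id, control, detail) for every breach found."""
    findings = []
    for rec in journal:
        for person, stages in sod_conflicts(rec).items():
            status = "compensated" if compensated(rec, person) else "UNCOMPENSATED"
            findings.append((rec["id"], "segregation",
                             f"{person}: {'+'.join(stages)} ({status})"))
        if not double_signature_ok(rec):
            findings.append((rec["id"], "double-signature",
                             "two distinct authorised signatures required"))
    return findings


if __name__ == "__main__":
    for finding in review(JOURNAL):
        print(*finding, sep=" | ")
```

Run as a script it lists PAY-002 twice (one person both approved and implemented with no compensating check, and only one distinct signature) and PAY-003 once (implementation and accounting combined, but compensated by a management check). Deciding which role combinations are tolerable, and for how long before rotation is required, remains a management decision; the script only surfaces the facts.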
5.4 Reconciliation of data

Procedures should also guarantee that data from different documents and sources are matched to ascertain their consistency. For example, accounting entries relating to bank accounts are reconciled with the corresponding bank statements, invoice data are matched with those on the warehouse receipt, etc.
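The matching described here, and the "comparison with the records" and "analysis of differences" required of detective controls in CA Box 6, is the same operation whatever the two sources are. The following added example (not from the manual or any administration's system; the column names, references and figures are constructed) reconciles two sources keyed on a reference and reports what appears on only one side, what appears on both with different values, and any reference that occurs more than once, since a duplicate reference is itself something to examine rather than silently merge. It is run once for ledger entries against a bank statement and once for inventory records against a physical count.

```python
"""Generic reconciliation of two sources (5.4 / CA Box 6).  Added example;
the data below is constructed, not taken from any real ledger or statement."""


def reconcile(records, observed, key, value, tolerance=0.0):
    """Match `records` against `observed` on `key` and compare `value`.

    Returns the keys found only in records, only in observed, the value
    differences larger than `tolerance` as (key, recorded, observed, delta),
    and any key that appeared more than once on either side.
    """
    def index(rows):
        by_key, dups = {}, set()
        for row in rows:
            if row[key] in by_key:
                dups.add(row[key])
            by_key[row[key]] = row
        return by_key, dups

    rec_by, rec_dups = index(records)
    obs_by, obs_dups = index(observed)
    differences = []
    for k in sorted(rec_by.keys() & obs_by.keys()):
        a, b = rec_by[k][value], obs_by[k][value]
        if abs(a - b) > tolerance:
            differences.append((k, a, b, round(b - a, 2)))
    return {
        "only_in_records": sorted(rec_by.keys() - obs_by.keys()),
        "only_in_observed": sorted(obs_by.keys() - rec_by.keys()),
        "differences": differences,
        "duplicate_keys": sorted(rec_dups | obs_dups),
    }


# Constructed sample: accounting entries for a bank account vs. the bank statement.
LEDGER = [
    {"ref": "TRF-1001", "amount": 1500.00},
    {"ref": "TRF-1002", "amount": 250.00},
    {"ref": "TRF-1003", "amount": 980.50},
]
BANK_STATEMENT = [
    {"ref": "TRF-1001", "amount": 1500.00},
    {"ref": "TRF-1003", "amount": 890.50},
    {"ref": "FEE-77", "amount": -12.00},
]

# Constructed sample: inventory records vs. a physical stock count.
STOCK_RECORDS = [
    {"item": "A4-paper", "qty": 120},
    {"item": "toner-black", "qty": 8},
    {"item": "laptop-dock", "qty": 5},
]
STOCK_COUNT = [
    {"item": "A4-paper", "qty": 118},
    {"item": "toner-black", "qty": 8},
    {"item": "laptop-dock", "qty": 4},
]


def bank_reconciliation():
    return reconcile(LEDGER, BANK_STATEMENT, key="ref", value="amount")


def stock_check():
    return reconcile(STOCK_RECORDS, STOCK_COUNT, key="item", value="qty")


if __name__ == "__main__":
    for name, result in (("bank", bank_reconciliation()), ("stock", stock_check())):
        print(name)
        for section, items in result.items():
            print(f"  {section}: {items}")
```

Every item in the output is a difference to be explained and documented, which is the third requirement in CA Box 6: an entry with no bank movement may be a timing difference or an unrecorded cancellation, a bank charge with no ledger entry needs posting, a shortfall in the count needs a written explanation from the custodian.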
5.5 Supervision procedures

Supervision procedures should be carried out on a daily basis by line managers over the assignment of work and its performance. Assignment of work by line managers does not reduce their own responsibility for its performance. Line managers should give staff the necessary directions and instructions to ensure understanding and to avoid errors and fraud in the discharge of their duties. Line managers should also apply these procedures to assure themselves that the tasks assigned are carried out correctly.

5.6 Ex-ante financial controls

Ex-ante financial control is a control performed to check the compliance of the financial decisions and operations of administrations, regarding their income, expenditure, assets and liabilities, with the budget of the administration. Further checks are carried out against the available appropriation amount, the expenditure programme, the financing programme, and the provisions of the central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently. The purpose of ex-ante control is for managers to obtain reasonable assurance of the compliance of such decisions/actions with the legislation and the performance programme.[2]

5.7 Procedures for accounting operations

Procedures should ensure that the accounting for all financial transactions on a given date is complete, true, accurate and timely. Their purpose is to support the taking of correct decisions from which financial consequences arise. These procedures should be developed in accordance with the relevant legislation and public accounting standards.

[2] Please see the regulation on procedures and principles on internal control and ex-ante financial control for further details.
5.8 Anti-corruption

There should be rules and procedures for warning of, examining, detecting and reporting administrative weaknesses, discrepancies and violations which create conditions for corruption, fraud and irregularities.

Anti-corruption procedures include:
- preventive controls;
- a system for checking, detecting and reporting early indications of corruption, fraud and irregularities;
- whistleblowing procedures (for more information please refer to the Information and Communication section); and
- a set of procedures for reporting irregular activities to the competent external authorities, such as the Prosecutor's Office.

5.9 Access to assets and information

Managers must ensure that only authorised persons responsible for the safeguarding and/or use of assets and information have access to them. Restricting access to assets reduces the risk of their misuse or wrongful utilisation and protects the organisation from losses. The degree of restriction depends on the vulnerability of the assets and information and on the risk of loss or misuse. When determining the vulnerability of assets, the manager shall consider their value, transportability and the possibility of their being exchanged for cash.
5.10 Documentation, archiving and storing of information

Procedures for documentation, archiving and storing of information shall be introduced to support the performance of operations, the taking of correct managerial decisions and the control of processes in an organisation. Documentation involves developing written evidence of decisions made, events that occurred, actions and transactions performed, etc. The documentation must be complete, accurate and timely.

The documentation procedures include those for document circulation, describing the order of circulation and use of documents produced and received. The documentation procedures must allow every document, action and process in the organisation to be traced, stating precisely who performed what, how and when, the purpose, and the type of act/document issued as a result.

According to the terminology adopted by the European Commission, this comprises an audit trail. Its establishment helps achieve:
- transparency;
- tracing of the processes in the organisation from their initiation to completion; and
- tracing of the segregation of functions by decision-making, performance, accounting and control.

The audit trail shall state what procedures and transactions exist, who the responsible persons are, what documents are drawn up, what systems for the management and control of data flows exist, and what the form of presentation of the results is.

Archiving procedures must ensure the chronological and systematic filing of documents about past events, decisions and actions concerning the organisation. There should be specific guidelines describing in detail the procedures for archive establishment, completion, use and destruction.

The procedures for storage of information shall ensure the physical preservation of the information media (paper and/or electronic) as well as preservation of the content without change, so that the information provides a true and fair view of the facts, decisions and actions relating to the organisation.
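For an electronic audit trail, "preservation of the content without change" can be made verifiable rather than merely asserted. The following is an added example, not code from the manual or from any administration's system: each entry records who did what, how and when, against which document and at which key stage, and carries a SHA-256 digest that covers the entry and the digest of the previous entry. Editing, deleting or reordering an entry after the fact then breaks the chain at that point, and a trace of one document shows the segregation of functions across its life. The entries, names and timestamps are constructed.

```python
"""Hash-chained audit trail (5.10): who / what / how / when per document,
with an integrity check.  Added example; all entries below are constructed."""
import hashlib
import json

GENESIS = "0" * 64  # link value for the first entry


class AuditTrail:
    """Append-only list of entries, each chained to its predecessor's digest."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the stored hash itself, in a canonical order,
        # so that any change to content or to the "prev" link is detectable.
        payload = {k: v for k, v in entry.items() if k != "hash"}
        data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
        return hashlib.sha256(data).hexdigest()

    def record(self, when, who, what, how, obj, stage):
        """Append one entry and return its digest."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries) + 1, "when": when, "who": who,
                 "what": what, "how": how, "object": obj, "stage": stage, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return 0 if the chain is intact, else the seq of the first broken entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return 0

    def trace(self, obj):
        """The life of one document from initiation to completion:
        (seq, when, who, stage, what, how)."""
        return [(e["seq"], e["when"], e["who"], e["stage"], e["what"], e["how"])
                for e in self.entries if e["object"] == obj]


def build_sample_trail():
    """Constructed trail for one payment order moving through the key stages."""
    t = AuditTrail()
    t.record("2012-03-05T09:10:00", "mehmet", "drafted payment order",
             "ERP form PO-12", "PAY-002", "implementation")
    t.record("2012-03-05T11:30:00", "ayse", "approved payment order",
             "electronic signature", "PAY-002", "approval")
    t.record("2012-03-05T14:05:00", "fatma", "posted accounting entry",
             "journal voucher JV-88", "PAY-002", "accounting")
    t.record("2012-03-06T08:45:00", "ali", "matched bank statement line",
             "reconciliation report R-3", "PAY-002", "control")
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    for step in trail.trace("PAY-002"):
        print(*step, sep=" | ")
    print("chain intact:", trail.verify() == 0)
```

The chain only proves that the record has not changed since it was written; it does not by itself prove who wrote it or stop an administrator who can rewrite the whole file from the first entry onward. In practice the latest digest is periodically copied somewhere the system's own administrators cannot alter (a signed report to the risk coordinator, a write-once medium), which is the electronic counterpart of the archive "use and destruction" rules above.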
5.11 Business continuity (or emergency plans)

Adequate measures should be in place to ensure continuity of service in case of interruption of business as usual. Business continuity plans should be in place to ensure that the entity is able to continue operating, to the extent possible, whatever the nature of a major disruption.
5.12 Control activities related to Information Technology (IT)

IT systems entail specific types of control activities, which should be introduced in organisations by their managers. These information systems control mechanisms fall into two major groups: general controls and application controls.

General controls apply to all operations and contribute to their proper implementation. Application controls include both procedures programmed into the software product itself and procedures that must be carried out manually in order to control the processing of different operations. General controls are needed for the application controls to function: the absence of sufficient general controls cannot be offset by application controls.

General controls are usually applied in information analysis and processing centres, in the installation and maintenance of software products, and in the definition of access to information:
- controls for information analysis and processing centres: these include the organisation and planning of work, the intervention of the respective administrators/operators, procedures for saving and subsequent use of information, back-up and contingency plans;
- software controls: these refer to the acquisition, installation and maintenance of the software products necessary for the maintenance of the entire system and for the processing of software applications;
- access definition controls: these ensure protection against unauthorised access. Access definition restricts users by allowing them to use and perform operations only with particular software products, thus ensuring segregation of responsibilities.

General software controls built in during the development of the system entail detailed application tests and allow checking of the soundness of the program logic and whether all errors will be detected. After the system is built, the controls over access to and maintenance of the system give assurance that nobody can use or change the applications without appropriate authorisation and that all necessary changes are made in accordance with the established procedure for authorisation and approval.

Application controls support internal control by preventing the entry of wrong data into the system and by detecting and correcting errors through automated checks on the form and content of data. The prevention and detection of these errors is programmed into the respective application. Application controls analyse the data on-line (as they are entered into the system), provide immediate information on any detected error and ensure its prompt correction.

The use of both types of controls provides assurance that the information is analysed and processed completely, correctly and accurately.
5.13 Assessing costs and benefits of control activities

After the initial selection of control activities to reduce the impact of risks, risk owners should evaluate the costs and expected benefits of each control activity. If the cost of a control activity exceeds its expected benefit, the control activity should not be selected.
6. Practical stages for control activities

Practical steps for control activities are briefly indicated in the following table. Since control activities are linked to risks, points on risk management are provided in stages 1, 2 and 3, whereas points on control activities are provided in stages 4 and 5. For further details on stages 1, 2 and 3, please refer to the risk management chapter.

CA Table 1: Stages for control activities

Stage 1: Identify objectives.

Stage 2: Identify risks to achieving objectives.

Stage 3: Select the method of responding to risks: accepting, controlling, transferring, avoiding, or taking the opportunity.

Stage 4: Select the control method(s): preventive, detective, corrective, directive.

Stage 5: Select the type of control activities: authorisation and approval; segregation of duties; double signature system; reconciliation of data; supervision; ex-ante controls (checking compliance with the law); accounting covering all financial processes; anti-corruption; access to assets and information; documentation, archiving and information storage; business continuity; and information technology. Alternatively, refer to CA Annex 2, List of common control activities.
7. Steps to identify and implement control activities

Step 1: When assessing their risks, administrations review their systems and processes to determine whether they have existing controls to mitigate those risks. (Administrations implementing risk management under the principles of this manual for the first time should list and evaluate all existing control activities. Control activities that do not match the objectives and risks of the administration should be terminated.)

Step 2: Administrations assess whether these existing controls are effective/sufficient in mitigating the risks.

Step 3: If there are no existing controls, or the existing controls are not effective/sufficient, new and/or additional control activities are determined. (To help decide which control activities to select, refer to the list of control activities in Annex 2.) In this step it is useful to consider the following:
- it may be appropriate to select more than one control activity;
- any new control activities selected must be evaluated for cost-effectiveness; and
- appropriate control activities should be tested beforehand.

Step 4: No new control activities are foreseen for high risks that are already managed effectively/sufficiently by existing controls; those existing control activities should continue.

Step 5: Once the risk register has been approved, risk owners put the new control activities in place and ensure that monitoring of both the new controls and the existing controls that are being continued starts on the predetermined date.

Step 6: Stakeholders are notified in writing about the control activities and whether they are working effectively.

Step 7: When reporting risks in the Consolidated Risk Report (Risk Management Annex 4), the risk owner notifies the manager / risk coordinator how well the new control activities and the continued existing controls are working. This reporting involves writing a summary of what has happened, identifying the impact of the new and continued controls, and attaching any evidence to the report as an annex.
Control Activities Annexes

Annex 1: Examples of some common risks and controls

Risk management
Risk: Risks are not being managed effectively, so the organisation's objectives may not be achieved.
Possible controls:
- Risk workshops are organised to determine risks, allocate owners, determine controls and decide how their operation is monitored (corrective).

Cash management
Risk: Cash holdings could be stolen.
Possible controls:
- Cash is kept locked away and access to it is strictly controlled (preventive).
- There is segregation of duties for staff who have access to cash (preventive).
- Cheques and other payment forms are serially numbered (preventive).

Asset management
Risk: Assets could be stolen.
Possible controls:
- Physical controls, for example using a safe (preventive).
- Separation of duties, authorisation levels, passwords (preventive).
- Tagging of goods, reconciliations, stock counts (detective).

Document control
Risk: Documents received could be lost.
Possible controls:
- Keeping a register that shows where all received documents are filed (preventive).
Risk: Decisions are not taken on time because document control procedures are not clear and specific.
Possible controls:
- The document control procedure defines the controls needed to: approve documents for adequacy prior to issue; ensure that changes and the current revision status of key documents (strategic plan, performance programmes, etc.) are identified; ensure that previous versions of applicable documents are available at points of use; ensure that the distribution of sensitive and classified documents is controlled; and identify documents that should be archived (all preventive).

Planning and budgeting
Risk: Budget resources may be spent inappropriately.
Possible controls:
- Effective planning/budgeting process (preventive).
- Staff have received training in budget preparation (preventive).
- Comparison of interim and final accounts and activity reports with the strategic plan, performance programme and budget (detective).
Risk: Financial information may not be accurate and complete.
Possible controls:
- Financial information is stored and reported on the computer (preventive).

Procurement
Risk: Error and fraud could occur in the procurement process.
Possible controls:
- Separation of duties between staff making decisions, staff selected for the tender commission and staff involved in payments (preventive).
- Applying ex-ante controls to the award decision before the signing of the contract (preventive).
- Random checks on transactions by authorised staff (detective).
- Identifying purchasing thresholds (preventive).
- Requirement to seek the ex-ante approval of a senior manager or the Minister for some high-value procurements (double signature system) (preventive).
- Regular rotation of staff who have critical responsibilities in the procurement process (preventive).

Stores
Risk: Unauthorised removal of goods from store.
Possible controls:
- Physical stock checks against inventory records (detective).
Risk: Goods ordered but not delivered on time, or partially delivered.
Possible controls:
- Including penalty provisions in the contract for any failure to deliver goods on time (corrective).
- Comparison between invoices, goods delivery notes and the contract (detective).

Revenue management
Risk: Delays in submitting tax statements on time and failure to collect revenues on a timely basis.
Possible controls:
- Incentives for timely submission of tax statements (advance warning, posters, etc.) (directive).
- Incentives for on-line submission of tax statements (preventive).
- Penalties for late submission (preventive).

Contingency planning
Risk: A major incident destroys important data.
Possible controls:
- A business contingency plan exists, has been tested and is kept up to date (preventive).

IT security
Risk: Unauthorised staff may obtain access to computerised data.
Possible controls:
- Personal identifiers and passwords (preventive).
- Review of on-line access and transaction logs (detective).
Risk: Master files may be changed inappropriately.
Possible controls:
- Supervisor authorisation is required on forms indicating the data to be changed (preventive).
- The supervisor does not have change access rights (preventive).
- The supervisor verifies changes against a printout of the changes (detective).
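The detective control "review of on-line access and transaction logs" in the IT security rows above is only as good as the questions the reviewer asks of the log. The following added example (not from the manual or any administration's system; the log format, user names, working hours, authorised-user list and the rule that only one named account may change master files are all assumptions, and the log lines are constructed) runs four such questions over a sample access log: is the account on the authorised list, did a successful access happen outside working hours, has an account accumulated repeated failed logins, and did anyone without change rights modify a master file.

```python
"""Periodic review of an access log (Annex 1, IT security).  Added example;
format, rules and log lines are constructed assumptions."""
from collections import Counter
from datetime import datetime

AUTHORISED_USERS = {"ayse", "mehmet", "fatma", "ali"}   # assumed access list
MASTER_CHANGE_RIGHTS = {"ali"}                          # assumed: only ali may change master files
WORK_HOURS = range(8, 18)                               # assumed 08:00-17:59, Monday to Friday
FAILURE_THRESHOLD = 3                                   # assumed alert level for failed logins

# Constructed sample log: ISO timestamp followed by key=value pairs.
LOG = """\
2012-03-05T09:12:01 user=ayse action=login result=success src=10.0.3.11
2012-03-05T22:14:07 user=mehmet action=login result=success src=10.0.3.17
2012-03-06T10:02:44 user=guest action=read object=master/suppliers result=success src=10.0.9.2
2012-03-06T10:05:00 user=fatma action=login result=failure src=10.0.3.20
2012-03-06T10:05:21 user=fatma action=login result=failure src=10.0.3.20
2012-03-06T10:05:40 user=fatma action=login result=failure src=10.0.3.20
2012-03-06T10:06:12 user=fatma action=update object=master/suppliers result=success src=10.0.3.20
""".splitlines()


def parse(line):
    """Split one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def outside_hours(ts):
    """True on weekends or outside the assumed working hours."""
    return ts.weekday() >= 5 or ts.hour not in WORK_HOURS


def review_log(lines):
    """Return (finding type, user, detail) for every event the reviewer should examine."""
    findings = []
    failures = Counter()
    for e in map(parse, lines):
        user, ts = e["user"], e["ts"]
        if user not in AUTHORISED_USERS:
            findings.append(("unauthorised-user", user, ts.isoformat()))
        if e["result"] == "success" and outside_hours(ts):
            findings.append(("outside-hours", user, ts.isoformat()))
        if e["result"] == "failure":
            failures[user] += 1
        is_master_change = (e["action"] in {"update", "delete"}
                            and e.get("object", "").startswith("master/"))
        if is_master_change and user not in MASTER_CHANGE_RIGHTS:
            findings.append(("master-change-without-rights", user, e["object"]))
    for user, count in failures.items():
        if count >= FAILURE_THRESHOLD:
            findings.append(("repeated-failures", user, count))
    return findings


if __name__ == "__main__":
    for finding in review_log(LOG):
        print(*finding, sep=" | ")
```

A successful master-file update by an account that should not have change rights is two findings in one: the change itself must be verified against the authorised change form (the preventive and detective controls in the same row), and the access definition that allowed it must be corrected, which is a general-control failure in the sense of 5.12 that no amount of log review offsets.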
Annex 2: List of common control activities

Risk management
Control objective: Appropriate risk management policies, procedures, techniques and mechanisms exist for each of the organisation's activities.
- Management has ensured that all relevant objectives and associated risks for each significant activity have been identified, in conjunction with the risk assessment and analysis function.
- Management has identified the actions and control activities needed to address the risks and directed their implementation.

Implementing control activities
Control objective: The control activities identified as necessary are in place and being applied.
Management has ensured that:
- control activities described in policy and procedures manuals are actually applied, and applied properly;
- managers and employees understand the purpose of internal control activities;
- nominated staff review the functioning of established control activities and remain alert for instances in which excessive control activities should be minimised.
For existing control activities, look out for:
- Guidance: it is likely that there will be official guidance about how to carry out your work.
- Documentation: there may be standard document control procedures to ensure that new documents are registered and filed, changes to documents are recorded, and documents no longer in use are archived.
- Checking the work of others: this basic control activity can involve a supervisor or manager checking the work of staff, staff in one section checking the work of staff in another section, or computer checks. There may also be a requirement for transactions to be checked by the SDU under the ex-ante control regulation.
- Security: protecting documents, cash and assets.
- Contingency arrangements: ensuring the continuation of essential services in the event of a service failure.

Performance monitoring
Control objective: Senior management track outturn in relation to operational and performance plans.
- Top management are involved in developing annual performance plans and targets and in measuring and reporting results against those plans and targets.
- Top management regularly review actual performance against budgets, forecasts and prior-period results.
- Top management take appropriate corrective action when progress reports indicate that performance is significantly out of line with plans.
Control objective: Operational managers review actual performance against targets.
- Managers at all activity levels review performance reports, analyse trends and measure results against targets.
- Managers review and compare financial, budgetary and operational performance to planned or expected results.
- Appropriate control activities are employed, such as reconciliation of summary information to supporting detail, checking the accuracy of summaries of operations, and checking the reliability of data sources and data systems.
- Comparisons are made relating different sets of data to one another so that the relationships can be analysed and corrective action taken if necessary.
- Investigation of unexpected results or unusual trends leads to the identification of circumstances in which the achievement of goals and objectives may be threatened, and corrective action is taken.
- Analysis and review of performance indicators and results are used for both operational and financial reporting control purposes.

Quality of performance measures and indicators
Control objective: The organisation monitors the quality of performance measures and indicators.
- The organisation periodically reviews and validates the propriety and integrity of performance measures and indicators.
- Performance measurement assessment factors are evaluated to ensure that they are linked to mission goals and objectives, are balanced, and set appropriate incentives for achieving goals while complying with law, regulations and ethical standards.
- Actual performance data is continually compared against planned goals, and differences are analysed to establish whether the right things are being measured in the right way.

Human resource management
Control objective: The organisation effectively manages its workforce to achieve results.
- A clear and coherent shared vision of the organisation's mission, goals, values and strategies is explicitly identified in the strategic plan, annual performance plan and other guiding documents, and that vision has been clearly and consistently communicated to all employees.
- The organisation has a coherent overall manpower planning strategy, as evidenced in its strategic plan, performance plan or a separate manpower planning document, and that strategy encompasses manpower planning policies, programmes and practices to guide the organisation.
- The organisation has a specific and explicit workforce planning strategy, linked to the overall strategic plan, that allows for the identification of current and future manpower planning needs.
- Senior leaders and managers support teamwork, reinforce the shared vision of the organisation and encourage feedback from employees, as evidenced by actions taken to communicate this to all employees and by the existence of opportunities for management to obtain feedback.
- The organisation's performance management system is given high priority by top-level officials and is designed to guide the workforce to achieve the organisation's shared vision/mission.
- Procedures are in place to ensure that staff with appropriate competencies are recruited and retained for the work of the organisation, including a formal recruiting and hiring plan with explicit links to the skill needs the organisation has identified.
- Employees are provided with the information, training and tools to perform their duties and responsibilities, improve performance, enhance their capabilities and meet the demands of changing organisational needs.
- Qualified and continuous training is provided to ensure that internal control objectives are being met.
- Meaningful, honest and constructive performance evaluation and feedback are provided to help employees understand the connection between their performance and the achievement of the organisation's goals.

Information processing
Control objective: The organisation uses a variety of control activities suited to information processing systems to ensure accuracy and completeness.
- Edit checks are used in controlling data entry.
- Transactions are accounted for in numerical sequence.
- File totals are compared with control accounts.
- Exceptions or violations indicated by other control activities are examined and acted upon.
- Access to data files and programs is appropriately controlled.
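The first three items under Information processing, together with the application controls described in section 5.12 (programmed checks on the form and content of data as it is entered), are illustrated by the following added example. It is not code from the manual or from any administration's system: the record layout, the supplier and cost-centre master lists, the amount limit and the batch of payment orders are constructed assumptions. Each record gets edit checks; the document numbers are checked for gaps and duplicates; and the count and value total the operator declared for the batch are compared with what was actually keyed in, so that a dropped or double-keyed record is caught even when every individual record passes.

```python
"""Application controls over a keyed-in batch of payment orders (5.12 and
Annex 2, Information processing).  Added example; all data is constructed."""
from datetime import date

VALID_SUPPLIERS = {"S-100", "S-101", "S-205"}   # assumed supplier master file
VALID_COST_CENTRES = {"CC-10", "CC-20"}         # assumed cost-centre master file
MAX_AMOUNT = 1_000_000.00                       # assumed single-order limit
BATCH_DATE = date(2012, 3, 6)                   # assumed date the batch was keyed in

# Constructed batch as keyed in, plus the header the operator declared for it.
BATCH = [
    {"no": 1001, "date": "2012-03-05", "supplier": "S-100", "cost_centre": "CC-10", "amount": 1500.00},
    {"no": 1002, "date": "2012-03-05", "supplier": "S-101", "cost_centre": "CC-20", "amount": -50.00},
    {"no": 1004, "date": "2012-03-07", "supplier": "S-999", "cost_centre": "CC-10", "amount": 320.00},
    {"no": 1004, "date": "2012-03-06", "supplier": "S-205", "cost_centre": "CC-30", "amount": 320.00},
]
DECLARED = {"count": 4, "total": 2410.00}


def edit_check(rec):
    """Form and content checks on one record; returns the list of errors found."""
    errors = []
    try:
        if date.fromisoformat(rec["date"]) > BATCH_DATE:
            errors.append("date in the future")
    except (TypeError, ValueError):
        errors.append("invalid date")
    amount = rec["amount"]
    if not isinstance(amount, (int, float)) or not 0 < amount <= MAX_AMOUNT:
        errors.append("amount out of range")
    if rec["supplier"] not in VALID_SUPPLIERS:
        errors.append("unknown supplier")
    if rec["cost_centre"] not in VALID_COST_CENTRES:
        errors.append("unknown cost centre")
    return errors


def sequence_check(numbers):
    """Gaps and duplicates in what should be a contiguous run of document numbers."""
    present = sorted(numbers)
    expected = set(range(present[0], present[-1] + 1))
    gaps = sorted(expected - set(present))
    duplicates = sorted({n for n in present if present.count(n) > 1})
    return gaps, duplicates


def batch_control(batch, declared):
    """Compare the declared count and value total with what was actually keyed."""
    actual_total = round(sum(r["amount"] for r in batch), 2)
    return {"count_ok": len(batch) == declared["count"],
            "total_ok": actual_total == declared["total"],
            "actual_total": actual_total}


def validate_batch(batch, declared):
    """Run every control; the batch is accepted only if all of them pass."""
    record_errors = [(i, r["no"], edit_check(r)) for i, r in enumerate(batch, start=1)]
    gaps, duplicates = sequence_check([r["no"] for r in batch])
    control = batch_control(batch, declared)
    accepted = (all(not errs for _, _, errs in record_errors) and not gaps
                and not duplicates and control["count_ok"] and control["total_ok"])
    return {"records": [(i, no, errs) for i, no, errs in record_errors if errs],
            "gaps": gaps, "duplicates": duplicates, "batch": control, "accepted": accepted}


if __name__ == "__main__":
    result = validate_batch(BATCH, DECLARED)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The checks are deliberately independent: the sequence check would still catch the missing order 1003 if every record were clean, and the total check would still catch a mis-keyed amount that happened to fall inside the permitted range. Rejected batches are returned to the operator with the findings, which is the "examined and acted upon" item in the same list.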
Physical Control Over Vulnerable Assets
The organisation uses
physical controls to secure
and safeguard vulnerable
assets
Physical safeguarding policies and procedures have
been developed implemented and communicated
to all staff
The organisation has developed a disaster recovery
plan which is regularly tested updated and
communicated to staff
The organisation has developed a plan for the
identification and protection of any critical
infrastructure assets
Assets that are particularly vulnerable to loss theft
90
Category Control Activity
damage or unauthorised use such as cash
securities supplies inventories and equipment are
physically secured and access to them controlled
Assets such as cash securities supplies inventories
and equipment are periodically counted and
compared to control records and exceptions
examined
Cash and negotiable securities are maintained under
lock and key and access to them strictly controlled
Forms such as blank checks and purchase orders are
sequentially pre-numbered and physically secured
and access to them strictly controlled
Mechanical check signers and signature plates are
physically protected and access to them strictly
controlled
Equipment vulnerable to theft is securely fastened or
protected in some other manner
Identification plates and numbers are attached to
office furniture and fixtures equipment and other
portable assets
Inventories supplies and finished itemsgoods are
stored in physically secured areas and protected from
damage
Facilities are protected from fire by fire alarms and
sprinkler systems
Access to premises and facilities is controlled by
fences guards andor other physical controls
Access to facilities is restricted and controlled during
nonworking hours (alarms CCTV etc)
Separation of duties
Key high risk and sensitive
duties and responsibilities
are divided or segregated
among different people
to reduce the risk of error
waste or fraud
No one individual is allowed to control all key aspects
of a transaction or event
Responsibilities and duties involving transactions and
events are separated among different employees
with respect to authorisation approval processing
and recording making payments or collection of
income review and auditing and the custodial
functions and handling of related assets
Duties are assigned systematically to a number of
individuals to ensure that effective checks and
balances exist
Where feasible no one individual is allowed to work
alone with cash securities or other assets
The responsibility for opening mail which contains
cash is assigned to individuals who have no
responsibilities for or access to files or documents
pertaining to accounts receivable or cash accounts
Bank accounts are reconciled by staff who have no
responsibilities for cash receipts disbursements or
custody
91
Category Control Activity
Authorisation for transactions or events
Appropriate staff is
authorised for transactions
and other significant
events
Controls ensure that only valid transactions and other
events are initiated or entered into in accordance
with management decisions and directives
Controls exist to ensure that all transactions and other
significant events are authorised and executed only
by employees acting within the scope of their
authority
Authorisations are clearly communicated to
managers and employees and include the specific
conditions and terms under which authorisations are
to be made
The terms of authorisations are in accordance with
directives and within limitations established by law
regulation and management
Recording transactions and events
Transactions and other
significant events are
properly classified and
promptly recorded
Transactions and events are appropriately classified
and promptly recorded so that they maintain their
relevance value and usefulness to management in
controlling operations and making decisions
Proper classification and recording take place for
each transaction or event
Accountability for and access restrictions to resources and records
Access to resources and
records is limited and
accountability for their
custody is clearly
allocated
The risk of unauthorised use or loss is controlled by
restricting access to resources and records only to
authorised staff
Accountability for resources and records custody and
use is assigned to specific individuals
Access restrictions and accountability assignments for
custody are recorded and periodically reviewed
Periodic comparison of resources with the recorded
accountability is made to determine if the two agree
and differences are examined
How frequently actual resources are compared to
records and the degree of access restrictions are
functions of the vulnerability of the resource to the risk
of errors fraud waste misuse theft or unauthorised
alteration
Management considers such factors as asset value
portability and exchangeability when determining
the appropriate degree of access restrictions
As a part of assigning and maintaining accountability
for resources and records management inform and
communicate those responsibilities to specific
individuals within the organisation and ensure that
those people are aware of their duties for appropriate
custody and use of those resources
Documentation
Internal control, transactions and other significant events are clearly documented
- Written documentation exists covering the organisation's internal control structure and all significant transactions and events
- The documentation is readily available for examination
- The documentation for internal control includes identification of the organisation's activity-level functions and related objectives and control activities, and appears in management directives, administrative policies, manuals and other guidance
- Documentation for internal control includes documentation describing and covering management information systems, data collection and handling, and the specifics of general and application controls related to such systems
- Documentation of transactions and other significant events is complete and accurate and facilitates tracing the transaction or event and related information from authorisation and initiation, through its processing, to after it is completed
- Documentation, whether in paper or electronic form, is useful to those involved in controlling, evaluating or analysing operations
- All documentation and records are properly managed, maintained and periodically updated
General computer controls
The organisation periodically performs a comprehensive high-level assessment of risks to its information systems
- Risk assessments are performed and documented regularly and whenever systems, facilities or other conditions change
- Risk assessments consider data sensitivity and consistency
Effective computer security controls are in operation and are monitored
- The organisation has developed a plan that clearly describes the organisation-wide security plan and the policies and procedures that support it
- Senior management have established a structure to implement and manage the IT security program throughout the agency, and security responsibilities are clearly defined
- The organisation monitors the security plan's effectiveness and makes changes as needed
- Corrective actions are promptly and effectively implemented and tested, and they are continually monitored
Effective computer access controls are in place and are monitored
- Information resources are classified according to their criticality and sensitivity
- Resource classifications and related criteria have been established and communicated to resource owners
- Resource owners have classified their information resources based on approved criteria and with regard to risk determinations and assessments, and have documented those classifications
- Resource owners have identified authorised users, and their access to the information has been formally authorised
- The organisation monitors information systems access, investigates apparent violations and takes appropriate remedial action
- The organisation has established physical and logical controls to prevent or detect unauthorised access
Application software development and change controls are in place and are monitored
- Application software modifications are properly authorised
- All new or revised software is thoroughly tested and approved
- The organisation has established procedures to ensure control of its software libraries, including labelling, access restrictions, and use of inventories and separate libraries
- All key activities are monitored
Effective system software controls are in place and are monitored
- The organisation limits access to system software based on job responsibilities, and access authorisation is documented
- Access to and use of system software are controlled and monitored
- The organisation controls changes made to system software
There is effective separation of duties for IT operations
- Incompatible duties have been identified and policies implemented to segregate those duties
- Access controls have been established to enforce segregation of duties
Controls ensure the continuity of IT services
- The criticality and sensitivity of computerised operations have been assessed and prioritised, and supporting resources have been identified
- The organisation has taken steps to prevent and minimise potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management
- Management have developed and documented a comprehensive IT service contingency plan
- The organisation periodically tests the contingency plan and adjusts it as appropriate
Computer application controls
Source documents are controlled and require authorisation
- Access to blank source documents is restricted
- Source documents are pre-numbered sequentially
- Key source documents require authorising signatures
- For batch application systems, batch control sheets are used, providing information such as date, control number, number of documents and control totals for key fields
- Senior management or independent review of data occurs before it is entered into the application system
- Data entry terminals have restricted access
- Master files and exception reporting are used to ensure that all data processed are authorised
Completeness controls
- All authorised transactions are entered into and processed by the computer
- Reconciliations are performed to verify data completeness
Accuracy controls
- The organisation's data entry design features contribute to data accuracy
- Data validation and editing are performed to identify erroneous data
- Erroneous data is captured, reported, investigated and promptly corrected
- Output reports are reviewed to help maintain data accuracy and validity
Control over integrity of processing and data files
- Procedures ensure that the current version of programs and data files are used during processing
- Programs include routines to verify that the proper version of the computer file is used during processing
- Programs include routines for checking internal file header labels before processing
- The application protects against concurrent file updates
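As an added illustration (not part of the manual), the following Python script applies the batch control-sheet, sequential pre-numbering, authorising-signature and completeness/accuracy checks listed above to a constructed batch of payment vouchers; the voucher layout, control sheet fields and finding codes are assumptions made for the example.

```python
"""Batch control-sheet reconciliation for a batch application system.

Added example, not from the manual: the voucher layout, control sheet
fields and finding codes are assumed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal
from typing import Any, List, Tuple


@dataclass(frozen=True)
class Voucher:
    """One payment voucher (a key source document) keyed into the batch."""
    number: int          # pre-numbered sequentially when the blank form is issued
    payee: str
    amount: Decimal      # key field covered by the control total
    authorised_by: str   # authorising signature; empty means none present


@dataclass(frozen=True)
class ControlSheet:
    """Batch control sheet prepared by the originating unit with the batch."""
    batch_date: str
    control_number: str
    first_number: int    # expected voucher number range, inclusive
    last_number: int
    document_count: int
    total_amount: Decimal


Finding = Tuple[str, Any]


def check_batch(sheet: ControlSheet, vouchers: List[Voucher]) -> List[Finding]:
    """Reconcile keyed vouchers against the control sheet.

    Returns (code, detail) findings; an empty list means the batch agrees
    with its control sheet and every voucher carries an authorising signature.
    """
    findings: List[Finding] = []
    counts = Counter(v.number for v in vouchers)
    expected = set(range(sheet.first_number, sheet.last_number + 1))
    present = set(counts)

    # Completeness: the sheet's document count and the pre-numbered sequence
    # must both agree. A count can match while one number is missing and
    # another is keyed twice, so the sequence check is what exposes that case.
    if len(vouchers) != sheet.document_count:
        findings.append(("COUNT_MISMATCH", (sheet.document_count, len(vouchers))))
    missing = sorted(expected - present)
    if missing:
        findings.append(("MISSING_NUMBERS", missing))
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    if duplicates:
        findings.append(("DUPLICATE_NUMBERS", duplicates))
    out_of_range = sorted(present - expected)
    if out_of_range:
        findings.append(("OUT_OF_RANGE", out_of_range))

    # Accuracy: the control total over the key field must equal the sheet total.
    total = sum((v.amount for v in vouchers), Decimal("0"))
    if total != sheet.total_amount:
        findings.append(("CONTROL_TOTAL_MISMATCH", (sheet.total_amount, total)))

    # Authorisation: key source documents require an authorising signature.
    unauthorised = sorted({v.number for v in vouchers if not v.authorised_by.strip()})
    if unauthorised:
        findings.append(("UNAUTHORISED", unauthorised))
    return findings


# Constructed sample: the sheet says five vouchers numbered 101-105 totalling
# 13,700.00; the keyed batch lost 103, keyed 104 twice, and 104 is unsigned.
SAMPLE_SHEET = ControlSheet("2009-03-02", "PAY-2009-017", 101, 105, 5, Decimal("13700.00"))
SAMPLE_VOUCHERS = [
    Voucher(101, "Office supplier", Decimal("1500.00"), "A. Kaya"),
    Voucher(102, "Utility company", Decimal("4200.00"), "A. Kaya"),
    Voucher(104, "Printing house", Decimal("2700.00"), ""),
    Voucher(104, "Printing house", Decimal("2700.00"), ""),
    Voucher(105, "Cleaning contractor", Decimal("4000.00"), "A. Kaya"),
]
CORRECTED_VOUCHERS = [
    Voucher(101, "Office supplier", Decimal("1500.00"), "A. Kaya"),
    Voucher(102, "Utility company", Decimal("4200.00"), "A. Kaya"),
    Voucher(103, "Courier service", Decimal("1300.00"), "A. Kaya"),
    Voucher(104, "Printing house", Decimal("2700.00"), "A. Kaya"),
    Voucher(105, "Cleaning contractor", Decimal("4000.00"), "A. Kaya"),
]


def sample_findings() -> List[Finding]:
    """Findings for the faulty constructed batch."""
    return check_batch(SAMPLE_SHEET, SAMPLE_VOUCHERS)


def corrected_findings() -> List[Finding]:
    """Findings once voucher 103 is keyed and 104 is signed: none."""
    return check_batch(SAMPLE_SHEET, CORRECTED_VOUCHERS)


if __name__ == "__main__":
    for code, detail in sample_findings():
        print(f"{SAMPLE_SHEET.control_number}: {code} {detail}")
```

Note that the document count alone agrees with the sheet in the faulty batch; only the sequence check and the control total reveal the missing and duplicated voucher.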
Annex 3 - Illustrations for cost benefit analysis
Example 1
You are considering hiring a junior clerk to carry out a 100 per cent check on all payments your spending unit makes (checking each agrees to the supporting documents) to ensure the correct amount is paid. This is an ex-ante control, as the check is made prior to the payment. You estimate that this task will occupy the junior clerk for 100 per cent of their working time.
Cost of the junior clerk: 2500 YTL a month (1200 salary plus 1300 contribution to overheads, e.g. heating the building).
Scenario A
Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 3000 YTL a month.
Decision: this control activity is cost effective and the junior clerk should be employed to do this checking.
Scenario B
Cost: same as above.
Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 2000 YTL a month.
Decision: this control activity is not cost effective and the junior clerk should not be employed on a full-time basis to do this checking. You can rely on other controls instead.
Possibilities:
- Focus checking on only the highest value or riskiest payments; this will only employ the clerk for 50 per cent of their time. If you estimate that it will find, on average, errors of overpayment of 1600 YTL a month (i.e. over 50 per cent of the clerk's cost), this is a better alternative control; or
- Don't do any checking; rely on a separation of duties control (a different clerk raises the payment from the one that enacts the payment) to prevent fraudulent overpayments.
Example 2
You do not currently employ any public relations expert.
In the absence of any control on dealings with the press, you assess the risk of reputational damage as being high likelihood and high impact.
Cost of the expert in public relations: 4500 YTL a month (2500 salary plus 2000 contribution to overheads, e.g. heating the building).
Scenario 1
You have a low risk appetite in terms of reputational damage and consider that the benefit of all dealings with the press going through the expert in public relations will successfully mitigate the risk to within your risk appetite (by considerably reducing the likelihood of reputational damage through ill-advised comments being given to the press). You consider that this risk mitigation is so important to your administration that it justifies the employment of the expert in public relations.
Decision: you employ the expert in public relations.
Scenario 2
You have a high risk appetite in terms of reputational damage and consider that the risk of reputational damage through ill-advised comments being given to the press without employing the expert in public relations is equal to or less than your risk appetite for this risk. You thus consider that the benefit of employing the expert is outweighed by the cost. You therefore consider that it is not cost-effective to employ the expert in public relations.
Decision: you do not employ the expert in public relations.
Action: as you are at or below your risk appetite for the reputational risk, you need not select an alternative control activity, but you should continue to review in the future, as the decision may change if your risk appetite reduces or your assessment of the likelihood and/or impact of the risk increases.
INFORMATION AND COMMUNICATION
1 INTRODUCTION
Information and communication, as the fourth of the five components of the COSO internal control model, ensures the relation between control environment, risk assessment and control activities through the sharing of information and communication, and has an important role in increasing the functionality and operational competence of the internal control system, which is regarded as a tool for attaining organisational objectives and aims, as it regulates the information flow within the administration.
The aim of this chapter of the manual is to give information, within the framework of the internal control standards, about structures and practices related to the use of information and communication mechanisms, and to provide guidance for users about reporting, registry and filing systems and the methods to be used in notifying faults, irregularities and corruption, with a view to ensuring that administrations carry out their activities in line with their objectives as well as accounting for their activities.
Communication refers to the transformation and conveyance of information within the organisation, vertically and horizontally, and externally via proper mechanisms to relevant people, administrations and bodies. Administrations must aim to establish an effectively managed and well coordinated communication system that meets the information needs of managers, staff and the public.
In the event that information and communication systems do not function as expected, managers and staff may come up against the risk of not being able to make timely and right decisions, not being able to implement those decisions and ultimately not being able to achieve the objectives. In this regard, information should be accessible, useful, timely, accurate, complete and up-to-date.
2 Information and Communication Standards
Information and communication includes the information, communication and record system which will ensure the transfer of required information to the person, personnel and administrator who need the information, in the determined format and within a time period which enables the concerned to fulfil internal control and their other responsibilities.
IC Box 1 Information and Communication Standards
(Box figure: the five COSO components Control Environment, Risk Management, Control Activities, Info & Communication and Monitoring.)
Standard 13 Information and communication
The administrations shall have a suitable information and communication system with a view to ensuring that the performance of the units and the personnel is monitored, decision-making processes operate soundly, and there is efficiency and satisfaction in providing service.
Standard 14 Reporting
Goals, objectives, indicators and activities of the administration and their results shall be reported in accordance with the principles of transparency and accountability.
Standard 15 Record and filing system
The administrations shall have a comprehensive and up-to-date system where the works and transactions, including incoming and outgoing documents, are recorded, classified and filed.
Standard 16 Notification of faults, irregularities and corruptions
The administrations shall develop methods which will ensure that faults, irregularities and corruptions are notified in a specific order.
3 ROLES AND RESPONSIBILITIES IN INFORMATION AND COMMUNICATION
Minister
Ensures coordination and cooperation with other ministries and informs the public and the TGNA about the annual performance programme and activity report submitted to him by the administration.
Head of Administration
The Head of Administration must publish an announcement, via the internal communication network or an official letter, on what is to be done before the preparation of such documents as the strategic plan, performance program, activity report and Risk Strategy and Policy Paper, which need to be prepared in a way which will ensure attainment of pre-identified objectives in the fields the administration is responsible for.
Another duty of the Head of Administration is to sign the internal control assurance declaration and inform the public and the Minister.
As the quality of the information exchange and communication between the Head of Administration and the other actors has a direct effect on the accountability of the Head of Administration, the Head of Administration must guide the relevant units about the frequency and methods of feedback he prefers.
The Head of Administration must take notice of whether the current information system meets the needs during the set-up and integration of new information systems. If a new system is to be set up, it must be designed taking integration with the other information systems into consideration.
Internal Auditor
As prescribed by Law no 5018, the internal auditors work to assess the internal control system under the Head of Administration. In this regard, internal auditors report to the Head of Administration whether the internal control system functions properly or not. Therefore, to be able to carry out their duties, internal auditors should be given unlimited access to every kind of information they need. Setting up such a mechanism depends on robust communication and flow of information between the internal auditors and the Head of Administration.
The Head of Administration is entitled to take preventive or corrective actions and develop new control activities based on the report submitted by the internal auditor, or to request additional reports.
Authorising Officer
Authorising Officers must ensure that the tasks, powers and responsibilities of staff are defined clearly and in writing and communicated to all staff. In this framework, a chart of duties which demonstrates the functional reporting network must be produced and communicated to the staff.
A communication network that ensures quick and timely access by the staff and managers to the activities and the results must be used. In this regard, the organisational chart of the administration can also include a diagram which shows the tasks of the sub-units and the responsible and authorised staff, on the intranet and internet. The Authorising Officer must ensure that sub-units are informed about the activities of each other.
Authorising officers
- must ensure that an electronic communication and archiving system is used effectively for the accurate and reliable acquisition, storage and communication of the information needed regarding the objectives, activities and indicators that are relevant to their respective units, from among those included in the strategic plan and performance program of the administration;
- must provide for the regular announcement of the status of realisation regarding the performance objectives and indicators related to their respective units, and the grounds for the data, on the webpage of the unit;
- must provide information for the periodical reporting to the SDUs that will be carried out by authorising officers (information about objectives and risks of the unit, status of realisation, etc); and
- should transfer timely, complete and accurate information and documents regarding financial transaction processes to the Accounting Officer, and set up mechanisms to store records and statistics.
Realisation Officer
Realisation officers, who are responsible for issuing spending orders, must periodically brief the authorising officer on the spending process. In this regard, the information on the spending order being complete, accurate, understandable and reliable plays a significant role in realisation officers fulfilling the tasks requested of them.
Accounting Officer
The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way. Accounting Officers must regularly report to the authorising officer on the accounting records.
Strategy Development Units
SDU managers must review the information included in the activity reports, performance programmes and strategic plans by holding periodic meetings with the authorising officers of other units. Personnel of SDUs must obtain the information that is needed in the field of financial management and control through these persons.
The necessary coordination for the formation of the team that will carry out the studies on the establishment and development of Information Management Systems within the administration is provided by the SDU.
In fulfilling the coordination duties of SDUs, which are defined by law, the Principles and Procedures of Internal Control and Ex-ante Financial Control, the Strategy Planning Guideline, the Legislation and Manual on Performance Programs to be Prepared in Public Administrations, and secondary and tertiary regulations such as the Budget Preparation Manual must be taken into consideration.
SDUs must have a webpage with forums, good practice examples and frequently asked questions to ensure communication with internal and external stakeholders, in order to carry out their tasks more effectively.
Central Harmonisation Unit
While carrying out its tasks in the field of information and communication:
- the CHU sets up a common (web-based) network where information can be shared;
- it organises trainings, panels and conferences for the actors that take part in the field of internal control; and
- CHU members are assigned to be responsible for particular administrations, to enhance information and communication with the SDUs of administrations. They communicate with SDUs and provide them with information and guidance via official letters, call centres, telephone, forums, etc.
Please refer to the CHU Handbook for further details on the roles and responsibilities of the CHU.
Besides the practices and methods in the area of information and communication given in this manual, public administrations must also take into consideration those regulations in the legislation which are directly related to the area of information and communication. These basic regulations are contained in IC Annex I.
4 INFORMATION
The prerequisite for reliable and proper information is the immediate recording and suitable classification of all operations and transactions. Internal control includes obtaining, classifying, recording, utilising and reporting both financial and non-financial information.
41 Characteristics of Information
The characteristics that the information used in public administrations must have are given below.
- Timely: Information should be obtained and transferred at the right time by the right personnel.
- Related: Information should be related to every activity, work or action.
- Available: Information holdings should be available to those who require them the moment they need them, and also later. Technology should be available to users in order to facilitate obtaining, storing, transferring and using information.
- Comprehensible: The description of information holdings must have the same meaning for users at all levels of the administration. In addition, information that is shared with external stakeholders must be clear and meaningful for the users.
- Usable: Information must meet the needs of its users in relation to the purposes for which it was received.
- Complete: Both the content and form of information should be complete in order to provide for efficient and effective use of information holdings.
- Accurate: Information must reflect accurately and correctly the points regarding the aims, objectives and activities it relates to.
- Up-to-date: Information must be updated and related to the needs. A lack of up-to-date information can impair decision making and program delivery. Managers and personnel should take the necessary actions to keep information up-to-date.
42 Information Management
Information management is a process where information is planned and obtained from any kind of source, internally or externally, classified, stored, communicated to relevant bodies in a timely manner for interpretation, reviewed for updating and destroyed. The stages of this process are complementary to each other. In any stage there may occur a need to take into consideration the phases of the previous or next stage.
IC Figure: Information Management Process (stages shown in the figure: planning information need; creating and collecting information; organising information; utilising and sharing information; reviewing and keeping information)
421 Planning Information Need
The planning stage starts with identifying strategic aims and objectives and performance objectives, as well as identifying the information needs to achieve these objectives. This stage includes the assessment of who needs what information, when and why, and how they can acquire it, at all levels from the operational to the strategic activity level, in order for the administration to maintain its operations effectively.
In the planning stage the following factors must be taken into consideration:
- Internal and external information users must be defined and classified. Information needs of users must be determined. Information holdings must be examined to see whether the current information needs of the users can be met using them.
- While novel databases and information systems are designed, the risk of the information being disseminated to the public must be considered.
- The benefit and cost of information in terms of the users must be analysed.
- The information need for new legislative, strategic and operational aims must be defined along with the relevant information system requirements; furthermore, the person and the time to do this work must be set out.
- Emerging information needs must be compared to the present information and information systems within and outside the administration.
- For increasing the value or productivity, or decreasing the cost, of the systems in use, such methods as combining information systems, using novel technologies and standard practices can be referred to.
The value of information is not only about how it is used and kept but also about how and when it is going to be destroyed. Many factors, such as legislation, information policies and needs, may have an impact on how long to keep that information. Information which is being kept should be destroyed in accordance with the relevant legislation after the necessary approvals have been received.
422 Creating and Collecting Information
While producing and collecting information, first of all the value of the information for the administration must be set out, and it should be made sure that the people in need of the information have access to it on time.
The information collection and creation process should focus on the following, and the information collected or created must have the capacity to meet the needs of the administration. To this end:
- The holdings must be periodically reviewed in order to determine if the information that is created or collected continues to meet the identified needs, and it must be followed up whether users really use the information. A great deal of information can still be unnecessarily collected for a reason that was identified in previous periods. If the administration decides to stop collecting that information, it must first set out whether any individual or program would be affected.
- The quality and scope of information, as well as its relation to the defined needs and whether it meets the needs or not, should be understood in regular reviews. In addition, the implicit information of the staff must be turned into explicit information and incorporated into the information inventory. The information produced as a result of the process studies must be classified starting from the most frequently used to the least.
- Information must be compiled in information pools to be created. This information must be clear and understandable. The information in the pool must be open to access upon being classified in accordance with the information hierarchy, such as strategic and operational. Management of the information pool must be carried out by a team who are competent in the processes to be formed within the administration.
- Legislation or policies may demand that certain information be collected by an administration. Therefore, information that is collected must meet legislative and institution-specific policy requirements.
Information collection must be coordinated. To this end:
- all information collection activities must be accounted for, including all regions and organisational units, and information collected must be accessible;
- the administration must ensure that information collection conforms to the applicable standards;
- information must be periodically reviewed in order to ensure that the requirements of the relevant legislation are respected; this might be done during the annual update of personal information; and
- before information is created or collected, existing information holdings must be reviewed to determine if the information needs can be satisfied by existing holdings or readily accessible external information sources.
The following are the leading sources of information:
- instructions, approvals, invoices, transaction orders, petitions;
- interactions between clients, vendors or other ministries and agencies;
- planning documents: budgets, forecasts, work plans, blueprints (technical or engineering designs);
- drafts, schemes of information architecture;
- reports, policy briefing notes, other documents supporting the activities and justifications;
- meeting documents: agendas, records of decision;
- commission documents, job descriptions, member lists;
- requests for information and the responses, emails, forms used to collect responses, templates, related instructions, responses in every format;
- client records, applications, evaluations, emails, phone calls;
- every kind of data in electronic medium; and
- information resources which could provide additional information.
Collecting Information from the Public/Private Sector
The response burden should be minimised to the lowest level possible in this process. To this end:
- the administration should determine from whom it will receive information, at what frequency and in what detail, as well as what burden this process will create upon respondents; and
- there should be cooperation with other administrations on such issues as undertaking joint collection or information sharing.
The forms should meet all statutory and policy requirements. To this end:
- all the forms, in both paper and electronic media, must be reviewed before they are put into use to ensure that applicable requirements are met. Furthermore, the responsible person must be assigned.
423 Organising Information
The aim of organising information is to establish a link between the operations of the administration and the usage, sharing, retrieving, archiving and destroying of information, and to facilitate the process for administrations and the other stakeholders.
The following steps must be taken for an efficient information organisation:
- it must be ensured that users both internal and external to the administration are satisfied with their access to information. Methods should be established to measure user satisfaction (such as user surveys and questionnaires applied after completion of certain services, as well as periodically applied questionnaires);
- the custodians of information holdings (e.g. Data Processing Departments, Library Services, etc) must identify the information needs of users and improve their services to better meet the needs of users for quick and easy access, e.g. shortening response time, using efficient and effective technology for transmission, designing a user-friendly system;
- information must be available for public dissemination and communicated to the public where and when appropriate, for instance by establishing such structures as e-libraries to facilitate public access;
- information available for use by the other administrations must be checked to see whether it is subject to any legal or policy constraints;
- administrations must have an up-to-date publications catalogue, which must be deposited in the administration's library. Published material must be catalogued according to established standards; and
- all the documents published by the administration must be accessible on the webpage of the administration.
Registering, Filing and Archiving of Information
Registry and Filing
To ensure effective management, any kind of document, including electronic ones, internal communications, operations and transactions must be recorded, classified, filed and archived; there must be a comprehensive and up-to-date system for this.
If meaningful and valuable information for the control of activities and decision making is desired, all the operations and transactions must be instantly recorded.
In order to ensure the quality of information and reporting, the fulfilment of internal control activities and responsibilities, and effective and efficient monitoring activities, all transactions need to be completely and clearly documented.
These documents should be easily accessible where needed.
The documents of the internal control system should include the structure and policies of the administration, types of activities, related objectives and control procedures.
The process of registry should be applied in a way that covers all the stages of a transaction, including the start and approval stages, until their final classification. This is also the case for the regular updating of documents.
Regardless of the media they are received in (such as paper, fax, e-mail or electronic), documents should be recorded and kept within the framework of a registry plan which is suitable to at least one official file.
Registry procedures must be communicated to staff in writing.
In this context, Standard Filing Plan no 2005/7, issued in the Official Gazette no 25766 dated 24 March 2005 and prepared under the coordination of the Prime Ministry General Directorate of State Archives, must be taken as the basis to establish a common method for all public administrations to file all documents, including electronic ones, and to ensure fast and easy access to them where necessary.
Ensuring standardisation in the filing system would help achieve harmony within the institution, and if it can be disseminated among all organisations, it would form a basis for an efficient and effective communication system across the country.
Standardisation of filing services would:
- ensure that documents about the same issues are codified using the same numbers in all organisations;
- facilitate easy and fast access to the right information and documents requested, and make sorting, classifying and keeping the documents and putting them into service easier, as standard file numbers will refer to the same issues in all organisations;
- ensure integrity and ease in the establishment of a tidy, fast, effective and efficient system of documents, files and communication;
- provide infrastructure for the automation of documents and correspondence and the establishment of information networks among organisations; and
- facilitate internal and inter-organisational file and operation tracking. The document or information looked for would be easily found in a short period of time.
The task of carrying out studies on the registry, usage and archiving of electronic documents was assigned to the General Directorate of State Archives by Decision no 7 dated 9 September 2004 of the e-Transformation Executive Board, and in accordance with Prime Ministry Circular number 2008/16 on Electronic Document Standards, published in the Official Gazette number 26938 dated 16 July 2008, TSE Standard number 13298 has been published. This Standard is the main source for electronic document management systems to be used by all public organisations.
Electronic document management systems to be established by the administrations will comply with TSE Standard no 13298, and furthermore the inter-organisational sharing of electronic documents produced will be carried out according to the criteria on electronic document sharing services set out at the web address www.devletarsivleri.gov.tr
Archiving Services
Archiving services include identification of the materials the administrations and the staff have
that will become archive materials in the future their protection against any losses preservation
under proper conditions utilisation in accordance with national interests cropping and disposal if
not deemed necessary to maintain Principles and procedures on archiving services have been set
out in the Regulation on State Archiving Services published in the Official Gazette number 19816
and dated 16 May 1988 and amended by the Official Gazette number 25735 and dated 22
February 2005
As per this regulation administrations have to take necessary precautions to protect
information and documents against disasters theft fire etc set out the procedures for the
preservation of confidential documents take the measures to ensure that the documents remain
legible in the future inform the managers and the staff about the proper periods of preservation for
the documents
105
4.2.4 Using and Sharing Information

Using and sharing information is crucial in terms of accountability and transparency for those who take part in the activities of the administration and for other stakeholders.

Information is an asset which renews itself, turns into new forms and becomes more valuable as it is communicated and shared. Therefore, regular communication and circulation of information within an administration is a principle of information management. Sharing administrative information reflects a cycle in which information is communicated to the relevant persons, administrative works are notified, the reactions of personnel are received, and these reactions are assessed, evaluated and communicated back to the relevant persons.

The following must be considered while using and sharing information:
- Comply with privacy, security and legal restrictions.
- Whenever possible, use electronic media to share information resources (e-mail, repositories, websites and so on).
- Ensure that information remains complete, accurate, up-to-date, relevant and understandable.
- Verify the accuracy and reliability of information (especially when conducting web-related research).
- Take advantage of administrative investments in information resources (magazine and journal subscriptions, databases, online library services and so on) while respecting copyright, licensing and intellectual property rights.
- When retaining information that has been 'copied', indicate the source, whether it is from an information resource already saved in the organisation's repository, from a publication or from a website.

Furthermore, transferring information from those who leave their jobs to those starting a new job is crucial to the continuity of activity in an administration. In this context, the following should be taken into consideration:
IC Table 1: What to do when leaving and starting a job

When leaving a job:
- Discussing your responsibilities with your manager when leaving the job, and determining and monitoring the internal policies for the administrative closure of your business processes.
- Providing pertinent information about everything you leave for your successor, explaining why it will be needed.
- Backing up all job-related information held in electronic media and transferring it to the information pool.
- Transferring the documents under your responsibility to the relevant successor.
- Creating a list of job-related website addresses, a summary of ongoing projects and related contact information, and an inventory of information resources (including file numbers) that will help your successor get used to his or her new job.
- Returning, or extending the deadline of, material that was borrowed from the library.
- Removing the former employee's name from distribution lists.

When starting a new job:
- See whether any electronic and paper information resources of business value have been transferred to your custody.
- Take note of any instructions or messages you receive regarding access to electronic tools such as a shared drive, business system or repositories.
- Familiarise yourself with your information management responsibilities and practices.
- Take part in training sessions on information management and recording.
- Add the new employee's name to the distribution list.
4.2.5 Reviewing and Protecting Information

Organisations must periodically review the main processes of information management, such as planning, producing, collecting, defining, accessing and using information, and share the results with managers.

Therefore, attention must be paid to the following:
- Store the information in a manner that preserves its form and status, keeping its structure, context and content intact.
- Mark each information resource according to its proper security classification, whether on paper or in an electronic document.
- Protect classified and protected information by ensuring it isn't left in waste or recycling containers and by storing it in locked desks or cabinets after work hours and during extended periods of absence.
- Implement effective access control procedures, ensuring that classified and protected information is only made available on a need-to-know basis to those who are authorised to access it.
- The level of protection must be consistent with the level of risk.
- Take requests for access and usage from other users into consideration and assess their compliance with the legislation.
- Periodically back up the information for protection purposes.
4.3 Information Security

Information can be stored on paper, kept in electronic format or transferred verbally. Regardless of its form, information must be properly recorded and protected. Information security means safeguarding the valuable assets of an administration against loss, misuse or damage.

The aim of information security is to ensure the following:
- safeguarding data integrity;
- preventing unauthorised access;
- respecting privacy and secrecy; and
- continuity of the system.
4.3.1 Information Security Management System

An information security management system is a systematic approach adopted so that the organisation's sensitive information that needs protection is managed properly. The main objective of the system is safeguarding and storing sensitive and critical information and making it available where necessary.

Setting Up an Information Security Management System

In order to establish an information security management system:
- Primarily, a decision must be taken on whether the system will cover the entire organisation or a part of it.
- Secondly, a policy that sets out the objectives must be introduced.
- Finally, a systematic risk assessment approach must be adopted, and potential risks must be identified and mitigated as appropriate.

Requirements of an Information Security Management System

The following are the requirements for an efficiently operating Information Security Management System:
- Support and ownership by top management and the managers of the administration must be ensured.
- Information management should not be regarded as merely a technical issue and a job only for the Data Processing Department. The system must have the potential to reach its objectives through the active participation of all staff of the administration.
- Establishment of an information security management system must not be regarded as an extra burden and a waste of time.
Elements/Principles of Security

The risks of compromise to information security, for example hacking, need to be defined, and controls to mitigate those risks should be introduced. If these controls are absent or ineffective, the efficiency of the information security system will decrease considerably.

The main principles of security are confidentiality, integrity, availability, authentication, non-repudiation, responsibility and access control. For more detailed information, see the Turkish Standards Institute TSE 17799 "Information Security Management Standard" document. Furthermore, there are other international models aiming to ensure the security of electronically produced information, such as COBIT, e-SAC (Electronic System Audit and Control) and System Trust, and you can also explore the standards ISO/IEC 27001 and ISO/IEC 27002 (International Organisation for Standardisation).

Also, please refer to the "Regulation on the Principles and Procedures Regarding the Implementation of the Law on Electronic Signature", based on the Law on Electronic Signature number 5070, and the e-Transformation Turkey 2005 Action Plan (Action 5: "Current systems at public institutions, particularly central institutions using critical information, will be analysed and information security policies and measures will be developed accordingly"; and Action 33: "The needs of disaster management of public information systems will be identified and recommendations will be developed").

For preserving and storing documents that are kept in a written environment, please refer to section 4.2.3 on the Organisation of the Information Registry, Filing and Archiving System.
4.3.2 Information Security Control Activities

In order to set the level of importance of an item of information, the degree of effect on the administration that stems from the risk of harm to the "confidentiality, integrity and availability" of that item of information must be defined in the first place. Harm to each of these three security features of information systems may have a different degree of effect. For instance, disclosure of top secret information can cause serious harm to an administration, while it may not be that harmful if that information becomes unavailable.

The identified risks to information security must be analysed and ranked, and the cost of the control activities to be established and operated to mitigate those risks must be in proportion to the value of the information protected and the risk identified after examining potential threats. For some ideas of suitable control activities, see the Control Activities chapter.
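As an added example (not taken from the manual or its annexes), the following Python script puts the two rules above into practice: each item of information is given a harm level for confidentiality, integrity and availability separately; the item's overall classification is the highest of the three (an assumed "high-water mark" rule, used by classification schemes such as FIPS 199); and the controls selected for the affected properties are checked to be proportionate, meaning that their cost does not exceed the expected loss they guard against. The three-level scale, the control catalogue, the costs, values and likelihoods are all constructed for illustration; the grouping of the selected controls into prevention, detection and response stages follows the stages named in IC Figure 1.

```python
"""Added example (not part of the manual): classify an item of information
by the harm that loss of confidentiality, integrity or availability would
cause, select controls for the affected properties, and check that their
cost is proportionate to the risk. Scale, catalogue and sample values are
constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Degree of harm to the administration if the property is compromised."""
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InformationItem:
    name: str
    confidentiality: Impact  # harm if disclosed
    integrity: Impact        # harm if altered or corrupted
    availability: Impact     # harm if not accessible when needed
    value: float             # constructed value in budget units
    likelihood: float        # assumed annual probability that a threat materialises

    def overall(self) -> Impact:
        # Assumed "high-water mark" rule: the item is protected at the level
        # of its most sensitive property.
        return max(self.confidentiality, self.integrity, self.availability)

    def expected_loss(self) -> float:
        # Assumed proportionality yardstick: value at risk scaled by likelihood.
        return self.value * self.likelihood


@dataclass(frozen=True)
class Control:
    name: str
    protects: str        # "confidentiality", "integrity" or "availability"
    min_impact: Impact   # applied once that property reaches this harm level
    stage: str           # "prevention", "detection" or "response"
    cost: float          # constructed annual cost, same units as value


# Constructed catalogue; the names echo measures listed in section 4.2.5.
CONTROLS = (
    Control("need-to-know access control", "confidentiality", Impact.LOW, "prevention", 1.0),
    Control("locked storage outside work hours", "confidentiality", Impact.MODERATE, "prevention", 0.5),
    Control("access logging and periodic review", "confidentiality", Impact.MODERATE, "detection", 1.5),
    Control("change approval and checksums", "integrity", Impact.MODERATE, "prevention", 1.0),
    Control("periodic backup", "availability", Impact.LOW, "response", 0.8),
    Control("off-site backup with restore drills", "availability", Impact.HIGH, "response", 4.0),
)


def select_controls(item: InformationItem, catalogue=CONTROLS) -> list:
    """Controls whose protected property is harmed at or above their threshold."""
    return [c for c in catalogue if getattr(item, c.protects) >= c.min_impact]


def by_stage(controls) -> dict:
    """Group selected controls into the prevention / detection / response stages."""
    stages = {"prevention": [], "detection": [], "response": []}
    for c in controls:
        stages[c.stage].append(c.name)
    return stages


def is_proportionate(item: InformationItem, controls) -> bool:
    """Control cost must not exceed what the information is worth protecting."""
    return sum(c.cost for c in controls) <= item.expected_loss()


def assess(item: InformationItem) -> dict:
    """Full assessment of one item: classification, controls by stage, cost check."""
    controls = select_controls(item)
    return {
        "item": item.name,
        "overall": item.overall().name,
        "stages": by_stage(controls),
        "cost": round(sum(c.cost for c in controls), 2),
        "expected_loss": round(item.expected_loss(), 2),
        "proportionate": is_proportionate(item, controls),
    }


# Constructed sample items. The first mirrors the manual's example: disclosure
# would be serious, temporary unavailability would not. The second is cheap
# information whose availability matters, so the catalogue's expensive
# availability control turns out to be disproportionate for it.
SECRET_MEMO = InformationItem("top secret memo", Impact.HIGH, Impact.MODERATE, Impact.LOW, 100.0, 0.2)
DUTY_ROSTER = InformationItem("weekly duty roster", Impact.LOW, Impact.LOW, Impact.HIGH, 3.0, 0.3)

if __name__ == "__main__":
    for item in (SECRET_MEMO, DUTY_ROSTER):
        print(assess(item))
```

Running the script shows the memo classified HIGH with five controls whose combined cost is well below its expected loss, and the roster also classified HIGH but failing the proportionality check: the overall level alone would over-protect it, which is why the manual ties control cost to the value of the information and not only to its classification.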
IC Figure 1: Process of Control Activities for Information Security

[Figure: three successive stages, Prevention, Identification (detection) and Response, through which attacks [1] to [4] pass.]

The figure above is an example of security-related control activities. It demonstrates four different attacks. As can be seen from the figure, attack [1] is immediately stopped at the prevention stage, while attacks [2], [3] and [4] are not. Of the attacks that manage to survive the prevention stage, attack [2] is identified at the detection stage and eliminated. Attacks [3] and [4] manage to pass the detection stage. At the response stage, which is the final stage and has been designed in accordance with the level of tolerance decided, attack [3] is eliminated, while attack [4], which survives all stages, damages the system after passing through all security processes.
5 MANAGEMENT INFORMATION SYSTEMS (MIS)

Management information systems are computer-assisted systems (consisting of computer hardware and software) which should ideally provide the timely strategic information needed by managers, in the form they demand it, so that they can make the right decisions on an informed basis.

The aim is the transmission of the right and complete information to the right people in the proper format (form, report, table, graphics, etc.). A labour force is needed to run, update and maintain the systems. MIS give information on how the administration is performing against key performance indicators in terms of financial information, information regarding the staff, information on movable/immovable assets, performance information, information from the organisation's document archive, etc. MIS may also give information on risk management.

Information should be registered, classified, calculated, summarised, reported and stored. Back-up copies of the system should be kept in case the system crashes. If these processes are not done systematically, managers may have incorrect information and thus make the wrong decisions.

While designing MIS, first the civil servants must understand the importance of acquiring and recording reliable and accurate information and be aware of their responsibilities in this regard; then the business processes related to the production of information must be defined completely and clearly; and finally support from IT must be obtained.

Some organisations have dispersed information systems; however, the existence of such a structure does not necessarily mean they have MIS. In some cases information is not related to and integrated with all the actions and units of an administration. Data recorded by different units in different systems is stored independently of the other units. Duplication of information in different units of the administration is an inefficient use of resources. Data being entered into a central computerised system ensures that managers have access to information which covers the whole administration.

Resistance to information sharing in administrations is a significant problem. It is not possible to transmit the accurate and timely information which management needs in administrations where information is not shared, which is an obstacle for MIS. Hence a culture of information sharing should be encouraged.
5.1 Stages of Establishing MIS

In the development of management information systems, SDUs undertake the task of coordination and provide technical assistance to the spending units. The following process can be followed by the SDUs and the spending units in establishing MIS.

5.1.1 Establishment of the MIS Working Group

A participative method should be adopted in the establishment of MIS in administrations: a work programme should be produced for a working group formed with the participation of representatives from all the spending units under the coordination of the SDU, and tasks should be distributed.

5.1.2 Preparation of the MIS Working Plan

In the working plan:
- To begin with, a comprehensive needs analysis should be carried out to identify which type of information the management may need.
- Upon completion of the needs analysis, the data provider units for the MIS should be identified. This will provide a significant infrastructure for the information map to be produced.
- The properties of the current information system of the administration, related problems and solution recommendations should be disclosed; what needs to be done to solve the problems and what is aimed at should be determined; and structures should be set up in the administrations to support the production and sharing of information.
- Cost and benefit aspects of the system planned to be established should be considered.
- The potential risks relating to MIS should be identified and a risk management process should be carried out. The control activities to be applied for the risks with high significance and likelihood should be determined.
- A good MIS must be flexible enough to keep up with the changes occurring inside and outside the administration. Besides, success criteria for the system, such as the inclusion of early warning mechanisms, should be determined.
- In the medium term, a corporate information map must be prepared that covers the entire organisation. Preparation of a corporate information map would ensure quick access to the information and expertise needed. The information map must be produced primarily at unit level and then at individual level, considering their level of expertise and experience. While forming such a structure, organisational charts or documents for the distribution of tasks within the units at a more specific level can be made use of. Production of the corporate information map and its proper operation would ensure that the following question is answered easily: "Who knows what?" For instance, quick identification of who (which department, which employee, etc.) has information about staff, budget or archives, and of the relation among this information, will be ensured.
- Establishment of MIS can be initiated by pilot implementations in the units. Using pilot implementations as a starting point and ascertaining how the system works will ensure economy in terms of time, cost and labour force. Potential mistakes in the further stages of the process can be prevented by eliminating the shortcomings and correcting the mistakes observed during the pilot implementations.

5.1.3 Monitoring/Assessment

Periodic reports must be produced and presented to top management during the establishment of MIS to show the progress in the development of the system. Action must be taken against the problems identified at this stage to ensure performance of the activities as planned.

Studies about the fulfilment of MIS services in administrations must be carried out upon the approval and under the supervision of the head of administration. Furthermore, the head of administration must inform the related units on the working method adopted.

An MIS needs to be dynamic to keep pace with changes in technology or in the demands for information by management.
5.1.4 Related Legislation

Law no. 5436, which amends Law no. 5018, prescribes the establishment of SDUs and assigns them the task of providing the services related to MIS.

In the Regulation on the Working Principles and Procedures of SDUs, providing the services regarding MIS and carrying out studies for the establishment of the system are listed among the tasks of the SDUs.

6 COMMUNICATION

Communication is the exchange of information among individuals and/or organisations to support service delivery, decision making, and the sharing, carrying out and coordinating of activities. It plays a central role in the development of a robust internal control system and helps management to make decisions by providing feedback on how all the components of internal control are working.

An administration needs information at all levels to achieve its objectives and manage risks. In this context, information flows can take place both horizontally and vertically, as well as from outside the organisation.

Information must be properly communicated within an administration to the managers and/or staff in need of it, on a timely basis, in order for them to fulfil their responsibilities and ensure coordination with other units. External communication with beneficiaries, suppliers and stakeholders such as other public administrations is also essential for effective internal control.

Communication can be verbal, written or electronic, or a combination of the three. Where verbal communication is deemed sufficient, documenting only the important verbally communicated information would be useful, so that records of key information are kept and can subsequently be referred to by those who are given access to it.

IC Box 2: Communication Channels

Management should establish communication channels that:
- provide accurate information at the right time;
- meet individual demands;
- inform employees of their roles and responsibilities;
- support reporting;
- allow employees to make recommendations for improvement;
- give messages that top management can understand, enabling them to make decisions;
- inform employees of the importance of internal control and of decisions taken;
- are both internal and external; and
- have the right target group.
6.1 Internal and External Communication

Administrations should consider the following general issues regarding their internal and external communication:
- The public should be provided with timely, accurate, clear, objective and complete information about policies, programmes, services and activities.
- The language used should be comprehensible and plain Turkish.
- Administrations should be visible, accessible and accountable to the public for the services they provide.
- Various means and methods should be utilised in communication, and information from a variety of sources should be engaged to meet different needs.
- Communication needs should be regularly identified.
- Administrations should receive opinions from internal and external stakeholders while setting out objectives and aims and formulating processes, and should establish mechanisms to assess these.
- Public administrations should work cooperatively with stakeholders when necessary in order to ensure efficient communication.
- Services should be provided in a fair, quick and responsive manner.
- Administrations should have the capacity and equipment to follow up innovations in communication technology and allocate the necessary resources to do so. In this context, activities carried out should be proportionate to the resources allocated and the results expected.
IC Table 2: Communication Principles and Procedures

INTERNAL

Internal communication (general)

Principles:
- Top management and employees should understand the internal communication system and be well aware of their responsibilities.
- It must be ensured that staff communicate their considerations, recommendations and questions to top management.
- Communication between managers and employees should be clear and cooperative in order to achieve the goals and mission of the administration.
- Staff objectives should be made consistent with those of the administration.
- Recommendations and ideas of personnel should be heard and action taken to address them when appropriate.

Method:
- Internal communication activities and processes should be reviewed regularly and revised where necessary. New communication methods should be adopted to stay in line with the changing administrative structure.
- Staff should be regularly informed, in writing or electronically, about the operation of the internal communication system, what to do and their responsibilities (including the information and communication system for risks).
- Necessary mechanisms (intranet, internet, announcement boards, complaint and suggestion boxes, top manager briefings, etc.) should be established to inform employees about the mission, vision and objectives of the administration.
- More effective communication should be ensured between senior management and personnel.
- Regular meetings and an electronic mechanism that enables the SDUs to coordinate spending units and produce statistical data via the necessary analysis.
- To this effect, in-house communication seminars and training programmes should be organised.

Vertical communication

Principles:
- Personnel should convey the necessary, timely, complete and accurate information to their managers in time for the managers to make decisions and achieve objectives.
- Personnel should be notified by their managers when, in which scope, in what way and from which unit the information is demanded.
- Managers should inform the staff about the policies, goals and objectives of the administration.

Method:
- A reporting system should be established within the administration which flows from staff to managers (minutes of meetings, unit activity reports, exchange of information on a weekly or daily basis in person or electronically, a reporting system that enables the managers to monitor daily activities, etc.).
- Regular meetings between management and internal auditors; timely submission of internal audit reports to top management.

Horizontal communication

Principles:
- Refers to the effective sharing of information among employees of the same hierarchical level in order to carry out the tasks and activities of the administration.
- Personnel and units to share information should be announced to staff, and the duty to share information should be included in the job descriptions of the relevant personnel and units.
- Managers should hold regular meetings to exchange ideas on their respective fields of competence and on the problems and suggestions regarding management.

Method:
- Establishment of a system to monitor meetings and activities of people of the same level.
- Creation of an e-mail group for people from the same hierarchical level.
- Strengthening data processing infrastructure and ensuring active operation of units.
- Ensuring that top management have more effective communication with employees.
- Internal communication seminars and training programmes should be organised.

EXTERNAL

Principles:
- The accessibility of citizens to the information and services of administrations should be enhanced.
- Mechanisms should be set up to enable citizens to express their complaints and suggestions (forum, frequently asked questions, activation of the use of the Information Acquisition System and BIMER, etc.).
- Administrations should inform the press about issues deemed important for decision makers and the public.
- The head of administration should inform the public annually about the performance programme and activity report of the administration, and these should be published on the administration's website.

Method:
- Services delivered by administrations within the framework of "e-state" should be shared with the other relevant administrations and citizens (MERNIS, UYAP, etc.).
- The administration's website, which provides the necessary documents, should be established, and some services should be provided via this website 24/7.
- Documents and services provided online should be updated regularly, and the administration should assign certain people to manage the design and content of the website.
- Furthermore, publishing in English for the access of foreign users to information will be useful.
- The press should be invited to important conferences and seminars.
- Services provided by the administration should be advertised on TV or the internet.
- Active operation of the press and public relations units should be ensured.
6.2 Communication Methods

A communication system is made up of the methods and records produced to determine, acquire, change and transfer useful information. Staff must be able to communicate with all the units in the organisation, including sharing information on risks.

With the advancements in technology, numerous and various means of communication are now available in public administrations. The most widely used means of communication are detailed in IC Annex 2.

6.2.1 Reporting

Reports are crucial tools for the establishment of an effective internal control system as they facilitate the monitoring of control effectiveness.

Managers should take the reports submitted to them into consideration when making decisions. In this context, accurate and succinct reports that have been prepared on time would help the managers. Furthermore, communication and reporting is an important element of risk management (see the Risk Management chapter).

Administrations should communicate financial and non-financial information and results regarding their policies, programmes, activities and projects to the relevant persons and bodies, in writing or verbally, at particular times. Within this framework, vertical and horizontal reporting lines within the administration should be determined in writing. Furthermore, each administration should also take into consideration external reporting mechanisms.

IC Figure 3 shows the mechanism of vertical reporting among the hierarchical levels regarding the decisions and works at the strategic, programming and operational levels, and the mechanism of horizontal reporting among personnel of the same level. Vertical reporting is the reporting of personnel to managers. Horizontal reporting, on the other hand, is the necessary flow of information among the people and units that are on the same level.
IC Figure 3: Reporting Lines

[Figure: vertical reporting on objectives/activities runs from other staff through medium-level managers (operational level) up to top management (strategic level); horizontal reporting runs among staff at the same level.]
Examples of horizontal reporting within an administration:
- staff attending a training programme sharing with colleagues the report they prepare about training results; and
- minutes of meetings shared with other units.

Examples of vertical reporting within an administration:
- a Consolidated Risk Report submitted to senior management;
- minutes of meetings copied to a senior manager for their information;
- Internal Audit Reports submitted to senior management; and
- Quarterly Reports and Semi-Annual Reports submitted to senior management.

Examples of reporting outside the administration:
- the Internal Control System Evaluation Report prepared by the SDU and submitted to the CHU; and
- the annual activity report of an administration, prepared by the Head of Administration, published to the public and copied to the Turkish Court of Accounts and the Ministry of Finance.
IC Box 3: Basic Principles for Effective Reporting
- It should be explicitly determined and announced to staff which reports will be prepared, by whom, at what frequency and when they will be prepared, to whom they will be submitted and who will control them. Reports must be in compliance with tasks, responsibilities and the principles of financial transparency and accountability.
- The information included in the reports must be accurate, up-to-date, succinct, objective, complete, relevant and sufficient.
- Reports should use a common and clear language that everyone can understand.
- Reports must be produced at certain periods and on a consistent basis so that comparisons can be made between years.
- Reports should attract the attention of readers, be easy to read and understand, and include sufficient and appropriate visual material.
- All reports should have a conclusion and evaluation section.
- The desired format for the report should be determined in advance by the administration/unit requesting the report and notified to the relevant administration/unit.

IC Annex 3 details the reports prescribed to be prepared as per the Public Financial Management and Control Law No. 5018 and the applicable regulations, in the framework of the principles of financial transparency and accountability.

7 WHISTLEBLOWING OF FAILURES, IRREGULARITIES AND FRAUD

One of the most important elements of accountability and transparency is the existence of a mechanism that ensures that staff and stakeholders are able to express their concerns effectively.

Article 279 of the Turkish Penal Code states that if a civil servant learns, by means of the position he holds, that a crime which necessitates investigation and prosecution has been committed, and neglects or delays notifying the competent authorities of this crime, he will himself have committed a crime.
7.1 Concepts of Failure, Irregularity, Fraud and Whistleblowing

Failure refers to an unintentional action against the legislation.

Irregularity and fraud, on the other hand, refer to deliberate behaviour by the administration's staff or third parties against the present rules in order to achieve unfair or unlawful gain.

Whistleblowing is the notification of illegal and unethical behaviours and actions to top management, to third parties outside management, or to authorised bodies or persons (who can be inside or outside the administration) by persons with information (employees or stakeholders). Failure to blow the whistle can cause damage to the administration.

In line with the information given above, administrations must determine distinct methods for evaluating the irregularities, fraud and failures they have been notified about.

It should be borne in mind that the person who makes the notification may be left alone or isolated, his or her career may be undermined, or he or she may not be taken seriously. Therefore, any kind of biased or discriminatory conduct against personnel or third parties who blow the whistle should be prevented.

7.2 Scope of Notifications

There are three basic types of whistleblowing and complaints in public administrations:
- those regarding the violation of ethical values;
- those regarding faults, irregularities and fraud; and
- complaints by civil servants regarding administrative actions and processes implemented against them by managers or administrations.
7.2.1 Whistleblowing and complaint in cases of violation of ethical values
Whistleblowing mechanisms are defined in Law No 5176 on Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws, and in the Legislation on Ethical Behaviour Principles and Procedures for Civil Servants.
Under this legislation, cases of violation of ethical behaviour by the director general and by those who hold a title at this level are notified to the Ethical Board, while cases of violation by other employees are notified to the relevant administrative manager to be directed to the administration's disciplinary board. Within this framework, administrations carry out the process to ensure compliance with the law.
A flowchart showing the detailed process for whistleblowing and complaint in cases of violation of ethical values is at Annex 4a.
7.2.2 Whistleblowing and complaint regarding irregularities and fraud
Law no 4483 defines the procedures to be followed in cases of crimes committed by civil servants by means related to their duties. Accordingly, cases of whistleblowing or complaint about civil servants are filed, processed and concluded under this Law.
When a complaint by a person is not processed, he or she can appeal to the administrative court if he or she wishes. The administration has to record all cases of whistleblowing or complaint, processed or not.
A flowchart showing the detailed process for whistleblowing and complaint regarding irregularities and fraud is at Annex 4b.
7.2.3 Complaints by civil servants
Proceedings relating to complaints by civil servants regarding administrative actions and processes implemented against them by their managers or administrations are carried out within the framework of Article 21 of Law No 657 and the Legislation on Complaint and Application Rights of Civil Servants.
7.3 The Responsibility for Detecting Faults, Irregularities and Fraud
The responsibility for identifying and preventing failures, irregularities and fraud rests with management and all employees. Under the ethical behaviour culture of the administration, the necessary actions should be taken to prevent failures, irregularities and fraud under the supervision of the responsible managers.
7.4 Whistleblowing System
For employees to communicate their concerns, and for these concerns to be taken seriously, administrations should have reporting mechanisms and related regulations that comply with their structures. These regulations should cover the following:
- the subject-matter of a whistleblowing;
- how to protect the confidentiality of, and provide security for, a whistleblower who acts in good faith;
- the stages of the whistleblowing procedure (first to the manager, then the head of unit, the head of internal audit, the head of the human resources unit or the head of the financial services unit, and the head of administration);
- how cases of whistleblowing are evaluated by the administration and what actions are taken (examination inside the administration, official investigation, etc.);
- the information given to the whistleblower about who the subject matter concerns, whether he or she can contact that person, and the progress and/or results of the evaluation.
Within this framework, administrations should announce to the personnel all the ways of whistleblowing and complaint.
In cases of whistleblowing and complaint, the identity of the whistleblower should be kept confidential so that they are not exposed to discrimination.
Administrations should receive cases of whistleblowing and complaint in electronic format via their websites as well as in writing. Besides, administrations should set up mechanisms that make it easy for external stakeholders to blow the whistle or complain, and announce them on their billboards and websites.
Administrations should not set up mechanisms other than the preliminary examination procedures determined in Law no 4483 for cases of whistleblowing and complaint regarding corruption and irregularities. As a result of the preliminary examination, whether or not an investigation permit is given should be notified, with a detailed justification, both to the Chief Public Prosecutor's Office and to the whistleblower, and the letters regarding these notifications should be kept in the whistleblowing files.
For an effective whistleblowing system, the following basic requirements are taken into consideration.
IC Box 4 Basic requirements for Whistleblowing
- Top management should announce the procedures for dealing with whistleblowing and complaint from inside and outside the administration.
- Administrations should determine, for central and local units, who notifications will be referred to.
- Methods must be developed for anonymous notifications from staff and third persons (telephone, in a way that ensures evidenced delivery; internet application, provided that the forms given are completed; anonymous letter; suggestion boxes; etc.).
- Written, spoken or electronic cases of whistleblowing should be recorded in a separate folder by the authorised unit or person, regardless of whether they are based on enough evidence or not.
- Discriminative treatment towards the whistleblower should be prevented.
- Periodical meetings should be held with staff in which their views are heard and their trust is won in regard to reporting malpractices within the administration.
- All communication channels should be left open to ensure that personnel can blow the whistle.
- Personnel who are proved right after the examination and evaluation of their whistleblowing should be rewarded by means of secret methods to be determined by the administration.
IC Box 5 Issues to consider while evaluating whistleblowing notifications
- Are the behaviours or actions in the administration unlawful?
- Are the behaviours or events taking place in the administration against ethical values (morals, professional ethics, etc.)?
- When the whistleblowing is not in compliance with the procedure, it must still be evaluated as long as it is based on concrete evidence.
- The seriousness and importance of the issues put forward should be taken into consideration.
- There should be good will and public benefit.
- There should be a reasonable belief that the information, and the allegations the information includes, are completely true and may uncover malpractice.
IC Figure 4 Whistleblowing Process
[Flowchart. The whistleblower first asks: Is it illegal? Is it unethical and immoral? Is it based on concrete evidence? Do I have good will? Do I draw benefit from this? The notification is sent through secure communication channels (e-mail addresses, telephone numbers) to the unit/person that evaluates the case of whistleblowing against the evaluation criteria, which refers it to the Disciplinary Board, the Inspection Board/Audit Unit, the Chief Public Prosecutor (when the investigation request is from outside the administration) or the Authorising Officer.]
IC Box 6 Current Legislation relating to whistleblowing and complaint
- Law No 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication
- Law No 4982 on the Right to Information
- Law No 3628 on Declaration of Properties, Bribes and Combating Fraud
- Law No 3071 on Official Letters
- Ethics Law, Regulation and Prime Ministry Circular
- Principles and Procedures on the Complaint and Application Rights of Civil Servants
- Complaint regulation under Public Procurement Law No 4734
8 RELATIONS AMONG UNITS
8.1 Information and Communication between the CHU and SDUs
The extent to which the tasks the CHU carries out are effective and efficient depends on the level of communication it achieves with SDUs.
The CHU must develop organisational communication mechanisms to ensure the transfer of information to the SDUs. This could be done either via a call centre to be established within the CHU, or by matching particular CHU staff (client representatives) with particular SDUs. The latter would enable CHU staff to know better the unit they are responsible for, and therefore make evaluations and problem solving easier; it would also improve the influence of the CHU on other units. Furthermore, ensuring face-to-face communication between CHU and SDU staff and organising periodic meetings and/or conference calls to review the internal control system can be another method of information transfer.
The CHU must set out the critical arrangements that are relevant to the SDUs using participative methods in which the participation of SDUs is ensured. Furthermore, the level of participation by the SDUs will enhance the level of communication.
8.2 Information and Communication between SDUs and Spending Units
Ensuring coordination with spending units for the adoption of various elements of Public Financial Management, such as the preparation of activity reports and performance programmes and the implementation of internal control, is the responsibility of SDUs. Effective and efficient organisational communication with spending units would also contribute to the smooth progress of the coordination process.
SDU staff and spending units must be matched. Each member of the SDU must be in constant communication with the spending unit they are responsible for and transfer the necessary information to the spending units periodically. Spending units must also assign department/branch/unit staff to be in continuous communication with the SDU. Such matching plays a crucial role in the transfer of consistent and accurate information both from the SDUs to the spending units and from the spending units to the SDUs.
Furthermore, these information flows must also be reviewed in meetings to be held regularly (advised frequency: minimum monthly, maximum quarterly) by the spending unit officials and SDU managers, and the actions to be taken and the required developments must be discussed in these meetings.
In the event that it is necessary for the SDUs to make decisions which would affect the spending units, officials from the spending units must be able to get involved in this process, depending on the level of the decision.
INFORMATION AND COMMUNICATION ANNEXES
Annex 1 - Legislation on Information and Communication
- Regulation on the Principles and Procedures to be applied in Official Correspondences by the Prime Ministry
- Regulation on the Prime Ministry State Archiving Services, published in the Official Gazette number 19816 dated 16 May 1988
- Regulation on Public Servants Ethical Behaviour Principles and Principles and Procedures for Application
- Regulation on Declaration of Assets, published in the Official Gazette no 20696 dated 15 November 1990
- Regulation on the Complaints and Application by Public Servants Assets, published in the Official Gazette no 17926 dated 12 January 1983
- Prime Ministry circular on Standard Folder Plan no 2005/7 dated 24 March 2005 (Manual to be prepared by Central Harmonisation Unit can be included, including the FMC Manual)
- Prime Ministry circular dated 19 March 2007 on Civil Servants Ethical Board
- Regulation on Complaints under the Scope of the Law no 4734 on Public Procurement (The arrangements to be made by the CHU, including the FMC Manual, can be covered in this part)
- Law no 406 on Telegraph and Telephone
- Radio Law no 2813
- Law no 3071 on Official Letters
- Law no 4982 on the Right to Information
- Law no 5070 on Electronic Signature
- Law no 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication
- Law no 5369 on Provision of Universal Service and Amendments to Certain Laws
- Law No 5176 on Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws
- Law No 4483 on Trying Cases against Civil Servants
- Law No 3628 on Making Declaration of Property and Fight against Bribery and Corruption
- Law no 5809 on Electronic Communication
Annex 2 - Widely Used Methods of Communication
For each means of communication, the table lists its objective, advantages and disadvantages.

Means: Meetings
Objective: Informing; Receiving opinion; Making joint decisions
Advantages: Relatively cheap; A method that people are accustomed to; Contributes to the culture of participation; Open to discussion and dialogue; Opportunity to come up with solutions to problems in the administration
Disadvantages: Difficulty to measure the success and value of the method; Possibility that results may not be useful; Possibility that a minor group may dominate the meeting in case of bad management

Means: Reports
Objective: Informing; Receiving opinion; Making decisions; Evaluation
Advantages: Informs the target group about the subject in a sound manner; Facilitates the decision-making process of the manager; Possibility to access accurate, up to date, relevant and adequately detailed information
Disadvantages: Requirement for qualified staff; Its production is time consuming

Means: Brochures, Periodicals
Objective: Informing; Promotion
Advantages: Opportunity for creative design; Comprehensible; Particular and wide target groups; Opportunity to establish a long term relation with the target group; Opportunity to make regular updates regarding the subject
Disadvantages: Limited feedback; Difficulty to measure the impact on the target group

Means: Questionnaire, Interview (letter, telephone, face to face)
Objective: Receiving opinion; Evaluation
Advantages: A method that people are accustomed to; Opportunity to reach a wide group; Opportunity to select particular target groups; Scientific methods can be used
Disadvantages: Expensive, time consuming; Requirement of in-detail information to use the method accurately; Possibility that the response rate may be low; Possibility that the subject may not be examined enough

Means: Press releases and conferences
Objective: Informing; Receiving opinion
Advantages: Cheap; Easy to organise; Opportunity to communicate to many people
Disadvantages: Difficulty to understand whether the subject reached the target group or not; Difficulty to measure the success and value of the method; Difficulty to examine the subject thoroughly; No feedback or limited feedback

Means: Brainstorming
Objective: Exchanging ideas; Making joint decisions
Advantages: Obtaining many ideas regarding a subject; Contribution to the culture of participation; Cheap, flexible, easy to organise
Disadvantages: Possibility that results may not be useful; Possibility that the subject may not be examined enough

Means: Workshop
Objective: Informing; Receiving opinion; Making joint decisions
Advantages: Opportunity to set up new networks; Fun for participants; Chance of finding solutions to problems; Cheap, flexible, easy to organise; Chance of examining the subject thoroughly; Opportunity to select particular target groups; Easier participation because of the unofficial atmosphere
Disadvantages: Non-scientific; Possibility that results may not be useful; Possibility that a minor group may dominate the meeting; Possible to receive wrong results with a small and randomly selected group

Means: Conference
Objective: Informing; Receiving opinion; Making joint decisions
Advantages: Opportunity to become creative and flexible; Opportunity to work together with different groups; Opportunity to set up new networks; Opportunity to select particular target groups; Opportunity to examine the subject thoroughly; Opportunity to discuss different opinions and ideas
Disadvantages: Expensive, time consuming; Possible to receive wrong results with a small and randomly selected group; Raising different expectations; Possibility that results may not be useful; Possibility that a minor group may dominate the meeting in case of bad management

Means: Focus Group
Objective: Receiving the group's opinion under the leadership of a moderator
Advantages: Faster and cheaper compared to one-to-one interviews; Opportunity to discuss different opinions and ideas; Spoken discussion accelerates the process by which outputs are reflected in writing
Disadvantages: Possibility that useless information may emerge in case of bad moderation; The quality of participants affects the quality of data

Means: Conference Call
Objective: Making joint decisions; Finding common solutions to problems
Advantages: Opportunity to discuss different opinions and ideas; Opportunity to examine the subject thoroughly; Experienced decision-makers and persons with deep accumulated knowledge coming together
Disadvantages: Possibility that results may not be useful in case of bad management; Expensive, time consuming; Possibility that a minor group may dominate the meeting in case of bad management

Means: Websites and intranet, e-mail
Objective: Informing; Receiving opinion
Advantages: Cheap; Easy to organise; Opportunity to reach many people; Effective information sharing
Disadvantages: Need for updating; Problem that unfavourable people may get access
Annex 3 Reports Prepared under PFMC Law No 5018
For each report, the responsible unit and the body it is submitted to are given.
- Unit Activity Report (Art 41 of Law no 5018): prepared by Spending Units - Authorising Officers; submitted to the Head of Administration
- Local Administrations Activity Report: prepared by Spending Units - Authorising Officers; submitted to the Head of Administration
- Administration Activity Report (Art 41 of Law no 5018): prepared by the Head of Administration (general budget administrations, special budget administrations and social security institutions); submitted to the Ministry of Finance, the Court of Accounts and Public Opinion
- Local Administrations Activity Report (Art 41 of Law no 5018): prepared by the Head of Administration (local administrations); submitted to the Ministry of Interior, the Court of Accounts and Public Opinion
- General Activity Report (Art 41 of Law no 5018): prepared by the Ministry of Finance (Directorate General for Budget and Fiscal Control); submitted to the Court of Accounts and Public Opinion
- Local Administrations General Activity Report (Art 41 of Law no 5018): prepared by the Ministry of Interior; submitted to the Court of Accounts, the Ministry of Finance and Public Opinion
- Administration AR, General AR, Local Administrations General AR (Art 41 of Law no 5018): the Court of Accounts, expressing its own opinions considering its external audit results; submitted to the TGNA
- Draft Law on Final Accounts (Art 42 of Law no 5018): prepared by the Ministry of Finance (DG Public Accounts); submitted to the TGNA and the Court of Accounts
- External Audit Overall Assessment Report (Art 68 of Law no 5018): prepared by the Court of Accounts; submitted to the TGNA
- Corporate Financial Status and Expectations Report: prepared by public administrations under the scope of General Management; submitted to Public Opinion
- Central Government Budget Realisations and Expectations Report: prepared by the Ministry of Finance (Directorate General for Budget and Fiscal Control); submitted to Public Opinion
- Financial Statistics (Art 52, 53 and 54 of Law No 5018): prepared by the Ministry of Finance (DG Public Accounts); submitted to Public Opinion
In the production and submission of the Activity Reports above, Law no 5018 and the principles and procedures set out in the Regulation on Activity Reports Prepared by Public Administrations are taken into account.
In the preparation and declaration of the financial statistics of public administrations, Law No 5018 and the principles and procedures set out in the General Communiqué on Financial Statistics of General Management are taken into consideration.
Annex 4a Whistle-Blowing Process Related to Ethical Values
[Flowchart. Application: a written petition, electronic mail or oral application that is recorded. Registry (relevant unit/person): registration in the document registry system (written/electronic), with a separate folder system for notification applications. If the case relates to the Director General or positions at a higher level than Director General, it goes to the Ethical Board; if it relates to positions at a lower level than Director General, it goes to the Head Office of the Relevant Administration and then the Disciplinary Board. Evaluation. Notification: to the relevant person (the person the whistle-blowing is about); to the relevant administration (conduct of the work within the framework of Law No 657); to the whistle-blower. If it is decided that ethical behaviour principles have been violated: notification to the Prime Ministry and to public opinion (published in the Official Gazette). If it is not detected that ethical behaviour principles have been violated: notification to the Prime Ministry and to whom it may concern.]
Annex 4b Whistleblowing and Evaluation Process for Crimes Committed by Civil Servants
[Flowchart. Application: a written petition (a person or a particular event, serious allegations, name, family name, signature, domicile address). Registry (relevant unit/person): registration in the document registry system (written or electronic, with a separate folder system for notification applications). Head of the relevant unit. Two routes: applications made directly to the Chief Public Prosecutor lead to a request for an investigation permit from the body authorised to give the permit (Article 3 of Law No 4483); for other positions or civil servants, notification is made to the body authorised to give the investigation permit (Article 3 of Law No 4483). The body authorised to give the permit starts the preliminary examination (Law No 4483, Art 5). Preparation of the preliminary examination report and submission of it to the body authorised to give the permit. Outcome: either permitting the investigation about the complaint, whistleblowing or subject matter of the allegation (objection to the Court of Appeals or regional administrative court by the civil servant about whom the investigation is conducted), or not permitting the investigation (objection to the Court of Appeals or regional administrative court by the Chief Public Prosecutor's Office or the complainant). Notification: to the Chief Public Prosecutor's Office; to the civil servant about whom the investigation is conducted; to the whistleblower.]
MONITORING
1 Introduction
Monitoring is the assessment of the internal control system, in terms of its harmonisation with the internal control standards, to see whether it makes the expected contribution to the achievement of the goals and objectives of an administration, together with the identification of actions regarding the aspects open to improvement. Within this framework, monitoring is an integrated process in which capacity is assessed in interaction with the other components of the internal control system.
M Figure 1 COSO Monitoring Process
[Figure: the internal control components Risk Management, Control Activities, Information & Communication and Monitoring shown as interacting elements.]
The main elements of monitoring are the formation of a sound infrastructure for monitoring, the design and implementation of monitoring procedures, and the assessment and reporting of the results.
Monitoring, if designed and carried out properly, provides the administration with reasonable assurance that the internal control system operates efficiently. Efficient monitoring helps to:
- timely identify and eliminate the problems in the system of internal control;
- produce more accurate and reliable information to be used in decision making;
- produce correct and timely financial statements;
- confirm regularly that the internal control system is effective;
- present evidence for the internal control assurance declarations.
Monitoring internal control systems requires participation. Question forms, internal and external audit reports, requests and complaints from individuals and/or organisations, and the opinions of unit directors must be made use of during monitoring.
2 Monitoring Internal Control Standards
Monitoring includes all sorts of monitoring activities performed with the aim of assessing the quality of the internal control system.
M Box 1 Internal Control Standards
Standard 17 Assessment of internal control: The administrations shall assess their internal control systems at least once a year.
Standard 18 Internal audit: The administrations shall ensure a functionally independent internal audit activity.
3 Roles and Responsibilities
3.1 Senior Manager
The main responsibility for monitoring the internal control system rests with the Senior Manager. This is also emphasised in Article 11 of Law No 5018, which states that Senior Managers are responsible for observing and monitoring the functioning of the financial management and control system.
The Senior Manager fulfils this responsibility through internal auditors and Strategy Development Units (SDU).
By approving the internal control system annual assessment report prepared by his administration, the Senior Manager ensures its submission to the Central Harmonisation Unit (CHU).
Furthermore, the Senior Manager annually states, based on evidence and through the internal control assurance statement (Annex 3A), that the internal control system gives reasonable assurance for the attainment of the objectives and aims of his administration.
On the other hand, the Senior Manager ensures the implementation of the recommendations put forward as a result of internal and external audits.
3.2 Internal Audit
Internal audit has the functions of providing information, making assessments and making recommendations on the adequacy, efficiency and functioning of the internal control system. Within this framework, the Senior Manager, who has the responsibility for the sound functioning of the internal control system, receives opinions and support from internal auditors.
3.3 Internal Control and Risk Steering Board (ICRSB)
The ICRSB assesses the Internal Control System Evaluation Reports prepared by the SDU as a result of the annual assessment of the internal control system (Annex 2) and, after identifying any shortcomings of the report, submits it with the relevant opinions for the approval of the Senior Manager.
3.4 Authorising Officers
Authorising officers have responsibilities regarding internal control and continuous monitoring. Furthermore, Authorising Officers provide the necessary information for SDUs regarding the annual assessment of the internal control system, fill in the internal control question form (Annex 1) and annually sign the internal control assurance declaration (Annex 3B) to be submitted to the Senior Manager.
In addition, Authorising Officers have the responsibility for taking relevant actions regarding the recommendations contained in internal and external audit reports.
3.5 Strategy Development Units (SDU)
SDUs have been assigned the function, by Law No 5018 and the applicable legislation (3), of carrying out studies to establish, implement and continuously develop internal control systems and of reporting the study results to the Senior Manager.
Within this framework, SDUs annually assess the internal control system on behalf of the Senior Manager. They then report the assessment findings, gained by forming a working group and using such tools as checklists, questionnaires and question forms, to the Senior Manager together with the relevant opinions of the Internal Control and Risk Steering Board.
SDUs sign the declaration on the functioning of the internal control system with a view to ensuring the effective, efficient and economical execution of the administration's activities.
Personnel of SDUs take an active role in the assessment process of internal control systems and guide the units in filling in the reports regarding the assessment (Annex 1).
3.6 Other Managers and Employees
Other managers and employees are responsible for the effective functioning of the internal control system within their own fields. Within this framework, while carrying out their own duties, they observe the functioning of the internal control system, inform the Senior Manager in case of a problem, and contribute to the assessment process of the internal control system by providing information.
3.7 External Audit
External audit is conducted by the Court of Accounts. Within this framework, the Court of Accounts can assess internal control systems in public administrations and can make recommendations.
3.8 Central Harmonisation Unit (CHU)
In accordance with Article 9 of the Principles and Procedures regarding Internal Control and Ex-ante Financial Control and Article 55 of the Public Financial Management and Control Law No 5018, this unit develops standards and methods regarding internal control processes and provides guidance services to public administrations.
Furthermore, the CHU annually assesses the functioning of internal control systems in public administrations, based on the Internal Control Assessment Reports approved and submitted by senior managers, and submits the assessment report it prepares to the Senior Manager and the Minister of Finance.
Where necessary, the CHU carries out on-site monitoring activities regarding the factors contained in reports prepared by public administrations.
Within the framework of the roles and responsibilities explained above, the following scheme demonstrates the exchange of information and reporting lines envisaged within the scope of monitoring activities in the administration.
(3) Legislation on Principles and Procedures regarding Internal Control and Ex-ante Financial Control, and Working Principles and Procedures of Strategy Development Units.
M Figure 2 - Reporting and information exchange process foreseen under monitoring
[Diagram. Boxes from top to bottom: Central Harmonisation Unit; Senior Manager; Internal Audit (Report), Internal Control Risk Steering Board and External Audit - Court of Accounts (Report); Strategy Development Unit; Authorising Officers; Sub-Unit Managers; Sub-Unit Personnel.]
1) Straight arrows demonstrate the hierarchy in the reporting process.
2) Dotted lines demonstrate the exchange of information.
4 Guidance by the CHU (4)
Article 55 of the Public Financial Management and Control Law no 5018 and Article 9 of the Principles and Procedures on Internal Control and Ex-ante Financial Control prescribe that standards and methods concerning financial management and control are developed and harmonised by the Ministry of Finance, and that guidance is provided to the public administrations.
In this context, within the scope of its monitoring function, the CHU:
- monitors whether internal control standards are complied with;
- monitors the operation of the systems by receiving information and reports from the administrations regarding internal control and ex-ante financial control arrangements and practices;
- carries out research on national and international good practices and conducts studies for their implementation.
The CHU annually assesses the operation of the internal control system within the public sector, based on the Internal Control System Evaluation Reports submitted upon approval by the heads of public administrations, and where necessary carries out on-the-spot monitoring on the issues included in the reports of the administrations.
(4) This part consists of general information on the guidance provided by the CHU; detailed information can be found in the CHU Handbook.
5 Assessment and Reporting Role of SDUs
Assessing internal control periodically, and identifying and applying the necessary actions, are crucially important to ensure the efficiency of the system. In this context, each organisation needs to assess its internal control system. Assessment of the internal control system means analysing, on the basis of the internal control components, whether the system makes the expected contribution to the achievement of the aims and objectives of an administration, identifying the aspects open to improvement, and taking corrective actions.
The Public Internal Control Standards suggest that the internal control systems in public administrations must be assessed at least annually, using ongoing monitoring or separate evaluations. In the assessment of the internal control system the participation of all units is required; internal and external audit reports, requests and complaints from individuals and/or organisations, and the opinions of unit directors must be considered; and the assessment process must be methodological.
51 Assessment of Internal Control System by SDUs
Assessment of Internal Control System by SDUs is carried out fundamentally be means of
Internal Control System Question Form Other tools such as checklists and questionnaires can also
be benefited from during the evaluation process Furthermore the opinions of the managers
requests and complaints from organisation andor individuals are taken into consideration in the
evaluations Evaluations are carried out at least annually Quarterly or semi-annual evaluations can
be carried out as well
Coordination of the assessment conveyance of the questionnaires to the relevant units and
consolidation of the responses are tasks of Internal Control sub-units in the SDUs
The staff to be assigned from the SDU must be determined to support the process of filling
the questionnaires and the evaluation process must be planned In the plan a representative must
be appointed for each unit and where the number of staff is insufficient at least one person must
be assigned as responsible and this must be communicated to the relevant units This responsible
person must provide guidance to the units in filling the questionnaires
Spending units are obliged to respond to the questions on Risk Assessment Control Activities
and Information and Communication Responding to the questions in the Control Environment and
Monitoring parts is at the discretion of spending units
SDUs must complete the sections on control environment and monitoring in the internal
control question forms which they will fill in as spending units
The following steps should be followed while evaluating the internal control system:
- Primarily, unit managers should organise an opening meeting for the representatives from
the SDUs. In this meeting guidance should be provided for responding to the questionnaire
and the deadline for completing the questionnaire should be announced.
- The timetable for the questionnaire and the SDU representative and their contact details should
be communicated to the unit manager along with the questionnaire itself. The units must be
given a reasonable amount of time to complete the questionnaire, which should be not less
than one week.
- The questionnaire should be completed with the participation of sub-unit managers and
staff under the coordination of the unit manager.
- When completing the questionnaire, spending units should bear in mind that this is a kind of
self-assessment; through the answers they give to the questions they essentially assess
their own units. Within this framework, while completing the questionnaire they should make
an in-depth assessment of the functioning of internal control in their own units.
- Where necessary, support should be received from the SDU representatives.
- When the questionnaire is received by the SDU representative, each question should be
checked and any misunderstanding should be corrected during this process. To this end, the
SDU representative is entitled to get in touch with the unit manager regarding responses to
the questionnaire.
- Internal audit units/internal auditors can be asked for support and recommendations when
there is a need for checking the accuracy of the information in the questionnaire.
- Following the submittal of all questionnaires, the SDUs should consolidate the questionnaires
and prepare the evaluation report, resorting primarily to the questionnaires and also to the
following sources of information:
  - action plans produced on the basis of internal and external audit reports;
  - information on budget and ex-ante financial control; and
  - other sources of information (opinions of the managers, requests or complaints by
individuals and/or administrations).
- Given that the evaluation report will be produced using the above-mentioned information
sources (questionnaire, internal and external audit reports, budget, ex-ante financial control
information, etc.), it should be kept in mind that this process will take time.
While assessing the results of the questionnaire, the points should be added up and converted to a
percentage for each section. For example, the total number of points that can be scored for the
Control Environment section is 44. If the Unit's score was 22 out of 44, the percentage result is 50%.
The percentage scores should be recorded for each section, together with a percentage score for the
whole questionnaire (using the total possible points total of 116).
The percentage scores should be interpreted as follows, separately for each category and also for
the overall percentage score:
Table 1 - Interpretation of the Results of the Internal Control Question Form
Score (%) | Interpretation
0-25      | Evidence of some awareness and understanding, but still in the early stages of internal control development. Direct action needed by SDU to provide guidance.
25-50     | Evidence of implementation that is planned and in progress. Action needed by SDU to provide further guidance.
50-75     | Evidence of implementation in some key areas. Further guidance may be required by the SDU.
75-95     | Evidence that implementation of internal control is embedded and a good capability is established. SDU may wish to identify the best areas as examples of best practice and inform CHU.
95-100    | Evidence of a mature internal control system with excellent capability established. CHU will wish to use it as an example of best practice.
5.2 Reporting of Internal Control System Evaluation Results
The SDU prepares a report on the activities carried out for establishing and developing the
internal control system and on the evaluation of the functioning, effectiveness and efficiency of
the system. It is appropriate to use the 'Internal Control System Evaluation Report' template
contained in Annex 2 when turning the assessment results into a report.
In the preparation of the aforementioned report the "Internal Control System Questionnaire" is
an important basis. The report should include, alongside information on the operation of the
internal control system, the steps taken for strengthening it. Furthermore, the areas where no or
insufficient controls exist, where controls do not work properly or where the controls are excessive,
and the plans and tables produced to address the problems identified, should also be covered in the report.
The report produced is reviewed by the ICRSB if there is one in the administration. If not, it is
reviewed by a board consisting of authorising officers or assistants assigned by them, chaired
by an authorising officer or a Deputy of the Senior Manager. After any shortcomings have been
eliminated, the board submits the report to the Senior Manager for approval.
The annual evaluation report approved by the Senior Manager must be sent to the CHU by
the SDU by the end of March of the following year.
5.3 Monitoring of Internal Control System Evaluation Reports
The measures and actions to be taken and the arrangements to be made regarding the
aspects identified in the Internal Control System Evaluation Report as requiring development must
be set out within the framework of managerial responsibility. In certain areas, in order to eliminate
the gaps, the unit managers will have to take action. Furthermore, if there are horizontal problems
on which most of the units are found to score low, actions for improvement should be initiated
by the Senior Manager.
The measures and actions to be taken and the arrangements to be made must be
implemented in the context of an action plan within a designated period of time. SDUs must monitor
the implementation results of the aforementioned measures, actions and arrangements at least
semi-annually and inform the Senior Manager about the implementation results.
5.4 Work to be carried out by SDUs concerning Internal Audit Reports
In accordance with Article 64 of Law No 5018, reports submitted by internal auditors to the Senior Manager shall be sent to the concerned unit and the SDU,
following assessment by the Senior Manager, for the necessary action to be taken. It is appropriate that SDUs assess the report sent by the Senior
Manager in light of the following questions.
Table 2 - Evaluation of the Internal Audit Reports by the SDUs
Question 1: What information is available in the report about the effectiveness of the internal control
system? For example, what information does the internal audit report include on risk management?
Question 2: Are there any problems according to the internal audit report? What are the problems in
question?
Question 3: What are the works to be carried out by spending units for fixing these problems? SDUs
may provide spending units with guidance on the actions to be taken.
Question 4: What are the works to be carried out by the SDU for fixing these problems? Taking these
problems into consideration, the SDU identifies the measures to be taken in the Internal Control
System Evaluation Report to be submitted to senior management.
Question 5: Identifying the training need within the framework of the shortcomings related to the
internal control system, the SDU can demand that new training programmes be developed or the
available programme be revised.
Question 6: Has the SDU done what is necessary for fixing these problems? It should be found out
whether the SDU has done the necessary works (delivering trainings/giving recommendations) for
fixing the problems.
6 Internal and External Audits
In accordance with Law No 5018, the audit of our financial management and control
system is divided into two categories: internal audit and external audit. Internal audit is carried out
by the internal auditors working in the administrations within the scope of general government,
with the exception of regulatory and supervisory institutions. External audit of the administrations
under general government, on the other hand, is carried out by the Turkish Court of Accounts.
6.1 Internal Audit
Articles 63-67 of Law No 5018 set out the overall scope of the internal audit system, and the
professional framework has been established by secondary and tertiary legislation.
Activities and transactions of all units of public administrations, including those abroad
and in the provinces, are subject to internal audit in line with audit standards, within the
scope of risk-based audit plans and programmes, using a systematic, consistent and well-disciplined
approach.
The most distinctive difference between the existing inspection boards and the internal
audit designed by the aforementioned Law is that internal auditors have a limited authority which
merely enables them to notify the most senior person in the administration when they find cases
requiring investigation during the course of or following the audit, whereas inspectors have the
authority to initiate investigations and directly submit reports containing the findings of the
investigations to the legal authorities.
6.1.1 Definition and Aim of Internal Audit
Internal audit is defined in Article 63 of Law No 5018 as follows:
Box 2 - Article 63 of Law No 5018
"Internal audit is an activity of providing independent and objective assurance
and consultancy performed in order to improve and add value to the activities of
the public administrations by evaluating whether the resources are managed in
conformity with the principles of economy, effectiveness and efficiency and by
providing guidance. Such activities are performed with a systematic, regular and
disciplined approach and in accordance with generally accepted standards,
aiming to evaluate and improve the efficiency of risk management and of
management and control processes on the management and control structures
and financial transactions of administrations."
In the above definition, "objective assurance" refers to providing sufficient assurance within
and outside the organisation that an efficient internal control system exists in the organisation, that its
risk management, internal control system and business processes operate efficiently, that the information
produced is accurate and complete, that the assets are safeguarded and that the activities are carried out
in an efficient, economic and productive manner in line with the legislation.
Alongside the objective assurance it provides, internal audit offers independent and
impartial consultancy to assist administrations in developing their risk management, control and
management processes. Consultancy covers providing recommendations to evaluate and
improve the activities and business processes of the administration, aimed at the achievement of its
objectives in a systematic and regular manner.
Internal auditors get involved neither in the design or implementation of internal
control systems nor in the selection of control actions.
6.1.2 Monitoring within the scope of Internal Audit
Internal auditors submit their reports directly to the Senior Manager of the public administration.
Following evaluation by the Senior Manager, these reports shall be given to the concerned units
and the SDU for the necessary action to be taken. Internal audit reports and the actions taken on them shall
be sent by the head of the public administration, within two months at the latest, to the Internal Audit
Coordination Board.
Audit results are monitored within the framework of the Public Internal Control Reporting
Standards published by the Board. The corrective actions and advice recommended
by the internal auditor following the internal audit activity shall be completed by the auditee within
the time period indicated in the relevant report. The Senior Manager shall follow up whether the
measures stated in the report have been taken or not. The Senior Manager can fulfil this duty through
the internal audit unit (through internal auditors in administrations where there is no unit). Internal audit
units (internal auditors in administrations where there is no unit) prepare a follow-up system to
monitor the implementation of internal audit reports.
Unit directors take the necessary actions regarding the recommendations included in the audit
report about the audited activities. In the event that no action could be taken, the head of the internal
audit unit informs the Senior Manager.
If the recommendation or corrective measure to be taken will take a certain period of time,
this shall be stated in the response to the audit report, and the relevant unit shall communicate the
developments to the internal audit unit at least every six months.
Actions taken by the audited units upon the report, or the justifications for not taking action,
are sent to the internal audit unit to be submitted to the internal auditor.
6.2 External Audit
Another means that contributes to accountability is external audit. In this context, external
audit has an important role in the fulfilment of the legislative body's budget right and in the effective,
efficient and economic use of public resources. The Turkish Court of Accounts carries out the audit of
the financial activities and transactions of public administrations on behalf of the legislative
body.
6.2.1 Aim of External Audit
The purpose of the ex post external audit to be performed by the Court of Accounts is to
audit, within the framework of the accountability of public administrations within the scope of
general government, the financial activities, decisions and transactions of management in terms of
their compliance with the laws, institutional purposes, targets and plans, and to report the results to
the Turkish Grand National Assembly.
6.2.2 Scope of External Audit
External audit is divided into two categories, namely regularity audit and performance
audit.
Regularity audit is carried out by means of the following:
- detecting whether the revenues, expenditures and goods of public administrations and the related
accounts and proceedings are in compliance with the laws and other legal regulations;
- giving opinions about their accuracy and reliability after assessing the financial reports and
statements of public administrations and all documents produced in relation to these
reports and statements; and
- assessing the financial management and internal control system.
Performance audit, on the other hand, is the act of measuring activity results in light of the
objectives and indicators identified by administrations within the framework of
accountability.
6.2.3 Functioning of External Audit
External audit makes use of the accounts and other relevant documents of the public
administration. Where the TCA needs them, the reports of the internal auditors can also be requested.
Reports produced upon the audits are consolidated by the administration and submitted to the Senior
Manager to be responded to, and finally an external audit overall evaluation report, produced
considering the external audit reports and the responses to them, is submitted to the Turkish Grand
National Assembly. It is possible to make external audit results into administration-based or topic-
based reports and submit them to the TGNA as individual reports.
6.2.4 Coordination between External Audit and Internal Audit
Ensuring coordination and cooperation based upon communication, common
understanding and trust between external audit and internal audit is important for
increasing the efficiency of both external audit and internal audit. Furthermore, such coordination
and communication will ensure effective use of audit resources by preventing unnecessary
repetition of audits.
In accordance with Law No 5018, the Court of Accounts can make use of internal audit reports
within the framework of such coordination and communication. Moreover, the internal
audit standards state that the head of the internal audit unit shall share available information with other
internal and external auditors and conduct his activities in coordination with them.
7 Internal Control Assurance Declarations
The new financial management and control understanding brings forward the concepts of
financial transparency and accountability. Briefing the public and the judicial organ on the activities of a
public administration, which are carried out in order to attain its objectives and aims, and on their
results is one of the most important requirements of managerial accountability.
In this way, those carrying out public services feel more responsible and work in an
outcome-oriented manner, the beneficiaries of public services are informed on how the taxes
they pay are used and on the performance of public administrations, and the strengthening of public
scrutiny as well as legislative audit is encouraged. To this effect, in the new financial management and
control system it is stipulated that authorising officers [5] prepare unit activity reports, the Ministry of
Internal Affairs prepares an Assessment Report regarding the activities of local administrations, the Ministry
of Finance prepares the Overall Activity Report, and the Court of Accounts informs the
Turkish Grand National Assembly with its own assessments.
In order to deliver the concepts of financial transparency and accountability, the actors of
the system, the Senior Managers and the authorising officers allocated appropriations from the
budget, have been commissioned to prepare internal control assurance declarations and attach
these declarations to the activity reports of the administrations and those of the units [6].
Within this framework, those who need to give an internal control assurance declaration and
the type of declaration they will give are shown in the following table:
Table 3 - Types of Internal Control Assurance Declarations
Those who will give an internal control assurance declaration | Type of internal control assurance declaration
Senior Manager       | Internal Control Assurance Declaration (Senior Manager) (Annex 3A)
Authorising officers | Internal Control Assurance Declaration (Authorising Officer) (Annex 3B)
Head of SDU          | Declaration of the Head of SDU (Annex 3C)
[5] Unit activity report and internal control assurance declaration are prepared by those authorising officers to whom an
appropriation is allocated in the budget.
[6] Art. 8 of the Principles and Procedures regarding Internal Control and Ex-ante Financial Control; Art. 19 of the By-law on the
Preparation of the Activity Reports of Public Administrations, Annexes 2, 3 and 4.
On the other hand, every authority signing the internal control assurance declaration should
be sure that the assurance given is supported by the evaluation reports issued by the SDU, internal
and external audit reports, other external assessments and similar sound evidence. Furthermore,
while filling in the internal control assurance declaration of his administration, the Senior Manager should
assess the Assurance Declarations of the authorising officers and the Head of SDU and should state in the
Internal Control Assurance Declaration that the reasonable assurance these declarations gave
him formed an important basis for his own declaration.
7.1 How to complete Internal Control Assurance Declarations
Guidance on the internal control assurance declarations to be completed by the Senior
Manager (Annex 3A), the Authorising Officer (Annex 3B) and the Head of SDU (Annex 3C) is as follows.
7.1.1 Guidance on Internal Control Assurance Declarations for Senior Manager
and Authorising Officer
The Internal Control Assurance Declaration (ICAD) is comprised of four main parts, namely
Responsibility, Basis of Internal Control System and Assurance Declaration, Risk Management and
Assessment of Internal Control System (Annex 3A and Annex 3B).
In completing the two Annexes 3A and 3B, Senior Managers and Authorising Officers should
observe the standard templates and complete the relevant boxes. Each box has a cross-reference
to where more information can be found in the main body of this chapter.
7.1.1.1 Responsibility
The Senior Manager is responsible for establishing, operating and monitoring an effective
financial management and control system which will contribute to the realisation of the objectives
and aims of his administration. Within this framework he is obliged to take the necessary measures in
order to ensure that regulations regarding the internal control system are adopted by employees and
that internal control standards are observed. The authorising officer is responsible for the compliance of
spending orders with the budget principles, laws, by-laws and regulations, as well as for the
economical and efficient use of appropriations and the functioning of internal control within the
framework of his duties and authorities.
As the paragraph of the ICAD regarding responsibilities is drafted within this framework, the name
of the relevant administration should be written only in the part marked [administration]; other
than this, no change should be made to the text.
7.1.1.2 Basis of Internal Control System and Assurance Declaration
The aim of the internal control system is to ensure the following in order to give reasonable
assurance on the realisation of the strategic objectives of the administration:
- effective, efficient and economical management of public revenues, expenditures,
assets and obligations;
- public administrations carrying out their activities in line with the law and other
applicable regulations;
- prevention of corruption and irregularity in every kind of financial decision and
operation;
- obtaining regular, timely and reliable information and reports for decision-making and
monitoring; and
- prevention of abuse and waste of assets and protection against losses.
However, the internal control system will not give the administration absolute assurance of the
realisation of the aims mentioned above, even where it is designed and operated very well,
because some factors outside the influence and control of the administration can affect its capacity
to attain its objectives. Therefore it must be accepted that the internal control system
gives reasonable, not absolute, assurance to management on the realisation of objectives.
The cost of internal control should not exceed the benefit obtained. Management has
to take into consideration the costs of controls and their benefits while making decisions on the design of
responses to risks and control activities. The authorising officer in the same manner has to take these factors into
consideration while identifying and assessing the risks related to his unit.
On the other hand, in identifying weaknesses in the internal control system, correcting the
faults and contributing to the development of the system, the Senior Manager/authorising officer
receives support from internal and external assessments made within the framework of
management information systems, evaluation reports issued by the SDU, internal and external audit
reports and other internal and external assessments. Therefore it is appropriate that such support
be explained in the ICAD by the Senior Manager/authorising officer.
7.1.1.3 Management Information Systems
Managers need financial and non-financial information in order to detect whether the
administration has attained its objectives and aims and whether the accountability function has
been fulfilled for the effective, economical and efficient use of resources. Such requirements can
best be met, and timely and accurate decisions made, only if proper,
accurate, timely and accessible information is available.
Therefore the management information system in the administration should be designed in a
way that produces the information and reports needed by management and gives
the opportunity to carry out analysis.
The Senior Manager/authorising officer should briefly describe in the ICAD the management
information system that is available in the administration/unit and explain what contribution this
system makes to the functioning of the internal control system.
7.1.1.4 Internal Audit
Responsibility for establishing an adequate and effective internal control system rests with the
Senior Manager. By giving information to management on the effectiveness, adequacy and
functioning of the internal control system and making assessments and recommendations, internal audit
plays an important part in helping senior management fulfil this responsibility.
Within this framework, during the audits carried out by internal auditors the following is established:
- whether the internal control system functions in a sound manner; and
- the success of the internal control system in ensuring compliance with the legislation and relevant
regulations, the accuracy of accounts and operations, the reliability of
financial statements, and the effective, economical and efficient
execution of the activities, programmes and projects of the administration.
The Senior Manager, on the other hand, assesses the factors which internal audit reports envisage
being corrected and improved, and takes the necessary measures.
First of all, the Senior Manager should state in the ICAD whether his administration has an internal
audit unit or not. If there is one, he should give in this part of the declaration a brief summary of the measures taken
regarding the adequacy, effectiveness and functioning of the internal control system in line with the
recommendations and assessments of the internal auditors.
The Senior Manager can explain in the ICAD how the action plans prepared
by the audited units regarding the measures to be taken by the administration as a result
of internal audits are monitored, and can also touch upon the support provided by the internal
audit unit, if any, regarding that monitoring activity.
The authorising officer, on the other hand, can explain in the ICAD the action plans prepared
on the measures that need to be taken by his unit as a result of internal audit and their
implementation.
7.1.1.5 External Audit
The Senior Manager/authorising officer should include in the Internal Control Assurance Declaration
a summary of the relevant findings and assessments, if the Court of Accounts has conducted an
external audit, as well as of the operations carried out by the administration in response to these
findings and assessments.
If an operation in relation to external audit reports of previous years has been carried
out within the year, a summary of such operation should be included in this part of the
declaration.
7.1.1.6 Strategy Development Unit (SDU)
The SDU carries out studies in such fields as establishing the internal control system and implementing
and developing the standards, and submits the results to the Senior Manager.
Although the duty of setting standards and methods in financial management and internal control
processes is assigned to the Ministry of Finance, every kind of method, process and standard
regarding specific operations which are considered necessary is prepared by the SDU and submitted
for the approval of the Senior Manager, provided that they do not conflict with Law No
5018 and the standards set by the Ministry of Finance. The authorising officer bases his activities on the
relevant regulation along with the legislation.
Furthermore, the SDU prepares an annual Internal Control Evaluation Report on the functioning of the
internal control system and submits it to the Senior Manager. Therefore the Senior Manager should
mention in the ICAD these regulations and Internal Control Evaluation Reports regarding the financial
management and control system prepared by the SDU and put into force following his approval.
Within this framework, the authorising officer should touch upon in the ICAD the guidance
provided by the SDU for the sound functioning of the internal control system in the unit.
7.1.1.7 Risk Management
Administrations set out their missions and visions as well as their objectives, aims and basic
policies in their strategic plans. While preparing their strategic plans, administrations analyse their
institutional strengths, weaknesses, threats and opportunities.
With the help of such techniques as SWOT and PESTLE analyses, administrations have the
chance to identify, define and assess the risks they may come across in carrying out their activities.
Generally, a risk is an uncertain event that may occur, together with its unfavourable outcomes and impacts.
Risk is generally considered to be the threats which prevent the realisation of aims and objectives;
however, well-managed risks pave the way to benefiting from probable opportunities.
The two most important components of administrative risks are probability and impact.
Therefore, while addressing a risk, both the probability of occurrence and the impact it may create if it
occurs are handled. The most important feature of the risk concept is that it is inevitable. Therefore the
administration should prefer managing risks to overlooking them and resorting to crisis
management when they occur. It should be emphasised that, as time and resources to manage risks
are limited and it is impossible to eliminate risks, the necessary control activities are conducted to keep
risks at a tolerable level.
Risk perception, risk awareness and risk appetite can differ according to the
organisational structure, human resources and activities of an administration. Therefore the Senior
Manager should include in the ICAD the following elements, relating them to the activities and
functioning of the administration (Authorising Officers should take into consideration only the parts
included in their own ICADs).
7.1.1.8 Risk perception of administration
The following should be summarised:
- the leadership the Senior Manager has in the risk management process;
- how risk awareness is raised among the staff and how the staff are encouraged to
practise risk management;
- the administrative risk appetite and how it is perceived by the staff; and
- whether there is a commonly agreed risk perception among the staff.
7.1.1.9 Capacity to cope with risks
For effective risk management, the following should be explained:
- how training is provided and awareness is raised among the staff;
- how the staff are guided in addressing the relevant risks in relation to their duties and
responsibilities, and how and when they will consult senior management in the field
of risk management; and
- how risk management is internalised within the framework of the overall activities of the
administration/unit.
7.1.1.10 Risk identification and assessment
What affects the activities of an administration is not merely financial risk. In relation to the
activities of an administration/unit the following risks can also be encountered:
- risks with external sources, such as political, economic, social, cultural, technological,
environmental, legal and ethical risks; and
- risks with internal sources, such as assets, infrastructure, labour force and organisational
structure.
Assessing the risks with external sources can be handled within the strategic risks of an administration.
Spending units should give more attention to the operational and functional risks related to their
own fields of activity. The various risk categories in relation to the activities of the administration, and how
such risks are assessed, should be briefly explained in the ICAD (for example, whether risks are
classified as risks to be eliminated, to be transferred, to be managed or to be tolerated).
7.1.1.11 Addressing, controlling, monitoring and reporting risks
The responses to be given to identified risks and the method of addressing risks should be briefly
explained. It should be stated whether a risk register, a report on risk status, a consolidated risk
report and similar methodologies are functional in the administration or not.
Defining the following for the control environment, and reporting after effective
monitoring, will strengthen the effectiveness of internal control:
- impact;
- probability;
- responses to be given and measures to be taken;
- ownership; and
- type and frequency of reporting.
Taking into consideration that the ICAD is a declaration, made within the framework of
accountability, that the internal control system of the administration gives reasonable assurance
supported with evidence, a summary of the above-mentioned explanations regarding risk perception and risk
management should be made.
7.1.1.1.2 Assessment of Internal Control System
While preparing ICAD, an assessment related to the effectiveness of the internal control system in the activity period should be included. It is quite useful to touch especially upon the specific high-risk areas and the positive and negative developments regarding the internal control system in these areas. As such areas can vary according to organisational structures and activities, it is appropriate to make the assessment according to the following headings:
Human resources: differences regarding the key personnel of the administration/unit, differences regarding the qualities that activities necessitate, wage policy, working conditions, developments regarding underemployment/over-employment;
Physical infrastructure and assets: developments which can influence the fundamental activities of the administration/unit in physical infrastructure and in all the assets of the administration/unit;
Information and communication infrastructure: the information infrastructure, software and hardware park that the administration/unit uses, important developments regarding information systems, new or updated information systems;
Data security: assessment of the effectiveness of controls regarding the security of the confidential strategic information of the administration/unit;
New structures and changing fields of activity: how structures that emerged in the administration/unit as a result of changes in the foundation law of the administration, or a new division of duties and activities among administrations, are reflected in the internal control system;
Problems encountered in main fields of activity, or examples of good practice: the Senior Manager/authorising officer should include in the assurance declaration the problems which are experienced because of inner and outer factors and are rooted in weaknesses of the internal control system. Besides, the measures to be taken in order to overcome such problems should be summarized in the declaration. Likewise, threats eliminated with the help of an effective internal control system should be touched upon within the scope of 'good practices';
Developments regarding weaknesses stated in previous years: the Senior Manager/authorising officer should include in this part the measures taken and the improvements experienced regarding the weaknesses and problems contained in the assurance declarations of previous years; and
Other developments: the Senior Manager/authorising officer should include in this part important developments, if any, which are not within the scope of the above-mentioned headings.
The Senior Manager/authorising officer may not feel comfortable touching upon the weaknesses and problems listed above in ICAD. However, it is clear that no assurance declaration which does not mention any threat, problem or weakness will be convincing or meet the requirements of the transparency and accountability principles. What is important is to emphasize that controls are developed and the internal control system is strengthened for the identified problems and weaknesses.
Proceedings which are not found to be appropriate following ex-ante financial control: the authorising officer should include in this part the proceedings performed which were found to be inappropriate by financial services, if any. The supporting opinion, report and evidence of the authorising officer, despite the negative opinion, should be summarized to contribute to accountability.[7] If there is no such proceeding as mentioned above, then the expression "there is no such proceeding I performed that is not found to be appropriate by SDU" should be available in the assurance declaration.
On the other hand, the Senior Manager should state, while filling in the Internal Control Assurance Declaration, that he evaluated the Assurance Declarations of the Authorising Officers and the Head of SDU, and that the reasonable assurance provided by these declarations formed an important basis for his own declaration.
In case the Senior Manager received support from support and consultation boards/Boards established officially or unofficially (ad hoc), such support should be explained in ICAD. It is possible that these boards/Boards prepare reports regarding the assessment of the internal control system, emphasizing risk strategy and risk management, to be submitted to the Senior Manager. Where a support/consultation unit similar to those called Consultation Board, Audit Board, Risk Board or Steering Board, which differ among countries/administrations in composition and working style, has been established, the support received from such a Board should be summarized, which will strengthen the assurance that the declaration provides.
7.1.2 Guidance for Internal Control Assurance Declaration of Head of SDU
[7] Regulation on Principles and Procedures regarding Internal Control and Ex-Ante Financial Control, Article 28: The financial services unit keeps a record of transactions carried out by the authorising officers despite the fact that ex-ante financial control declared them inappropriate, and these records are submitted to the Senior Manager monthly. The said records are also provided to auditors during internal and external audit.
The Declaration by the Head of SDU (DHSDU) is a very important element which lays the groundwork for the assurance that the Senior Manager needs to provide regarding the internal control system in their administration (ANNEX 3C).
In completing Annex 3C, Heads of SDU should observe the standard templates and complete the relevant boxes. Each box has a cross reference to where more information can be found in the main body of this chapter.
The Head of SDU is responsible for ensuring that the internal control system is implemented and monitored, and that their opinions and recommendations are reported to the Senior Manager so that the necessary actions can be taken in time, in order to ensure that the activities in the administration are carried out in accordance with the financial management and control legislation and other legislation, and that public resources are utilised in an efficient, effective and economic manner.
As the Field of Competence part of the DHSDU is based on this framework, this part should not be changed either, except for writing the name of the administration in the brackets (administration).
Furthermore, if the declaration is supported by the explanations under the following headings, it will be the basis for the reasonable assurance that the Senior Manager has to provide to the public.
7.1.2.1 Management Information Systems
The Head of SDU needs financial and non-financial information to identify whether the aims and objectives of the administration are reached, whether resources are used effectively, efficiently and economically, and whether accountability purposes are met. Meeting these requirements and ensuring timely and right decision making by the administration's management is only possible with the existence of proper, accurate, timely, up-to-date and accessible information.
Therefore, the management information system within the administration must be designed in a manner to produce the information and reports needed by the management and to provide them with the chance to make analyses.
The Head of SDU should include in the declaration explanations that the activities in the administration have been carried out in compliance with the legislation and in line with the budgets prepared according to the strategic plan and annual performance programmes, and should provide supportive evidence. They should explain the contribution made by the management information systems utilised in the administration to the legality of the activities.
7.1.2.2 Development of Internal Control System
SDUs are responsible for the establishment of internal control systems in the administrations and carry out studies regarding the implementation and development of the standards. In this part of the declaration, the Head of SDU should mention the studies carried out to ensure that the internal control system of the administration is harmonised with the Public Internal Control Standards, and should briefly describe the process for the design of job descriptions, the formation of business processes, and the preparation and implementation of action plans.
7.1.2.3 Monitoring and Review
The Head of SDU should include supportive evidence regarding the ex-ante financial control activities carried out in line with the legislation and the approval from the Senior Manager, and regarding the monitoring of the due process control. In addition, it should be stated that the transactions carried out by the authorising officers despite a negative opinion upon ex-ante financial control are recorded and submitted to the Senior Manager on a monthly basis for information purposes.
On the other hand, it should be stated that the financial decisions and transactions to be subject to ex-ante financial control by the SDU are grouped according to their type, cost and subject, considering the risky areas, and are reviewed at least once a year.
Among the duties of the SDU are: establishing performance and quality criteria in issues within the duty field of the administration; collecting, analysing and interpreting the data and information on the management of the administration and on the improvement of the services and performance in issues within the duty field of the administration; analysing the external factors which will affect services; conducting capacity research within the institution; analysing the effectiveness of the services and the level of satisfaction with these services; and doing general research in that sense.
In this context, the Head of SDU should include in the declaration the studies carried out to increase the quality of the services provided by the administration, the studies for analysing the external factors which will affect services, the capacity research within the institution to analyse the effectiveness of the services, and the conclusions of these evaluations.
In this part of the declaration, the Head of SDU should provide explanations about the arrangements prepared by their unit and put into effect upon the approval from the Senior Manager.
Finally, the studies regarding the establishment of the internal control system in the administration, the implementation and development of the standards, and the process whereby the financial management and control system of the organisation is reviewed on an annual basis and reported to the Senior Manager should be described.
7.1.2.4 Briefing and Advising
Providing the necessary information and consultancy to the Senior Manager and Authorising Officers regarding the implementation of financial laws and other related legislation is also among the duties of SDUs.
In this part of the DHSDU, it should be underlined that coordination has been ensured while working with the spending units regarding the establishment of the internal control system and the implementation and development of the standards. A brief explanation that information and consultancy has been provided to the Senior Manager and Authorising Officers regarding the implementation of financial laws and other related legislation should be included.
7.1.2.5 Financial Information
The Heads of SDU should themselves be convinced, on the basis of the supportive evidence, that the information included in section III.A (Financial Information) of the Activity Report is reliable, complete and accurate.
MONITORING ANNEXES
Annex 1 Internal Control System Question Form
INTERNAL CONTROL SYSTEM QUESTION FORM
This questionnaire is designed for public administrations to see whether the internal control system complies with the internal control standards. Furthermore, it will provide the opportunity to identify to what extent the internal control system facilitates the achievement of objectives, considering the changing conditions, resources and risks. It is of crucial importance that those responding to this questionnaire give factual answers to the questions, as the questionnaire will be used to identify the level of advancement of the internal control system in the administration.
Heads of units are responsible for making an in-depth assessment of the functioning of internal control in their respective units and completing the internal control questionnaire. Within this framework, the questionnaires completed by heads of units under the guidance of SDUs are sent back to the SDUs to be consolidated and formed into an overall evaluation report for the entire administration. SDUs submit the report produced using these questionnaires to the CHU following approval by the Senior Manager.
Completing the questionnaire
This questionnaire is made up of five parts, each of which is based on one of the components of Internal Control:
Control Environment;
Risk Assessment;
Control Activities;
Information and Communication; and
Monitoring.
Each part includes questions regarding the functioning of the internal control system in the context of the aforementioned components. Attention should be paid that the responses to the questionnaire are consistent with the administration's action plans produced to achieve compliance with the Public Internal Control Standards.
Spending units are obliged to respond to the questions about Risk Assessment, Control Activities and Information and Communication. Responding to the questions about Control Environment and Monitoring is at the spending unit's discretion.
The response part is made up of three options: YES, NO and IN DEVELOPMENT. There is also a fourth column titled EXPLANATION. YES means that the issues included in the question are properly understood and implemented within the administration/unit. NO means that the issues included in the question are not understood or implemented within the unit/overall administration. IN DEVELOPMENT means that the issues included in the question are partially understood or implemented in the unit/some divisions of the administration. In the explanations part, evidence and recommendations should be written, if any. Guidance is given following the questions with a view to helping better understand the questions.
The questionnaire will be evaluated by means of scores assigned to the answers to each question. The answer "Yes" will correspond to score "2", the answer "In Development" to score "1" and the answer "No" to score "0". For each chapter of the questionnaire a total score will be calculated. Besides, there will be a total score for the whole questionnaire.
If the answer "No" is given in response to a question, steps should be taken by the Head of Unit/Senior Manager to improve the relevant areas.
If the answer "In Development" is given in response to a question, the Head of Unit/Senior Manager should assess what can be done to achieve progress in the relevant area.
If the answer "Yes" is given in response to a question, then it means that there is no factor in that area which needs improvement.
Taking into consideration that this questionnaire is a kind of self-assessment and that the internal control system is a new practice for administrations, please give realistic and reliable answers.
In the event that you have some hesitations in completing the questionnaire, please refer to the SDU.
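As an added example (not part of the manual), the following Python scorer applies the rules stated above for consolidating a completed question form: Yes = 2, In Development = 1, No = 0, a total per chapter and for the whole form, the evidence rule from the form's footnotes (a "Yes" or "In Development" answer needs details in the Explanation column), and the rule that spending units must answer the Risk Assessment, Control Activities and Information and Communication chapters. The function names, the Answer/Evaluation structures and the sample answers are constructed for illustration.

```python
"""Scorer for the Internal Control System Question Form (Annex 1).

Added example, not part of the manual. The data structures and the
sample answers below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Scores the manual assigns to each response option.
SCORE = {"Yes": 2, "In Development": 1, "No": 0}

# The five parts of the form, one per internal control component.
CHAPTERS = (
    "Control Environment",
    "Risk Assessment",
    "Control Activities",
    "Information and Communication",
    "Monitoring",
)

# Spending units are obliged to answer these; the other two are at their discretion.
MANDATORY_FOR_SPENDING_UNITS = frozenset(
    {"Risk Assessment", "Control Activities", "Information and Communication"}
)


@dataclass(frozen=True)
class Answer:
    chapter: str
    number: int            # question number within the chapter
    response: str          # "Yes", "No" or "In Development"
    explanation: str = ""  # evidence / recommendations column


@dataclass
class Evaluation:
    chapter_totals: Dict[str, int] = field(default_factory=dict)
    total: int = 0
    to_improve: List[Tuple[str, int]] = field(default_factory=list)   # "No": steps needed
    to_progress: List[Tuple[str, int]] = field(default_factory=list)  # "In Development"
    findings: List[str] = field(default_factory=list)                 # form-level problems


def evaluate(answers: List[Answer], spending_unit: bool = True) -> Evaluation:
    """Score a completed form and flag the answers the manual says need follow-up."""
    ev = Evaluation(chapter_totals={c: 0 for c in CHAPTERS})
    answered = set()
    for a in answers:
        tag = f"{a.chapter} Q{a.number}"
        if a.chapter not in CHAPTERS:
            ev.findings.append(f"{tag}: unknown chapter")
            continue
        if a.response not in SCORE:
            ev.findings.append(f"{tag}: invalid response {a.response!r}")
            continue
        answered.add(a.chapter)
        points = SCORE[a.response]
        ev.chapter_totals[a.chapter] += points
        ev.total += points
        # Form footnotes: "Yes" and "In Development" must be backed by evidence
        # in the Explanation column, otherwise the points are unsupported.
        if points > 0 and not a.explanation.strip():
            ev.findings.append(f"{tag}: {a.response!r} given without evidence")
        if a.response == "No":
            ev.to_improve.append((a.chapter, a.number))
        elif a.response == "In Development":
            ev.to_progress.append((a.chapter, a.number))
    if spending_unit:
        for c in sorted(MANDATORY_FOR_SPENDING_UNITS - answered):
            ev.findings.append(f"{c}: mandatory chapter not answered")
    # Report totals only for the chapters that were actually answered.
    ev.chapter_totals = {c: t for c, t in ev.chapter_totals.items() if c in answered}
    return ev


# Constructed sample: a spending unit that skipped Information and Communication.
SAMPLE_FORM = [
    Answer("Risk Assessment", 6, "Yes", "Risk strategy approved by the Senior Manager, on intranet"),
    Answer("Risk Assessment", 8, "In Development", "Risk register kept for two units so far"),
    Answer("Risk Assessment", 9, "No"),
    Answer("Control Activities", 5, "Yes"),  # no evidence given -> finding
    Answer("Control Activities", 10, "No"),
]

if __name__ == "__main__":
    result = evaluate(SAMPLE_FORM)
    for chapter, points in result.chapter_totals.items():
        print(f"TOTAL POINTS - {chapter.upper()}: {points}")
    print(f"TOTAL POINTS - WHOLE FORM: {result.total}")
    for line in result.findings:
        print("FINDING:", line)
```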
No. | Questions | Yes [8] (2 points) | No (0 points) | In Development [9] (1 point) | Explanation
1. Are the public internal control standards well known in your administration? It will be convenient to deliver trainings and hold meetings with a view to raising awareness in this subject.
CONTROL ENVIRONMENT
The control environment provides a general framework that is the basis for the other components of the internal control system. It is a concept used to describe the setting out of the goals and objectives of the administration, their communication to the staff, and the creation of a due organisational structure and culture. The personal and professional integrity and ethical values of the employees and the management, the supportive attitude towards internal control, the written procedures and practices for human resources management, the organisational structure, the management philosophy and the operating style all have a great influence on the control environment.
2. Are there mechanisms in your administration that ensure the familiarization of all employees with the code of ethics? For example, are trainings provided or meetings organised to adapt the public code of ethics to your administration and to adopt it; are leaflets produced in this regard?
3. Are there any codes of conduct/ethics available in addition to the public codes of ethics produced for your administration?
4. Has any standard been developed in your administration in terms of duration and method for services directly delivered to citizens?
[8] If the response is "Yes", evidence (details of the activities carried out, etc.) must be provided in the "Explanations" column.
[9] If the response is "In Development", the necessary information (details of the activities carried out, etc.) must be provided in the "Explanations" column.
5. Is it ensured that authorised bodies and staff have access to the outputs related to all the works and transactions?
6. Are there mechanisms available in your administration for staff and the other people who receive services from the administration to submit their recommendations, assessments and questions (questionnaires, face-to-face meetings, group meetings, electronic applications, etc.)? It is recommended that the questionnaires to be developed be based upon the principle of confidentiality.
7. Is your administration's mission written down and announced? The mission can be announced to the staff via bulletin boards, intranet or e-mail. Production of a strategic plan indicates that the mission has been set out.
8. Are there any directives, circulars or approvals in your administration regarding the job descriptions of units, sub-units and staff? Job descriptions for the units and sub-units, as well as for staff, must be written down and announced in order to ensure that your administration's mission is being carried out. If the response is "No", when this is going to be done must be stated.
9. Does the organisational chart of your administration demonstrate the key areas of authority and responsibility, reporting lines which are appropriate to accountability, and coordination and integration points? If the response is "Yes", the roles and responsibilities regarding each objective must be set out clearly. An organisational chart for units must be produced.
10. Have procedures regarding sensitive tasks been set out in your administration? It is recommended that the procedures in question be defined in writing and announced to staff, and that a rotation policy regarding sensitive duties be set out. For detailed information on sensitive duties, refer to the Control Environment chapter of the Manual.
11. Are mechanisms available in your administration to enable managers at each level to monitor the results of the tasks assigned? If the response is "Yes", these mechanisms (reports, work plans, regular meetings, automation programs, etc.) must be stated.
12. Have the competence, skill and knowledge each task entails been identified in your administration? In answering this question, it must be assessed whether the factors mentioned above are taken into consideration or not while recruiting staff.
13. Have promotion procedures been defined in writing in your administration? The factors mentioned above must be defined taking into consideration staff performance, and these factors must be announced to staff.
14. In your administration, is there a unit responsible for trainings which identifies the training needs for each task identified and ensures that training activities to satisfy the needs are planned and carried out each year?
15. Do the managers of your administration share the results of the assessments they make on staff competence and performance with the staff? It is recommended that the Senior Managers share the results of the assessments with the staff.
16. Is action taken to increase the performance of staff whose performance is deemed unsatisfactory upon the performance assessment? For example, is any action taken such as providing private training for that person, discussing the areas where their performance is deemed unsatisfactory, or assigning them under the supervision of more experienced staff?
17. Are there rewarding mechanisms in your administration geared towards those staff who give a high performance, and are these mechanisms applied? It is recommended that rewarding mechanisms be developed for staff who give a high performance (picking the employee of the month, abroad assignments, etc.) and that these criteria be announced to all the staff.
18. Have the procedures regarding human resources (staff employment, replacement, promotion, training, performance appraisal, personal rights, etc.) been documented? If so, examples must be provided. The procedures mentioned above must also be announced to staff.
19. Are the bodies of signature and approval set out in the flowcharts? If the response is "No", it is recommended that these business flow processes are defined and the bodies of signature and approval are identified and communicated.
20. In your administration, have delegations been defined in writing? Delegations must include information on their scope, quantity, duration and whether the authority delegated can be delegated to another person. Furthermore, attention should be paid to striking a balance between authority and responsibility in the delegation of power.
21. Have minimum requirements (knowledge, skill and experience) been identified in your administration for staff to be delegated authority? Please explain how you define this knowledge, skill and experience, and how you ensure that the person to whom the authority is delegated has them.
22. Does the employee who receives the authority report to the delegator on a certain basis about the utilisation of the authority? The reporting period must be proportionate to the duration of the delegation.
TOTAL POINTS - CONTROL ENVIRONMENT
RISK ASSESSMENT
Risk assessment is the process where the risks that might prevent the achievement of the administration's objectives are defined and analysed, and the necessary actions are taken. In this section, the risk perception and risk handling capacity of the administration must be self-assessed using the following questions.
1. Have methodologies and responsibilities, as well as reporting procedures, for monitoring and assessing the performance given in the achievement of objectives been identified in the strategic plans? If the answer is "Yes", how the monitoring and assessment processes work in practice must be explained briefly.
2. Have the strategic plan and performance programmes been taken into consideration in budget preparations? The activities and projects carried out to reach the aims and objectives set out in the strategic plan, the indicators to be followed, and the resource needs for these activities and projects must be shown in the performance programmes. Therefore, these strategic plans and performance programmes must be taken into consideration during the budget preparations for the administrations.
3. Do the activities carried out in your administration/unit comply with the aims and objectives set out in the strategic plans and performance programmes? Administrations must focus on the aims and objectives set out in the strategic plans and performance programmes for the effective, efficient and economic use of resources.
4. While setting out the objectives of your administration and units, has it been ensured that they are SMART?
5. Have your units set out, within their area of competency, specific objectives in accordance with the objectives of the administration? Responses to this question by the units that are unable to set out specific objectives (such as support services) must be considered during the evaluation. Furthermore, the specific objectives that have been set out must be announced to staff.
6. Does your administration have a risk strategy and policy document which is approved by the Senior Manager and accessible to all the staff? The administration's risk strategy must be reviewed at least once every year and updated when deemed necessary.
7. Are contributions from employees received in the risk management process? Employees feeling a sense of ownership for risk management (identifying, handling, responding to, reviewing and monitoring risks) and regarding risk management as a part of their work will produce a strong corporate reflex against risks. If the answer to this question is "Yes", please explain how you ensure this contribution.
8. Is risk management, which covers identifying, assessing, responding to and reviewing the risks to your objectives and aims, implemented in your administration? While identifying the risks to the achievement of aims and objectives, a methodology and a certain process must be adopted, and it must definitely be documented (risk register, risk progress report, consolidated risk report and so on). The measures taken by the administrations to mitigate risks must be applied within the framework of action plans.
9. Are annual Internal Control Evaluation Reports prepared in your administration about how effectively the risk management process works in your administration? These reports must cover information about what has been done throughout the year to mitigate risks.
TOTAL POINTS - RISK ASSESSMENT
CONTROL ACTIVITIES
Control activities are the policies and procedures produced to ensure that the administration's aims and objectives are achieved and the risks identified are managed.
1. In your administration, are efficient control strategies and methods set out and practised for each activity and risk? The defined controls must comply with the risks; different control methods must be applied for different types of risks. Control strategies and methods must be set out and applied in the form of periodical reviews, control by sampling, comparison, approval, reporting, coordination, confirmation, analysis, authorisation, supervision, review, monitoring, periodical checks, security of assets, etc. The controls within the administration must also cover ex-ante, process and ex-post controls where necessary.
2. Is a cost-effectiveness analysis made in your administration in identifying control activities? The expected benefit and the cost of the control activity set out must be compared; controls with costs exceeding the benefits must be identified, and less costly alternative controls must be selected.
3. Are there written procedures regarding your administration's activities, financial decisions and transactions? There must be written procedures regarding your administration's activities, financial decisions and transactions. These procedures and the relevant documents must cover the initiation, implementation and conclusion phases of the activity, financial decision or transaction. The procedures and relevant documents must be up-to-date, comprehensive, in compliance with the legislation, and understandable by and accessible to the relevant staff.
4. Do the managers of your administration carry out the necessary controls for the effective and continuous implementation of procedures? The activities and transactions of the administration must be carried out in accordance with the regulations developed in this area. Managers must systematically check whether these regulations are complied with or not (in this regard, such control processes as initials, assent, control lists and physical counts can be defined). Within this framework, managers should monitor whether the work carried out by staff is in compliance with the regulations or not. Manager instructions must be produced about how to remedy the faults and irregularities detected.
5. Is the principle of 'segregation of duties' practised in your administration? The tasks of approving, implementing, recording and controlling each activity or financial decision must be carried out by different people, and compliance with the principle of segregation of duties must be supported by written documents. Where segregation of duties is not possible due to an insufficient number of staff, the managers must be aware of the risks and take the necessary precautions. In such cases, other control procedures must be established to manage the risk.
6. Are the necessary measures taken against the factors that affect the continuity of operation in your administration? The necessary measures must be taken against the factors that affect the continuity of operation, such as an insufficient number of staff, temporary or permanent leaves, the adoption of new information systems, changes to the methods or the legislation, and emergencies. If the response is "Yes", efficient written procedures, trainings, guidance and planning can be provided as evidence.
7. Is the system of deputation applied efficiently in your administration? Where necessary, deputies must be assigned in accordance with the relevant procedures. The person assigned as a deputy must have the necessary qualifications. Detailed internal arrangements must be carried out regarding the deputation procedures included in the personnel laws, and the qualifications required from the deputies must be defined in detail.
8. Do the staff leaving their positions report to their successors about the status of the works and transactions they have conducted? Managers must ensure that staff leaving their positions prepare a report on the status of the tasks and operations, along with the necessary documents, and submit it to their recently assigned successors. The report must include the list of the important tasks being carried out, the risks to be considered as a priority, the list of periodic tasks, and so on.
9. Are there defined authorisations for data and information input and for access to the information system in the administration? The information system must only be accessible to authorised staff. To this end, regularly updated information security software must be used for access to the computer programmes. The arrangements regarding the designated level of security must be complied with while working on documents.
10. Are there sufficient back-up mechanisms and tested disaster recovery plans/action plans for the information system?
TOTAL POINTS - CONTROL ACTIVITIES
INFORMATION AND COMMUNICATION
Information and communication includes a proper system of information, communication and registry that ensures the necessary information is communicated to the person, employee or manager who needs it, in a certain format and in a timely manner, so that the objectives are reached, and that enables the relevant people to fulfil their internal control responsibilities.
1. In your administration, is there an efficient written, electronic or verbal internal communication system that covers both horizontal and vertical communication? The response to this question should include the means/methods (in person, via telephone, e-mail, in writing, etc.) the staff use to communicate with each other or with their managers, and the consideration of whether these are appropriate and/or efficient. In order for the employees to receive the information they need to carry out their work uninterruptedly, it must be ensured that they are in touch with managers from all levels, including top management.
2. Is there an external communication system to ensure efficient communication with external stakeholders? This system monitors communication and checks whether the questions can be answered or not.
3. Do the present internal and external communication systems ensure that the staff or external stakeholders can communicate their expectations, recommendations and complaints? For example, whether Law No. 4982 on the Right to Information is efficiently executed within the administration and whether requests and complaints are responded to in time should be considered.
4. Is it ensured that all the information and documents regarding the activities of your administration are accurate, complete, reliable, useful and understandable? Information systems must ensure timely access to the accurate, complete, reliable and understandable information required while carrying out the operations. The response to this question must include a statement of whether mechanisms (decision support systems, archive and document management systems, etc.) for ensuring the aforementioned principles exist.
158
No Questions
Yes
8
No
In D
evel
op
men
t9 Explanation
Points 2 0 1
5 Do the present information systems
ensure that the objectives set by the
administration are monitored and
activities regarding these objectives are
efficiently supervised and assessed
Management Information
System must be designed in a way that
it produces the information and reports
that the managers need during decision
making processes and provide them
with the chance to make analysis
6. Are there reporting mechanisms with rules and standards set out in line with the monitoring of objectives, the supervision of activities and accountability purposes?
Explanation: The performance programmes, the published financial progress reports that include the expectations and objectives, and the content of the activity reports must be in line with the requirements of the relevant legislation.

7. Is there a documentation and archiving system that complies with certain standards for the recording, classification, protection of and access to the operations and transactions of the administration?
Explanation: While responding to this question, Standard 15 of the Public Internal Control Standards and the legislation on archiving and documentation must be considered.
8. Are there tools available to report, from inside and outside the administration, faults, irregularities and possible or ongoing problems?
Explanation: Employees and outer stakeholders must be informed enough about these tools. There must be a whistle-blowing process and a procedure for protecting personnel, and they must be informed about these. Managers must take the necessary actions to prevent discrimination and ill treatment against whistle-blowers.

TOTAL POINTS - INFORMATION AND COMMUNICATION
MONITORING

MONITORING: The internal control system is a dynamic process in which the administration has to continuously adapt to the risks and changes it faces. Therefore the internal control system needs to be monitored in order to ensure that it adapts to the changing objectives, environment, resources and risks as necessary. The basis for effective and efficient monitoring is the design and implementation of monitoring procedures that are relevant to the administration's objectives and that assess the important controls regarding meaningful risks.

When monitoring is designed and implemented properly, it provides correct and convincing information on the efficiency of the internal control system, identifies internal control failures on time and notifies the people responsible for taking action and, where necessary, the top management. This will ensure that the problems faced are corrected before they harm the objectives of the administration. Monitoring is carried out by the management and by internal and external audit.
1. Is the internal control system monitored and assessed at least once a year?
Explanation: Please explain at what intervals the internal control system in your administration is assessed, and the methods used. The internal control system must be assessed via ongoing evaluations or separate evaluations. It is recommended that these two methods are applied at the same time. (A separate evaluation of the internal control system can be carried out by setting up working groups or via questionnaires.)
2. Are processes and methods set out in your administration to identify and disclose the shortcomings of internal control and improper control methods, and to take the necessary actions?
Explanation: If the response is "Yes", please briefly mention the process and method adopted in your administration. It is recommended that the processes and methods are put into practice upon approval by the Senior Manager. Please give brief information on the responsible staff notified in the event of an incomplete or improper control method, the time limit set for taking action and how these procedures are monitored. Management fulfils this responsibility via SDUs and internal auditors.
3. Are trainings, plenary sessions and meetings held which will create the atmosphere in which managers will be provided with feedback about whether internal control functions effectively or not?

4. Are the units of the administration involved in the evaluation of internal control?
Explanation: If the answer is "Yes", please explain how participation is ensured. It must be ensured that the units take an active part in the process, and the task of evaluating the internal control system must not be perceived as the responsibility of only the Senior Manager, the internal auditor and the SDU.

5. Is there an internal audit unit/internal auditor in your administration?
6. Is there efficient cooperation among the internal audit unit, management and staff?
Explanation: What has been done to increase the level of awareness of the managers and the staff on internal audit activities? What has been done to see the relations with the internal audit unit and the expectations? Please explain briefly.
7. While evaluating internal control, are the opinions of the managers, requests and complaints by people/organisations and the reports produced upon internal and external audit taken into consideration?
Explanation: The method to adopt for the collection, assessment and reporting of the information required for the evaluation of internal control must be set out. Please refer to the staff responsible for assessing the internal and external audit findings and recommendations for the evaluation of internal control, the time limits for these assessments and the management level to which this information is communicated. Compare the internal and external audit reports with the results of the internal control system evaluation by the SDU for consistency. In the event that any inconsistency is identified, the reasons for this must be questioned.
8. Are recommendations from internal audit and the SDU about how to improve internal control taken into consideration by management?

9. Are action plan(s) produced and implemented in which the internal control evaluation results and the recommendations made upon internal and external audit are addressed? Are they followed up?
Explanation: If the timing is appropriate, action plans can be combined. Please give brief information on the staff responsible for following up the action plans and the method used. Furthermore, please provide information on the method used for the follow-up of internal audit reports, if there is any. With which level of management are the results of the follow-up shared, and how often? Please explain.

TOTAL POINTS - MONITORING

GRAND TOTAL
Annex 2: Internal Control System Evaluation Report

..................................... (NAME OF ADMINISTRATION)

INTERNAL CONTROL SYSTEM EVALUATION REPORT

I INTRODUCTION
1.1 Mission
1.2 Aims and Objectives
1.3 Organisational Structure

II INTERNAL CONTROL QUESTIONNAIRE RESULTS
II.1 Consolidated summary of strengths and aspects open to improvement regarding the entire organisation, relevant to each COSO component:
- Control Environment
- Risk Management
- Control Activities
- Information and Communication, and
- Monitoring

III OTHER INFORMATION
III.1 Internal Audit Reports
III.2 External Audit Reports
III.3 Other Information Sources
III.3.1 Budget Information
III.3.2 Data on Ex-ante Financial Control
III.3.3 Requests by Individuals and/or Administrations
III.3.4 Other Information

IV CHANGE SINCE THE LAST REPORT
IV.1 For each COSO component, has the position got better or worse, and why?

V CONCLUSION
V.1 Strengths
V.2 Aspects Open to Improvement
V.3 Recommendations for Action
Annex 3a: Internal Control Assurance Declarations - Senior Manager

I RESPONSIBILITY

As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of [the administration]. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.

II PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION

I declare that my administration's budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements, and that resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.

In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration's revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; my administration operates in line with the laws and other regulations; irregularities and fraud are prevented in each financial decision and transaction; regular, timely and reliable reports and information are acquired for decision making and monitoring; and assets are safeguarded against abuse, waste and losses.

This assurance is based on my knowledge and considerations as the Senior Manager, the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programme, the studies of the SDU, and the internal and external audit reports (if available).

In the following part, the Senior Manager must explain the support provided by the management information systems, the internal and external evaluations within the framework of the quality assurance development programme, internal and external audit, and the SDU.

Management Information Systems
Please read section no 6113 before completing this part.

Internal Audit
Please read section no 6114 before completing this part.

External Audit
Please read section no 6115 before completing this part.

SDU
Please read section no 6116 before completing this part.
III RISK MANAGEMENT [10]

As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration and in the production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, the creation of the necessary organisational capacity and the embedding of risk management into the general activities is valued.

In the following part, the authorising officer should address the risk perception of the administration and its capacity to deal with risk.

Risk perception of the administration should summarise:
Please read section no 6117 and 6118 before completing this part.

Capacity to handle risk
Please read section no 6119 before completing this part.

My administration faces a wide range of risks during the course of its activities. These risks are considered in accordance with the principle that the cost of the internal controls to be developed for control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted at the levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.

In the following part, the Senior Manager should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration's risks.

Identification and assessment of the risks
Please read section no 61110 before completing this part.

Addressing, control environment, monitoring and reporting of the risks
Please read section no 61111 before completing this part.

[10] This part must be completed when the risk management process starts to function in the administration.

IV APPRAISAL OF THE INTERNAL CONTROL SYSTEM

As the Senior Manager, during the preparation of the foregoing declaration I also considered the assurance declarations by the Authorising Officers and the Head of SDU. The information and evaluations I have received from these declarations form an important basis for the assurance I have to provide on the internal control system in my administration.
Furthermore, [advisory, audit, risk steering] boards/committees have been set up within [the administration] to provide support and guidance for the evaluation of the internal control system, particularly in terms of risk strategy and management. Reports prepared by these boards have made a great contribution to the evaluation of the internal control system.

Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term and how these developments have been handled are summarised below.

Please read section no 61112 before completing these parts.

Human Resources
Physical infrastructure and assets
IT and communication infrastructure
Data security
New structures and changing fields of activity
Problems faced in the main fields of activity or examples of best practice
Developments regarding weaknesses stated in previous years
Other developments

(Date)
Signature
Name
Title
Annex 3B: Internal Control Assurance Declaration - Authorising Officer

INTERNAL CONTROL ASSURANCE DECLARATION [11]

[11] Please read section no 611 before completing this part.

I RESPONSIBILITY

As the authorising officer, within my field of competence I am responsible for ensuring that my expenditure orders are in line with the fundamentals and principles of the budget, the laws, rules and regulations and other legislation; that the appropriations are utilised in an efficient, effective and economic manner; and that internal control operates properly.

II PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION

I declare that the operations and transactions carried out by my spending unit comply with the aims and objectives of the administration, high financial management principles, control arrangements and the legislation; that resources allocated with the administration budget to the spending unit have been utilised in line with the planned objectives; and that the internal control system within my unit provides sufficient and reasonable assurance.

This declaration of assurance is based on my own information and evaluations as the authorising officer, and on the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programmes, the studies by the SDU, and the internal and external audit reports.

In the following part, the support provided by the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programmes, and the studies by the SDU should be elaborated by the authorising officer.

Management Information Systems
Please read section no 6113 before completing this part.

Internal Audit
Please read section no 6114 before completing this part.

External Audit
Please read section no 6115 before completing this part.

SDU
Please read section no 6116 before completing this part.
III RISK MANAGEMENT [12]

Within the framework of the overall risk perception, strategy and awareness of the administration, the capacity to handle risk has been determined for the activities specific to my unit, and the necessary importance has been attached to embedding risk management in its activities.

In the following part, the authorising officer should address the capacity to handle risk.

Capacity to handle risk
Please read section no 6119 before completing this part.

My spending unit faces various risks during the course of its activities. These risks are considered in line with the principle that the cost of the internal controls to be developed does not exceed the benefit planned to be gained from them. A systematic approach has been adopted in the spending unit for the identification, addressing, assessment, monitoring and reporting of the risks faced.

In the following part, the authorising officer should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration's risks.

Identification and assessment of the risks
Please read section no 61110 before completing this part.

Addressing, control environment, monitoring and reporting of the risks
Please read section no 61111 before completing this part.

[12] This part must be completed when the risk management process starts to function in the administration.

IV EVALUATION OF THE INTERNAL CONTROL SYSTEM

The following is a summary of the most significant developments experienced in the activities of my unit within the period covered by the foregoing report, and how these developments have been addressed by the internal control system.

Please read section no 61112 before completing these parts.

Human Resources
IT and communication infrastructure
Data security
New structures and changing fields of activity
Problems faced in the main fields of activity or examples of best practice
Developments regarding weaknesses stated in previous years
Other developments

As the authorising officer, I hereby declare that we have also carried out some transactions overriding the opinion of the SDU. Information and justifications for these transactions are as follows:

There is no such work I carried out that was not found to be appropriate by the SDU.

(In this part, list the transactions, if any, carried out by the authorising officer despite the negative opinion provided upon the ex-ante financial control. If there is no such work as mentioned above, then the expression "There is no such work I carried out that was not found to be appropriate by the SDU" should be included.)

(Date)
Signature
Name
Title
Annex 3b: Internal Control Assurance Declaration - Head of SDU

INTERNAL CONTROL ASSURANCE DECLARATION

As the Head of SDU, I declare that the internal control system has been implemented and monitored, and that my opinions and recommendations have been reported to the Senior Manager so that the necessary actions can be taken in time, in order to ensure that the activities in [the administration] are carried out in accordance with the financial management and control legislation and other legislation, and that public resources are utilised in an efficient, effective and economic manner.

Please read section no 612 before completing this part.

In the following part, the studies regarding the management information systems, the development of the internal control system, monitoring and review, and briefing and advising by the Head of SDU should be explained.

Management Information Systems
Please read section no 6121 before completing this part.

Development of Internal Control System
Please read section no 6122 before completing this part.

Monitoring and Review
Please read section no 6123 before completing this part.

Briefing and Advising
Please read section no 6124 before completing this part.

Financial Information
Please read section no 6125 before completing this part.

I confirm that the information included in section III-A (Financial Information) of the Activity Report (year) is reliable, complete and accurate.

(Date)
Signature
Annex 4: Example of a Complete Declaration

INTERNAL CONTROL ASSURANCE DECLARATION
(SENIOR MANAGER)

Name-Surname
Title

I RESPONSIBILITY

As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of the Ministry of Space Exploration. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.

II AIMS AND PILLARS OF INTERNAL CONTROL SYSTEM

I declare that my administration's budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements, and that resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.

In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration's revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; my administration operates in line with the laws and other regulations; irregularities and fraud are prevented in each financial decision and transaction; regular, timely and reliable reports and information are acquired for decision making and monitoring; and assets are safeguarded against abuse, waste and losses.

This assurance is based on my knowledge and considerations as the Senior Manager, the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programme, the studies of the SDU, and the internal and external audit reports (if available).

Management Information Systems

Management information systems have been established in all General Directorates in order to provide information for managers that enables effective decisions to be made and information on changing risks to be monitored in our Ministry. However, not all of our legacy IT systems have been fully assessed for security risks. As part of the measures being taken to strengthen data security governance, we will ensure that the IT systems supporting our most time-critical business processes are reviewed to establish a known risk position by December 2010. We will carry out a review of our remaining systems during 2011.

Internal and External Evaluations Carried Out Within the Context of the Quality Assurance Development Programme

The Presidency of Strategy Development has carried out one internal evaluation of the effectiveness of internal control within the context of the quality assurance and development programme. The main findings of this evaluation are:
- That compliance with internal control standards was good in terms of effective control activities in order to minimise risk.
- An Internal Control and Risk Steering Board has been set up within the Ministry to contribute to the evaluation of the internal control system.
- Unit managers needed to develop their skills regarding ongoing monitoring of internal control systems.

Based on the evaluation findings, the Ministry has produced an action plan which is planned to be put into practice as of June 2010.

There were no external evaluations carried out within the context of the quality assurance and development programme, but the CHU has declared that this is scheduled for 2013.
Internal Audit

Our Ministry's Internal Audit Unit continues to operate within the framework of a three-year audit plan. Internal Audit operated to the requirements defined in the Public Internal Audit Standards. Their audit programme was focused around the Ministry's key risks of internal control, together with recommendations for improvement. The Director of the Internal Audit Unit provided me with an annual Internal Control Evaluation Report which contained an independent opinion on the adequacy and effectiveness of internal control. The conclusion of the Director of the Internal Audit Unit was that the following aspects of internal control should be improved:
- Awareness of the Deputy Undersecretaries and General Directors of internal control responsibilities and risk management.
- Improvement of the present arrangements regarding the promotion, assignment and appointment system to make it transparent and competence based.
- Improvement of communication between the central and provincial organisations of our Ministry.
- Review of management information systems to update old systems.
- Improvement of allowances and supplementary payments for personnel going into space.

It has been decided that a working group consisting of managers from the SDU, the General Directorate of Personnel and other relevant units will put these recommendations into an action plan.

External Audit

The TCA has approved the annual accounts of the Ministry.

SDU

An evaluation of the internal control system has been carried out with the full participation of the SDU, the spending unit managers and the staff, and a report has been produced and submitted to the CHU on 30th March 2010. The main findings of the review are listed above under the heading "Internal and External Evaluations Carried Out Within the Context of the Quality Assurance Development Programme" in this document. SDU staff also underwent training in risk management during this year.
III RISK MANAGEMENT

As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration and in the production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, the creation of the necessary organisational capacity and the embedding of risk management into the general activities is valued.

The SDU took the lead in embedding risk management in the organisation by reviewing and updating the key corporate external and internal risks facing the Ministry each month. The SDU also began an exercise to identify long-term risks that may pose a significant threat to the Ministry in the future. These risks were recorded on a long-term risk register, and the intention is that they will be reviewed every six months. Should the threat increase, then these risks will either be escalated to my part for appropriate action to be taken.

The Internal Control and Risk Steering Board also endorsed an action plan to further embed good risk management practice within the Ministry's processes and systems and to support innovation through well-managed risk taking. Work to establish this position will continue and will focus on those areas identified as still most in need of improvement. This will include giving further consideration to risk appetite, where the focus will be on practical examples of how it can be applied in practice, thus making it easier to communicate awareness of it among staff.

Guidance was available to all staff on risk management through the risk management intranet site. In addition to a risk management policy, specific guidance was available on undertaking risk self-assessment, which includes guidance on applying risk management as an integral part of the Ministry's business planning process. Risk management workshops were available to all staff, and practical guidance on its application had been incorporated into a wide range of training courses. These courses covered all ranges of staff and were tailored to be appropriate to their authority and duties.

My administration faces a wide range of risks while carrying out its activities. These risks are assessed in accordance with the principle that the cost of the internal controls to be developed for control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted at the levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.

The risk management framework for our Ministry operated through the initial identification, as part of the business planning process, of the risks which threatened the achievement of the Ministry's objectives. These risks were then evaluated in terms of impact and probability. This process established the level of residual risk to which the Ministry was exposed, which was monitored over time as part of performance management. Ownership of each risk was assigned to a named individual. Reasonable assurance that risk mitigation activities were appropriate was obtained through regular management reviews and internal audits of the key activities undertaken in the Ministry.

In order to further embed best practice in risk handling and to ensure a consistent interpretation of the acceptable extent of residual risk, our Ministry will review its risk appetite and communicate it more effectively across the organisation.
IV APPRAISAL OF THE INTERNAL CONTROL SYSTEM

As the Senior Manager, during the preparation of the foregoing declaration I also considered the assurance declarations by the Authorising Officers and the Head of SDU. The information and evaluations I have received from these declarations form an important basis for the assurance I have to provide on the internal control system in my administration.

Furthermore, the Internal Control and Risk Steering Board has been set up within the Ministry of Space Research to provide support and guidance for the evaluation of the internal control system, particularly in terms of risk strategy and management. Reports prepared by this Board have made a great contribution to the evaluation of the internal control system.

Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term and how these developments have been handled are summarised below.

In our investment programmes, the underspend reported last year in the spacecraft development programme has been managed. There is now less than 2% slippage in that programme. Underspends have arisen this year in other areas, for example:
- The satellite programme, TL 121 m: the Internal Audit Unit has reviewed the Investment Budget management, and an action plan is being developed to address the audit findings.
- Astronauts' training programme, TL 113m: due to slower than expected take-up. Processes will be streamlined to reduce barriers, and it is expected that the budget will be fully used in the next year.
- Renovation of launching stations programme, TL 16m: arising mainly from slippage in international cooperation projects affecting the expected refurbishment programme, together with some incorrect historical data for tracking capital allocation. New systems will prevent the recurrence of this problem.

Whilst recognising the issues summarised above, good progress has been made in resolving them, and there are plans in place to further enhance the internal control system and improve practice. As Senior Manager, I provide reasonable assurance that the above issues do not represent a material threat to operational effectiveness and that our Ministry complies with the public internal control standards on risk management, internal control and governance.

(Date)
Signature
Name
Title
GLOSSARY
CONCEPT: DEFINITION
Explicit information: Information which can be created, expressed, obtained and transferred in accordance with a specific system.
Aim: The concept which refers to the objectives contained in the strategic plan that the administration aims to attain.
Information: Financial and non-financial data related to internal and external events and activities, which is created, obtained and communicated in a particular form and at a particular time to ensure that people carry out their duties.
Information security: Safeguarding valuable assets in an administration against loss, misuse or damage.
Information map: A demonstration of the information kept in units or their systems which can be shared, and of the expertise and experience of personnel, shown on an organisational scheme or map in accordance with the organisational structure.
Information pool: The accessible area where information obtained in hard or soft form is stored and kept ready for re-use.
Information architecture: Organisation of information with a view to making it accessible, manageable and useful, from infrastructure level to end-user level.
Information stock: Financial and non-financial information available in the administration at a particular time.
Information technology: A system that controls all activities, including communication and computers, which are used for the purposes of collecting, storing and processing information, its transmission from one point to another through communication systems and computers, and its delivery to users. Information technology is also a concept used to refer to all information services which can be connected through communication and computer systems.
Information management: A process in which information is planned and obtained from any kind of source, internally or externally, classified, stored, communicated to the relevant bodies in a timely manner for interpretation, reviewed for updating, and disposed of.
External audit: Within the framework of the accountability responsibility of public administrations within the scope of general management, the activity of examining the compliance of the financial activities, decisions and procedures of the administration with laws, administrative objectives, aims and plans, and reporting the results to the TGNA, carried out by the Turkish Court of Accounts.
Audit trail: Requires the maintenance of records giving the full documentation and justification at all stages of the life of a transaction, together with the ability to trace transactions from summarised totals down to the individual details and to trace all reporting stages.
Inherent risk: Those risks whose probability and impact cannot be changed unless particular precautions are taken by the administration. When risks are identified for the first time, they are at inherent risk level.
Ethics: A body of moral principles, values and standards which forms the basis for the behaviours of a person and guides them on how to do their work.
Cost-Benefit Analysis: The identification and comparison of the costs and benefits regarding the implementation of a planned work or activity. When benefits outweigh costs, the work or activity is considered to be cost-effective.
SWOT Analysis: A method in which the administration systematically examines itself and the conditions having an impact on the administration. In this framework, the strengths and weaknesses of the administration as well as the threats and opportunities that may occur outside the administration are identified. This analysis forms the basis for the strategic planning process.
Segregation of duties: The requirement that the duties of approval, implementation, recording and control of each activity or financial decision and transaction be assigned to different people.
Objective: The specific and measurable sub-aims geared towards attaining the aims contained in the strategic plan.
Performance objectives: Outcome-oriented objectives that administrations plan to attain in a programme period with a view to attaining the aims and objectives contained in the strategic plan.
Internal audit: An independent and objective activity of giving assurance and providing counselling with a view to providing guidance and assessing whether resources are managed in compliance with the principles of effectiveness and efficiency, in order to improve and add value to the activities of the public administration.
Internal control: The body of financial and other controls, covering the organisation, method, process and internal audit in an administration, carried out with a view to ensuring that activities are conducted effectively, efficiently and economically in line with the administration's aims, its identified policies and the legislation; that assets and resources are protected; that accounting records are kept accurately and completely; and that financial and managerial information is produced in a reliable and timely manner.
Internal control assurance declaration: The declaration signed annually by senior managers, authorising officers and heads of strategy development units, within the framework of accountability and transparency, to state that processes and transactions are conducted in line with the principles of good financial management, control regulations and the legislation.
Internal Control and Risk Steering Board: The Board makes assessments concerning the development of processes and methods related to the internal control system, such as the determination of policies on monitoring internal control practices and the introduction of risk management in the administration.
Whistleblowing: The notification of illegal and unethical behaviours and actions, by persons with information (employees or stakeholders), to internal and external authorities that have the power and authority to solve the problem, so that administrations or third persons inside or outside the administration are not affected.
Business continuity: The plans that aim at ensuring continuity for the activities of the administration, or at ensuring continuity without any interruption after any extraordinary situation.
Ex-post controls: The controls applied by management to the administration's activities after they have been carried out, using pre-identified methods.
Monitoring: The activity of assessing, within the framework of compliance with the internal control standards, whether the internal control system provides the expected contribution to attaining the objectives and aims of the administration, and of determining the activities to be carried out in fields that are open to improvement.
Residual risk: Risks remaining after management has taken precautions to reduce their probability and impact.
Control activities: Actions aimed at reducing the impact and/or the likelihood of a risk occurring, and thus increasing the probability of attaining the goals and objectives of the organisation or part of the organisation.
Financial Management and Control: The development, implementation, monitoring and improvement of suitable organisations, methods and processes within the framework of managerial responsibility, to ensure effectiveness, efficiency and economy in obtaining and using resources as well as compliance with the identified aims and objectives and the legislation.
Central Harmonisation Unit: A unit affiliated to the Ministry of Finance. The unit develops and harmonises methods and standards concerning financial and internal control processes and provides related guidance for public administrations.
Mission: The cause of existence of an administration and its place within the state structure. In other words, mission is the answer to such questions as what the public administration does, and how and for whom it does what it does.
Focus group: Meetings held among a target group composed of 6-8 people to receive their thoughts and reactions in a detailed and elaborate manner. They are managed by a moderator within the framework of a flow plan.
Probability: The likelihood that an event may occur.
Organisational structure: The general system covering all the activities and procedures undertaken to attain the aims and objectives of the administration.
Ex-ante financial control: A control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out against the available appropriation amount, the expenditure programme, the financing programme and the provisions of the central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently.
Implicit information: Information in people's minds which is not organised in accordance with a particular system, and is therefore not easy to transfer and circulate, together with registered information which is not accessible to employees.
Stakeholders: The people, groups and administrations which are relevant to the administration's products and services and can, directly or indirectly, positively or negatively, affect or be affected by the administration.
Risk: Can generally be defined as the uncertainty of events that may occur in the future, or the undesirable outcomes and impacts of an event. For administrations, risk can be defined as the negative or positive effects of internal and external factors that may occur in the future on attaining the objectives and aims of administrations. In risk terminology, the positive aspects of risk and the gains it may bring are referred to as opportunity, and the negative aspects and losses it may cause are referred to as threat.
Risk assessment: Analysing those factors which can have an impact on attaining the objectives of the administration.
Transferring risk: Responding to risks by taking some of them away from the responsibility of the administration and transferring them to others.
Handling risks: The identification of responses to the risks identified and assessed (within the framework of the risk appetite) by public administrations, reducing the expected threats and benefiting from the opportunities that may emerge in this context.
Impact of risk: The outcomes or effects that a risk-posing event can produce once it occurs.
Risk appetite: The amount of risk an administration is ready to accept (tolerate/be exposed to) at any time before deciding on the need to take any relevant precautions, in line with its strategic objectives, mission and vision. In terms of threats, it refers to the exposure level which can be tolerated and justified; in terms of opportunities, it refers to how far one is ready to actively take the risk to gain the benefits of the opportunity.
Tolerating risks: A passive method of response to risks which public administrations are comfortable to undertake.
Avoiding risks: A response to risks by removing the activities in which risks are likely to occur, thus eliminating the risks that are likely to occur together with the activities.
Controlling risks: A method of response to risks by means of control activities carried out to keep tolerable risks at a certain level in public administrations.
Preventive Controls: Controls carried out to prevent the threats that a risk may pose and the undesirable outcomes it may produce once it occurs.
Corrective Controls: Controls aiming at reducing the impact of the undesirable outcomes that arise from the threats a risk poses once it occurs.
Directive Controls: Controls carried out to prevent the occurrence of a risk or to avoid the impact it may produce once it occurs.
Detective Controls: Controls applied to identify the damages and losses experienced once the risk is realised.
Risk profile: The documented and prioritised overall assessment of the range of specific risks faced by the administration.
Risk management: A management tool and all the mechanisms related to identifying and assessing risks that may have an impact on attaining the aims and objectives of the administration, identifying responses to risks, regularly reviewing and updating risks and responses, and monitoring the whole process.
Corporate risk management: A process which covers the entire administration and ensures that risk management processes are considered and handled as a whole.
Risk strategy: The overall organisational approach to risk management as defined by the Accounting Officer and/or the Board. This should be documented and easily available throughout the organisation.
Risk Strategy and Policy Document (RSPD): The corporate approach to risk management identified by the Head of Administration and senior-level policies are called the risk strategy, and the document in which this approach and these policies are set down in writing is called the Risk Strategy and Policy Document (RSPD).
Risk identification: The process of identifying, ascertaining, categorising and updating the risks that prevent or limit the achievement of the administration's strategic objectives, using previously defined methods.
Strategy Development Unit: Refers to presidencies of strategy development, departments of strategy development and directorates where strategy development and financial services are undertaken. They carry out studies to establish, implement and continuously develop internal control systems and report the study results to the Head of Administration.
Irregularity: Faults, errors and negligence stemming from violation of the regulations and provisions related to financial management.
Delegation of authority: The delegation of the responsibility and authority for making decisions to another authority, in writing, in the way envisaged in the legislation.
Fraud: Misuse or insufficient use of documents and declarations for monetary purposes or non-monetary private purposes, as well as hiding information, deliberate acts performed to abuse a benefit legally obtained, and negligent and illegal use of public power.
Management Information System: Supporting systems which provide proper data for managers and decision-makers for taking decisions and implementing them, with a view to more effectively attaining the previously identified objectives of the administration, by operating and communicating the information used in the administration.
Managerial accountability: Refers to management being accountable to the Parliament, the Government and public opinion for the decisions they have made regarding the duties assigned, as well as for the effective use of public resources.
Governance: The way in which organisations are directed and controlled. It defines the distribution of rights and responsibilities among the different stakeholders and participants in the organisation, determines the rules and procedures for making decisions on corporate affairs, including the process through which the organisation's objectives are set, and provides the means of attaining those objectives and monitoring performance.
Conference call: A system of telecommunications technology that enables a number of people in different locations to hold a discussion using the telephone.