This manual has been produced by the Twinning Project TR07-IB-FI-02 which is funded by the European Union.


TABLE OF CONTENTS

LIST OF ABBREVIATIONS
INTRODUCTION
TABLE OF ROLES AND RESPONSIBILITIES

CONTROL ENVIRONMENT
1 INTRODUCTION
2 Internal Control Standards
3 LEGISLATION
3.1 Legal Basis
4 ETHICAL VALUES AND INTEGRITY
4.1 What is Ethics
4.2 Current Legislation on Ethics
4.3 Main Ethical Behaviours that are Expected from Civil Servants
4.4 Ethical Behaviours That are Expected from Public Managers
4.5 Ethics Training
5 MISSION, ORGANISATIONAL STRUCTURE AND DUTIES
5.1 Mission
5.2 Organisational Structure
5.3 Job Descriptions
6 COMPETENCE AND PERFORMANCE OF PERSONNEL
6.1 Transition to Human Resources Management from Personnel Management
6.2 Activity Areas in Human Resources Management
7 DELEGATION of AUTHORITY
7.1 Determination of Delegation of Authority
7.2 Delegation of Authority and Work Flow Process
7.3 Delegation of Authority and Responsibility
7.4 Factors of Delegation of Authority
7.5 Delegation of Authority and Communication
8 INTERNAL CONTROL AND RISK STEERING BOARD
8.1 Roles and Members of the Board
8.2 The Board's Scope of Duty

RISK MANAGEMENT
1 Introduction
2 Risk Management standards
3 Benefits of Risk Management for Administrations
4 Critical Achievement Factors for an Effective Risk Management
5 Risk Strategy and Policy Paper
6 TASKS, AUTHORITIES AND RESPONSIBILITIES
6.1 Head of Administration
6.2 Internal Control and Risk Steering Board (ICRSB)
6.3 Administrative Risk Coordinator
6.4 Unit Risk Coordinator
6.5 Sub-Unit Risk Coordinator
6.6 Employees
6.7 Internal Auditor
6.8 Strategy Development Unit
6.9 Central Harmonisation Unit
7 RISK MANAGEMENT PROCESS
7.1 Identifying Risks
7.2 Risk Assessment
7.3 Responding to Risks
7.4 Reviewing Risks
7.5 Communication and Reporting
7.6 Learning

RISK MANAGEMENT ANNEXES
ANNEX 1 Using the brainstorming method to identify, assess and record risks
ANNEX 2 Risk Voting Form
ANNEX 3 Risk Register
ANNEX 4 Consolidated Risk Report
ANNEX 5 Risk Assessment Criteria Table
ANNEX 6 Case Study Example of Inherent and Residual Risk
ANNEX 7 Case Study Example of completed Risk Voting Form, Risk Register and Consolidated Risk Report

CONTROL ACTIVITIES
1 Introduction
2 Control Activities Standards
3 Planning Process of Control Activities
4 Classification of control activities
4.1 Preventive controls
4.2 Corrective Controls
4.3 Directive Controls
4.4 Detective Controls
5 Methods of control activities
5.1 Authorisation and approval
5.2 Segregation of duties
5.3 Double signature system
5.4 Reconciliation of data
5.5 Supervision procedures
5.6 Ex-ante financial controls
5.7 Procedures for accounting operations
5.8 Anti-corruption
5.9 Access to assets and information
5.10 Documentation, archiving and storing of information
5.11 Business continuity (or emergency plans)
5.12 Control activities related to Information Technology (IT)
5.13 Assessing costs and benefits of control activities
6 Practical Stages For Control Activities
7 Steps to identify and implement control activities

Control Activities Annexes
Annex 1 – Examples of some common risks and controls
Annex 2 List of common control activities
Annex 3 - Illustrations for cost benefit analysis

INFORMATION AND COMMUNICATION
1 INTRODUCTION
2 Information and Communication Standards
3 ROLES AND RESPONSIBILITIES IN INFORMATION AND COMMUNICATION
Minister
Head of Administration
Internal Auditor
Authorising Officer
Realisation Officer
Accounting Officer
Strategy Development Units
Central Harmonisation Unit
4 INFORMATION
4.1 Characteristics of Information
4.2 Information Management
4.3 Information Security
5 MANAGEMENT INFORMATION SYSTEMS (MIS)
5.1 Stages of Establishing MIS
6 COMMUNICATION
6.1 Internal and External Communication
6.2 Communication Methods
7 WHISTLEBLOWING OF FAILURES, IRREGULARITIES AND FRAUD
7.1 Concepts of Failure, Irregularity, Fraud and Whistleblowing
7.2 Scope of Notifications
7.3 The Responsibility for Detecting Faults, Irregularities and Fraud
7.4 Whistleblowing System
8 RELATIONS AMONG UNITS
8.1 Information and Communication between the CHU and SDUs
8.2 Information and Communication between SDUs and Spending Units

INFORMATION AND COMMUNICATION ANNEXES
Annex 1 - Legislation on Information and Communication
Annex 2 - Widely Used Methods of Communication
Annex 3 Reports Prepared under PFMC Law No 5018
Annex 4a Whistle-Blowing Process Related to Ethical Values
Annex 4b Whistleblowing and Evaluation Process for Crimes Committed by Civil Servants

MONITORING
1 Introduction
2 Monitoring Internal Control Standards
3 Roles And Responsibilities
3.1 Senior Manager
3.2 Internal Audit
3.3 Internal Control and Risk Steering Board (ICRSB)
3.4 Authorising Officers
3.5 Strategy Development Units (SDU)
3.6 Other Managers and Employees
3.7 External Audit
3.8 Central Harmonisation Unit (CHU)
4 Guidance by the CHU
5 Assessment and Reporting Role of SDUs
5.1 Assessment of Internal Control System by SDUs
5.2 Reporting of Internal Control System Evaluation Results
5.3 Monitoring of Internal Control System Evaluation Reports
5.4 Work to be carried out by SDUs concerning Internal Audit Reports
6 Internal and External Audits
6.1 Internal Audit
6.2 External Audit
7 Internal Control Assurance Declarations
7.1 How to complete Internal Control Assurance Declarations

MONITORING ANNEXES
Annex 1 Internal Control System Question Form
Annex 2 Internal Control System Evaluation Report
Annex 3a Internal Control Assurance Declarations Senior Manager
Annex 3B Internal Control Assurance Declaration Authorising Officer
Annex 3b Internal Control Assurance Declaration Head Of SDU
Annex 4 Example Of A Complete Declaration

GLOSSARY


LIST OF ABBREVIATIONS

ARC Administrative risk coordinator

BiMER Prime Ministry Communication Centre

CHU Central Harmonisation Unit

COBIT Control Objectives for Information and Related Technology

COSO Committee of Sponsoring Organisations of the Treadway Commission

DHSDU Declaration by Head of Strategy Development Unit

e-SAC Electronic System Audit and Control

FMC Financial Management and Control

HRM Human Resources Management

ICAD Internal control assurance declaration

ICRSB Internal Control and Risk Steering Board

INTOSAI International Organisation of Supreme Audit Institutions

ISO/IEC International Organisation for Standardization / International Electrotechnical Commission

IT Information Technology

MERNIS Central Civil Registration System

MIS Management Information System

PESTLE Political, Economic, Social, Technological, Legal and Environmental

RSPD Risk Strategy and Policy Document

SDU Strategy Development Unit

SMART Specific, Measurable, Achievable, Relevant, Time-related

SURC Sub-unit Risk Coordinator

SWOT Strengths, Weaknesses, Opportunities and Threats

TGNA Turkish Grand National Assembly

TSE Turkish Standards Institute

URC Unit Risk Coordinator

UYAP National Judicial Information System


INTRODUCTION

From the late 20th century onwards, the focal point of governments in the whole world has been to establish mechanisms to increase performance. "Good governance", put forward to serve this end, has recently come to be a guiding principle both for the private sector and the public sector. Within the framework of the principle of good governance, such factors as ensuring accountability for the provision of better quality public services, improvement of transparency, delegation of authorities and responsibilities by means of managerial flexibility, outcome-oriented management and budgeting, understanding and meeting the expectations of citizens have come to the foreground.

On the other hand, provision of quality public services has brought along the need for the public resources to be used effectively, efficiently and economically, thus necessitating the usage of effective tools in public administrations in many areas, from organisational structure to information and monitoring, which are related to financial management and control. The most important tool for accountability adopted in this reform process is internal control.

Internal Control

Internal control, which is internationally used, is a system designed to give reasonable assurance to attain the objectives of a given administration. Within the framework of Committee of Sponsoring Organisations (COSO), which is the most widely known system among the others, internal control aims to ensure compliance of actions and works with the legislation as well as the reliability of financial and managerial reporting and effective and efficient asset protection. COSO, which is made up of control environment, risk management, control activities, information and communication, and monitoring components, is such an internal control model which is also accepted as a reference point by such institutions as the International Organisation of Supreme Audit Institutions (INTOSAI) and the European Commission. The following figure shows the components of COSO.

IN Figure 1: The COSO Cube

Our country, on the other hand, which has been carrying on membership negotiations with the EU, has been going through a reform process since the early 2000s with a view to strengthening its public internal control system. The basic factors of the internal control system, which is recommended by the European Commission to all the candidate countries and is in compliance with COSO, can be summarized as financial management and control (FMC) system based on managerial responsibility and accountability, functionally independent internal audit activity and Central Harmonisation Unit (CHU) responsible for the harmonisation of these two areas in the whole public sector.

FMC refers, in the most general terms, to the management and control processes related to public revenues, expenditures, assets and obligations. In this context, public managers of every level are responsible for the establishment and sustainability of a sound FMC system to ensure resource-based planning, programming, budgeting, accounting, controlling, reporting, archiving and monitoring. Internal audit, on the other hand, which assists the manager in assuming this responsibility and attaining the objectives, gives, based on risk management, objective assurance and provides guidance regarding the compliance of the current FMC system with the identified rules and standards. Furthermore, a full capacity and quality central harmonisation activity is required in order to identify and develop methodologies, legislation and standards in the areas of FMC and internal audit in public administrations, as well as to coordinate and monitor them and provide the training needed.

In the light of the best practice examples, our country has taken important steps in strengthening transparency and accountability in public financial management and ensuring an effective internal control function. Public Financial Management and Control Law No 5018, which is the most important step among the others and adopted in 2003, defines the functioning of internal control system and the roles and responsibilities of the actors involved in the system, and assigns the Ministry of Finance (MoF) the duty of identifying standards and methods as well as ensuring coordination and providing guidance in this area. As per this duty, the MoF published a Public Internal Control Standards Communiqué in 2007, which was in compliance with the international standards.

Financial Management and Control Manual, which is an extension of all these works, has been prepared with a view to supporting decision-making and implementation processes for a better management and thus contributing to the rational usage of public resources. The Manual, whose preparation started in 2010 and was completed in the first quarter of 2011, is the outcome of a painstaking work carried out by the Experts both from the United Kingdom and our country within the framework of a twinning project financed by the European Union.

FMC Manual has been designed, with a view to ensuring the implementation of internal control standards, as a guideline which explains all the basic factors of internal control by means of methods, tools and examples which can be used by all the stakeholders. In addition, it is also possible for administrations to use, according to their own needs, other tools than this Manual, which can be modified and revised in time in line with the changing circumstances and needs in public administrations; however, it is foreseen that tools adopted should not be in conflict with the basic requirements contained in the Manual.

This Manual is made up of five main parts based on Internal Control Standards. Following this introduction, there is a table showing the main responsibilities of the major actors in financial management and control.

In the first part, conceptual explanations regarding ethical values and integrity, mission, organisational structure and duties, competence and performance of personnel, and delegation of authority, which are the milestones of the control environment, as well as information on the legislation and implementing tools, are given.

In the second part, information on the importance and aim of risk management, stages of risk management process and roles and responsibilities of the actors involved in the process, Risk Strategy and Policy Document, and communication and reporting tools that can be used is given.

In the third part, control strategies and methods, identifying and documenting procedure, principle of separation of authorities, hierarchical controls, sustainability of activities and information processing controls are explained within the framework of control activities, which is closely related to risk management, and a set of control activities (approval, authorisation, verification, reconciliation of accounts, etc.) are dealt with.

In the fourth part, the concept of information and its management, functioning of Management Information Systems, internal and external communication tools and reporting mechanisms are handled within the framework of information and communication component.

In the fifth part, information on the roles and responsibilities of Financial Management and Control Central Harmonisation Unit (FMC CHU) in the overall public sector and of Strategy Development Units (SDU)/Financial Services Units in each public administration, as well as the tools used, internal control system quality assurance development program, roles of internal and external audit, content of Internal Control Assurance Declaration and guidance on how to fill the Declaration, is given within the framework of regular monitoring and assessment of internal control system.

In the last part of the manual, a glossary of the concepts used in the manual is given.

Users of the Manual

Besides the relevant stakeholders and users, it is believed that this Manual will be a reference document for the following:

• Senior managers responsible for establishing an effective and adequate FMC system as well as observing and monitoring it

• Authorising officers who have responsibility, within the scope of their duties and authorities, to ensure the functionality of the internal control regarding administrative and financial decisions and proceedings

• Relevant managers and employees of the Ministry of Finance who carry out the central harmonisation duty in the area of FMC

• Managers of SDUs and financial services experts who have responsibility concerning the development of internal control system and implementation of the standards

• Realization officers and accounting officers who are involved in the financial processes and accountable to authorising officers

• The other public managers who have responsibilities arising from the activities conducted in the area of FMC in units

• All the employees working in public administration

• Internal auditors who have the responsibility to assess and report to the Head of Administration the effectiveness of FMC system

• External auditors who are responsible for examining the accounts, financial transactions and activities and internal control systems of public administrations, as well as whether resources are used effectively, efficiently and economically as well as in compliance with laws, and reporting the results to the TGNA

TABLE OF ROLES AND RESPONSIBILITIES

MINISTER

Risk Management: Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister should be aware of the potential risks to the administration's objectives.

Information and Communication: He ensures coordination and cooperation with the other ministries and informs the public opinion and the TGNA about the annual performance programme and activity report of the administration.

Monitoring: Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister is responsible for ensuring effective monitoring of the internal control system.

HEAD OF ADMINISTRATION

Risk Management: He defines strategies and policies for an effectively functioning risk management system in accordance with the aims and objectives of his administration. He explicitly defines tasks, roles and responsibilities. He ensures the participation of the stakeholders and the public opinion.

Information and Communication: As the quality of the information exchange and communication between the head of administration and the other actors has a direct effect on the accountability of the head of administration, he must inform the relevant units about the frequency and methods of feedback he prefers. He ensures effective communication among spending units, SDUs and internal audit.

Monitoring: He is responsible for observing and monitoring the functioning of financial management and control system. He approves annual internal control system evaluation reports and signs the Internal Control Assurance Declaration.

INTERNAL CONTROL AND RISK STEERING BOARD

Risk Management: The Board develops policies for improvement of risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the unit of the policies and procedures for coordination purposes. ICRSB determines a particular number of risks which it deems significant as the key risks among those risks that are submitted to itself, and reports whether these key risks function well or not to the Head of Administration in regular periods or whenever it deems necessary.

Information and Communication: It provides the Head of Administration with timely and accurate information about the effectiveness of internal control and risk management.

Monitoring: It assesses internal control system evaluation reports prepared by the strategy development unit as a result of annual evaluation of internal control system and, after defining shortcomings of the report, if any, submits it with the relevant opinions for the approval of Head of Administration.

AUTHORISING OFFICER

Risk Management: He acts as the unit risk coordinator or assigns someone to act so. URC coordinates the management of the unit's risks that may have an impact on objectives of the administration and provides guidance to this end.

Information and Communication: He ensures that tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff. He ensures that sub-units are informed about the activities of each other. He ensures that an effective communication and archiving system is established for the information related to the objectives and activities of the unit.

Monitoring: He has responsibility for continuously monitoring internal control system. He provides necessary information for strategy development units regarding the annual evaluation of internal control system, completes internal control questionnaire and annually signs internal control assurance declaration to be submitted to the Head of Administration.

HEAD OF DEPARTMENT/UNIT

Risk Management: He is responsible for the coordination of risk management activities within sub-units (if having such units or their management at this level is deemed appropriate) of the spending units in administrations. He is directly accountable to URC regarding risk management.

Information and Communication: He ensures that an effective communication and archiving system within the sub-unit is established for the information related to the objectives and activities. He ensures that tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff.

Monitoring: He is accountable to the authorising officer. He has responsibility for continuously monitoring internal control system. He supports the authorising officer in providing SDUs with information.

EMPLOYEES

Risk Management: Every employee is directly responsible for managing risks in their fields of duty (identifying, assessing, responding to, reviewing and reporting risks).

Information and Communication: Every employee is responsible for delivering accurate and timely information to managers, colleagues and stakeholders by using right communication means.

Monitoring: They observe the functioning of internal control system and, in case of a problem, they inform senior management and contribute to the evaluation process of internal control system by providing information.

STRATEGY DEVELOPMENT UNIT

Risk Management: It organises trainings on risk management in the administration and provides guidance in this respect.

Information and Communication: It is responsible for providing the Head of Administration and the units with accurate and timely information. In addition, it is responsible for providing the unit with guidance and trainings on the area of internal control.

Monitoring: It annually assesses internal control system on behalf of the Head of Administration. It signs the declaration on functioning of internal control system with a view to ensuring effective, efficient and economical execution of administration's activities. Staff of Strategy Development Units take active role in the evaluation process of internal control systems and guide the units in completing the reports regarding evaluation.

ACCOUNTING OFFICER

Risk Management: Within the scope of his duty, the Accounting Officer should identify and manage the financial risks.

Information and Communication: The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way.

Monitoring: Accounting Officers must regularly report to the authorising officer on the accounting records.

CENTRAL HARMONISATION UNIT

Risk Management: It is responsible for such activities as making regulations and changes when necessary, carrying out developmental activities, as well as ensuring guidance, harmonisation, inter-administrational coordination and reporting.

Information and Communication: It is responsible for making arrangements, setting out standards, providing guidance and advice, ensuring harmonisation and coordination among administrations, monitoring and reviewing the implementation in the fields of financial management and control and internal audit.

Monitoring: It annually assesses the functioning of internal control systems in public administrations based on Internal Control Evaluation Reports approved and submitted by senior managers, and submits the evaluation report it prepared to the Head of Administration and the Minister of Finance.

INTERNAL AUDIT

Risk Management: Internal auditor provides the Head of Administration with advice regarding risk management by making evaluations on whether risk management process is effective and risks are managed in the right way or not.

Information and Communication: He examines the functioning of information and communication system in the administration and reports the results to the Head of Administration. There must be an effective communication system between Head of Administration and internal audit.

Monitoring: It has the function to provide the management with information about the sufficiency, effectiveness and functioning of internal control system, as well as making evaluations and giving recommendations.

EXTERNAL AUDIT

Risk Management: Within the framework of performance management, it can audit the functioning of risk management processes in administrations.

Information and Communication: Within the framework of performance management, it can audit the functioning of information and communication systems in administrations.

Monitoring: Court of Accounts can assess internal control systems in administrations during the audits it conducts and give recommendations.

CONTROL ENVIRONMENT

1 INTRODUCTION

According to the COSO model, control environment is creation of the basic infrastructure for the other components of internal control by providing internal control awareness for employees working in a particular administration. Control environment generally includes internal control awareness, values, working styles and procedures of the administration. Basic factors of control environment are summarized below.

CE Box 1: Basic Factors of Control Environment

• Principles of personal and professional integrity
• Adoption of ethical values by management and personnel
• Supportive attitude of senior management towards internal control
• Organisational structure
• Professional competence and performance of personnel
• Human resources policies and practices
• Management philosophy and working style

Creation and sustainability of a positive and supportive environment for internal control by the management is of great importance. As employees also have their relevant roles in carrying out internal control, all the individuals within the administration need to know his/her responsibilities and authorities very well. Employees need to uphold personal and professional integrity and ethical values and comply with the current behavioural norms. In a well-functioning control environment, the public administration should previously determine its mission, organisational structure and terms of reference and should regularly assess the performance of personnel.

2 Internal Control Standards

Four standards were determined regarding control environment among Public Internal Control Standards.

CE Box 2: Control Environment Standards

Standard 1: Ethical values and integrity
It should be ensured that rules which regulate how personnel behave are known by the personnel.

Standard 2: Mission, organisational structure and duties
Mission of the administration and job descriptions for units and personnel should be set out in writing and announced to the personnel, and a suitable organisational structure should be established in the administration.

Standard 3: Competence and performance of personnel
Administrations should ensure the compatibility between the competence and duties of personnel and take actions about performance appraisal and improvement.

Standard 4: Delegation of authority
Administration should explicitly identify authorities and limits of delegation of authority and announce them in writing. Authority should be delegated by taking the importance and risk of authority to be delegated into consideration.

This part gives explanations regarding the relevant legislation and standards with a view to rendering Public Internal Control Standards more comprehensible and to guide the practices. Besides, it stresses the methods to be applied for ethical values and integrity principles to be owned by senior management and adopted by personnel, which is very important for a well-functioning control environment. Besides, criteria are determined for the assessment of competence and performance of personnel, as well as giving explanations on determination of mission, organisational structure and duties. Moreover, the part explains how the delegation of authority, which is a priority for accountability, needs to be conducted.

3 LEGISLATION

3.1 Legal Basis

In utilising of public resources or in providing effective and efficient public services, the principles and procedures of a work, financial or non-financial, are determined by the regulations made by laws or the central administration.

Internal Control standards provide the minimum and overall framework for managers for giving an assurance on the provision and sustainability of services. In the following diagram, the international and national standards and legislation relating to Control Environment are given.

CE Figure 1: Legal Basis Framework regarding Control Environment

Part Five of Law No 5018 regulates 'internal control system'. Within this framework, in order to establish an effective and sufficient internal control system, the top manager and the other managers should take necessary action to ensure that the following factors are implemented:

• Having professional values and an integral management understanding
• Assignment of financial authorities and responsibilities to informed and competent managers and personnel
• Compliance with the standards set
• Prevention of actions that are opposed to the Legislation
• Provision of a proper working environment and transparency with a comprehensive management understanding

The main legislation related to control environment is given below.

CE Table 1: Main Legislation on the Control Environment Standards

Control environment standard 1: Ethical Values and Integrity
Related legislation:
• Law No 5176 on the Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws
• Legislation on Ethical Behaviour Principles and Application Principles and Procedures of Civil Servants

Control environment standard 2: Mission, organisational structure and Tasks
Related legislation:
• Law No 3046
• Decree of Law No 217 on the Establishment and Duty Principles of State Personnel Presidency
• Strategic Planning Guideline for Public Administrations

Control environment standard 3: Competence and Performance of Personnel
Related legislation:
• Turkish Constitution
• Law No 657 on Civil Servants, Law No 2802 on Judges and Public Prosecutors, Law No 2914 on High Education Staff, Law No 926 on Turkish Armed Forces Personnel, Law No 3269 on Specialized Sergeants, Law No 3466 on Specialized Gendarmerie, Law No 4678 on Contracted Officers and Petty Officers to be Recruited into Turkish Armed Forces
• Regulation on Examinations for Those to be Appointed for Public Duties for the First Time
• Regulation on Appointment Conditions for Public Services of Disabled Persons and Competition Examinations to be Conducted
• Special Regulations Prepared by Administrations (expert, coordinator, inspector, etc.)
• General Regulation on Training of Candidate Civil Servants
• Registry Regulation for Civil Servants
• Regulation on Civil Servants to be Sent Abroad for Training Purposes
• General Regulation on the Principles of Promotion and Title Change in Public Administrations and Entities
• Regulation on Promotion and Title Change in Supreme Institutions and Agencies of High Education

Control environment standard 4: Delegation of Authority
Related legislation:
• Law No 3046
• Law No 2547 on High Education
• Law No 5393
• Organisational Laws
• Communiqué Serial No 1 on Authorising Officers

4 ETHICAL VALUES AND INTEGRITY

4.1 What is Ethics?

Ethics is a body of moral principles which forms the basis for the behaviours of a person. In other words, ethics is the guidelines, values, principles and standards which help people determine ‘how to do works’. Ethics is at the same time a process. In this process, while making and implementing decisions, actions are carried out upholding particular values.

The aim of observing ethical behaviour principles is to prevent corruption and uphold integrity in a state and community.

4.2 Current Legislation on Ethics

Law No 5176

The Law determines the establishment, duty and working principles and procedures for Civil Servant Ethical Board to determine and monitor the implementation of such ethical values that civil servants must observe as transparency, impartiality, accountability and observing public interests. However, the scope of the law is so narrow that it diverges from its original aim (the provisions of the Law are not enforced on the President, Members of TGNA, Members of Council of Ministers, officials of Turkish Armed Forces and officials of jurisdiction).

Civil Servants Ethical Board is authorised and responsible for determination of ethical behaviour principles through the legislations it will prepare, conduction of the relevant ex-officio examinations and investigations, as well as conduction of examinations and investigations upon applications on ethical behaviour violations and notification of the results to the relevant authorities, carrying out studies to settle ethical behaviours in a community and supporting studies to be carried out in this field.

Within the framework of laws, the Board can be applied to with allegations of violation of ethical behaviour principles about the civil servants of at least director general or equivalent positions in a public administration and institution.

Applications to be made with allegations of violation of ethical principles about the other civil servants are evaluated by the concerned boards of the relevant administrations to see whether there is a condition that is opposed to ethical value principles or not. Results of the evaluations are communicated to the applicant and to whom it may concern.

The Board conducts its examinations and investigations regarding the applications referred to itself to see whether ethical value principles are violated or not. The Board has to conclude the examinations and investigations to be conducted upon the whistle blowing or complaint applications in three months at most. Results of the examinations and investigations are communicated to the relevant authorities and to the Prime Ministry in writing. (For further information, please refer to the “Information and Communication” chapter.)

Legislation on Civil Servants Ethical Behaviour Principles and Application Procedures

Civil servants are liable to observe ethical behaviour principles while fulfilling their duties and sign the Ethical Contract document. Authorised appraisal managers in administrations and institutions assess the performance and employment records of personnel in terms of compliance with ethical values.

CE Figure 2 demonstrates ethical behaviour principles determined in the Legislation.

CE Figure 2: Ethical Behaviour Principles

ETHICAL BEHAVIOUR PRINCIPLES:
• Granting declaration of property
• Relations with the previous civil servants
• Accountability requirement for managers
• Informing, transparency and participation
• Binding explanations and unreal declarations
• Being economic
• Utilisation of public properties and resources
• Prohibition of giving presents and drawing benefits
• Not abusing duties and authorities to draw benefits
• Avoiding conflict of interest
• Notification of authorised bodies
• Courtesy and respect
• Esteem and trust
• Integrity and Impartiality
• Commitment to aims and mission
• Compliance with service standards
• Service awareness for public
• Public service awareness in fulfilment of duties

4.3 Main Ethical Behaviours that are Expected from Civil Servants

• Observing high ethical standards all the time and working to increase public belief in the state and civil servants for public benefit
• Behaving in compliance with the ethical values and principles when fulfilling duties, obtaining and using public resources and purchasing goods and services from outside
• Showing respect for colleagues and users of services, exhibiting impartial and fair behaviours
• Having a participatory decision-making process by taking the views of colleagues and users of the services into consideration
• Appreciation and announcement of good works colleagues do
• Not abusing public authorities and resources for personal benefits and not favouring relatives or friends in using public services
• Being careful about the possible and real conflict of interests
• Assuming responsibility for decisions and behaviours
• Filling in the property declaration forms in time, accurately and without any reserve
• Not working in a second job that is prohibited by the Legislation other than his public service
• Not establishing private relationships with the persons and firms that are in connection with the administration that civil servant works in
• Warning other civil servants whose behaviours are not in compliance with the ethical principles and notifying authorities in case that warning turns out fruitless

4.4 Ethical Behaviours That are Expected from Public Managers

While fulfilling their duties, managers should:

• Inform all the civil servants of the overall aims, main objectives and values of the administration
• Create a positive working environment where behaviour expectations are clearly defined and violations are identified and corrected, if any
• Assume all the responsibility for the activities of administration
• Take into consideration the merits, current behaviours and developmental potential of personnel while appointing for a position
• Behave in a fair, equal and impartial way towards all the personnel
• Solve the problems and conflicts in a quick and fair manner
• Be consistent, reliable, predictable, fair and objective in decisions and behaviours
• Set a personal example in terms of ethical principles and values
• Maintain the highest standards possible to be followed in the field of efficiency and effectiveness at work

4.5 Ethics Training

One of the most important prerequisites of establishing a culture in the administration that is based on ethical values and principles is ethics training. All the personnel of every level that are employed in public administrations and institutions need to be informed of the ethical behaviour principles and their responsibilities related to these principles.

Administration and institution managers are liable to include ethical behaviour principles in the basic, preparatory and in-house training programs that are implemented for civil servants.

5 MISSION, ORGANISATIONAL STRUCTURE AND DUTIES

Mission of an administration is the cause of existence of the administration and its place within the state structure. Organisational structure ensures that duties that are carried out to attain the objectives and aims of the administration are controlled and monitored. Duties that are carried out by the administration are led by the mission and organisational structure. These factors in question, which complete each other, form an important basis for the other components of internal control system.

5.1 Mission

Public administrations set out their missions, visions, aims, objectives and strategies in strategic plans. As Strategic Planning Guideline for Public Administrations states, mission is the cause of existence of an administration. In this regard, mission covers all the services and activities an administration carries out. In other words, mission is the answer to such questions as what the public administration does, and how and for whom it does what it does. Mission should be sound, realistic and participatory to lead the administration and should be developed according to the changing conditions and needs. It will also be proper to receive opinions from personnel and stakeholders in forming and updating the mission.

The following should be taken into consideration in mission declarations of administrations:

• The mission should be up-to-date, precise and clear
• The mission should be determined in line with the established aims of administration, not process of service provision
• While determining the mission, tasks and authorities granted to the administration with legal regulations should be taken into consideration
• In mission promotion, people and entities that the administration provides services for and the goods and services that the administration offers should be stated

CE Box 3: Mission Example

“Carrying out research, training and publishing activities, developing and supporting projects for strengthening and increasing the problem-solving capacity of families and for identification and solution of the problems in cooperation with the institutions and organisations in the light of scientific and ethical values”

(General Directorate of Family and Social Research, 2007-2011 Strategic Plan)

For the mission, which is very important for public administration, to be achieved, personnel should be informed enough about the mission of administration they are affiliated to. Being informed about the mission and adopting it will guide the decisions and activities of the administration and help the personnel understand their duties within the administration. To this effect, firstly, mission should be set down in writing, it should be announced to the personnel, and a system should be developed for the mission to be adopted by the personnel. On the other hand, job descriptions of the sub-units should be determined in writing in compliance with the mission, and compliance with the mission should be regularly reviewed.

5.2 Organisational Structure

Organisational structure of the administration is another important factor which influences the control environment. Organisational structure is the provision of a framework for the attainment of the aims and objectives of administration.

In order to establish a proper control environment, organisational structure should:

• Indicate the division of authorities and responsibilities within the organisation
• Include accountability mechanisms and relevant reporting line which will ensure the functionality of these mechanisms
• Indicate the coordination and integration points

Organisational structures of administrations are generally determined by the organisational laws that are prepared in compliance with the framework that is set in Law No 3046, and duties of administrative units (main services, consultation/audit and support units) are shaped in these organisational laws. Duties of the sub-units of administrations, on the other hand, are determined in administrative regulations such as circulars and regulations, not in the organisational laws.

Furthermore, organisational structures of public administrations which fall under the scope of the local administration are determined by Law No 5393 on Municipalities, Law No 5216 on Metropolitan Municipalities, Law No 5302 on Special Provincial Administration and Law No 5355 on Local Administration Unions.

Mission of the administration is achieved by the activities carried out by the units of the administration and their sub-units and the units of the local administration. Within this framework, duties of both the units and sub-units should be in compliance with the mission of the administration.

Relevant changes regarding the organisational structure, units and sub-units of the administration and duties that are carried out by these units and sub-units can be made by amending organisational law or revising administrative regulations according to the circumstances, within the framework of the reviewing activities in question.

5.3 Job Descriptions

As it is stated in Public Internal Control Standards, written definition of duties to be carried out by units and sub-units of administrations and formation of a task distribution chart covering duties of the personnel in the administrative units and their relevant authorities and responsibilities assume importance for the mission of the administration to be accomplished. Within this framework, preparation stage of job descriptions is demonstrated below.

Public administrations can prepare their job descriptions by following the below given process.

CE Figure 3: Preparation Process of Job Descriptions

MAKING JOB ANALYSIS

Job analysis is a process in which information regarding the quality of every job carried out in the administration and working environment the job will be carried out in, as well as working conditions, is collected, and collected information is systematically examined and assessed. While making job analysis, the following should be followed:

• Determination of jobs to be analysed, taking into consideration the organisational structure of the administration
• Determination of the objective
• Formation of the team to make the analysis (it is essential that the team members to make the analysis should be selected from inside the administration. However, it is possible to receive counselling from outside when necessary)

KEY QUESTIONS IN JOB ANALYSIS

• What are the requirements of the job? (In terms of knowledge, experience and competence)
• How is the job done?
• When is the job done?
• Where is the job done?
• Why is the job done?
• What are the assistive tools for the job? (Equipment)
• What kinds of outputs are obtained?

Job analysis does not have a value on its own. It is only valuable when it contributes to attaining the objectives of administration. Therefore, analysing should start by understanding the philosophy, mission and objectives of the administration and the role and importance of every unit within the administration, and should continue in this direction.

The findings gathered from the job analysis should be submitted in a systematic and consistent way, and the job descriptions that are formed according to these findings should be submitted to the top management for the job description whose final draft has been completed.

At minimum, job descriptions should include the following:

• Unit & Sub Unit
• Name of the job (Name of the position)
• Title that the job has
• Level of competence (areas of responsibility, information, problem solving)
• Basic duties and responsibilities
• Authorities
• Required skills and abilities for the job
• Its relation with the other jobs
• Approval section and section regarding communiqué to personnel

ANNOUNCING JOB DESCRIPTIONS TO THE PERSONNEL

Job descriptions should be announced to the personnel for them to learn what they need to do, under which rules they work and what their objectives are.

UPDATING JOB DESCRIPTIONS

Job descriptions should be reviewed and updated annually.

State Personnel Presidency determined standard job descriptions for some titles (chief, programmer, warehouse official, statistician, personnel titled as inspector in the municipalities, etc.). In this process, it is possible that public administrations receive guidance from State Personnel Presidency.

5.3.1 Sensitive Duties

Some of duties that are carried out in public administration assume more importance because of their nature than the other duties do, in terms of esteem of administration, risk of corruption, disclosure of secret information, etc. Therefore, integrity of the personnel who carry out the duty in question is attached more importance.

It would be convenient to assess at least the following while deciding whether a duty is sensitive or not:

• Capacity to make important decisions that can impact administration’s objectives
• Its relations with the third parties and administrations outside the administration which can impact decisions
• Regular access to confidential information
• Whether financial transactions of high value are involved
• The duty requiring special expertise at high levels
• Other criteria that can be introduced by administrations

According to the criteria in question, administration should determine sensitive duties, develop control mechanisms to mitigate the risks identified and review the changes to occur at the level of the risk.

The following table demonstrates the fields of activity which can be sensitive for administrations and gives examples regarding these fields.

CE Table 2: Examples of Sensitive Duties

AREAS OF MANAGEMENT: EXAMPLES FOR SENSITIVE DUTIES

Financial management:
• Accounting
• Managing payments
• Analysing the financial reports

Commitment process:
• Membership for the Tender Commission
• Contracting process
• Process of examining and accepting
• Publishing tender documents

Human resources management:
• Definition of positions
• Job description
• Recruitment process
• Assessment
• Implementation of salary system

Information management systems:
• Access to the system and controls
• Security of the systems and key documents
• Developing the system

Support Services:
• Controlling valuable stocks

5.3.2 Monitoring the Results of Duties

Administrations should continuously assess sensitive duties and decide what steps to take in accordance with the changes in the level of the risks (such as renewing controls, identifying new sensitive duties, re-evaluating sensitive duties’ risk levels by taking into consideration the cost-effectiveness).

Managers carry out the activities of administrations through written or spoken instructions. However, it may be difficult for the management to monitor the results of duties due to such reasons as the structures of units, organisational complexity, scattered organisations, the number of the personnel being high and duties being varied. Managers should develop such methods as introducing reporting mechanisms and holding regular meetings to overcome this difficulty.

6 COMPETENCE AND PERFORMANCE OF PERSONNEL

Good management of human resources aims to ensure the efficiency, effectiveness and productivity of personnel.

CE Box 4: Humans First

With the principle ‘good people make good organisations’, we can say the quality of the employees of an administration is the quality of the outputs of that administration. First of all, it must be kept in mind that employees are humans and a balance must be established between the needs of administration and employees. It is important for personal motivation that assignments be conducted in line with merits and careers of employees in every stage from recruitment to retirement. The only capital an administration has which cannot be materially measured is human.

The basic aim is the selection of proper personnel for the fulfilment of the mission of administration, appraisal of personnel, career planning for those who are successful, and ensuring they have the basic skills and adequate knowledge with a high sense of responsibility and identity.

6.1 Transition to Human Resources Management from Personnel Management

As it assumes the responsibility for identifying policies, objectives and standards in human resources management (HRM), top management plays a significant role in HRM. Besides, top management should create a transparent and accountable environment complying with laws and legislation.

The expertise that human resources managers have in this area should lead the other unit managers to apply human resources standards at every level of the administration.

Furthermore, HRM is a responsibility for all levels of management, starting from top management. In line with the policies in question, the unit managers, when they carry out in an effective way the tasks given to them by the senior managers, should also assume such duties as orientation and training of the new personnel, improvement of their work performance, developing a proper work environment and relations in which they will work in cooperation, boosting the morale and motivation of personnel, safeguarding the health of personnel and improving the working conditions of the personnel.

6.2 Activity Areas in Human Resources Management

The basic functions of HRM can be listed as follows:

• Conduction of job analyses
• Job descriptions
• Job requirements
• Labour force assessment
• Staff analysis
• Cost-benefit analysis
• Limitations of various legal regulations (Budget Law, Decree of Law on General Cadre Procedure, etc.)
• Recruitment process
• SWOT analysis (of the recruitment process)

• Announcements on newspapers, internet and administration’s billboards
• Developing easy application methods which meet the needs, are fair and do not lead to discrimination
• Examination process being open, which will give confidence
• Merit and career evaluation system
• Promotion/Achievement criteria
• Personnel performance indicators
• Appraisal system
• Rewarding mechanisms
• Training Activities
• Training needs questionnaire
• Training programs (theoretical and practical)
• Abroad trainings and internships
• Post-training assessments
• Participation in such activities as conferences and workshops which support personal development
• Poor performance management and disciplinary practices
• Determining the data on which decisions about non-appropriateness for duty will be based and announcing this to all the personnel
• Clearly determining the criteria to terminate duties and announcing these criteria to the personnel

7 DELEGATION of AUTHORITY

Authority refers to the power of administrative bodies to make administrative decisions and to conduct administrative transactions.

Responsibility can be defined as a body of rules and sanctions that those who assume roles in administrative activities are subject to.

Delegation of authority is the transfer of authority and responsibility to make decisions to another body within the framework of the applicable legislation. Delegation of authority does not remove the managerial responsibility of the delegator.

Rigid and traditional administrative structures in which all the authorities as well as transferring and execution functions gather in a single centre are not preferred. In such administrations, the motivation of employees and managers of lower levels to own the administration and produce services in line with the objectives of the administration will be decreased. Administrations, on the other hand, in which managers delegate all their authorities to lower levels with insufficient capacity and do not monitor the results are not desirable either.

Delegation of authority forms a step for transition from an authoritarian management understanding to a transparent and accountable management understanding. In modern administrative structures, a proper control environment is created, employees are assigned responsibilities and authorities at the level of their duties, and employees together with the lower level managers are included into the decision-making mechanisms. In such administrations, working motivation will increase; therefore effectiveness and efficiency indicators will go up with the attainment of the aims and objectives.

In relation to delegation of authority, authorities to be delegated and their limits are defined by regulations on various laws. The main regulations in this regard are as follows:

• Law No 3046 on Ministries
• Law No 5442 on Provincial Administration
• Law No 2547 on High Education
• Law No 5393 on Municipalities
• Law No 5018 on General Management
• Organisational Laws of Administrations

7.1 Determination of Delegation of Authority

Delegation of authority should be carried out according to the hierarchical structure of the organisation. With a top-down approach, authorities to be delegated from Minister to undersecretary (authorities to be delegated to Head of Administration), to his deputies and to heads of units, from head of unit to head of department, from head of department to director of branch should be determined in writing and consulted with whom it may concern.

7.2 Delegation of Authority and Work Flow Process

Work flow processes of administrations should be determined, and the officials to take part in the processes and their authorities and responsibilities should be set out. These processes which are determined should be analysed, and who is to be assigned which authority in the processes should be determined.

What is expected in the delegation of authority is that the official who is to be delegated the authority should be well-informed of the process and have the quality and experience to manage the process. Employees that are delegated authority are expected to report the current situation of the process to the delegator, and the delegators are expected to seek this report.

7.3 Delegation of Authority and Responsibility

We can handle responsibilities in three different categories:

Managerial responsibility

It refers to the responsibility to the senior level in hierarchical terms. Besides, it is defined as performance responsibility. Delegation of authority will not remove the managerial responsibility of the delegator.

Financial (Compensation) Responsibility

It is the financial responsibility for public and/or personal loss caused by using the authority delegated. Financial responsibility to arise from the usage of this authority will belong to the user of the authority.

Legal (punitive) Responsibility

Legal responsibility covers managerial and financial responsibility. Legal responsibilities are defined in the Constitution, organisational laws, Turkish Penal Code and special legislations. It is a must that all the employees and political authorities working in the public administration behave with legal responsibility while carrying out their duties.

7.4 Factors of Delegation of Authority

Those authorities that can be delegated and those that cannot be delegated should be determined with their limits on senior management level and announced. The basic factors to be taken into consideration in delegation of authority are as follows:

• Delegation of authority must be in writing
• Legally, there are authorities which cannot be delegated and these are not at the administration’s discretion (for example, authority to give disciplinary punishment or the authority of administrative tutelage, etc.)
• Limits of the authority to be delegated must be set out
• As long as the delegation of authority continues, the delegator will not be able to use that authority
• The official delegating/delegated authority leaving the job will terminate the authority

7.5 Delegation of Authority and Communication

Employees taking over the authority should periodically report the current situation of the process to the delegator, and the delegator should seek this report, which will provide feedback to Head of Administration regarding the process. This forms an example of the monitoring function.

8 INTERNAL CONTROL AND RISK STEERING BOARD

8.1 Roles and Members of the Board

The Board has a consultation role which will provide additional value for the activities of administration in development of methods and processes regarding internal control system, such as monitoring internal control practices, preparation of action plans and implementation of the current plans.

The Board is formed by the approval of Head of Administration for commencement of studies on the internal control system within the framework of Action Plan Manual on Harmonisation with Public Internal Control Standards. The Board consists of authorising officers (or their deputies) under the chairmanship of the deputy Head of Administration, and when the deputy Head of Administration is not available, an authorising officer to be assigned by the Head of Administration will take over as chairman. All or some of the authorising officers are selected for the ICRSB, and how many to select should be determined with a view to provide efficiency in line with the organisational structure. When deemed necessary, the Head of Administration can invite those authorising officers who are not members of the Board to meetings of the Board to get their opinions, provided that they are not included in the decision-making. Secretarial services of the Board are provided by strategy development units.

The Board periodically convenes. Experts from inside and outside the administration can be invited to the Board if deemed necessary in order to contribute to the objectives and aims. The Board is free, within the framework of the duties and responsibilities given to itself, in determination of the dates and content of meetings, and notifies the relevant persons of the relevant arrangements in advance.

Decisions are made based on majority voting. Each member has only one voting right, including Chairman of the Board. However, when the voting of both sides is equal, the majority is considered to be the side that the chairman takes. Those members who do not side with the decisions state their justifications for not siding with the decision in writing. Deputy senior manager, authorising officers or the deputies they assign should have a single equivalent voting right in the meetings; however, the other representatives and experts whose opinions are received should not have a voting right. The Head of Administration, on the other hand, should be able to participate in the Board meetings without having a voting right and should encourage the participation of authorising officers for strengthening internal control system. For meetings which are not participated in by Head of Administration, briefing should be made through the reporting system.

Details about how the Board works should be specified in the relevant legislation.

The Board regularly monitors internal communication activities and processes, revises them when deemed necessary, and determines new communication methods to fit the changing organisational structure.

CE Figure 4 Information Flow in Internal Control and Risk Steering Board

82 The Boardrsquos Scope of Duty

The Board works to support the accountability of senior management in the fields of

management internal control and especially risk and is authorised to carry out the followings

with the approval of senior manager Within this framework its duties in the field of risk can be

listed as follows

It prepares the Risk Strategy and Policy Document (RSPD) or reviews the available RSPD

and submits it for the approval of senior manager

It determines policies in establishment of the risk management culture in the

administration

It determines the risks of spending units to be managed in partnership and the related

policies and procedures and communicates them to the unitrsquos risk coordinator for

coordination purposes

It determines the risks to be managed in partnership with the other administrations and

communicates them to the relevant administrative risk coordinator to ensure that

necessary precautions are taken for management in partnership with the relevant

administrations

The Board periodically assembles to assess whether risk management process functions

well or not and the level achieved regarding risks and reports the level achieved to the

senior manager

The Board fulfils following duties other than risk management

Assessing internal audit reports and providing guidance for implementation of

recommendation and ideas regarding internal control environment and the other

components in line with the requirements of the administration

Monitoring the activities of the administration carried out within the framework of

strategic plans and policies of the administration by means of periodical meetings

Making decisions on dissemination of good practice examples both inside and outside

the administration as a result of monitoring activities that are carried out

[CE Figure 4 labels: Deputy Head of Administration; Internal Control and Risk Steering Board; Strategy Development Unit; Authorising Officer; (A) Spending Unit; (B) Spending Unit; (C) Spending Unit]


RISK MANAGEMENT

1 Introduction

Administrations utilise the resources allocated to them in order to reach the objectives set out. Activities, processes and projects which are carried out for utilisation of these resources bring along risks. Risk management is a good tool for administrations to achieve the aims they set out in accordance with their missions and visions. Box RM1 describes Risk.

RM Box 1: Definition of Risk

Risk is the uncertainty of events that may emerge in the future (if positive it is an opportunity; if negative it is a threat). For the administrations, this means that aims, and the objectives they set out to achieve these aims, can be affected positively or negatively by internal or external factors.

Risk management covers risk assessment, determination of effective control activities, monitoring and continuous improvement of these processes. Risk management must be practised corporately for consistency purposes, which brings us to the concept of Corporate Risk Management. Corporate risk management covers the entire administration and ensures that risk management processes are considered and handled as a whole.

2 Risk Management standards

Administrations, while implementing risk management, take into account the following standards:

RM Box 2: Risk Management Standards

[Figure labels, internal control components: Control Environment; Risk Management; Control Activities; Info & Communication; Monitoring]

Standard 5: Planning and Programming
The administrations shall establish and announce their activities, goals, objectives and indicators, as well as the plans and programs, including the resources which are required for the realization of the above listed elements. They shall also ensure that the activities are in compliance with plans and programs.

Standard 6: Determination and assessment of risks
The administrations shall define and assess the internal and external risks that could prevent the achievement of goals and objectives by performing a systematic analysis, and determine the measures to be taken.

3 Benefits of Risk Management for Administrations

The following are the important benefits of properly applied risk management in corporate terms:

• Helps improve performance of administrations and assists administrations in attaining their aims and objectives.
• Helps provide the continuity of services the administration provides and improve the quality of activities the administration carries out.
• Ensures cost-benefit balance between the risks identified and the controls applied, and therefore increases the efficiency in resource allocation.
• Helps control the impacts of potential losses and decrease the costs of such losses.
• Ensures compliance with the legislation and regulations.
• Helps strengthen decision making mechanisms by supporting evidence and risk-based decision making.
• Enhances accountability by supporting the clear definition of tasks, roles and responsibilities within the administration.
• Helps the administration have a more positive image in the eyes of public opinion.

4 Critical Achievement Factors for an Effective Risk Management

For administrations to obtain the expected benefits from risk management, the following are required:

• Ownership of the risk management process and determination of a risk strategy encouraging its implementation in accordance with the mission and vision.
• Establishment of necessary mechanisms to have a single risk management language.
• Provision of sufficient information, guidance and advice regarding risk management.
• Simplicity, flexibility and practicality of risk management processes, and integrated planning and implementation with the other basic processes (strategic planning, performance management, human resources management, etc.).
• Supporting the assessments regarding risks with reliable evidence at all times.
• Systematic monitoring, reporting and evaluation of risk management processes.
• Increasing awareness within the administration that everyone has an important role to play in risk management and that risk management should be fulfilled as an integral part of the existing processes.
• Having an organisational communication strategy and proper and functional communication channels inside and outside the administration.

5 Risk Strategy and Policy Paper

Risk Strategy is the organisational approach defined for risk management and top level policies, whereas the Risk Strategy and Policy Paper (RSPP) is the document in which this approach and policies are set down in writing. Risk strategy sets out the administration's attitudes towards risks and forms a framework for the risk management process. The RSPP of an administration is prepared by the Internal Control and Risk Steering Board (ICRSB) for the endorsement of the head of administration and should be available to and known by all staff.

The organisational risk strategy should clearly set out the structures regarding the management and ownership of risks; how to address risks at strategic level and at program and activity levels; the structures regarding communication, monitoring, assessment and getting assurance; the criteria for key risks; the risk register format; and risk measurement criteria. Attention must be paid that the risk policies of the organisation comply with national level policy papers.

The risk strategy must be set out to reflect the risk appetite of the administration at strategic level. As risk appetite can change in time based on various conditions (for example, risk appetite may be low in periods of financial crisis), the risk strategy of the administration should be reviewed at least once a year and updated when deemed necessary. Box RM3 gives a basic explanation about Risk Appetite.

RM Box 3: Risk Appetite

Risk appetite is the amount of risk an administration is ready to take at any time (tolerate/be exposed to) in accordance with its mission, vision and objectives. Risk appetite should be taken into consideration while preparing strategic plans.

Risk appetite is affected by internal and external environment, people, business systems and policies. Within this framework, risk appetite should be set out with top down guidance.

It is possible for the administration to set different appetite levels as long as the administration does not exceed its overall risk appetite limits.

Both taking too many risks and taking too few risks may lead to failure. Although low risk appetite is considered to be a reliable management method, it may constrain the administration in terms of creativity, innovation and taking advantage of opportunities.

Another prerequisite in risk management is the existence of a common risk language. While producing this common language, what is needed is a joint terminology and mechanisms to disseminate it. Otherwise it is not possible to build a strong common understanding to manage risks.

Corporate risk management requires a contribution from all employees. Ownership of the risk management process by the staff (identifying, addressing, responding, reviewing and monitoring the risks) and considering it as a part of their jobs can increase the effectiveness of corporate risk management.

In order for risk management to contribute to the achievement of objectives, to improve management quality and also to reduce costs, it should be embedded in the activities. Embedding risk management in the processes means that activities are carried out as a whole, including risk management.

Box RM4 gives details of the content of the Risk Strategy and Policy Paper.

RM Box 4: Risk Strategy and Policy Paper

RSPP should include at least the following:

• Aim of risk management
• Risk appetite
• Compliance with the legislation and binding policy papers
• Risk methodology to be adopted
• How to determine key risks (criteria)
• Organisational structure and duties
• Roles and contributions of the employees
• Communication Plan

6 TASKS, AUTHORITIES AND RESPONSIBILITIES

Good risk management is only possible if the administration is well organised. Clear definition of tasks, roles and responsibilities; awareness of staff of what is expected of them within the framework of policies and practices of the administration; existence of horizontal and vertical communication mechanisms; and mechanisms for communication outside the administration are the requirements for a good control environment. The assignment of tasks, roles and responsibilities to appropriate, competent and authorised people in risk management will provide a strong infrastructure for risk management in the administration.

While it is necessary to define roles and responsibilities, all staff are responsible for risk management. Diagram RM1 explains the structure of roles and responsibilities in risk management.

RM Figure 1: Tasks and Responsibilities in Risk Management

6.1 Head of Administration

This person is defined within the framework of Law no. 5018 on Public Financial Management and Control and is authorised and responsible for risk management at the highest level.

Regarding risk management, the Head of Administration:

• Ensures the establishment of the strategy regarding the management of risks in accordance with the aims and objectives of his administration at the outset of each year and approves the Risk Strategy Policy Paper (RSPP), which demonstrates how the strategy will be implemented, and notifies all staff of this in writing.
• In the RSPP, he clearly defines all the tasks, roles and responsibilities and the necessary structures (for example, the ICRSB) within the scope of this manual for risk management.
• Provides the Administrative Risk Co-ordinator (ARC) with necessary support regarding the risks to be jointly managed with other administrations.
• Ensures that the proper mechanisms are established to provide for the necessary sensitivity and participation regarding the management of risks for the public opinion and the stakeholders.
• Sets out the strategic actions for the future in accordance with the considerations and recommendations by the ICRSB and the ARC.
• Receives assurance on risk management from the ICRSB and presents an assurance declaration to the Minister on whether the risks are managed effectively.
• He encourages the consistency of risk management processes.
• He reviews monitoring of reports and encourages the effectiveness of risk management.
• He sets an example in terms of his behaviours, particularly in strategic risk management.
• He encourages the employees to identify risks.
• He should show leadership in risk management.

6.2 Internal Control and Risk Steering Board (ICRSB)

The Board develops policies for the improvement of risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the units of the policies and procedures. On the advice of the ARC, the ICRSB determines a particular number of risks which it deems significant as the key risks among the risks that are submitted to it, and reports whether these key risks are managed well or not to the Head of Administration in regular periods or whenever it deems necessary.

Secretarial services of the Board are carried out by the Administrative Risk Coordinator (Head of SDU). Whenever necessary, people with the relevant expertise from within or outside the administration can be invited to the meetings. The ICRSB has the authority to enforce the elements it determined regarding the following duties with the approval of the Head of Administration.

Regarding risk management, the ICRSB carries out the following:

• Preparing the Risk Strategy and Policy Paper (RSPP) of the administration, or annually reviewing the already available RSPP, and submitting it to the Head of Administration for approval.
• Defining policies for establishment of a risk management culture.
• Ensuring that risks are consistently managed in the administration.
• Determining critically strategic risks of the administration.
• Determining the risks of spending units which require joint management and the related procedures and policies, and submitting them to the URC for coordination purposes.
• Setting out the risks that require joint management with other administrations and ensuring that necessary measures are taken for the joint management by notifying the ARC.
• Meeting at least quarterly in order to consider whether the risk management processes in the administration work effectively and to assess the current status of risks, and reporting it to the Head of Administration.
• Ensuring that good practice cases are determined and spread more widely.

6.3 Administrative Risk Coordinator

It is advisable that the Head of the SDU takes the role of Administrative Risk Co-ordinator. The ARC is a member of the ICRSB and is responsible to the Head of Administration for consistency of risk management processes of the administration and their compliance with the standards.

Regarding risk management, the ARC:

• Is responsible for the efficient operation and coordination of all risk processes in all units.
• Calls the relevant Unit Risk Coordinators (URCs) to a meeting at least once in three months.
• Prepares the Consolidated Risk Report (using the report form in this manual) on the basis of the reports submitted by the URCs and submits this Consolidated Risk Report to the top management and the ICRSB on a quarterly basis. The report should include the ARC's personal considerations on the key risks.
• Carries out secretarial services of the ICRSB and such tasks as setting out meeting agendas for the Board, keeping minutes of meetings and submitting decisions of the Board to the Head of Administration for approval.
• Discusses the issues on common risk fields with the ARCs of other administrations and coordinates these within the administration.
• Provides technical support to the units on risk management of the administration.
• Identifies the needs of units regarding risk management and reports them to the ICRSB and the Head of Administration before each meeting.
• Sends feedback to URCs regarding opinions, advice and decisions of the ICRSB and takes necessary precautions for the consistency of risk management processes of the administration.

6.4 Unit Risk Coordinator

The Unit Risk Coordinator (URC) is the authorising officer or the person who is determined by the authorising officer. Regarding risk management, the URC:

• Coordinates the identification of the unit's risks that may have an impact on the objectives of the administration and provides relevant guidance at the beginning of the year. The URC associates risks that are determined with the activities of the sub-units, using their knowledge and expertise, and pays attention to ensure that all important issues are addressed. Important risks included in the risk register are submitted to the ARC to be presented to the ICRSB for consideration.
• Reviews the risk registers and relevant reports that are annually prepared, on periods (such as monthly, quarterly, semi-annually) to be set out by the administration, and reports them to the ARC.
• Monitors the risks managed and reported by the Sub-Unit Risk Coordinators (SURCs) at unit level. Evaluates the changes in the risks or the arising risks, if any, and reports them to the ARC upon the approval of the unit director.
• Submits an assurance declaration to the ICRSB on whether the risks are managed effectively.
• Provides feedback to SURCs regarding opinions, advice and decisions of the ARC and ICRSB.
• Determines training needs regarding risk management.

6.5 Sub-Unit Risk Coordinator

The SURC is responsible for the coordination of risk management activities within sub-units of the units in administrations (if such units exist or it is seen to be appropriate to manage the risks at this level) and is the person to be determined by the authorising officer. He/she is directly accountable to the URC regarding risk management. Sub-unit risk coordinators must be selected from among those who have sufficient competence and experience.

Regarding risk management, the SURC:

• Coordinates the conduct of the tasks of identifying, assessing, addressing, reviewing and reporting the sub-unit's risks that are associated with the objectives of the administration.
• Reports to the Unit Risk Coordinator (URC), in line with the risk strategy of the administration and on periods determined by the URC, the recently identified risks that are related to the activities of the sub-unit, those risks with changing scores and the effectiveness of controls carried out to decrease these risks.
• Is accountable to the URC and furthermore responsible for providing the Administrative Risk Coordinator (ARC) with requested information and documents.

6.6 Employees

The most important factor for risk management to be successful is the ownership of risk management by employees. Therefore every employee is responsible for managing risks in their field of duty (identifying, assessing, responding to, reviewing and reporting risks).

Regarding risk management, employees:

• Contribute to the risk management processes in their respective units by defining, communicating and responding to the expected, emerging and changing risks.
• Manage the risks within their own fields of responsibility through the power and responsibility assigned to them by the administration.
• Provide evidence to the SURC/URC regarding the effectiveness of the management of risks in their respective fields.

Employees should not hesitate to identify risks and submit them to the relevant risk coordinator. It is important to bear in mind that just one loose screw could cause a plane crash.

6.7 Internal Auditor

The Internal Auditor provides the Head of Administration with advice regarding risk management by making evaluations on whether the risk management process is effective and whether risks are managed in the right way. Internal Audit can also provide advice on whether any key risks have been overlooked or inappropriately controlled.

6.8 Strategy Development Unit

The Strategy Development Unit (SDU) is responsible for providing training, identifying training needs and facilitating delivery of necessary training. They are also responsible for identifying best practice in risk management, encouraging such practice to be shared and providing guidance where necessary.

6.9 Central Harmonisation Unit

The Central Harmonisation Unit (CHU) carries out such activities as making regulations on internal control, including risk management, and activities for the development of risk management. The CHU also provides guidance, ensures harmonisation and inter-administrational coordination, and reports on the effectiveness of risk management.

7 RISK MANAGEMENT PROCESS

Basically, the risk management process should start simultaneously¹ with strategic planning studies. In cases when strategic plans should be renewed or amended, studies concerning risks should be carried out with current amendments in mind. Within the framework of risks identified in light of strategic objectives, the attitude of an administration towards risk management is set out in the Risk Strategy and Policy Paper, with information on risk appetite involved. Within this framework, administrations identify risks at strategic, program/project level and operational (activity) level. In identifying risks, an administration can start with strategic level (top-down) or activity level (bottom-up), or it can start the risk management process by implementing both methods together.

Figure RM2 shows the Risk Management process.

¹ If strategic plans are already prepared, the risk management process should then begin as soon as possible.

RM Figure 2: Risk Management process

[Figure labels: Risk Management Process; Identification of risks; Assessment of risks; Responding to risks; Monitoring and reviewing risks; Risk Management strategy]

The administration should manage the risks at strategic, programme and operational level, as shown in Figure RM3.

RM Figure 3: Hierarchy of Risk

Administration level: This is the area which covers the whole administration, where decisions related to strategic objectives are made and for which the senior management of the administration is responsible. Strategic objectives are medium and long term objectives and are associated with senior level policy documents. Therefore, while making decisions for the future, decision-makers (top management) have to take into consideration a lot of uncertainties. This is the area where risks have the highest impact. Besides, this is the area which is affected most by external risks such as governmental policies, the general economy and technological developments. This area assumes specific importance, as those risks which are not managed well at strategic level affect the other levels as well.

Unit level: This refers to units where policies of senior management are implemented and which are responsible at the highest level for the usage of public resources within the administration. Impacts of such risks last for a shorter period of time compared to those of the strategic risks. This is the area where units should identify their objectives and manage related risks for the administration to achieve its strategic objectives. This is the area which is affected by risks from both inside and outside the administration. For risks from upper and lower levels to be assessed and coordinated, it is vital that this level be managed well. Besides, there should be strong communication in this area.

Sub-Unit level: In this area there are only those works which are carried out at operational level with a view to achieving the unit's objectives. Daily activities of all employees fall within the scope of this area. This is the area where short-term decisions are made, products and services are produced and fewer uncertainties are experienced. This area is affected more by internal risks than external risks. Risks not being managed well at this level may affect the achievement of strategic objectives.

7.1 Identifying Risks

The risk identification process, which is the first stage of risk management, is the process of identifying, categorising and updating the risks that prevent or limit the achievement of the administration's strategic objectives, using previously defined methods. The following box suggests some questions to be considered when starting to identify risks.

RM Box 5: Questions to be considered when starting to identify risks

• What are the main objectives?
• What are the key activities?
• Who are the stakeholders?

The following should be considered while identifying risks:

• As a generally accepted rule, strategic risks that can affect the administration are determined at the stage of strategic plan preparation, and risks identified are included in the strategic plan.
• Risks should also be identified at programme and operational level. Programme and operational risks should include all the strategic risks. However, when identifying the programme and operational risks, we should not limit our scope to strategic risks but have a wider spectrum.
• When identifying risks, the administration can determine a top-down or bottom-up method, preferably used at the same time.
• Risks identified should be associated with objectives of the administration. It must be taken into consideration that some risks can indirectly affect the objectives, such as those which damage the reputation of the administration.
• Risks should be identified systematically with previously determined methods. These methods can vary according to the characteristics of the administration and its activities. In this process, the administration can either use one or more of the methods defined below or develop a new method in line with its own needs.
• Risks identified should be expressed as 'x' risk or risk that 'x may emerge'. It will be convenient to register them this way in the risk register (see Annex 3 for the risk register form).
• Assess whether risks identified are internal or external risks.
  o Internal risks are the risks stemming from the events directly controlled by the administration itself. Internal risks can be grouped into three: strategic risks, program risks and activity risks.
  o External risks, on the other hand, are the uncertainties arising due to events that are out of the control of the administration, which hamper or prevent the achievement of objectives. While identifying external risks, it will be useful to classify them by their subjects (generally PESTLE analysis is used; see Box RM7).
• After risks are identified, their owner or the person to be responsible for them must be defined, and this information must be included in the risk register.
• Since risk identification is a dynamic process, emerging risks should be identified and changes to the existing risks should be consistently followed up.

RM Box 6: Factors and methods to be taken into consideration during the process of identifying risk

How do I identify risks?

• Firstly, decide how to identify the risks, namely at strategic level, operational level or both.
• Identify and categorise the risks (social, cultural, political, scientific, etc.), taking into consideration the threats, opportunities and the scope.
• Decide on the required human resources, tools and methods.
• Mostly the following methods are used to identify risks. However, administrations can determine different methods other than these in light of their needs.
  o PESTLE analysis (see Box RM7)
  o SWOT analysis (see Box RM7)
  o Brainstorming (this method can be used both for identification and assessment; see Annex 1)
• Group risks as internal and external ones.
• Make a stakeholder analysis (identify the risk tolerance, position and attitude of the stakeholders).
• Repeat the identification regularly and in periods of change.

The following box explains the PESTLE and SWOT analysis.

RM Box 7: PESTLE and SWOT analysis

PESTLE Analysis

PESTLE analysis is the identification of risks by making assessments based on the following categories:

• Political
• Economic
• Social
• Technological
• Legal
• Environmental

Example:
  o Political: change of governmental priorities
  o Economic: inflation rate going above the expected levels
  o Social: population growth rate going much above the expected levels
  o Technological: information process infrastructure not being set up
  o Legal: cases in courts turning against the administration
  o Environmental: an earthquake strike

SWOT Analysis (In-house analysis)

• Strengths
• Weaknesses
• Opportunities
• Threats

Example:
  o Strengths: Specialised personnel
  o Weaknesses: Old technology
  o Opportunities: Economic growth
  o Threats: Sudden policy change

For detailed information, refer to Strategic Planning Guideline for Public Administrations, SPO, June 2009.

The following two boxes give some tips for the process of risk identification and some questions to ask.

RM Box 8: Tips for Risk Identification

What are the Tips?

• Whether there is available information regarding the risks, and how accurate it is, if any, should be taken into consideration.
• A working group including different fields of expertise would increase the likelihood of identifying new risks.
• Using the brainstorming method yields effective results (see Annex 1).
• Having open communication lines and acting farsighted are the key points.

RM Box 9: Questions to ask in the process of risk identification

• What could go wrong in the achievement of objectives?
• What are the critical achievement factors?
• Who are our stakeholders and what can their negative or positive impact be on our activities?
• What are our risk categories? Tables, diagrams, etc.
• What are our weaknesses?
• Which assets assume more critical importance?
• What areas are open to irregularities and fraud?
• Which events or situations can hamper our activities?
• What are our most critical sources of information?
• In which areas do we spend most?
• Which activities or processes are more complicated?
• In which areas are we subject to penal sanctions?
• What are the legal requirements?
• What are the resource limitations?

7.2 Risk Assessment

Risk assessment refers to analysing the factors that may have an impact on the achievement of the administration's objectives and evaluating the seriousness of the risk in terms of impact and probability. While assessing risks, in addition to the potential events the administration can face, aspects which are specific to the administration (for example, size of the administration, complexity of activities, legislation it is subject to in relation to its activities, its political priorities, public interest) should be considered.

After risks are identified comes the stage where the risks are measured and prioritised. Prioritisation is listing the risks in accordance with their priority, in line with the scores they are given. Risk assessment helps decide whether to respond to identified risks and, if so, select the best response with regard to the cost/benefit balance.

The following box gives some questions to be considered before starting the risk assessment process.

RM Box 10: Questions to be considered before starting the risk assessment process

• What are the objectives?
• What are the present controls?
• What are the possible results if the risk occurs?
• Do activities of some other administrations/units affect my risk?
• Who are the stakeholders and what is their level of experience and expertise?

Three important principles in risk assessment are:

1. Identifying the impact and probability of each risk. In assessment, probability and impact are analysed. Probability refers to the chance of an event occurring in a particular period. Impact, on the other hand, is the outcome or the effect produced.

Three categories are used while assessing risks: low risk level (shown in green), medium risk level (shown in yellow) and high risk level (shown in red). These colours, as in traffic lights, facilitate understanding the degree of importance of the risks. These are shown in the following diagram.

Probability and impact of the risks can also be shown using numbers. In the following diagram, point 1 indicates that there is almost no probability for that risk to occur, while point 10 means that it is almost certain that it is going to occur. In terms of impact, point 1 is used where the outcome of the realisation of a risk has little importance, whereas point 10 means that this outcome is highly important. Risks are scored between 1 and 10 for their probability and impact (see Annex 5). In assessing impacts and probabilities of risks, one of the methods to be used is the voting method (see Annex 2).

Risk maps are used to see the severity of the risks better. A basic demonstration of risks on the risk map is given in the following diagram.

RM Figure 3 Risk map

2 Assessing the risks on the basis of inherent risks and residual risks

Inherent risk refers to the amount of risk before it is managed or any action is taken. These inherent risks are transferred to the risk register (see Annex 3 for the Risk Register form) after assessing their probability and impact. In the assessment, as suggested above, the probability and the impact of the risk are each scored between 1 and 10. Multiplying the probability score by the impact score gives the risk score. At this stage the administration must decide on its risk appetite. It must also set out, in accordance with its designated risk strategy, which score ranges count as low, medium or high risk, and the risk map of the administration must be produced in this framework (see Box RM3 Risk Map).

After the risk score has been set, risks are prioritised starting from the one with the highest score. Responses to be given to risks are determined. Controls are identified and applied considering the methods of responding to risks.

The management must identify the level of the remaining risk after the control activities it carries out to manage the risk. Residual risk refers to the remaining risk after an action has been taken to mitigate the probability and impact of a risk. If the level of the residual risk is still higher than the risk appetite, the efficiency and competence of the present control activities must be questioned and, if deemed necessary, the responses to be given to the risks must be reviewed. The following box gives an example of inherent and residual risk.

RM Box 11 Example of inherent and residual risk

Activity: using a car
Inherent risk: having an accident because you are inexperienced
Control action: getting a licence, taking driving courses
Residual risk: another inexperienced driver crashing into your car

3 Recording the risks

Recording the risks contributes to the prioritisation of the risks, and therefore to the efficiency of the allocation of resources and to the production of evidence for the decisions taken; helps people to understand their responsibility within risk management; facilitates the acquisition and communication of information to the right people at the right time via the reporting mechanism; and enables the reviewing and monitoring processes of the risk.

Risk records are reported in two stages: the Risk Register (see Annex 3), used in the identification and registry of risks, and the Consolidated Risk Report (see Annex 4), used for the reporting of risks to the senior managers (see Annex 7 for an example of a completed Risk Register).

The following box gives some tips for the risk assessment process.

RM Box 12 Tips for risk assessment

- Measure the impacts and probabilities of the risks identified for a particular period of time.
- While determining the impact score, assess the impact the risk will have on the objective that is foreseen to be hampered.
- Utilise proper methods in the assessment.
- Bear in mind that the risk assessment of a job can best be made by the person who does this job.
- Note that activities of other administrations/units can have impacts on your risks and that risks are not independent of each other.
- Utilise tables such as risk maps to be able to see all the risks together.
- Prioritise risks in line with the risk scores (Impact x Probability).

RM Box 13 Example of the Risk Assessment process

You are going to deliver training on your subject of expertise.

Your objective: the audience understands the subject you explain.

You identify your risks:

Risk 1: As you arrive late, you may not have sufficient time to deliver the training.
Risk 2: You may deliver your presentation using an inappropriate approach, as you do not know who the audience is.
Risk 3: You may have difficulty in supporting what you explain, as you don't have the soft copy of the presentation.

Let's see the likelihood of Risks 1, 2 and 3 and how they would affect your objective if they occur.

Risk 1
Likelihood: The traffic would be bad at that hour. In addition, you have a lot of other things to do that day. Likelihood: 7
Impact: You can arrive late, but you know the subject very well. Even if you deliver it in a very short time, it would still be understandable for the audience. The impact of arriving late on your objective is 3.
Risk Score: 7 x 3 = 21

Risk 2
Likelihood: In the letter you have been told what the subject is but not who the audience is, and you don't have the chance to ring someone and find out. Likelihood: 5
Impact: If you are to deliver the training to experts who already know the issue, you go into details, but if your audience is made up of people who don't know anything about it, you only draw the general framework. If you cannot learn who the audience is and you deliver the training in detail while the audience is unaware of the subject, they would not understand; or if you give little information to people who already know about it, they would not learn anything new. The impact of using the wrong approach in the delivery is 9.
Risk Score: 5 x 9 = 45

Risk 3
Likelihood: You generally carry your computer around. You also have a habit of carrying your pen drive in your bag after saving your studies on it. Likelihood: 2
Impact: Even if you don't project the presentation on the screen, you know the subject very well. You could still effectively deliver it to the audience. The impact of not having the soft copy with you on your objective is 3.
Risk Score: 2 x 3 = 6

As shown in the risk map:

Impact
 10 |  10  20  30  40  50  60  70  80  90 100
  9 |   9  18  27  36  45  54  63  72  81  90
  8 |   8  16  24  32  40  48  56  64  72  80
  7 |   7  14  21  28  35  42  49  56  63  70
  6 |   6  12  18  24  30  36  42  48  54  60
  5 |   5  10  15  20  25  30  35  40  45  50
  4 |   4   8  12  16  20  24  28  32  36  40
  3 |   3   6   9  12  15  18  21  24  27  30
  2 |   2   4   6   8  10  12  14  16  18  20
  1 |   1   2   3   4   5   6   7   8   9  10
    +-----------------------------------------
        1   2   3   4   5   6   7   8   9  10   Likelihood

Prioritisation

1 Risk 2 (Risk Score 45)
2 Risk 1 (Risk Score 21)
3 Risk 3 (Risk Score 6)

(Note that risks are not always assessed according to the scores. Some strategic risks should be taken into consideration even if they have a low score. Emergency precautions/plans should be available. You may not always foresee what will happen. Your plans should be flexible, so that you will be able to handle the situation when something unexpected emerges.)

7.3 Responding to Risks

Responding to risks refers to setting out the responses to the risks identified and assessed within the risk appetites by the public administration, and mitigating the potential threats or taking the arising opportunities. Before deciding on the method to respond to risks, a cost-benefit analysis must essentially be carried out. The objective of responding to risks is to mitigate the likelihood of the risk and its impact, and to achieve the foreseen objective in the most efficient manner.

Box RM 14 Questions to consider in responding to risks

- What is the level of risk?
- What happens if no response is given to the risk?
- Which risks must be controlled?
- Which risks can be transferred?
- What are the consequences of resorting to risk aversion as a public administration?
- Is the opportunity good enough to take the risk?

The following figure shows, within the framework of risk appetite, how inherent risk turns into residual risk as a result of responses, controls and actions (also see Box RM3 Risk Appetite).

RM Figure 4 Risk Indication Table
(OGC's Risk Dashboard, from HM Treasury's publication named Thinking about Risk)

Figure RM4 demonstrates the following:

Columns 1 and 5: Control activities successfully decrease the inherent risk so that the remaining risk, called the "residual risk", is reduced to the same level as the risk appetite. Such points, where the risk appetite and residual risk of an administration overlap, are ideal situations in terms of risk management (cost-effect).

Columns 2, 3 and 4: Control activities decreased the risk. However, residual risk is still higher than the risk appetite (tolerable level). This shows that the effectiveness and adequacy of the controls implemented should be questioned and more control activities should be implemented.

Column 6: As the inherent risk is equal to the risk appetite, the risk is tolerable. However, these risks should be monitored just as the other risks are, because they may change.

Column 7: Control activities decreased residual risk below the risk appetite. This shows that more controls than necessary are implemented and resources are not used efficiently. In these over-control cases, control activities should be decreased to a level at which residual risk is equal to the risk appetite.

There are four methods of responding to risk, and these are shown in the following diagram, Figure RM5.

RM Figure 5 Methods of responding to risk

[Diagram: Methods of responding to risk: Tolerating, Treating, Transferring, Avoiding]

Tolerating: This is a passive method of response given to the risks which public administrations are comfortable to undertake. Risks can be accepted in the following cases:

- If the inherent risk is within the limits of the risk appetite, then it is accepted.
- When it is understood that the cost of the actions to be taken (controlling, transferring or avoiding) for an intolerable risk would exceed the potential impact of the risk, then the risk is accepted.
- Some risks are out of the control of the management. Certain risks do not disappear unless the activity is terminated, whereas terminating an activity is not always possible or desirable.

Treating: This is a method of response given to a risk by means of control activities carried out with a view to keeping risks at a tolerable level (risk appetite) in public administrations. This method can be applied using the following five controls:

- Preventive Controls
- Corrective Controls
- Directive Controls
- Detective Controls
- Emergency Plans

For detailed information refer to the Control Activities chapter.

Transferring: This is the response given to the risks by taking some of them away from the responsibility of the administration and transferring them to others. (Even if the risks are transferred, the responsibility cannot be transferred, and they need to be managed under the control of the administration, because it is the administration that will be affected when the risks are realised.)

Risk transfer is carried out using the following methods:

- Completely or partly transferring the activity to another administration
- Transferring its operation to third parties using a procurement method
- Transferring it by means of insurance (when appropriate)

Avoiding: If the risk we have to take is too big to manage and there are alternatives to the activity performed, it is possible to terminate this activity. For example, deciding not to build a factory which is expected to cause too much air pollution, or deciding not to purchase the computers that were planned to be purchased because of a budgetary cut.

The following box summarises the process of responding to risk.

Box RM 15 Process of responding to risk

- List the Threats and Opportunities according to the analysis results.
- Define your attitude considering the content of the risk: Tolerate, Control, Transfer or Avoid.
- Ensure that the benefit that the response will provide is higher than the cost it will bring.

While managing risks, the opportunities they bring along should also be taken into consideration. Alongside negative impacts, risks can also lead to opportunities. In order to be able to take these opportunities, which would make an additional contribution to the achievement of the administration's objectives, the administration must have designated strategies. Taking the opportunity is not an alternative method of responding to risks; rather, it is a method to be applied additionally. Opportunities are taken in the following cases:

- When taking the opportunity and reducing the threats coexist. For example, carrying out health and scientific research to find a cure for a disease (the disease threat will decrease and, at the same time, there will emerge the opportunity that costs will decrease with fewer people going to hospitals).
- When opportunities emerge before the negative event occurs. For example, using a new technology to be able to work better, or reaching a greater number of people via e-state.

The following box gives some tips for use when responding to risk.

RM Box 16 Tips for responding to risk

- Prioritising risks helps decide which risk to respond to first.
- As a public administration, while determining the responses to be given to risks, the recipients of the services and the impacts on them must be considered.
- Stay away from over-control measures while responding to risks. Over-control harms the efficiency of the administration as much as insufficient controls do.
- The possibility that acting in coordination with other administrations in responding to risks may be more efficient must be considered.

The following box gives an example of the process of responding to risk.

RM Box 17 Example of the process of responding to risk

Your organisation has decided to buy a new IT system.

You identify your risks:

Risk 1: The new system has inadequate response times.
Risk 2: Data is not transferred accurately from the old IT system to the new system.
Risk 3: You do not have the capability to operate the new IT system.
Risk 4: The new IT system does not work.

What responses can you give to these risks?

Risk 1
Tolerate: You have been assured that the new system has a five second response time, which is similar to the current system, so you decide that it does not need to be quicker.

Risk 2
Treat: You need to introduce controls to make sure that data is transferred accurately.
- Preventive controls: Testing is done on the new IT system before it is introduced, to ensure that data is not corrupted on transfer.
- Corrective controls: Testing is done comparing data transferred from the old system to the data on the new system. This control activity corrects the errors.
- Directive controls: Requirement that IT staff working on developing the new system have adequate skills and experience.
- Detective controls: Testing is done after one year of operating the new system to see if standing data transferred from the old system is accurate.
- Emergency plan: You should make sure that you can revert to using the old system in the event that the new system does not have properly transferred data.

Risk 3
Transfer: You outsource the running of the new system to another organisation which has the relevant expertise.

Risk 4
Avoid: If it is detected during testing that the new IT system is not working, you stop the purchase of this system and search for an alternative IT system.

Take the opportunity
Your new IT system allows you to operate more efficiently, freeing up staff time to do other activities.

7.4 Reviewing Risks

Risks can change in terms of their impact and likelihood due to various changing conditions or measures taken. Furthermore, new risk areas may also form due to changing conditions. Therefore all aspects of the risks identified, and the risk management process, should at least be reviewed on a regular basis. Reviews can be carried out at frequencies to be set by the administration according to the level of importance of the risks.

In the event that extraordinary developments take place and have a serious impact on the risks, the Administrative Risk Coordinator (ARC), upon the spoken or written instruction of the head of administration, organises an emergency meeting of the Internal Control and Risk Steering Board to assess the risks. For example, natural disasters, economic crises and early election resolutions are extraordinary developments.

Reviewing the risks and reviewing the risk management process are two different processes, and the fact that one of them is carried out does not necessarily mean that the other is carried out as well. Whereas each risk is reviewed by its respective owner, the risk management process is reviewed by the Head of Administration and/or the ARC. Reviewing risks regularly provides flexibility in adapting to changing conditions.

Risks are reviewed as follows:

- It is reviewed whether risks still exist, whether new risks have arisen, and whether the likelihood or impact of a risk has changed.
- Priority should be given to key risks (those with the highest probability and impact) during a review. Other risks should be reviewed later.
- While reviewing strategic risks, first and foremost amended policy papers (if any), developments in other countries, expectations of the public for that period, Internal Audit Reports, Inspection Reports, External Audit Reports and other relevant reports and documents should be considered.
- In the light of the developments, if there have been any changes to the risk profile, the risk register of the administration/unit/sub-unit must be reviewed.
- The change must be communicated to the risk coordinator at the next senior level within five working days.
- After reviewing the prioritisation of the key/main risks, the assessment results should be submitted within five working days by the ARC to the ICRSB in a revised Risk Report.
- The results of the assessment are discussed by the ICRSB, and the report is then submitted to the Head of Administration by the ARC.
- The conclusion and evaluation part of the report must include remarks on whether the risk management process provides the necessary assurance and whether new measures are needed or not:
  o Do we give reasonable assurance on the successful management of risks?
  o Do we give reasonable assurance on the effective implementation of the control activities?

The process of reviewing risks is summarised in Box RM18, and questions to consider are listed in Box RM19.

RM Box 18 Process for reviewing risk

- Set out a review period depending on the characteristic of the activity.
- Frequently review the first critical risks.
- During the review, assess the probability and impact of the risks for that period.
- Decide whether the risk is still a threat.
- Identify whether new risks have arisen for that period.
- The condition of the control activities must be reviewed according to the change in the risk. It would be appropriate to eliminate an activity which has become pointless because the risk has disappeared.
- Record the identified findings on the risk register.
- Report the risks of every level.
- Changes regarding the risks are reflected on the risk register; however, in emergencies the managers must be informed as soon as possible.

RM Box 19 Questions to consider in the risk review process

- What are the changes in the environmental conditions?
- What are the changes that impact on the operation of the activity?
- How do the changes affect the administration?
- Are present controls sufficient to address the changing situation?
- Is there sufficient evidence that the controls are effective?
- It would be useful to take into consideration the policy papers of the government and the administration while assessing risks.

7.5 Communication and Reporting

Communication within the context of risk management refers to the accurate and timely conveyance of the right information to the relevant people through various mechanisms. Communication is a vital process which needs to be effectively applied in all phases of risk management.

The following are important to communicate:

- The administration's objectives, policies and procedures
- The risk management strategy
- The numbering system in the risk assessment stage and measurement mechanisms
- Which controls are convenient in responding to risks
- How well risks are managed in reviewing risks

It is important to bear in mind that this vertical and horizontal communication is mutual (communication-feedback).

To ensure effective communication, the issues in Box RM20 should be considered.

RM Box 20 Issues for effective communication

- Who will communicate with whom, and in which format?
- Who is responsible to whom, about what?
- How should communication with high levels be carried out?
- How does communication with the Minister work?
- Who will communicate what information to which levels?
- How is the accuracy of information ensured?
- The expectation of top management from the employees regarding risk management should be clearly defined and conveyed to all employees.

In addition to internal communication, efficient communication lines are needed with the partners, where the services provided require partnerships, and with the citizens or NGOs who are affected directly or indirectly by the services provided by the administration. Therefore, while the administration is producing its Risk Strategy and Policy Paper, it should prepare an efficient communication plan which regulates the internal and external communication, and share it with all stakeholders.

Reporting has a direct impact on the decision making processes in risk management. The reports should be as short and accurate as possible and demonstrate the evidence regarding the evaluations; they should be relevant and be submitted to the relevant people where necessary. Reporting must be carried out within the administration both vertically and horizontally. It should be explicitly set out who will report to whom, and with what frequency, in the risk management process. Reporting will be done in the forms to be determined by administrations and in pre-determined periods, using at least the information contained in the forms shown in the Annex to this Manual. When deemed necessary, administrations can develop forms other than those contained in the Manual.

Within the scope of this chapter of the manual, Risk Management can be demonstrated via the following diagram.

RM Figure 6 Risk Management Process

[Diagram labels: Administration's Mission; Strategic Plan and Performance Programme Budget; Annual Management Plan; Activities, Processes, Projects; Risk Assessment: Identify, Measure (impact x probability), Prioritise; Tolerate, Control, Transfer, Avoid; Take the opportunities; Operational Level, Unit Level, Administration Level; Assess, Manage, Monitor; Risk Register; Control Activities; Monitoring and Evaluation]

7.6 Learning

Learning needs to be enriched through systematic training tools and disseminated to the target groups using the most effective method. Depending on the target group, such methods as conferences, seminars, workshops, trainings, hands-on trainings, internships, exchanging information via various communication channels, and sharing best practices, failures or mistakes would facilitate learning the risk management processes and establish a basis for risk management practices in the corporate sense.

Addressing risks largely depends on experience. Drawing on previous experiences and making everyone aware of the successful and unsuccessful practices via a strong communication network would facilitate more effective and faster addressing of risks. In particular, conveying the positive and negative experiences about the emerging risks and the methods to handle these to the stakeholders, and learning what could go wrong, can only be ensured if a method that focuses on learning from mistakes is adopted and learning experiences are shared. Therefore it will be useful to use the peer review method within the administration. In this method, units learn how others at the same hierarchical level manage risks, and they can adopt good practice examples in their own units.

Sharing risk management experiences with external stakeholders, especially organisations experienced in this field, could not only help the administrations develop new methods but also ensure a more efficient use of risk management resources.

RISK MANAGEMENT ANNEXES

ANNEX 1 Using the brainstorming method to identify, assess and record risks

Step 1

Collect together in the same room all members of the Unit or Sub Unit, or all staff who work on a project or on a business process. Identify an appropriate facilitator (see Box RM 21) to guide the brainstorming workshop. The brainstorming would be most effective if it is facilitated by an independent person who has experience of facilitating brainstorming.

(Note: this can also be done by collecting all senior managers in an Administration to brainstorm strategic risks.)

Requirement for step 1: all attendees of the brainstorming should be fully familiar with the Sub Unit/Unit, project/business process or Administration respectively.

RM Box 21 Role of the facilitator

- Encourage the workshop attendees to all participate in identifying risks.
- Watch out for duplication of similar risks (if 2 risks are very similar, consider amalgamating them).
- Ensure that all attendees vote on the impact and likelihood of the identified risks.
- Encourage attendees to challenge each other's scores, defend their own or change them if they think appropriate.
- Ensure that the risk scores are accurately entered in the spreadsheet and prioritised.
- Action plan the response to risks, starting with the highest priority.
- For each response, ensure responsibility is allocated to a named individual.
- Ensure for each response that a review and reporting date is identified (exact date).

Step 2

Once all brainstorming attendees are assembled as per step 1, firstly clarify what the objectives of the Sub Unit/Unit, project/business process or Administration respectively are. These may be included in the strategic plan or, for sub units, may not previously have been identified. Think widely: are there other objectives that are not included? All attendees should agree that these are the objectives before proceeding to Step 3.

Step 3

All attendees at the brainstorming should brainstorm: what are the risks to the achievement of each of the objectives identified in step 2? This can be done as one group or, for larger brainstorming sessions, in pairs or sub-groups. Risks identified by the brainstorming should be recorded in the risk voting form in Annex 2 (columns 3, 4 and 5), clarifying which objective(s) might not be achieved if the risk happens.

Step 4

Once all risks are identified, all brainstorming participants should vote on what they think the likelihood and impact of the risk are, using the guidance for scoring in the risk management chapter of this manual. These votes should be recorded on the risk voting form. The number of the related columns (Columns 6, 7, 8 and 10, 11, 12) can be increased in line with the number of participants. (For scoring impacts and probabilities, see Annex 5 Risk Assessment Criteria Table.)

Step 5

Once initial votes are recorded on the risk voting form, where there are large variations between the highest and lowest score for likelihood and/or impact for a particular risk, the individual(s) who gave the highest score should first of all justify why they gave the high score and try to convince the others why they should increase their score. The individual(s) who gave the lowest score should then justify why they gave the low score and try to convince the others why they should decrease their score. After these justifications have been given, an opportunity should be given to all who were convinced by any of the justifications to change their score.

Step 6

The risks identified should be listed in decreasing order of the multiple (Column 14) of the average impact (Column 9) and the average probability score (Column 13) from the brainstorming. The participants should be asked if the result is what they expected. Does what they considered to be their most significant risk have the highest score? If not, look at the voting again and consider if it needs to be changed.

Step 7

Once brainstorming participants are satisfied with the prioritisation of the risks, complete the other columns of the risk register (Annex 3), starting with the highest priority risk.

Step 8

If the risk which is written in column 5 of the Risk Register arises from an event which will occur at a particular date (e.g. elections), column 6 of the Risk Register, namely the time frame column, can be completed by writing how much time before that date the risk is expected to materialise (e.g. a month, three months, etc.). The column can be left blank if timing is not important.

Step 9

When identifying control activities, consider whether the risk level is within the risk appetite for that particular risk or not, and what control(s) would be most cost-effective and would mitigate the risk best by reducing the impact and/or the likelihood of the risk materialising. Also consider what the existing controls are, whether these are currently effective, and whether they can be improved or whether it would be more cost-effective to introduce new control(s) in addition to or instead of the existing control(s). Complete the related columns in line with the explanations in the table (Columns 11, 12 in the Risk Register).

Step 10

The form will have been fully completed when the other columns are completed, taking into consideration the instructions in the Risk Register Form.
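The scoring in Steps 4 to 6, together with the residual-risk comparison described for Figure RM4, can be expressed in code. The Python below is an added example, not part of the manual; the individual votes, the reference codes R1 to R3, the spread threshold of 4 for a "large variation" and the handling of fractional scores are assumptions.

```python
from dataclasses import dataclass

# Score ranges printed on the Risk Register form (Annex 3): 45-100, 9-44, 1-8.
# Assumptions: they correspond to high, medium and low in that order, and,
# because averaged votes can be fractional, they act as lower thresholds.
HIGH_FROM, MEDIUM_FROM = 45, 9


@dataclass
class VotedRisk:
    ref: str                 # reference number (constructed)
    description: str
    impact_votes: list       # one 1-10 vote per participant (form columns 6-8)
    probability_votes: list  # one 1-10 vote per participant (form columns 10-12)


def average(votes):
    """Average a ballot after rejecting empty input and votes outside 1-10."""
    if not votes:
        raise ValueError("at least one vote is required")
    for v in votes:
        if not 1 <= v <= 10:
            raise ValueError(f"vote {v!r} is outside the 1-10 scale")
    return sum(votes) / len(votes)


def band(score):
    if score >= HIGH_FROM:
        return "high"
    return "medium" if score >= MEDIUM_FROM else "low"


def needs_discussion(votes, spread=4):
    """Step 5: a large gap between highest and lowest vote triggers justification
    and a re-vote. The manual gives no figure; spread=4 is an assumption."""
    return max(votes) - min(votes) >= spread


def prioritise(risks):
    """Steps 4-6: average the votes, multiply, and list in decreasing order."""
    rows = []
    for r in risks:
        avg_impact = average(r.impact_votes)            # column 9
        avg_probability = average(r.probability_votes)  # column 13
        score = avg_impact * avg_probability            # column 14
        rows.append({
            "ref": r.ref,
            "score": score,
            "band": band(score),
            "discuss": needs_discussion(r.impact_votes)
                       or needs_discussion(r.probability_votes),
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def control_status(inherent, residual, appetite):
    """Compare residual risk with risk appetite as described for Figure RM4."""
    if inherent <= appetite and residual == inherent:
        return "tolerate and monitor"                    # column 6
    if residual > appetite:
        return "question controls and add more"          # columns 2, 3 and 4
    if residual < appetite:
        return "over-control: reduce control activities" # column 7
    return "ideal: residual risk equals risk appetite"   # columns 1 and 5


# Constructed votes from three participants, chosen so that the averages
# reproduce the scores of the training example in Box 13 (21, 45 and 6).
SAMPLE_RISKS = [
    VotedRisk("R1", "Arriving late", [2, 3, 4], [6, 7, 8]),
    VotedRisk("R2", "Wrong approach for the audience", [8, 9, 10], [4, 5, 6]),
    VotedRisk("R3", "No soft copy of the presentation", [1, 3, 5], [1, 2, 3]),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_RISKS):
        flag = " (re-vote)" if row["discuss"] else ""
        print(f'{row["ref"]}: {row["score"]:.1f} {row["band"]}{flag}')
    # Assumed appetite of 21: controls bring a score of 45 down to 30.
    print(control_status(inherent=45, residual=30, appetite=21))
```
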

The following box gives some suggestions for ground rules for brainstorming.

RM Box 22 Suggested ground rules for brainstorming

- There is no such thing as a bad idea
- One person speaking at a time
- Active participation
- Keep to the timetable
- The facilitator is in charge (if there is one)
- Open discussion but no personal criticism

ANNEX 2 Risk Voting Form

This form is used to calculate the risk score after risks are identified.

ANNEX 3 Risk Register

This is a form used to report the status after risks identified at administration/unit/sub-unit level are recorded.

RISK REGISTER

Administration/Unit/Sub-unit:
Date: 20

No | Column heading | Entries printed on the form
1 | Serial no |
2 | Reference No |
3 | Strategic Objective |
4 | Unit's Objective |
5 | Risk Identified | Risk; Reason
6 | Time frame |
7 | Probability |
8 | Impact |
9 | Risk score (R) | 45-100; 9-44; 1-8
10 | Change (Direction of risk) |
11 | Current/New/Additional control activities |
12 | Starting date |
13 | Risk owner |
14 | Monitoring and Reporting |

Columns

1 Serial no shows the sequencing in the risk register

2 Reference no shows the risks reference number Reference number is such a code that also shows the unit risk owner is affiliated to This

code does not change as long as risk continues to exist The same code is not given to another risk

3 Strategic Objective This is the column in which code of strategic objective related to risk which is demonstrated in strategic plan is

written

4 Units objective If risk register is completed at unitsub-unit level objective of unit which is directly or indirectly related to strategic

objectives of the administration and can be affected by the risk is written in this column if risk register is completed at administration level

63

then this column is left blank

5. Risk Identified: Description of the risk. Reason: Reasons which cause the risk to occur.

6. Time frame: If the risk arises from an event which will occur at a particular date (e.g. elections), this column can be completed by writing how much time before the date the risk is expected to materialize (e.g. a month, three months, etc.). The column can be left blank if timing is not important.

7. Probability: Probability value determined by using the Risk Voting Form (Annex 2) (between 1-10). While determining this score, it may be useful to list related control activities, actions taken and related regulations. In this way, the probability that the risk will materialize notwithstanding the actions taken can be determined.

8. Impact: Impact value determined by using the Risk Voting Form (Annex 2) (between 1-10). While determining this score, it may be useful to list related control activities, actions taken and related regulations. In this way, what the impact of the risk will be if it happens notwithstanding the actions taken can be determined.

9. Risk Score (R = I x P): Risk score determined by multiplying the probability and impact scores in the Risk Voting Form (Annex 2) (between 1-100). See below for an explanation of the colours to use.

10. Change (Direction of risk): This is the column in which the change in the status of the risk is shown in light of the previous risk register. It can be shown, according to the administration's preference, in writing such as up/down/stable or by means of direction signs. If there is no previous risk register, then it is stated as New.

11. Current/New/Additional control activities: Current control activities are written in this column. It is assessed whether these activities are still needed or not. If not, they are removed. It is also assessed whether current control activities are appropriate or sufficient. If the calculated risk score is above the desired level taking into consideration the current control activities, then new or additional control activities which are planned are written in this column.

12. Starting date: The exact date that new/additional control activities will start to be implemented.

13. Risk owner: The person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, does monitoring, keeps records of achievements and failures about control activities, and ensures that evidences which show that the risk is managed are kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.

14. Monitoring and Reporting: When to review and to whom to report risks are written in this column.

Colours

High risk

Medium risk

Low risk

No sufficient information to assess the risk. It is included in the risk register and a risk owner is identified for collecting sufficient information.

Note: In the event that a new risk is identified during the year, the employee identifying this risk reports it to the senior manager. If the manager decides this is a risk which needs to be managed, then this risk is registered in the risk register form and approved by the relevant manager.

ANNEX 4 Consolidated Risk Report

This is the form which enables corporate risks of an administration to be submitted to the senior manager as a report composed of a few pages.

CONSOLIDATED REPORT
(Corporate Risks)

Administration/Unit/Sub-unit:          Date: 20..

Form columns:

1 Serial No | 2 Reference No | 3 Strategic Objective | 4 Risk Identified | Status: 5 Previous risk score and colour | Status: 6 Current risk score and colour | 7 Risk Owner | 8 Explanation

Score bands shown under both Status columns: 45-100, 9-44, 1-8

Columns

1. Serial no: shows the sequencing in the risk register.

2. Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist. The same code is not given to another risk.

3. Strategic Objective: This is the column in which the code of the strategic objective related to the risk, as demonstrated in the strategic plan, is written.

4. Risk Identified: Description of the risk.

5. Previous risk score and colour: shows the status of the risk in the previous Consolidated Risk Report.

6. Current risk score and colour: shows the status at the date of the report.

7. Risk owner: The person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, does monitoring, keeps records of achievements and failures about control activities, and ensures that evidences which show that the risk is managed are kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.

8. Explanation: Information about the effectiveness of control activities and foresight for the future are given in the explanation section.

Colours

High risk

Medium risk

Low risk

No sufficient information to assess the risk. It is included in the risk register and a risk owner is identified for collecting sufficient information.

ANNEX 5 Risk Assessment Criteria Table

Table columns: Value, Range, Probability, and Impact under four headings (Strategy, Activities, Financial, Compliance with Legislation).

Values 10, 9, 8, 7 – Range: High

Probability: Risks which are almost certain to occur within 5 years. Taking into consideration the structure of the administration, they generally arise from policies and procedures. The wider the activity area of the administration, the more likely it is that the risky event occurs.

Impact, Strategy: Risks which can have a major impact on attaining strategic objectives. These are risks which are generally faced in the long term but can cause the administration to divert from its objectives in case of occurrence.

Impact, Activities: Risks which cause the administration/unit/sub-unit not to provide the service it has to provide in an effective and efficient way belong in this category.

Impact, Financial: Risks which will cause heavy financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are above the acceptable level should be accepted as a high risk.

Impact, Compliance with Legislation: Risks which will cause a big obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation. Such risks can be seen in areas where the legislation is too complicated and unclear.

Values 6, 5, 4 – Range: Medium

Probability: Risks which are likely to occur within 5 years. These are generally such risks that the administration/unit/sub-unit or administrations with similar structures have faced formerly.

Impact, Strategy: Risks which can have a certain level of impact on attaining strategic objectives.

Impact, Activities: Risks with a certain level of impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.

Impact, Financial: Risks which will cause a certain level of financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are within the acceptable level should be accepted as a medium risk.

Impact, Compliance with Legislation: Risks which will create a certain level of obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Values 3, 2, 1 – Range: Low

Probability: Risks with low probability of occurrence within 5 years. These are generally such risks that the administration/unit/department faces very rarely. These are risks with almost no likelihood of occurrence.

Impact, Strategy: Risks which can have the least impact on attaining strategic objectives. Their impacts are generally little and cover a limited area.

Impact, Activities: Risks with little impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.

Impact, Financial: Risks which will cause little financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are below the acceptable level should be accepted as a low risk.

Impact, Compliance with Legislation: Risks which will cause a little obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Range: Unknown

Probability: In case that there is no idea about the likelihood of the risk occurring within 5 years, the risk is shown in blue until it can be clearly identified with larger data.

Impact, Strategy: The impact of a risk likely to occur on strategic objectives of the administration could not be determined.

Impact, Activities: The impact of a risk likely to occur on the activities could not be determined.

Impact, Financial: The financial impact of a risk likely to occur could not be determined.

Impact, Compliance with Legislation: The impact of a risk likely to occur in case of non-compliance with the legislation could not be determined.

Risk has recently emerged, no data was obtained regarding its status and there is no sufficient data for analysing the new risk; or it is a risk which previously occurred but there is no sufficient data for the analysis. Information should be gained as soon as possible so that an analysis can be made and an opinion formed.

ANNEX 6 Case Study Example of Inherent and Residual Risk

Case study example to illustrate the concepts of inherent and residual risk, and also to illustrate how a risk owner can obtain information from several different control owners to monitor the extent to which the risk they are responsible for is successfully mitigated by the existing controls.

The scenario concerns a storage warehouse for gold bars, a risk owner who was the Store manager, a risk that gold bars are stolen, and 4 controls:

a) An IT system control giving bars in and out and a balance held for each working day – daily printouts sent by the IT manager to the risk owner;

b) An independent company comes in once a month to perform a stocktake count of gold bars in the warehouse, which they reconcile with the relevant printout of stock from the IT manager – any variances in stock held are investigated and explanations provided where possible – the independent company provides a monthly report to the risk owner on results of the work they have done, detailing any unexplained variances (which could potentially be incidences of theft);

c) Security guards – professionals guarding access to the warehouse 24 hours a day and 7 days a week, ensuring that only authorised staff have access to the warehouse and that all bags are put through a metal detector on leaving to ensure gold bars are not being smuggled out (gold bars are too heavy to be easily hidden on the person). On recruitment, a criminal record check is made on the security guards to ensure that they do not have prior convictions for theft. Security guards report weekly to the risk owner on their work; and

d) An alarm system – any incidences of it being set off are sent in a report by the security guards to the risk owner. Regular (weekly) checks on the alarm system's functioning are carried out by the security guards, with success of the check included in their reports to the risk owner.

The inherent risk in the absence of the above 4 controls would be considered high (a high probability that bars would be stolen and a high impact, as gold bars are expensive). This would be above the risk appetite, and consequently the above 4 controls would be designed to mitigate the risk of the gold bars being stolen, with the foreseen effect of the four controls being that the residual risk would be reduced. (Note: all four control measures combined would mitigate only the probability of the gold bars being stolen, not the impact.)

The risk owner would gather evidence as to the effectiveness of the four controls. If they were found to be effective, he would consider whether the risk had been successfully mitigated to within the risk appetite (likely answer: Yes, unless a further new control or a strengthening of the existing controls was considered necessary if the risk appetite was very low due to the high impact/the organisation is very risk averse).

If one or more of the 4 controls is found by the risk owner to be ineffective, it is likely that the risk would still be at a level above the risk appetite, and so the risk owner would need to escalate the issue to his line manager, suggesting methods for further mitigating the risk (either by introducing an additional control or by strengthening the control(s) that had been found to be ineffective).

ANNEX 7 Case Study Example of completed Risk Voting Form Risk Register and Consolidated Risk Report


CONTROL ACTIVITIES

1 Introduction

Control activities (also referred to as controls) are actions aimed at reducing the impact and/or the likelihood of a risk occurring, and thus increase the probability of attaining the goals and objectives of the organisation or part of the organisation. For an effective control, the introduction of the control activities depends on the completed risk assessment. The management must plan, organise and direct sufficient control activities to obtain reasonable assurance that the tasks and goals will be achieved. Control activities cover both financial and non-financial controls, and they should be designed and implemented as a whole for all the activities of the administration.

This section of the manual, within the framework of internal control standards, looks at how procedures should be developed as control activities to ensure that risks to achieving administrative objectives are managed effectively.

2 Control Activities Standards

Administrations, while identifying and implementing their control activities, take into account the following standards.

CA Box 1: Internal Control Standards

Standard 7: Control strategies and methods
The administrations shall determine and implement control strategies and methods which aim to achieve the objectives and are suitable for risk response.

Standard 8: Determination and documentation of procedure
The administrations shall prepare and update written procedures which are required for administration activities as well as financial decisions and transactions and arrangements relevant to these areas, and also give the relevant personnel access to these documents.

Standard 9: Segregation of duties
With a view to reducing fault, flaw, error, irregularity and corruption risks, the duties of approval, implementation, recording and control of financial decisions and transactions shall be allocated among personnel.

Standard 10: Hierarchical controls
The administrators shall systematically control the compliance of the works and transactions with the procedures.

Standard 11: Continuity of activities
The administrations shall take necessary measures for continuity of the activities.

Standard 12: Information system controls
The administrations shall develop control mechanisms in order to ensure the continuity and security of information systems.

[Figure: internal control components diagram with the labels Risk Management, Control Activities, Info & Communication, Monitoring, Control Environment]

3 Planning Process of Control Activities

Control activities can be regarded as the ability of administrations to get through the challenges they experience in carrying out their activities. Control activities should be designed within the framework of cost-effectiveness analysis, in a way to directly facilitate attainment of objectives. Ideally, when introducing control activities, the heads of organisations must take into account the expected benefit from them as well as the costs of their introduction and implementation. Control activities should ideally be introduced in the processes and systems at the time of setting up these processes and systems, because the introduction of control activities at a later stage is more expensive and less efficient.

It is important for effectiveness of controls that control activities be understandable, applicable and consistent. A good control strategy should take into account how to implement the controls as well as identifying them. At this juncture, the administrative, financial and physical capacity of an administration should be taken into consideration.

Another important point to pay attention to in planning control activities is the evaluation of effectiveness of controls implemented. Such issues as whether the aim of implementing the control is commensurate with the targeted results, and whether the expected cost is in parallel with the actual cost, should be evaluated. Furthermore, regular review of control activities in the light of changing circumstances is also an important factor in terms of effectiveness-evaluation.

Administrations should take into consideration the following basic requirements in identifying control activities.

CA Box 2: Basic Requirements – Planning of control activities

In order to be effective, control activities must be:

- adequate (the right control in the right place, at the right level and commensurate to the risk involved);
- cost-effective (the costs of implementing a control should not exceed its benefits);
- comprehensive, understandable and directly related to the control objectives;
- documented clearly;
- evaluated as a whole so that they are consistent in their operation;
- carried on until effectiveness is evaluated.

4 Classification of control activities

The control activities are generally classified as follows. Administrations should implement the following basic requirements as a minimum standard; however, they can implement additional control activities depending on the nature of the risk.

4.1 Preventive controls

These are the controls to be carried out to mitigate the likelihood and prevent as much as possible the undesirable outcomes that may emerge when risks occur. For example: ex-ante financial control operations; applying the principle of segregation of duties to prevent fraud or irregularities.

CA Box 3: Basic requirements – Preventive Controls

The security of physical and intangible rights (intellectual assets, etc.) and records:

- physical safeguarding of assets;
- recording financial/management information;
- access controls such as passwords, identity cards, guards; and
- segregation of duties in order to avoid conflicts of interest.

4.2 Corrective Controls

These are the controls aiming at reducing the impact of the undesirable outcomes that stem from the threats the risks pose. For example: placing provisions regarding the reimbursement of undue payments in the agreements; setting the period of guarantee in advance.

CA Box 4: Basic requirements – Corrective Controls

- identifying methods for the purpose of recovery from loss or damage which would affect the activities negatively;
- appropriate actions are taken for the correction or elimination of the identified differences.

4.3 Directive Controls

These are the controls applied to reach a certain end. For example: provision of trainings on protection against possible threats; using protective materials (masks, special clothes, etc.); preventive medical practices (giving messages for washing hands in periods of epidemics, publishing private leaflets).

CA Box 5: Basic requirements – Directive Controls

- an approved organisation chart that is constantly up-dated to reflect organisational changes;
- manuals or written procedures, brochures, booklets, posters and other similar documents on implementation;
- established, clear and documented definitions of the responsibilities and tasks for resources, activities, program, projects, objectives and targets;
- assigning tasks and responsibilities by taking into account their relevant skills and experiences;
- delegating authority based on the organisational structure and responsibilities to do the jobs effectively, and it should be documented;
- establishing effective means of communication throughout the organisation; and
- establishing clear reporting methods.

4.4 Detective Controls

These are the controls applied to identify the damages and losses experienced once the risks are realised. For example: conformity controls carried out after spending has been made to identify the responsibility; controls performed to detect negligence by experts or authorities.

CA Box 6: Basic requirements – Detective Controls

- periodic counts/physical inventories;
- comparison of the count/inventories with the records;
- methods for the identification and analysis of differences.

5 Methods of control activities

The main methods of controls are mentioned below. Administrations may also implement different ex-ante and ex-post control methods based on the requirements of their organisational structure and field of activity.

Ex-ante controls are the controls put into practice in the light of the appropriate procedures before the activity takes place, whereas ex-post controls refer to the controls performed by the management through the use of pre-identified methods after the activities take place.

CA Box 7: Tips for control activities

The following box gives some issues to be considered when control activities are identified.

- While determining the control activities and allocating resources for them, it may be necessary to give priority also to those risks with high probability and low impact and rating low in the prioritization list which is formulated according to the risk scores.
- Preparing emergency plans as well as control activities for those risks with a very high probability and impact assumes great importance.
- Reducing both the realization probability and impact of internal risks is possible with control activities.
- Reducing the realization probability of external risks, on the other hand, may not be under the control of the administration. However, mitigating the impacts of risks is possible with a proper risk management.
- While responding to risks, over-controlling should be avoided. Both over-control and under-control can undermine the effectiveness of the controls.
- According to the content of the risk, several control methods can be used at once if deemed necessary.
- Have the costs and benefits of implementing the control activities been analysed?
- Have the new control activities been piloted to see if they are having the desired effects?
- Are the control activities effectively operating as planned? Is the required evidence on controls collected and analysed periodically?
- After a reasonable period of time, are the new control activities and existing controls that are being continued functioning as expected? And do you report this to the manager/risk coordinator?

CA Box 8: Factors to be determined when identifying control activities

- Which unit/Who will conduct the activities
- Deadlines of the activities
- Necessary resources for the activities to be conducted
- Critical achievement factors
- How to document the activities
- Monitoring processes for the activities

5.1 Authorisation and approval

Managers should introduce appropriate rules and procedures for decision-making, authorisation and approval, taking into account the following. Decision-making and approval shall be carried out only by authorised persons. Authority means that the operations are initiated only by persons acting within their powers. Observance of the order of authorisation requires employees to act in accordance with directions and within the limits set by the manager of the organisation or the legislation. The procedures for authorisation should include specific conditions and delegation of powers by managers to employees for performance of particular activities. The approval is endorsement (certification) of transactions, data or documents, whereby processes, actions, proposals and/or consequences thereof are completed or validated.

5.2 Segregation of duties

To minimise the risk of errors, irregularities and violations, and their non-detection, managers should introduce rules stipulating that different employees be responsible for the implementation of two or more key stages of an operation, process or activity. To ensure effective checks and to strike a balance in the implementation of an operation, the responsibilities shall be segregated in a manner which precludes an employee from being responsible simultaneously for the approval (decision-making), implementation, accounting and control.

In organisations with fewer staff, this segregation is more difficult to implement. In such cases, the manager may consider the possibility of combining two of the specified activities and compensate the non-application of this control mechanism by another, e.g. rotation of employees, rotation of duties or additional management checks. Thus, the risk of a single person dealing with more than one key aspect of an operation, process or activity for an unjustifiably long period of time could be reduced.

5.3 Double signature system

The double signature system is a procedure to ensure the accuracy of the data included in the document. The method is applied in non-financial processes, such as provision of information to the top management (reports, information notes, statistics, etc.) and appointment orders, and before financial obligations, such as signing of contracts and making payments (payment order, etc.). This makes it possible that, especially in financial transactions, the person responsible for the accounting entries knows about pending obligations or payments and performs due accounting procedures. The double signature system gives assurance that the procedures are carried out by authorised staff.
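The segregation-of-duties rule above (no employee responsible at once for approval, implementation, accounting and control, with a two-stage combination tolerated in small organisations only when compensated) can be checked mechanically against an audit trail. The following is an added example, not part of the manual: the record layout, operation and employee identifiers are constructed, and the reading that relief applies only when one employee combines exactly two stages with a named compensating control on record is an assumption.

```python
"""Segregation-of-duties check over a constructed audit trail."""
from collections import defaultdict
from dataclasses import dataclass

# The four key stages the manual says one employee must not hold together.
STAGES = ("approval", "implementation", "accounting", "control")

# Compensating controls the manual names for organisations with fewer staff.
COMPENSATING = {
    "rotation of employees",
    "rotation of duties",
    "additional management checks",
}


@dataclass(frozen=True)
class TrailEntry:
    """One audit-trail line: who performed which stage of which operation."""
    operation: str  # constructed operation identifier
    stage: str      # one of STAGES
    employee: str   # constructed employee identifier
    date: str       # ISO date of the action


def check_operation(entries, compensating_control=None):
    """Classify one operation as ok / compensated / violation / incomplete."""
    stages_by_employee = defaultdict(set)
    seen = set()
    for entry in entries:
        if entry.stage not in STAGES:
            raise ValueError(f"unknown stage: {entry.stage!r}")
        stages_by_employee[entry.employee].add(entry.stage)
        seen.add(entry.stage)

    # A trail that does not show all four stages cannot prove segregation.
    missing = [stage for stage in STAGES if stage not in seen]
    if missing:
        return "incomplete", {"missing": missing}

    overlaps = {
        employee: sorted(stages)
        for employee, stages in stages_by_employee.items()
        if len(stages) > 1
    }
    if not overlaps:
        return "ok", {}

    # Assumption: the small-organisation relief covers one employee combining
    # exactly two stages, and only with a named compensating control on record.
    if len(overlaps) == 1 and compensating_control in COMPENSATING:
        (employee, stages), = overlaps.items()
        if len(stages) == 2:
            return "compensated", {
                "employee": employee,
                "stages": stages,
                "control": compensating_control,
            }
    return "violation", {"overlaps": overlaps}


def review_trail(trail, compensating=None):
    """Group the trail by operation and classify each operation."""
    compensating = compensating or {}
    by_operation = defaultdict(list)
    for entry in trail:
        by_operation[entry.operation].append(entry)
    return {
        operation: check_operation(entries, compensating.get(operation))
        for operation, entries in by_operation.items()
    }


# Constructed sample data (not from the manual).
SAMPLE_TRAIL = [
    # PAY-001: four stages, four different employees.
    TrailEntry("PAY-001", "approval", "emp-a", "2024-03-01"),
    TrailEntry("PAY-001", "implementation", "emp-b", "2024-03-02"),
    TrailEntry("PAY-001", "accounting", "emp-c", "2024-03-02"),
    TrailEntry("PAY-001", "control", "emp-d", "2024-03-05"),
    # PAY-002: emp-a both approves and books the entry.
    TrailEntry("PAY-002", "approval", "emp-a", "2024-03-06"),
    TrailEntry("PAY-002", "implementation", "emp-b", "2024-03-07"),
    TrailEntry("PAY-002", "accounting", "emp-a", "2024-03-07"),
    TrailEntry("PAY-002", "control", "emp-d", "2024-03-09"),
    # PAY-003: emp-b holds three stages.
    TrailEntry("PAY-003", "approval", "emp-b", "2024-03-10"),
    TrailEntry("PAY-003", "implementation", "emp-b", "2024-03-10"),
    TrailEntry("PAY-003", "accounting", "emp-c", "2024-03-11"),
    TrailEntry("PAY-003", "control", "emp-b", "2024-03-12"),
    # PAY-004: no control stage recorded.
    TrailEntry("PAY-004", "approval", "emp-a", "2024-03-13"),
    TrailEntry("PAY-004", "implementation", "emp-b", "2024-03-13"),
    TrailEntry("PAY-004", "accounting", "emp-c", "2024-03-14"),
]
SAMPLE_COMPENSATING = {
    "PAY-002": "additional management checks",
    "PAY-003": "rotation of duties",
}

if __name__ == "__main__":
    results = review_trail(SAMPLE_TRAIL, SAMPLE_COMPENSATING)
    for operation, (status, details) in results.items():
        print(operation, status, details)
```

PAY-003 stays a violation even though a compensating control is recorded, because three stages sit with one person; PAY-004 is reported as incomplete rather than passed, since a trail without the control stage gives no evidence of segregation.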

5.4 Reconciliation of data

Procedures should also guarantee that data from different documents and sources are matched for ascertainment of consistency. For example, accounting entries relating to bank accounts are reconciled with corresponding bank statements, invoice data are matched with those in the warehouse receipt, etc.

5.5 Supervision procedures

Supervision procedures should be carried out on a daily basis by line managers on assignment of work and its performance. Assignment of work by the line managers does not reduce their own responsibility for the performance of the work. Line managers should give staff the necessary directions and instructions in order to ensure understanding and avoid errors and frauds in the discharge of their duties. Line managers should also apply these procedures to assure themselves that the tasks assigned are carried out correctly.

5.6 Ex-ante financial controls

Ex-ante financial control is a control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out with the available appropriation amount, expenditures programme, financing programme and the provisions of central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently. The purpose of ex-ante control is for the managers to obtain reasonable assurance of the compliance of such decisions/actions with the legislation and the performance programme [2].

5.7 Procedures for accounting operations

Procedures should ensure that accounting for all financial transactions on a given date is complete, true, accurate and timely. Their purpose is to support the taking of correct decisions from which financial consequences arise. These procedures should be developed in accordance with the relevant legislation and public accounting standards.

[2] Please see regulation on procedures and principles on internal control and ex-ante financial control for further details.

5.8 Anti-corruption

There should be rules and procedures for warning, examination, detection and reporting of administrative weakness, discrepancies and violations which create conditions for corruption, frauds and irregularities.

Anti-corruption procedures include:

- preventive controls;
- a system for checking, detecting and reporting early indications of corruption, frauds and irregularities;
- whistleblowing procedures (for more information, please refer to the Information and communication section); and
- a set of procedures for reporting irregular activities to the external competent authorities, such as the Prosecutor's Office.

5.9 Access to assets and information

Managers must ensure that only authorised persons responsible for the safeguarding and/or use of assets and information have access to them. The restriction of the access to assets reduces the risk of their misuse or their wrongful utilisation and protects the organisation from losses. The degree of the restriction depends on the vulnerability of the assets and information and the risks of loss or misuse. When determining the vulnerability of assets, the manager shall consider their value, transportability and the possibility for them to be exchanged for cash.

5.10 Documentation, archiving and storing of information

Procedures for documentation, archiving and storing of information shall be introduced to support the performance of operations, taking of correct managerial decisions and control of the processes in an organisation. Documentation involves developing written evidence of decisions made, events occurred, actions and transactions performed, etc. The documentation must be complete, accurate and timely.

The documentation procedures include those for document circulation, describing the order for circulation and use of documents produced and received. The documentation procedures must allow tracing of every document, action, process in the organisation, stating precisely who performed what, how and when, the purpose and type of act/document issued as a result thereof.

According to the terminology adopted by the European Commission, this comprises an audit trail. Its establishment helps achieve:

- transparency;
- tracing of the processes in the organisation from their initiation till completion; and
- tracing the segregation of functions by decision-making, performance, accounting and control.

The audit trail shall state what procedures and transactions exist, who the responsible persons are, what documents are drawn up, what systems for management and control of data flows exist, and what the form of presentation of the results is.

Archiving procedures must ensure chronological and systematic filing of documents about past events, decisions and actions concerning the organisation. There should be specific guidelines describing in detail the procedures for archive establishment, completion, use and destruction.

The procedures for storage of information shall ensure physical preservation of the information media (paper and/or electronic) as well as preservation of the content without change, so that the information provides a true and fair view of the facts, decisions and actions relating to the organisation.

511 Business continuity (or emergency plans)

Adequate measures are in place to ensure continuity of service in case of

business-as-usual interruption Business Continuity Plans are in place to ensure that

the entity is able to continue operating to the extent possible whatever the nature of

a major disruption

512 Control activities related to Information Technology (IT)

IT systems entail specific types of control activities which should be introduced

in organisations by their managers These mechanisms for information systems control

consist of two major groups general control mechanisms and applications control

mechanisms (applications controls)

General control mechanisms are applicable to all operations and contribute

to their proper implementation The applications control mechanisms include both

procedures programmed in the software product itself and procedures that must be

carried out manually in order to exercise control over the processing of different

operations. The general control mechanisms are needed for the functioning of the applications control mechanisms. Absence of sufficient general controls cannot be offset by applications controls.

Usually, general control mechanisms are used in information analysis and processing centres, for installation and maintenance of software products, and for definition of access to information:

- controls for information analysis and processing centres – they include the organisation and planning of works, the intervention of the respective administrators/operators, procedures for saving and subsequent use of information, back-up and contingency plans;
- software controls – these refer to the acquisition, installation and maintenance of software products necessary for the maintenance of the entire system and for processing of software applications;
- access definition controls – these ensure protection against unauthorised access. Access definition restricts users by allowing them to use and perform operations only with particular software products, thus ensuring segregation of responsibilities.

General software controls built during the development of the system entail detailed application tests and allow checking of the appropriateness of the rationale of the program and whether all errors will be detected. After the system is built, the controls for access and maintenance of the system give assurance that nobody can use or make changes in the applications without the appropriate authorisation, and that all the necessary changes are made in accordance with the established procedure for authorisation and approval.

The applications control mechanisms support internal control, preventing entry of wrong data in the system, and detecting and correcting errors based on automated procedures for control over data form and content. The prevention and detection of these errors is programmed in the respective application. The applications control mechanisms analyse the data on-line (simultaneously with their entry in the system), provide ongoing information in case of detected error and ensure immediate correction.

The use of both types of controls provides assurance that the information is analysed and processed completely, correctly and accurately.

5.1.3 Assessing costs and benefits of control activities

After initial selection of control activities to reduce the impact of risks, risk owners should evaluate the costs and expected benefits of the control activity. If the costs of the control activity exceed the expected benefits, the control activity should not be selected.

6 Practical Stages For Control Activities

Practical steps for control activities are briefly indicated in the following table. Since control activities are linked to risks, points on risk management are provided in stages 1, 2 and 3, whereas points on control activities are provided in stages 4 and 5. For further details on stages 1, 2 and 3, please refer to the risk management chapter.

CA Table 1 – Stages for control activities

Stage 1: Identify objectives

Stage 2: Identify risks to achieving objectives

Stage 3: Select method of responding to risks
- Accepting
- Controlling
- Transferring
- Avoiding
- Taking the opportunity

Stage 4: Select control method(s)
- Preventative
- Detective
- Corrective
- Directive

Stage 5: Select type of control activities
- authorisation and approval
- segregation of duties
- double signature system
- reconciliation of data
- supervision
- ex-ante controls Checking compliance with the law
- accounting covering all financial processes
- anti-corruption
- access to assets and information
- documentation, archiving and information storage
- business continuity and information technology
Or
Refer to CA Annex 2: List of common control activities

7 Steps to identify and implement control activities

Step 1: Administrations, when assessing their risks, review their systems and processes to determine whether they have existing controls to mitigate their risks.

(Administrations where risk management will be implemented in the framework of the principles mentioned in this manual for the first time should list and evaluate all the existing control activities. Those control activities that don't match the objectives and the risks of the administration should be terminated.)

Step 2: Administrations assess whether these existing controls are effective/sufficient in terms of mitigating risks.

Step 3: If there are no existing controls, or the existing controls are not effective/sufficient, new and/or additional control activities are determined. (To help you decide which control activities to select, you may refer to the list of control activities at Annex 2.) In this step it will be useful to consider the following:

- It may be appropriate to select more than one control activity;
- Any new control activities you select must be evaluated for cost-effectiveness; and
- Appropriate control activities should be tested beforehand.

Step 4: New control activities are not foreseen for those high risks that are managed effectively/sufficiently with the existing controls, and the existing control activities should continue.

Step 5: Risk owners, once the risk register has been approved, have to put in place the new control activities and also ensure that monitoring of both new controls and existing controls that are being continued begins at the predetermined starting date.

Step 6: Stakeholders are notified in writing about the control activities and whether they are working effectively.

Step 7: The risk owner, while reporting the risks in the Consolidated Risk Report (Risk Management Annex 4), will notify the manager/risk coordinator how well the new control activities and existing controls that are being continued are working. This reporting involves writing a summary of what has happened, identifying the impact of the new control activities and existing controls that are being continued, and attaching any evidence to the report as an annex.

Control Activities Annexes

Annex 1 – Examples of some common risks and controls

Risk management

Common risk: Risks are not being managed effectively and so the organisation's objectives may not be achieved.
Possible control activities:
- Risk workshops are organised to determine risks, allocate owners, determine controls and how their operation is monitored - corrective

Cash management

Common risk: Cash holdings could be stolen.
Possible control activities:
- Cash is kept locked away and access to it is strictly controlled - preventive
- There is segregation of duties for staff who have access to cash - preventive
- Cheques and other payment forms are serially numbered – preventive

Asset management

Common risk: Assets could be stolen.
Possible control activities:
- Physical controls - for example, using a safe - preventive
- separation of duties, authorisation levels, passwords - preventive; and
- tagging of goods, reconciliations, stock counts - detective

Document control

Common risk: Documents received could be lost.
Possible control activities:
- Keeping a register that shows where all the received documents are filed - preventive

Common risk: Due to document control procedures not being clear and specific, decisions not being taken on time.
Possible control activities:
The document control procedure defines the controls needed to:
- approve documents for adequacy prior to issue;
- ensure that changes and the current revision status of key documents (strategic plan, performance programmes, etc.) are identified;
- ensure that previous versions of applicable documents are available at points of use;
- ensure that distribution of sensitive and classified documents is controlled; and
- identify documents that should be archived - All preventive

Planning and budgeting

Common risk: Budget resources may be spent inappropriately.
Possible control activities:
- Effective planning/budgeting process – preventive
- Staff have received training in budget preparation – preventive
- Comparison of interim and final accounts and activity reports with the strategic plan, performance programme and the budget – detective

Common risk: Financial information may not be accurate and complete.
Possible control activities:
- Financial information being stored or reported on the computer - preventive

Procurement

Common risk: Error and fraud could occur in the procurement process.
Possible control activities:
- Separation of duties between staff making decisions, staff selected for the tender commission and staff involved in payments - preventive
- Applying ex-ante controls to the award decision before the signing of the contract – preventive
- Random checks on transactions by authorised staff – detective
- Identifying purchasing thresholds - preventive
- Requirement to seek the ex-ante approval of a senior manager or the Minister for some high-value procurements (Double signature system) - preventive; and
- Regular rotation of staff who have critical responsibilities in the procurement process - preventive

Stores

Common risk: Unauthorised removal of goods from store.
Possible control activities:
- Physical stock checks to inventory records – detective

Common risk: Goods ordered but not delivered on time or partially delivered.
Possible control activities:
- Including penal provisions in the contract regarding any failure to deliver goods on time – corrective
- Comparison between invoices, goods delivery notes and the contract – detective

Revenue management

Common risk: Delays in submitting tax statements on time and the failure to collect revenues on a timely basis.
Possible control activities:
- Incentives for timely submission of tax statements (advance warning, posters, etc.) - directive
- Incentives for on-line submission of tax statements - preventative
- Penalties for late submission – preventative

Contingency planning

Common risk: Major 'incident' destroys important data.
Possible control activities:
- A Business Contingency Plan exists, has been tested and kept up to date - preventive

IT security

Common risk: Unauthorised staff may obtain access to computerised data.
Possible control activities:
- Personal identifiers and passwords – preventative
- Review of on-line access and transaction logs – detective

Common risk: Master files may be changed inappropriately.
Possible control activities:
- Supervisor authorisation required on forms indicating data to be changed - preventive
- Supervisor does not have change access rights - preventive; and
- Supervisor verifies changes against a printout of changes - detective

Annex 2: List of common control activities

Risk management

Category: Appropriate risk management policies, procedures, techniques and mechanisms exist for each of the organisation's activities.
Control activities:
- Management has ensured that all relevant objectives and associated risks for each significant activity have been identified in conjunction with conducting the risk assessment and analysis function.
- Management has identified the actions and control activities needed to address the risks and directed their implementation.

Implementing control activities

Category: The control activities identified as necessary are in place and being applied.
Control activities:
Management has ensured that:
- Control activities described in policy and procedures manuals are actually applied and applied properly.
- Managers and employees understand the purpose of internal control activities.
- Nominated staff review the functioning of established control activities and remain alert for instances in which excessive control activities should be minimised.
For existing control activities, look out for:
- Guidance – it is likely that there will be official guidance about how to carry out your work.
- Documentation – there may be standard document control procedures to ensure that new documents are registered and filed, changes to documents are recorded, and documents no longer in use are archived.
- Checking the work of others – this is a basic control activity that can involve a supervisor or manager checking the work of staff, staff in one section checking the work of staff in another section, or computer checks. There may also be a requirement for transactions to be checked by the SDU under the ex ante control regulation.
- Security – protecting documents, cash and assets; and
- Contingency arrangements - ensuring the continuation of essential services in the event of a service failure.

Performance monitoring

Category: Senior management track outturn in relation to its operational and performance plans.
Control activities:
- Top management are involved in developing annual performance plans and targets, and measuring and reporting results against those plans and targets.
- Top management regularly review actual performance against budgets, forecasts and prior period results.
- Top management take appropriate corrective action when progress reports indicate that performance is significantly out of line with plans.

Category: Operational managers review actual performance against targets.
Control activities:
- Managers at all activity levels review performance reports, analyse trends and measure results against targets.
- Managers review and compare financial, budgetary and operational performance to planned or expected results.
- Appropriate control activities are employed, such as reconciliations of summary information to supporting detail, checking the accuracy of summarisations of operations, and checking the reliability of data sources and data systems.
- Comparisons are made relating different sets of data to one another so that analyses of the relationships can be made and corrective actions can be taken if necessary.
- Investigation of unexpected results or unusual trends leads to identification of circumstances in which the achievement of goals and objectives may be threatened, and corrective action is taken.
- Analysis and review of performance indicators and results are used for both operational and financial reporting control purposes.

Quality of performance measures and indicators

Category: The organisation monitors the quality of performance measures and indicators.
Control activities:
- The organisation periodically reviews and validates the propriety and integrity of performance measures and indicators.
- Performance measurement assessment factors are evaluated to ensure they are linked to mission, goals and objectives, and are balanced and set appropriate incentives for achieving goals while complying with law, regulations and ethical standards.
- Actual performance data is continually compared against planned goals, and differences are analysed to establish whether the right things are being measured in the right way.

Human resource management

Category: The organisation effectively manages its workforce to achieve results.
Control activities:
- A clear and coherent shared vision of organisation's mission, goals, values and strategies is explicitly identified in the strategic plan, annual performance plan and other guiding documents, and that view has been clearly and consistently communicated to all employees.
- The organisation has a coherent overall manpower planning strategy, as evidenced in its strategic plan, performance plan or separate manpower planning document, and that strategy encompasses manpower planning policies, programs and practices to guide the organisation.
- The organisation has a specific and explicit workforce planning strategy linked to the overall strategic plan and that allows for identification of current and future manpower planning needs.
- Senior leaders and managers support teamwork, reinforce the shared vision of the organisation and encourage feedback from employees, as evidenced by actions taken to communicate this to all employees and the existence of opportunities for management to obtain feedback.
- The organisation's performance management system is given a high priority by top-level officials and it is designed to guide the workforce to achieve the organisation's shared vision/mission.
- Procedures are in place to ensure that staff with appropriate competencies are recruited and retained for the work of the organisation, including a formal recruiting and hiring plan with explicit links to skill needs the organisation has identified.
- Employees are provided with information, training and tools to perform their duties and responsibilities, improve performance, enhance their capabilities and meet the demands of changing organisational needs.
- Qualified and continuous training is provided to ensure that internal control objectives are being met.
- Meaningful, honest, constructive performance evaluation and feedback are provided to help employees understand the connection between their performance and the achievement of the organisation's goals.

Information processing

Category: The organisation uses a variety of control activities suited to information processing systems to ensure accuracy and completeness.
Control activities:
- Edit checks are used in controlling data entry.
- Accounting for transactions is performed in numerical sequences.
- File totals are compared with control accounts.
- Exceptions or violations indicated by other control activities are examined and acted upon.
- Access to data files and programs is appropriately controlled.

Physical Control Over Vulnerable Assets

Category: The organisation uses physical controls to secure and safeguard vulnerable assets.
Control activities:
- Physical safeguarding policies and procedures have been developed, implemented and communicated to all staff.
- The organisation has developed a disaster recovery plan which is regularly tested, updated and communicated to staff.
- The organisation has developed a plan for the identification and protection of any critical infrastructure assets.
- Assets that are particularly vulnerable to loss, theft, damage or unauthorised use, such as cash, securities, supplies, inventories and equipment, are physically secured and access to them controlled.
- Assets such as cash, securities, supplies, inventories and equipment are periodically counted and compared to control records, and exceptions examined.
- Cash and negotiable securities are maintained under lock and key and access to them strictly controlled.
- Forms such as blank checks and purchase orders are sequentially pre-numbered and physically secured, and access to them strictly controlled.
- Mechanical check signers and signature plates are physically protected and access to them strictly controlled.
- Equipment vulnerable to theft is securely fastened or protected in some other manner.
- Identification plates and numbers are attached to office furniture and fixtures, equipment and other portable assets.
- Inventories, supplies and finished items/goods are stored in physically secured areas and protected from damage.
- Facilities are protected from fire by fire alarms and sprinkler systems.
- Access to premises and facilities is controlled by fences, guards and/or other physical controls.
- Access to facilities is restricted and controlled during nonworking hours (alarms, CCTV, etc.).

Separation of duties

Category: Key, high risk and sensitive duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud.
Control activities:
- No one individual is allowed to control all key aspects of a transaction or event.
- Responsibilities and duties involving transactions and events are separated among different employees with respect to authorisation, approval, processing and recording, making payments or collection of income, review and auditing, and the custodial functions and handling of related assets.
- Duties are assigned systematically to a number of individuals to ensure that effective checks and balances exist.
- Where feasible, no one individual is allowed to work alone with cash, securities or other assets.
- The responsibility for opening mail which contains cash is assigned to individuals who have no responsibilities for, or access to, files or documents pertaining to accounts receivable or cash accounts.
- Bank accounts are reconciled by staff who have no responsibilities for cash receipts, disbursements or custody.

Authorisation for transactions or events

Category: Appropriate staff is authorised for transactions and other significant events.
Control activities:
- Controls ensure that only valid transactions and other events are initiated or entered into, in accordance with management decisions and directives.
- Controls exist to ensure that all transactions and other significant events are authorised and executed only by employees acting within the scope of their authority.
- Authorisations are clearly communicated to managers and employees and include the specific conditions and terms under which authorisations are to be made.
- The terms of authorisations are in accordance with directives and within limitations established by law, regulation and management.

Recording transactions and events

Category: Transactions and other significant events are properly classified and promptly recorded.
Control activities:
- Transactions and events are appropriately classified and promptly recorded so that they maintain their relevance, value and usefulness to management in controlling operations and making decisions.
- Proper classification and recording take place for each transaction or event.

Accountability for, and access restrictions to, resources and records

Category: Access to resources and records is limited and accountability for their custody is clearly allocated.
Control activities:
- The risk of unauthorised use or loss is controlled by restricting access to resources and records only to authorised staff.
- Accountability for resources and records custody and use is assigned to specific individuals.
- Access restrictions and accountability assignments for custody are recorded and periodically reviewed.
- Periodic comparison of resources with the recorded accountability is made to determine if the two agree, and differences are examined.
- How frequently actual resources are compared to records and the degree of access restrictions are functions of the vulnerability of the resource to the risk of errors, fraud, waste, misuse, theft or unauthorised alteration.
- Management considers such factors as asset value, portability and exchangeability when determining the appropriate degree of access restrictions.
- As a part of assigning and maintaining accountability for resources and records, management inform and communicate those responsibilities to specific individuals within the organisation and ensure that those people are aware of their duties for appropriate custody and use of those resources.

Documentation

Category: Internal control, transactions and other significant events are clearly documented.
Control activities:
- Written documentation exists covering the organisation's internal control structure and for all significant transactions and events.
- The documentation is readily available for examination.
- The documentation for internal control includes identification of the organisation's activity-level functions and related objectives and control activities, and appears in management directives, administrative policies, manuals and other guidance.
- Documentation for internal control includes documentation describing and covering management information systems, data collection and handling, and the specifics of general and application control related to such systems.
- Documentation of transactions and other significant events is complete and accurate and facilitates tracing the transaction or event and related information from authorisation and initiation, through its processing, to after it is completed.
- Documentation, whether in paper or electronic form, is useful to those involved in controlling, evaluating or analysing operations.
- All documentation and records are properly managed, maintained and periodically updated.

General computer controls

Category: The organisation periodically performs a comprehensive high-level assessment of risks to its information systems.
Control activities:
- Risk assessments are performed and documented regularly and whenever systems, facilities or other conditions change.
- Risk assessments consider data sensitivity and consistency.

Category: Effective computer security controls are in operation and are monitored.
Control activities:
- The organisation has developed a plan that clearly describes the organisation-wide security plan and policies and procedures that support it.
- Senior management have established a structure to implement and manage the IT security program throughout the agency, and security responsibilities are clearly defined.
- The organisation monitors the security plan's effectiveness and makes changes as needed.
- Corrective actions are promptly and effectively implemented and tested, and they are continually monitored.

Category: Effective computer access controls are in place and are monitored.
Control activities:
- Information resources are classified according to their criticality and sensitivity.
- Resource classifications and related criteria have been established and communicated to resource owners.
- Resource owners have classified their information resources based on approved criteria and with regard to risk determinations and assessments, and have documented those classifications.
- Resource owners have identified authorised users, and their access to the information has been formally authorised.
- The organisation monitors information systems access, investigates apparent violations and takes appropriate remedial action.
- The organisation has established physical and logical controls to prevent or detect unauthorised access.

Category: Application software development and change controls are in place and are monitored.
Control activities:
- Application software modifications are properly authorised.
- All new or revised software is thoroughly tested and approved.
- The organisation has established procedures to ensure control of its software libraries, including labelling, access restrictions, and use of inventories and separate libraries.
- All key activities are monitored.

Category: Effective system software controls are in place and are monitored.
Control activities:
- The organisation limits access to system software based on job responsibilities, and access authorisation is documented.
- Access to and use of system software are controlled and monitored.
- The organisation controls changes made to system software.

Category: There is effective separation of duties for IT operations.
Control activities:
- Incompatible duties have been identified and policies implemented to segregate those duties.
- Access controls have been established to enforce segregation of duties.

Category: Controls ensure the continuity of IT services.
Control activities:
- The criticality and sensitivity of computerised operations have been assessed and prioritised, and supporting resources have been identified.
- The organisation has taken steps to prevent and minimise potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
- Management have developed and documented a comprehensive IT service contingency plan.
- The organisation periodically tests the contingency plan and adjusts it as appropriate.

Computer application controls

Category: Source documents are controlled and require authorisation.
Control activities:
- Access to blank source documents is restricted.
- Source documents are pre-numbered sequentially.
- Key source documents require authorising signatures.
- For batch application systems, batch control sheets are used, providing information such as date, control number, number of documents and control totals for key fields.
- Senior management or independent review of data occurs before it is entered into the application system.
- Data entry terminals have restricted access.
- Master files and exception reporting are used to ensure that all data processed are authorised.

Category: Completeness controls
Control activities:
- All authorised transactions are entered into and processed by the computer.
- Reconciliations are performed to verify data completeness.

Category: Accuracy controls
Control activities:
- The organisation's data entry design features contribute to data accuracy.
- Data validation and editing are performed to identify erroneous data.
- Erroneous data is captured, reported, investigated and promptly corrected.
- Output reports are reviewed to help maintain data accuracy and validity.

Category: Control Over Integrity of Processing and Data Files
Control activities:
- Procedures ensure that the current version of programs and data files are used during processing.
- Programs include routines to verify that the proper version of the computer file is used during processing.
- Programs include routines for checking internal file header labels before processing.
- The application protects against concurrent file updates.
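The application controls listed in Annex 2 under "Information processing" and "Computer application controls" (edit checks, sequentially pre-numbered source documents, batch control sheets with control totals, reconciliation and exception reporting) can be combined in one validation routine, sketched below. This is an added example, not part of the manual; the record fields, the class and function names and the sample batches are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class BatchControlSheet:
    """Filled in by the originating unit, independently of data entry."""
    batch_date: date
    control_number: str
    first_serial: int        # serial of the first pre-numbered source document
    document_count: int      # number of documents in the batch
    control_total: Decimal   # control total for the key field "amount"


def parse_amount(raw):
    """Return the amount as a finite Decimal, or None if it is not numeric."""
    try:
        value = Decimal(str(raw))
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def edit_check(record):
    """Accuracy control: list the reasons one record fails validation."""
    reasons = []
    amount = parse_amount(record.get("amount"))
    if amount is None:
        reasons.append("amount is not numeric")
    elif amount <= 0:
        reasons.append("amount must be positive")
    elif amount.normalize().as_tuple().exponent < -2:
        reasons.append("amount has more than two decimal places")
    if not str(record.get("payee", "")).strip():
        reasons.append("payee missing")
    authoriser = str(record.get("authorised_by", "")).strip()
    if not authoriser:
        reasons.append("authorising signature missing")
    elif authoriser == str(record.get("prepared_by", "")).strip():
        reasons.append("preparer authorised own document")  # segregation of duties
    return reasons


def validate_batch(sheet, records):
    """Return the exception report as (reference, reason) pairs.

    An empty list means the batch reconciles and may be posted.
    """
    exceptions = []
    for rec in records:                      # accuracy: edit checks per record
        for reason in edit_check(rec):
            exceptions.append((f"doc {rec.get('serial')}", reason))

    # Completeness: every pre-numbered document appears exactly once.
    expected = range(sheet.first_serial, sheet.first_serial + sheet.document_count)
    seen = Counter(rec.get("serial") for rec in records)
    for serial in expected:
        if serial not in seen:
            exceptions.append((f"doc {serial}", "missing from batch"))
    for serial, times in seen.items():
        if serial not in expected:
            exceptions.append((f"doc {serial}", "serial outside batch range"))
        elif times > 1:
            exceptions.append((f"doc {serial}", f"entered {times} times"))

    # Reconciliation against the control sheet: document count and control total.
    if len(records) != sheet.document_count:
        exceptions.append((sheet.control_number,
                           f"document count {len(records)}, sheet says {sheet.document_count}"))
    total = sum((parse_amount(r.get("amount")) or Decimal("0") for r in records),
                Decimal("0"))
    if total != sheet.control_total:
        exceptions.append((sheet.control_number,
                           f"control total {total}, sheet says {sheet.control_total}"))
    return exceptions


def doc(serial, payee, amount, prepared_by="clerk1", authorised_by="supervisor1"):
    """Build one constructed payment record."""
    return {"serial": serial, "payee": payee, "amount": amount,
            "prepared_by": prepared_by, "authorised_by": authorised_by}


# Constructed sample data (not from the manual).
SHEET = BatchControlSheet(date(2010, 3, 1), "B-0001", 1001, 4, Decimal("4350.00"))
CLEAN_BATCH = [doc(1001, "Supplier A", "1200.00"), doc(1002, "Supplier B", "850.00"),
               doc(1003, "Supplier C", "300.00"), doc(1004, "Supplier D", "2000.00")]
# 1002 is mis-keyed, 1003 is missing, 1004 is entered twice and self-authorised.
TAMPERED_BATCH = [doc(1001, "Supplier A", "1200.00"), doc(1002, "Supplier B", "8500.00"),
                  doc(1004, "Supplier D", "2000.00", "clerk2", "clerk2"),
                  doc(1004, "Supplier D", "2000.00", "clerk2", "clerk2")]

if __name__ == "__main__":
    for reference, reason in validate_batch(SHEET, TAMPERED_BATCH):
        print(f"{reference}: {reason}")
```

In the second batch the document count still agrees with the control sheet, so only the sequence check and the control total reveal the missing and duplicated documents and the mis-keyed amount.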


Annex 3 - Illustrations for cost benefit analysis

Example 1

You are considering hiring a junior clerk to carry out a 100 per cent check on all payments your spending unit makes (checking each agrees to the supporting documents) to ensure the correct amount is paid. This is an ex-ante control, as the check is made prior to the payment. You estimate that this task will occupy the junior clerk for 100 per cent of their working time.

Cost of the junior clerk: 2500 YTL a month (1200 salary plus 1300 contribution to overheads, e.g. heating the building).

Scenario A

Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 3000 YTL a month.

Decision – this control activity is cost effective and the junior clerk should be employed to do this checking.

Scenario B

Cost: same as above.

Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 2000 YTL a month.

Decision – this control activity is not cost effective and the junior clerk should not be employed on a full time basis to do this checking. You can rely on other controls instead.

Possibilities:

- Focus checking on only the highest value or riskiest payments – this will only employ the clerk for 50 per cent of their time. If you estimate that it will find, on average, errors of overpayment of 1600 YTL a month (i.e. over 50 per cent of the clerk's cost), this is a better alternative control; or
- Don't do any checking – rely on separation of duties control (different clerk raises payment to the one that enacts the payment) to prevent fraudulent overpayments.

Example 2

You do not currently employ any public relations expert.

In the absence of any control on dealings with the press, you assess the risk of reputational damage as being high likelihood and high impact.

Cost of the expert in public relations: 4500 YTL a month (2500 salary plus 2000 contribution to overheads, e.g. heating the building).

Scenario 1

You have a low risk appetite in terms of reputational damage and consider that the benefit of all dealings with the press going through the expert in public relations will successfully mitigate the risk to within your risk appetite (by considerably reducing the likelihood of reputational damage through ill-advised comments being given to the press). You consider that this risk mitigation is so important to your administration that it justifies the employment of the expert in public relations.

Decision: you employ the expert in public relations.

Scenario 2

You have a high risk appetite in terms of reputational damage and consider that the risk of reputational damage through ill-advised comments being given to the press without employing the expert in public relations is equal to or less than your risk appetite for this risk. You thus consider that the benefit of employing the expert is outweighed by the cost. You therefore consider that it is not cost-effective to employ the expert in public relations.

Decision: you do not employ the expert in public relations.

Action: as you are equal to or less than your risk appetite for the reputational risk, you need not select an alternative control activity, but you should continue to review in the future, as the decision may be changed if your risk appetite reduces or your assessment of the likelihood and/or impact of the risk increases.

INFORMATION AND COMMUNICATION

1 INTRODUCTION Information and communication as the fourth component of the five components of COSO

internal control model ensures the relation between control environment risk assessment and

control activities through sharing information and communication and has an important role in

increasing the functionality and operational competence of internal control system which is

regarded as a tool for attaining organisational objectives and aims as it regulates information flow

within the administration

Aim of this chapter of the manual is to give information within the framework of internal

control standards about structures and practices related to use of information and communication

mechanisms and to provide guidance for users about reporting registry and filing systems and

methods to be used in notifying faults irregularities and corruptions with a view to ensuring that

administrations carry out their activities in line with their objectives as well as accounting for their

activities

Communication refers to transformation and conveyance of information within the organisation

vertically and horizontally and externally via proper mechanisms to relevant people

administrations and bodies Administrations must aim to establish an effectively managed and well

coordinated communication system for the information that meets the information needs of

managers staff and the public

In the event that information and communication systems do not function as expected

managers and staff may came up against the risk of not being able make timely and right

decisions not being able to implement those decisions and ultimately not being able to achieve

the objectives In this regard information should be accessible useful timely accurate complete

and up-to-date

2 Information and Communication Standards

Information and communication includes the information, communication and record system which will ensure transfer of required information to the person, personnel and the administrator who need the information, in a determined format and in a time period which enables those concerned to fulfil internal control and their other responsibilities.

[Diagram: components of internal control: Control Environment, Risk Management, Control Activities, Info & Communication, Monitoring]

IC Box 1 Information and Communication Standards

Standard 13 Information and communication

The administrations shall have a suitable information and communication system with a view to ensuring that the performance of the units and the personnel is monitored, decision making processes operate soundly, and efficiency and satisfaction in providing service

Standard 14 Reporting

Goals, objectives, indicators and activities of the administration, and the results of them, shall be reported in accordance with the principles of transparency and accountability.

Standard 15 Record and filing system

The administrations shall have a comprehensive and up-to-date system where the works and transactions, including incoming and outgoing documents, are recorded, classified and filed.

Standard 16 Notification of faults, irregularities and corruptions

The administrations shall develop methods which will ensure that the faults, irregularities and corruptions are notified in a specific order.

3 ROLES AND RESPONSIBILITIES IN INFORMATION AND COMMUNICATION

Minister

Ensures coordination and cooperation with other ministries and informs the public opinion and the TGNA about the annual performance programme and activity report submitted to him by the administration.

Head of Administration

The Head of Administration must publish an announcement, via the internal communication network or an official letter, on what to do before the preparation of such documents as the strategic plan, performance program, activity report, and Risk Strategy and Policy Paper, which need to be prepared in a way which will ensure attainment of pre-identified objectives in the fields the administration is responsible for.

Another duty of the Head of Administration is to sign the internal control assurance declaration and inform the public opinion and the Minister.

As the quality of the information exchange and communication between the Head of Administration and the other actors has a direct effect on the accountability of the Head of Administration, the Head of Administration must guide the relevant units about the frequency and methods of feedback he prefers.

The Head of Administration must take note of whether the current information system meets the needs during the set up and integration of new information systems. If a new system is to be set up, it must be designed by taking integration with the other information systems into consideration.

Internal Auditor

As prescribed by the Law No. 5018, the internal auditors work to assess the internal control system under the Head of Administration. In this regard, internal auditors report to the Head of Administration whether the internal control system functions properly or not. Therefore, to be able to carry out their duties, internal auditors should be given unlimited access to every kind of information they need. Setting up such a mechanism depends on robust communication and flow of information between the internal auditors and the Head of Administration.

The Head of Administration is entitled to take preventive or corrective actions and develop new control activities based on the report submitted by the internal auditor, or request additional reports.

Authorising Officer

Authorising Officers must ensure that tasks, powers and responsibilities of staff are defined clearly and in writing and communicated to all staff. In this framework, a chart of duties which demonstrates the functional reporting network must be produced and communicated to the staff.

A communication network that ensures quick and timely access by the staff and managers to the activities and the results must be used. In this regard, the organisational chart of the administration can also include a diagram which shows the tasks of the sub-units and the responsible and authorised staff on the intranet and internet. The Authorising Officer must ensure that sub-units are informed about the activities of each other.

Authorising officers:

must ensure that an electronic communication and archiving system is used effectively for the accurate and reliable acquisition, storage and communication of the information needed regarding the objectives, activities and indicators that are relevant to their respective units from among those included in the strategic plan and performance program of the administration;

must provide for the regular announcement of the status of realisation regarding the performance objectives and indicators related to their respective units, and the grounds for the data, on the webpage of the unit; and

must provide information for periodical reporting to the SDUs that will be carried out by authorising officers (information about objectives and risks of the unit, status of realisation, etc.);

should transfer timely, complete and accurate information and documents regarding financial transaction processes to the Accounting Officer, and set up mechanisms to store records and statistics.

Realisation Officer

Realisation officers, who are responsible for issuing spending orders, must periodically brief the authorising officer on the spending process. In this regard, information on the spending order being complete, accurate, understandable and reliable plays a significant role in realisation officers fulfilling their tasks as requested from them.

Accounting Officer

The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way. Accounting Officers must regularly report to the authorising officer on the accounting records.

Strategy Development Units

SDU managers must review the information included in the activity reports, performance programmes and strategic plans by holding periodic meetings with the authorising officers of other units. Personnel of SDUs must obtain the information that is needed in the field of financial management and control through these persons.

Necessary coordination for the formation of the team to carry out the studies on the establishment and development of Information Management Systems within the administration is provided by the SDU.

In fulfilment of the coordination duties of SDUs, which are defined by laws, the Principles and Procedures of Internal Control and Ex-ante Financial Control, the Strategy Planning Guideline, the Legislation and Manual on Performance Programs to be Prepared in Public Administrations, and secondary and tertiary regulations such as the Budget Preparation Manual must be taken into consideration.

SDUs must have a webpage with forums, good practice examples and frequently asked questions to ensure communication with internal and external stakeholders, in order to carry out their tasks more effectively.

Central Harmonisation Unit

While carrying out its tasks in the field of information and communication:

The CHU sets up a common (web-based) network where information can be shared.

They organise trainings, panels and conferences for the actors that take part in the field of internal control.

CHU members are assigned to be responsible for particular administrations to enhance information and communication with SDUs of administrations. They communicate with SDUs and provide them with information and guidance via official letters, call centres, telephone, forums, etc.

Please refer to the CHU Handbook for further details on the roles and responsibilities of the CHU.

Besides practices and methods in the area of information and communication given in this manual, public administrations must also take into consideration those regulations in the legislation which are directly related to the area of information and communication. These basic regulations are contained in IC Annex I.

4 INFORMATION

The prerequisite for reliable and proper information is immediate recording and suitable classification of all operations and transactions. Internal control includes obtaining, classifying, recording, utilising and reporting both financial and non-financial information.

4.1 Characteristics of Information

Characteristics that the information which is used in public administrations must have are given below.

Timely: Information should be obtained and transferred at the right time by the right personnel.

Related: Information should be related to every activity, work or action.

Available: Information holdings should be available to those who require them the moment they need it and also later. Technology should be available to users in order to facilitate obtaining, storing, transferring and using information.

Comprehensible: The description of information holdings must have the same meaning for users at all levels of the administration. In addition, information that is shared with external stakeholders must be clear and meaningful for the users.

Usable: Information must meet the needs of its users in relation to the purposes for which it was received.

Complete: Both the content and form of information should be complete in order to provide for efficient and effective use of information holdings.

Accurate: Information must be able to reflect the points regarding the aims, objectives and activities it is related to accurately and correctly.

Up-to-date: Information must be updated and related to the needs. A lack of up-to-date information can impair decision making and program delivery. Managers and personnel should take necessary actions to keep information up-to-date.

4.2 Information Management

Information management is a process where information is planned and obtained from any kind of source, internally or externally, classified, stored, communicated to relevant bodies in a timely manner for interpretation, reviewed for updating and destroyed. The stages of this process are complementary to each other. In any stage there may occur a need to take into consideration the phases of the previous or next stage.

IC Figure Information Management Process (boxes: Planning information need; Creating and collecting information; Organising information; Utilising and sharing information; Reviewing and keeping information)

4.2.1 Planning Information Need

The planning stage starts with identifying strategic aims and objectives and performance objectives, as well as identifying information needs to achieve these objectives. This stage includes the assessment of who needs what information, when and why, and how they can acquire it, at all levels from the operational to the strategic activity level, in order for the administration to maintain its operations effectively.

In the planning stage the following factors must be taken into consideration:

Internal and external information users must be defined and classified. Information needs of users must be determined. Information holdings must be examined to see whether the current information need of the users can be met using them.

While novel databases and information systems are designed, the risk for the information to be disseminated to the public must be considered.

The benefit and cost of information in terms of the users must be analysed.

The information need for new legislative, strategic and operational aims must be defined along with the relevant information system requirements; furthermore, the person and the time to do this work must be set out.

Emerging information needs must be compared to the present information and information systems within and outside the administration.

For increasing the value or productivity, or decreasing the cost, of the systems in use, such methods as combining information systems, using novel technologies and standard practices can be referred to.

Value of information is not only about how it is used and kept but also about how and when it is going to be destroyed. Many factors, such as legislation, information policies and needs, may have an impact on how long to keep that information. Information which is being kept should be destroyed in accordance with the relevant legislation after necessary approvals have been received.

4.2.2 Creating and Collecting Information

While producing and collecting information, first of all the value of the information for the administration must be set out, and it should be made sure that the people in need of information do have access to it on time.

The information collection and creation process should focus on the following, and information collected or created must have the capacity to meet the needs of the administration. To this end:

The holdings must be periodically reviewed in order to determine if the information that is created or collected continues to meet the identified needs, and it must be followed up whether users really use the information. A great deal of information can still be unnecessarily collected for a reason that was identified in previous periods. If the administration decides to stop collecting that information, firstly it must set out whether any individual or program would be affected.

Quality and scope of information, as well as its relation to the defined needs and whether it meets the needs or not, should be understood in regular reviews. In addition, implicit information of the staff must be turned into explicit information and incorporated into the information inventory. The information produced as a result of the process studies must be classified, starting from the most frequently used to the least.

Information must be compiled in information pools to be created. This information must be clear and understandable. The information in the pool must be open to access upon being classified in accordance with the information hierarchy, such as strategic and operational. Management of the information pool must be carried out by a team who are competent in the processes to be formed within the administration.

Legislation or policies may demand that certain information be collected by an administration. Therefore, information that is collected must meet legislative and institution-specific policy requirements.

Information collection must be coordinated. To this end:

all information collection activities must be accounted for, including all regions and organisational units, and information collected must be accessible;

the administration must ensure that information collection conforms to the applicable standards;

information must be periodically reviewed in order to ensure that the requirements of the relevant legislation are respected. This might be done during the annual update of personal information; and

before information is created or collected, existing information holdings must be reviewed to determine if the information needs can be satisfied by existing holdings or readily accessible external information sources.

The following are the leading sources of information:

instructions, approvals, invoices, transaction orders, petitions;

interactions between clients, vendors or other ministries and agencies;

planning documents: budgets, forecasts, work plans, blueprints (technical or engineering designs);

drafts, schemes of information architecture;

reports, policy briefing notes, other documents supporting the activities and justifications;

meeting documents: agendas, records of decision;

commission documents, job descriptions, member lists;

requests for information and the responses, emails, forms used to collect responses, templates, related instructions, responses in every format;

client records, applications, evaluations, emails, phone calls;

every kind of data in electronic medium; and

information resources which could provide additional information.

Collecting Information from Public/Private Sector

The response burden should be minimised to the lowest level possible in this process. To this end:

the administration should determine from whom it will receive information, at what frequency and in what detail, as well as what burden this process will create upon respondents; and

there should be cooperation with other administrations in such issues as undertaking joint collection or information sharing.

The forms should meet all statutory and policy requirements. To this end:

all the forms in both paper and electronic media must be reviewed before they are put into use to ensure that applicable requirements are met. Furthermore, the responsible person must be assigned.

4.2.3 Organising Information

The aim of organising information is to establish a link between the operations of the administration and the usage, sharing, retrieving, archiving and destroying of information, and to facilitate the process for administrations and the other stakeholders.

The following steps must be taken for an efficient information organisation:

it must be ensured that users, both internal and external to the administration, are satisfied with their access to information. Methods should be established to measure user satisfaction (such as user surveys and questionnaires applied after completion of certain services, as well as periodically applied questionnaires);

the custodians of information holdings (e.g. Data Processing Departments, Library Services, etc.) must identify the information needs of users and improve their services to better meet the needs of users for quick and easy access, e.g. shortening response time, using efficient and effective technology for transmission, designing a user-friendly system;

information must be available for public dissemination and communicated to the public where and when appropriate, for instance by establishing such structures as e-libraries to facilitate public access;

information available for use by the other administrations must be checked to see whether it is subject to any legal or policy constraints;

administrations must have an up-to-date publications catalogue, which must be deposited in the administration's library. Published material must be catalogued according to established standards; and

all the documents published by the administration must be accessible on the webpage of the administration.

Registering, Filing and Archiving of Information

Registry and Filing

To ensure effective management, any kind of document, including electronic ones, internal communications, operations and transactions, must be recorded, classified, filed and archived; there must be a comprehensive and up-to-date system for this.

If meaningful and valuable information for the control of activities and decision making is desired, all the operations and transactions must be instantly recorded.

In order to ensure the quality of information and reporting, fulfilment of internal control activities and responsibilities, and effective and efficient monitoring activities, all transactions need to be completely and clearly documented.

These documents should be easily accessible where needed.

The documents of the internal control system should include structure and policies of the administration, types of activities, related objectives and control procedures.

The process of registry should be applied in a way that it will cover all the stages of a transaction, including the start and approval stages, until their final classification. This is also the case for the regular updating of documents.

Regardless of the media they are received in (such as paper, fax, e-mail or electronic), documents should be recorded and kept within the framework of a registry plan which is suitable at least to one official file.

Registry procedures must be communicated to staff in writing.

In this context, Standard Filing Plan no. 2005/7, issued in the Official Gazette no. 25766 dated 24 March 2005 and prepared under the coordination of the Prime Ministry General Directorate of State Archives, must be taken as the basis to establish a common method for all public administrations to file all the documents, including electronic ones, and ensure fast and easy access to them where necessary.

Ensuring standardisation in the filing system would help achieve harmony within the institution and, if it can be disseminated among all organisations, it would form a basis for an efficient and effective communication system across the country.

Standardisation of filing services would:

ensure that documents about the same issues are codified using the same numbers in all organisations;

facilitate easy and fast access to the right information and documents requested, and make sorting, classifying and keeping the documents and putting them into service easier, as standard file numbers will refer to the same issues in all organisations;

ensure integrity and ease in the establishment of a tidy, fast, effective and efficient system of document and file and communication;

provide infrastructure for the automation of documents and correspondences and the establishment of information networks among organisations; and

facilitate internal and inter-organisational file and operation tracking. The document or information looked for would be easily found in a short period of time.

The task of carrying out studies on the registry, usage and archiving of electronic documents has been assigned to the General Directorate of State Archives upon Decision no. 7 dated 9 September 2004 of the e-Transformation Executive Board, in accordance with the Prime Ministry Circular number 2008/16 on Electronic Document Standards, published in the Official Gazette number 26938 and dated 16 July 2008, and TSE Standard number 13298 has been published. This Standard is a main source for electronic document management systems to be used by all public organisations.

Electronic document management systems to be established by the administrations will comply with the TSE Standard no. 13298 and, furthermore, inter-organisational sharing of electronic documents produced will be carried out by the criteria on electronic document sharing services as set out on the web address www.devletarsivleri.gov.tr

Archiving Services

Archiving services include identification of the materials the administrations and the staff have that will become archive materials in the future, their protection against any losses, preservation under proper conditions, utilisation in accordance with national interests, cropping, and disposal if not deemed necessary to maintain. Principles and procedures on archiving services have been set out in the Regulation on State Archiving Services published in the Official Gazette number 19816 and dated 16 May 1988, and amended by the Official Gazette number 25735 and dated 22 February 2005.

As per this regulation, administrations have to take necessary precautions to protect information and documents against disasters, theft, fire, etc.; set out the procedures for the preservation of confidential documents; take the measures to ensure that the documents remain legible in the future; and inform the managers and the staff about the proper periods of preservation for the documents.

4.2.4 Using and Sharing Information

Using and sharing information is crucial in terms of accountability and transparency for those who take part in the activities of the administration and other stakeholders.

Information is an asset which renews itself, turns into a new form and becomes more valuable as it is communicated and shared. Therefore, regular communication and circulation of information within an administration is a principle of information management. Sharing administrative information reflects a cycle in which the information is communicated to the relevant persons, administrative works are notified, reactions of the personnel are received, and reactions are assessed, evaluated and communicated back to the relevant persons.

The following must be considered while using and sharing information:

Comply with privacy, security and legal restrictions.

Whenever possible, use electronic media to share information resources (email, repositories, websites and so on).

Ensure that information remains complete, accurate, up-to-date, relevant and understandable.

Verify the accuracy and reliability of information (especially when conducting web-related research).

Take advantage of administrative investments in information resources (magazine and journal subscriptions, databases, online library services and so on) while respecting copyright, licensing and intellectual property rights.

When retaining information that has been 'copied', indicate the source, whether it is from an information resource already saved in the organisation repository, from a publication or from a website.

Furthermore, transferring information from those who leave their jobs to those starting a new job is crucial to the continuity of the activity in an administration. In this context, the following should be taken into consideration.

IC Table 1 What to do when leaving and starting a job

When leaving a job:

Discussing your responsibilities with your manager when leaving the job, and determining and monitoring the internal policies for the administrative closure of your business processes.

Providing pertinent information about everything you leave for your successor, explaining why it will be needed.

Backing up all the information in the electronic medium related to the job and transferring it to the information pool.

Transferring the documents under your responsibility to the relevant successor.

Creating a list of job-related website addresses, a summary of ongoing projects and related contact information, and an inventory of information resources (including file numbers) that will help your successor get used to his or her new job.

Returning, or extending the deadline of, the material that was borrowed from the library.

Removing the former employee's name from distribution lists.

When starting a new job:

See if any electronic and paper information resources of business value have been transferred to your custody.

Take note of any instructions or messages you receive regarding access to electronic tools such as a shared drive, business system or repositories.

Familiarise yourself with your information management responsibilities and practices.

Take part in training sessions on information management and recording.

Add the new employee's name on the distribution list.

4.2.5 Reviewing and Protecting Information

Organisations must periodically review such main processes of information management as planning, producing, collecting, defining, accessing and using information, and share the results with managers.

Therefore, attention must be paid to the following:

Store the information in a manner that preserves its form and status, keeping its structure, context and content intact.

Mark each information resource according to its proper security classification, either on the paper or electronic document.

Protect classified and protected information by ensuring it isn't left in waste or recycle containers and by storing it in locked desks or cabinets after work hours and during extended periods of absence.

Implement effective access control procedures, ensuring that classified and protected information is only made available on a need-to-know basis to those who are authorised to access it.

The level of protection must be consistent with the level of risk.

Take the requests for access and usage from other users into consideration and assess their compliance with the legislation.

Periodically back up the information for protection purposes.

4.3 Information Security

Information can be stored on paper, it can be kept in electronic format, or it can be transferred verbally as well. Regardless of its form, information must be properly recorded and protected. Information security means safeguarding valuable assets in an administration against loss, misuse or damage.

The aim of information security is to ensure the following:

Safeguarding data integrity

Preventing unauthorised access

Respecting privacy and secrecy

Continuity of the system

4.3.1 Information Security Management System

An information security management system is a systematic approach adopted so that the organisation's sensitive information that needs protection is managed properly, and the main objective of this system is safeguarding, storing and making the sensitive and critical information available where necessary.

Setting Up an Information Security Management System

In order to establish an information security management system:

Primarily, the decision must be taken on whether the system will cover the entire organisation or a part of it.

Secondly, a policy that sets out the objectives must be introduced.

Finally, a systematic risk assessment approach must be adopted, and potential risks must be identified and mitigated as appropriate.

Requirements of an Information Security Management System

The following are the requirements for an efficiently operating Information Security Management System:

Support and ownership by top management and managers of the administration must be ensured.

Information management should not be regarded as merely a technical issue and a job only for the Data Processing Department. The system must have the potential to reach its objectives with active participation by all staff of the administration.

Establishment of an information security management system must not be regarded as an extra burden and waste of time.

Elements/Principles of Security

The risks of compromise to information security, for example hacking, need to be defined, and controls to mitigate those risks should be introduced. If these controls are absent or ineffective, that will considerably decrease the efficiency of the information security system.

The main principles of security are confidentiality, integrity, availability, authentication, non-repudiation, responsibility and access control. For more detailed information, see the Turkish Standards Institute TSE-17799 "Information Security Management Standard" document. Furthermore, there are other international models aiming to ensure the security of electronically produced information, such as COBIT, e-SAC (Electronic System Audit and Control) and System Trust, while you can also explore the standards ISO/IEC 27001 and ISO/IEC 27002 (International Organisation for Standardisation).

Also, please refer to the "Regulation on the Principles and Procedures Regarding the Implementation of the Law on Electronic Signature", based on the Law on Electronic Signature number 5070, and the e-Transformation Turkey 2005 Action Plan (Action 5: Current systems at public institutions, particularly central institutions using critical information, will be analysed and information security policies and measures will be developed accordingly; and Action 33: The needs of disaster management of public information system will be identified and recommendations will be developed).

For preserving and storing documents that are kept in written environment, please refer to section 4.2.3 on organisation of information (Registry, Filing and Archiving System).

432 Information Security Control Activities

In order to set the level of importance of an item of information the degree of the effect on

the administration that stems from the risk of harm made on the ldquoconfidentiality integrity and

availabilityrdquo of the item of information must be defined in the first place The harm that can be

made on these three security features of information systems may have different degrees of effect

For instance disclosure of top secret information can cause serious harm on an administration while

it may not be that harmful if that information becomes unavailable

108

The risks to information security identified must be analysed and ranked and the cost of the

control activities to be established and operated to mitigate those risks must be in proportion to the

value of the information protected and the risk identified after examining potential threats For

some ideas of suitable control activities see the Control Activities chapter

IC Figure 1: Process of Control Activities for Information Security (stages shown in the figure: Prevention, Identification, Response)

The image above is an example of security-related control activities. It demonstrates 4 different attacks. As the image shows, attack [1] is immediately prevented at the stage of prevention, while attacks [2], [3] and [4] are not. Of the attacks that survive the prevention process, attack [2] is identified at the stage of detection and eliminated. Attacks [3] and [4] manage to pass the detection stage. At the stage of response, which is the final stage and has been designed in accordance with the level of tolerance decided, attack [3] is eliminated, while attack [4], which survives all stages, damages the system, passing through all security processes.

5 MANAGEMENT INFORMATION SYSTEMS (MIS)

Management information systems are computer-assisted systems (consisting of computer hardware and software) which should ideally provide timely strategic information needed by managers in the form they demand it, so they can make the right decisions on an informed basis.

The aim is the transmission of the right and complete information to the right people in the proper format (form, report, table, graphics etc.). A labour force is needed to run, update and maintain the systems. MIS give information on how the administration is performing in terms of financial information, information regarding the staff, information on the movable/immovable assets, performance information, information from the organisation's document archive etc. against key performance indicators. MIS may also give information on risk management.

Information should be registered, classified, calculated, summarised, reported and stored. Back-up copies of the system should be kept in case the system crashes. If these processes are not done systematically, managers may have incorrect information and thus make the wrong decisions.

While designing MIS, first the civil servants must understand the importance of acquiring and recording reliable and accurate information and be aware of their responsibilities in this regard; then business processes related to the production of information must be defined completely and clearly; and finally support from IT must be obtained.

Some organisations have dispersed information systems; however, the existence of such a structure does not necessarily mean they have MIS. In some cases information is not related and integrated with all the actions and units of an administration. Data recorded by different units in different systems is stored independently of the other units. Duplication of information in different units of the administration is an inefficient use of resources. Data being entered into a central computerised system ensures that managers should have access to information which covers all the administration.

The resistance to information sharing in administrations is a significant problem. It is not possible to transmit the accurate and timely information which management needs in administrations where information is not shared, which is an obstacle for MIS. Hence, a culture of information sharing should be encouraged.

5.1 Stages of Establishing MIS

In the development of management information systems, SDUs undertake the task of coordination and provide technical assistance to the spending units. The following process can be followed by the SDUs and the spending units in establishing MIS.

5.1.1 Establishment of the MIS Working Group

A participative method should be adopted in the establishment of MIS in administrations: the work programme should be produced for a working group to be formed with the participation of representatives from all the spending units under the coordination of the SDU, and tasks should be distributed.

5.1.2 Preparation of the MIS Working Plan

In the working plan:

- To begin with, a comprehensive need analysis should be carried out to identify which type of information the management may need.
- Upon the completion of the need analysis, data provider units for the MIS should be identified. This will provide a significant infrastructure for the information map to be produced.
- The properties of the current information system of the administration and related problems and solution recommendations should be disclosed; what needs to be done to solve the problems and what is aimed should be determined; and structures should be set up in the administrations to support production and sharing of information.
- Cost and benefit aspects of the system planned to be established should be considered.
- The potential risks relating to MIS should be identified and a risk management process should be carried out. The control activities to be applied for the risks with high significance and likelihood should be determined.
- A good MIS must be flexible enough to keep up with the changes occurring inside and outside the administration. Besides, success criteria of the system, such as inclusion of early warning mechanisms, should be determined.
- In the medium term, a corporate information map must be prepared that will cover the entire organisation. Preparation of a corporate information map would ensure quick access to the information and expertise needed. The information map must be produced primarily at unit level and then at individual level, considering their level of expertise and experience. While forming such a structure, organisational charts or documents for distribution of tasks within the units at a more specific level can be made use of. Production of the corporate information map and its proper operation would ensure that the following question is answered easily: "Who knows what?" For instance, quick identification of who (which department, which employee etc.) has information about staff, budget or archives, and of the relation among this information, will be ensured.
- Establishment of MIS can be initiated by pilot implementations in the units. Using pilot implementations as a starting point and ascertaining how the system works will ensure economy in terms of time, cost and labour force. Potential mistakes to be made in the further stages of the process can be prevented by eliminating the shortcomings and correcting the mistakes observed during the pilot implementations.

5.1.3 Monitoring/Assessment

Periodic reports must be produced and presented to the top management during the establishment of MIS to show the progress in the development of the system. Action must be taken against the problems identified at this stage to ensure performance of the activities as planned.

Studies about the fulfilment of MIS services in administrations must be carried out upon the approval and under the supervision of the head of administration. Furthermore, the head of administration must inform the related units on the working method adopted.

An MIS needs to be dynamic to keep pace with changes in technology or in the demands for information by management.

5.1.4 Related Legislation

Law no. 5436, which amends Law no. 5018, prescribes the establishment of SDUs and assigns them the task of providing the services related to MIS.

In the Regulation on the Working Principles and Procedures of SDUs, providing the services regarding MIS and carrying out studies for the establishment of the system are listed among the tasks of the SDUs.

6 COMMUNICATION

Communication is the exchange of information among individuals and/or organisations to support service delivery, decision making, and sharing, carrying out and coordinating activities. It plays a central role in the development of a robust internal control system and helps management to make decisions by providing feedback on how all the components of internal control are working.

An administration needs information at all levels to achieve its objectives and manage risks. In this context, information flows can take place both horizontally and vertically, as well as from outside the organisation.

Information must be properly communicated within an administration to the managers and/or staff in need of it on a timely basis in order for them to fulfil their responsibilities and ensure coordination with other units. External communication with the beneficiaries, suppliers and stakeholders such as other public administrations is also essential for effective internal control.

Communication can be verbal, written or electronic, or a combination of the three. Where verbal communication is deemed sufficient, documenting only the important verbally communicated information would be useful, so records of key information are kept and can be subsequently referred to by those who are given access to it.

IC Box 2: Communication Channels

Management should establish communication channels that:

- provide accurate information at the right time;
- meet individual demands;
- inform employees of their roles and responsibilities;
- support reporting;
- allow employees to make recommendations for improvement;
- give messages that top management can understand, enabling them to make decisions;
- inform employees of the importance of internal control and of decisions taken;
- are both internal and external; and
- have the right target group.

6.1 Internal and External Communication

Administrations should consider the following general issues regarding their internal and external communication:

- The public should be provided with timely, accurate, clear, objective and complete information about policies, programmes, services and activities.
- The language used should be comprehensible and plain Turkish.
- Administrations should be visible, accessible and accountable to the public for the services they provide.
- Various means and methods should be utilised in communication, and information from a variety of sources should be engaged to meet different needs.
- Communication needs should be regularly identified.
- Administrations should receive opinions from internal and external stakeholders while setting out objectives and aims and formulating processes, and should establish mechanisms to assess these.
- Public administrations should work cooperatively with stakeholders when necessary in order to ensure efficient communication.
- Services should be provided in a fair, quick and responsive manner.
- Administrations should have the capacity and equipment to follow up innovations in technology in the field of communication and allocate necessary resources to do so. In this context, activities carried out should be proportionate to resources allocated and results expected.

IC Table 2: Communication Principles and Procedures

Internal (table columns: Communication Principles; Method)

- Top management and employees should understand the internal communication system and be well aware of their responsibilities.
- Internal communication activities and processes should be reviewed regularly and revised where necessary. New communication methods should be adopted to stay in line with the changing administrative structure.
- It must be ensured that staff communicate their considerations, recommendations and questions to top management.
- Staff should be regularly informed about the operation of the internal communication system, what to do and the responsibilities, in writing or electronically (including information and communication system for risks).
- Necessary mechanisms (intranet, internet, announcement boards, complaint and suggestion boxes, top manager briefings etc.) should be established to inform the employees about the mission, vision and the objectives of the administration.
- Communication between managers and employees should be clear and cooperative in order to achieve the goals and mission of the administration.
- Staff objectives should be made consistent with those of the administration.
- A more effective communication should be ensured between senior management and personnel.
- Regular meetings and an electronic mechanism that enables the SDUs to coordinate spending units and produce statistical data via necessary analysis.
- Recommendations and ideas of personnel should be heard and action taken to address them when appropriate.
- To this effect, in-house communication seminars and training programs should be organised.

Vertical communication

- Personnel should convey the necessary, timely, complete and accurate information to their managers in time for the managers to make decisions and achieve objectives.
- Personnel should be notified by their managers when, in which scope, in what way and from which unit the information is demanded.
- Managers should inform the staff about the policies, goals and objectives of the administration.
- A reporting system should be established within the administration which flows from staff to managers (minutes of meetings, unit activity reports, exchange of information on a weekly or daily basis in person or electronically, a reporting system that enables the managers to monitor daily activities etc.).
- Regular meetings between management and internal auditors, timely submission of internal audit reports to top management.

Horizontal Communication

- Refers to the effective sharing of information among employees of the same hierarchical level in order to carry out the tasks and activities in the administrations.
- Personnel and units to share information should be announced to staff, and the duty to share information should be included in the job descriptions of the relevant personnel and units.
- Managers should hold regular meetings to exchange ideas on their respective fields of competence and the problems and suggestions regarding management.
- Establishment of a system to monitor meetings and activities of people of the same level.
- Creation of an e-mail group for the people from the same hierarchical level.
- Strengthening data processing infrastructure and ensuring active operation of units.
- Ensuring that top management have more effective communication with employees.
- Internal communication seminars and training programmes should be organised.

EXTERNAL (table columns: Communication Principles; Method)

- The accessibility of the citizens to the information and services of the administrations should be enhanced.
- Services delivered by administrations within the framework of "e-state" should be shared with the other relevant administrations and citizens (MERNIS, UYAP etc.).
- The administration's website, which provides the necessary documents, should be established and some services should be provided via this website 24/7.
- Documents and services provided online should be updated regularly, and the administration should assign certain people to manage the design and content of the website.
- Furthermore, English broadcast for the access of foreign users to information will be useful.
- Mechanisms should be set up to enable citizens to express their complaints and suggestions (forum, frequently asked questions, activation of use of Information Acquisition System and BIMER etc.).
- Administrations should inform the press about issues deemed important for decision makers and the public.
- The press should be invited to important conferences and seminars.
- Services provided by the administration should be advertised on TV or the internet.
- The head of administration should inform the public annually about the performance programme and activity report of the administration, and these should be published on the administration's website.
- Active operation of the press and public relations units should be ensured.

6.2 Communication Methods

A communication system is made up of methods and records produced to determine, acquire, change and transfer useful information. Staff must be able to communicate with all the units in the organisation, including sharing risky information.

With the advancements in technology, numerous and various communication means are now available in public administrations. The most widely used means of communication are detailed in IC Annex 2.

6.2.1 Reporting

Reports are crucial tools for the establishment of an effective internal control system, as they facilitate the monitoring of control effectiveness.

Managers should take reports submitted to them into consideration when making decisions. In this context, accurate and succinct reports that have been prepared on time would help the managers. Furthermore, communication and reporting is an important element of risk management (see Risk Management Chapter).

Administrations should communicate financial and non-financial information and results regarding their policies, programs, activities and projects to the relevant persons and bodies, in writing or verbally, at particular times. Within this framework, vertical and horizontal reporting lines within the administration should be determined in writing. Furthermore, each administration should also take into consideration external reporting mechanisms.

IC Figure 3 shows the mechanism of vertical reporting among the hierarchical stages regarding the decisions and works at the strategic, programming and operational levels, and the mechanism of horizontal reporting among the personnel of the same level. Vertical reporting is the reporting of personnel to managers. Horizontal reporting, on the other hand, is the necessary flow of information among the people and units that are on the same level.

IC Figure 3: Reporting Lines (figure labels: Top Management, Medium-level managers, Other staff; Strategic, Operational, Objective/Activity; Vertical Reporting, Horizontal Reporting)

Examples of horizontal reporting within an administration:

- Staff attending a training program sharing with colleagues the report they prepare about training results; and
- Minutes of Meeting shared with other units.

Examples of vertical reporting within an administration:

- Consolidated Risk Report submitted to senior management;
- Minutes of Meeting copied to a senior manager for their information;
- Internal Audit Reports submitted to senior management; and
- Quarterly Reports, Semi-Annual Reports submitted to senior management.

Examples of reporting outside the administration:

- Internal Control System Evaluation Report prepared by the SDU and submitted to the CHU; and
- Annual activity report for an administration prepared by the Head of Administration, published to the public and copied to the Turkish Court of Accounts and Ministry of Finance.

IC Box 3: Basic Principles for Effective Reporting

- It should be explicitly determined and announced to staff which reports will be prepared by whom, at what frequency and when they will be prepared, who they will be submitted to and who will control them. Reports must be in compliance with tasks, responsibilities and the principles of financial transparency and accountability.
- The information included in the reports must be accurate, up-to-date, succinct, objective, complete, relevant and sufficient.
- Reports should use a common and clear language that everyone can understand.
- Reports must be produced at certain periods and on a consistent basis so that comparisons can be made between years.
- Reports should attract the attention of readers, be easy to read and understand, and include sufficient and appropriate visual material.
- All reports should have a conclusion and evaluation section.
- Desired format for the report should be determined in advance by the administration/unit requesting the report and notified to the relevant administration/unit.

IC Annex 3 details the reports prescribed to be prepared as per the Public Financial Management and Control Law No. 5018 and the applicable regulations in the framework of the principles of financial transparency and accountability.

7 WHISTLEBLOWING OF FAILURES, IRREGULARITIES AND FRAUD

One of the most important elements of accountability and transparency is the existence of a mechanism that ensures that staff and stakeholders are able to effectively express their concerns.

Article 279 of Turkish Penal Code states that if a civil servant learns, by means of the position he holds, that a crime which necessitates investigation and prosecution was committed and neglects or delays notifying the competent authorities of this crime, he will have committed a crime himself.

7.1 Concepts of Failure, Irregularity, Fraud and Whistleblowing

Failure refers to an unintentional action against the legislation.

Irregularity and fraud, on the other hand, refer to the behaviours of the administration's staff or third parties on purpose against the present rules in order to achieve unfair or unlawful gain.

Whistleblowing is the notification of illegal and unethical behaviours and actions to top management, third parties outside the management, or authorised bodies or persons (who can be inside or outside the administration) by the persons with information (employees or stakeholders). Failure to blow the whistle can cause damage to the administration.

In line with the above given information, administrations must determine distinct methods for evaluating irregularities, fraud and failures they have been notified about.

It should be borne in mind that the person who makes the notification may be left alone or isolated, his or her career may be undermined, or he or she may not be taken seriously. Therefore, any kind of biased or discriminative conduct against the personnel or third parties that blow the whistle should be prevented.

7.2 Scope of Notifications

There are three basic types of whistleblowing and complaints in public administrations:

- Those regarding the violation of ethical values
- Those regarding faults, irregularities and fraud
- Complaints by civil servants regarding administrative actions and processes implemented against them by managers or administrations

7.2.1 Whistleblowing and complaint in cases of violation of ethical values

Whistleblowing mechanisms are defined in Law No. 5176 on Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws, and in the Legislation on Ethical Behaviour Principles and Procedures for Civil Servants.

Under this legislation, cases of ethical behaviour violation by the director general and by those who have a title at this level are notified to the Ethical Board, while cases of violation by the other employees are notified to the relevant administrative manager to be directed to the administration's disciplinary board. Within this framework, administrations carry out the process to ensure compliance with the law.

A flowchart showing the detailed process for whistleblowing and complaint in cases of violation of ethical values is at Annex 4a.

7.2.2 Whistleblowing and complaint regarding irregularities and fraud

Law no. 4483 defines the procedures to be followed in cases of crimes committed by civil servants by means which are in relation to their duties. Accordingly, cases of whistleblowing or complaint about civil servants are filed, processed and concluded under this Law.

In cases when a complaint by a person is not processed, he can appeal to the administrative court if he wishes. The administration has to record all the cases of whistleblowing or complaint, processed or not.

A flowchart showing the detailed process for whistleblowing and complaint regarding irregularities and fraud is at Annex 4b.

7.2.3 Complaints by civil servants

Proceedings relating to complaints by civil servants regarding administrative actions and processes implemented against them by their managers or administrations are carried out within the framework of Article 21 of Law No. 657 and the Legislation on Complaint and Application Rights of Civil Servants.

7.3 The Responsibility for Detecting Faults, Irregularities and Fraud

The responsibility for identifying and preventing failures, irregularities and fraud rests with management and all employees. Under the ethical behaviour culture of the administration, the necessary actions should be taken to prevent failures, irregularities and fraud under the supervision of the responsible managers.

7.4 Whistleblowing System

For employees to communicate their concerns and for these concerns to be taken seriously, administrations should have the related regulations that comply with their structures, as well as reporting mechanisms. In these regulations the following should be included:

- the subject-matter of a whistleblowing;
- how to protect the confidentiality of, and provide security for, a whistleblower who has good faith;
- the stages of the whistleblowing procedure (first to manager, then head of unit, head of internal audit, head of human resources unit or head of financial services unit, head of administration);
- how cases of whistleblowing are evaluated by the administration and what actions are taken (examination inside the administration or official investigation etc.);
- information given with a view to informing the whistleblower about who the subject matter concerns, whether he can contact that person, as well as about evaluation progress and/or results.

Within this framework, administrations should announce to the personnel all the ways of whistleblowing and complaint.

In cases of whistleblowing and complaint, the identity of the whistleblower should be kept confidential so that they are not exposed to discrimination.

Administrations should receive cases of whistleblowing and complaint in electronic format via their web sites as well as in writing. Besides, administrations should set up mechanisms to make it easier for external stakeholders to whistleblow or complain, and announce them on their billboards and websites.

Administrations should not set up different mechanisms other than the preliminary examination procedures that are determined in Law no. 4483 for cases of whistleblowing and complaint regarding corruption and irregularities. As a result of the preliminary examination, whether an investigation permit is given or not should be notified both to the Chief Public Prosecutor's Office and the whistleblower with a detailed justification, and the letters regarding these notifications should be kept in the whistleblowing files.

For an effective whistleblowing system, the following basic requirements are taken into consideration:

IC Box 4: Basic requirements for Whistleblowing

IC Box 5: Issues to consider while evaluating whistleblowing notifications

- Are the behaviours or actions in the administration unlawful?
- Are the behaviours or events taking place in the administration against the ethical values (morals, professional ethics etc.)?
- When the whistleblowing is not in compliance with the procedure, it must still be definitely evaluated as long as it is based on concrete evidence.
- Seriousness and importance of the issues put forward should be taken into consideration.
- There should be good will and public benefit.
- There should be a reasonable belief that the information and the allegations the information includes are completely true and may uncover malpractice.
- Top management should announce the procedures for dealing with whistleblowing and complaint from inside and outside the administration.
- Administrations should determine, for central and local units, who notifications will be referred to.
- Methods must be developed for anonymous notifications from staff and third persons (telephone in a way that ensures evidenced delivery, internet application provided that forms given are completed, anonymous letter, suggestion boxes etc.).
- Written, spoken or electronic cases of whistleblowing should be recorded in a separate folder by the authorised unit or person, regardless of whether they are based on enough evidence or not.
- Discriminative treatment towards the whistleblower should be prevented.
- Periodical meetings should be held with staff, in which their views should be heard and their trust should be won in regard to reporting malpractices within the administration.
- All the communication channels should be left open to ensure that personnel can blow the whistle.
- In the event that personnel are proved right after the examination and evaluation process of the whistleblowing, they should be rewarded by means of secret methods to be determined by the administration.

IC Figure 4: Whistleblowing Process (flowchart elements: Whistle blower, with the questions "Is it illegal?", "Is it unethical and immoral?", "Is it based on concrete evidence?", "Do I have good will?", "Do I draw benefit from this?"; secure communication channels (e-mail addresses, telephone numbers); Unit/person to evaluate the case of whistle blowing; Evaluation Criteria; Disciplinary Board; Inspection Board/Audit Unit; Chief Public Prosecutor (investigation request is from outside the administration); Authorising officer)

IC Box 6: Current Legislation relating to whistleblowing and complaint

- Law No. 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication
- Law No. 4982 on the Right to Information
- Law No. 3628 on Declaration of properties, bribes and combating fraud
- Law No. 3071 on Official Letters
- Ethics Law, Regulation and Prime Ministry Circular
- Principles and Procedures on the Complaint and application rights of Civil Servants
- Complaint regulation under Public Procurement Law No. 4734

8 RELATIONS AMONG UNITS

8.1 Information and Communication between the CHU and SDUs

The extent to which the tasks the CHU carries out are effective and efficient depends on the level of communication it achieves with SDUs.

The CHU must develop organisational communication mechanisms to ensure transfer of information to the SDUs. This could either be done via a call centre to be established within the CHU, or particular CHU staff (client representatives) can be matched with particular SDUs. This would enable CHU staff to better know the unit they are responsible for and therefore make evaluations and problem solving easier. This would also improve the influence of the CHU on other units. Furthermore, ensuring face-to-face communication between CHU and SDU staff and organising periodic meetings and/or conference calls to review the internal control system can be another method of information transfer.

The CHU must set out the critical arrangements that are relevant to the SDUs using participative methods where the participation of SDUs must be ensured. Furthermore, the level of participation by the SDUs will enhance the level of communication.

8.2 Information and Communication between SDUs and Spending Units

Ensuring coordination with spending units for the adoption of various elements, such as preparation of activity reports and performance programmes and implementation of internal control, which are important elements of Public Financial Management, is the responsibility of SDUs. An effective and efficient organisational communication with spending units would also contribute to the smooth progress of the coordination process.

SDU staff and spending units must be matched. Each member of the SDU must be in constant communication with the spending unit they are responsible for and transfer the necessary information to the spending units periodically. Spending units must also assign the department/branch/unit staff to be in continuous communication with Strategy SDU. Such matching plays a crucial role in the transfer of consistent and accurate information both from the SDUs to the spending units and from the spending units to the SDUs.

Furthermore, these information flows must also be reviewed in the meetings to be held regularly (advised frequency: minimum monthly, maximum quarterly) by the spending unit officials and SDU managers, and the actions to be taken and required development must be discussed in these meetings.

In the event that it is necessary for the SDUs to make decisions which would affect the spending units, officials from spending units must be able to get involved in this process, depending on the level of the decision.

INFORMATION AND COMMUNICATION ANNEXES

Annex 1 - Legislation on Information and Communication

- Regulation on the Principles and Procedures to be applied in Official Correspondences by the Prime Ministry
- Regulation on the Prime Ministry State Archiving Services published in the Official Gazette number 19816 dated 16 May 1988
- Regulation on Public Servants Ethical Behaviour Principles and Principles and Procedures for Application
- Regulation on Declaration of Assets published in the Official Gazette no 20696 dated 15 November 1990
- Regulation on the Complaints and Application by Public Servants Assets published in the Official Gazette no 17926 dated 12 January 1983
- Prime Ministry circular on Standard Folder Plan no 20057 dated 24 March 2005
- (Manual to be prepared by Central Harmonisation Unit can be included, including the FMC Manual)
- Prime Ministry circular dated 19 March 2007 on Civil Servants Ethical Board
- Regulation on Complaints under the Scope of the Law no 4734 on Public Procurement (The arrangements to be made by the CHU, including the FMC Manual, can be covered in this part)
- Law no 406 Telegraph and Telephone
- Radio Law no 2813
- Law no 3071 on Official Letters
- Law no 4982 on the Right to Information
- Law no 5070 Electronic Signature
- Law no 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication
- Law no 5369 on Provision of Universal Service and Amendments to Certain Laws
- Law No 5176 on Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws
- Law No 4483 on Trying cases against Civil Servants
- Law No 3628 on Making Declaration of Property and Fight against Bribery and Corruption
- Law no 5809 on Electronic Communication


Annex 2 - Widely Used Methods of Communication

| Means | Objective | Advantages | Disadvantages |
|---|---|---|---|
| Meetings | Informing; Receiving opinion; Making joint decisions | Relatively cheap; A method that people are accustomed to; Contribute to the culture of participation; Open to discussion and dialogue; Opportunity to come up with solutions to problems in the administration | Difficulty to measure the success and value of the method; Possibility that results may not be useful; Possibility that a minor group may dominate the meeting in case of bad management |
| Reports | Informing; Receiving opinion; Making decisions; Evaluation | Informs the target group about the subject in a sound manner; Facilitates decision-making process of the manager; Possibility to access accurate, up to date, relevant and adequately detailed information | Requirement for qualified staff; Its production is time consuming |
| Brochures, Periodicals | Informing; Promotion | Opportunity for creative design; Comprehensible; Particular and wide target groups; Opportunity to establish long term relation with target group; Opportunity to make regular up-dates regarding the subject | Limited feedback; Difficulty to measure the impact on target group |
| Questionnaire, Interview (letter, e-mail, telephone, face to face) | Receiving opinion; Evaluation | A method that people are accustomed to; Opportunity to reach a wide group; Opportunity to select particular target groups; Scientific methods can be used | Expensive, time consuming; Requirement of in-detail information to use the method accurately; Possibility that responding rate may be low; Possibility that the subject may not be examined enough |
| Press releases and conferences | Informing; Receiving opinion | Cheap; Easy to organise; Opportunity to communicate to many people | Difficulty to understand whether the subject reached the target group or not; Difficulty to measure the success and value of the method; Difficulty to examine the subject thoroughly; No feedback or limited feedback |
| Brainstorming | Exchanging ideas; Making joint decisions | Obtaining many ideas regarding a subject; Contribution to the culture of participation; Cheap, flexible, easy to organise | Possibility that results may not be useful; Possibility that the subject may not be examined enough |
| Workshop | Informing; Receiving opinion; Making joint decisions | Opportunity to set up new networks; Fun for participants; Chance of finding solutions to problems; Cheap, flexible, easy to organise; Chance of examining the subject thoroughly; Opportunity to select particular target groups; Easier participation because of unofficial atmosphere | Non-scientific; Possibility that results may not be useful; Possibility that a minor group may dominate the meeting; Possible to receive wrong results with a small and randomly selected group |
| Conference | Informing; Receiving opinion; Making joint decisions | Opportunity to become creative and flexible; Opportunity to work together with different groups; Opportunity to set up new networks; Opportunity to select particular target groups; Opportunity to examine the subject thoroughly; Opportunity to discuss different opinions and ideas | Expensive, time consuming; Possible to receive wrong results with a small and randomly selected group; Raising different expectations; Possibility that result may not be useful; Possibility that a minor group may dominate the meeting in case of bad management |
| Focus Group | Receiving group's opinion with the leadership of a moderator | Faster and cheaper compared to one-to-one interview; Opportunity to discuss different opinions and ideas; Spoken discussion accelerates the process that outputs are reflected in writing | Possibility that useless information may emerge in case of bad moderation; Quality of participators affect the quality of data |
| Conference Call | Making joint decisions; Finding common solutions to problems | Opportunity to discuss different opinions and ideas; Opportunity to examine the subject thoroughly; Experienced decision-makers and persons with deep information accumulation coming together | Possibility that results may not be useful in case of bad management; Expensive, time consuming; Possibility that a minor group may dominate the meeting in case of bad management |
| Websites and intranet, e-mail | Informing; Receiving opinion | Cheap; Easy to organise; Opportunity to reach many people; Effective information sharing | Need for updating; Problem that unfavourable people may get access |


Annex 3 Reports Prepared under PFMC Law No 5018

| Name of report | Responsible unit | Submitted to |
|---|---|---|
| Unit Activity Report (Art 41 of Law no 5018) | Spending Units - Authorising Officers | Head of Administration |
| Local Administrations Activity Report | Spending Units - Authorising Officers | Head of Administration |
| Administration Activity Report (Art 41 of Law no 5018) | Head of Administration (General budget administrations, special budget administrations and social security institutions) | Ministry of Finance, Court of Accounts and Public Opinion |
| Local Administrations Activity Report (Art 41 of Law no 5018) | Head of Administration (Local Administrations) | Ministry of Interior, Court of Accounts, Public Opinion |
| General Activity Report (Art 41 of Law no 5018) | Ministry of Finance (Directorate General for Budget and Fiscal Control) | Court of Accounts and Public Opinion |
| Local Administrations General Activity Report (Art 41 of Law no 5018) | Ministry of Interior | Court of Accounts, Ministry of Finance and Public opinion |
| Administration AR, General AR, Local Administrations General AR (Art 41 of Law no 5018) | Court of Accounts (Expressing its own opinions considering its external audit results) | TGNA |
| Draft Law on Final Accounts (Art 42 of Law no 5018) | Ministry of Finance (DG Public Accounts) | TGNA, Court of Accounts |
| External Audit Overall Assessment Report (Art 68 of Law no 5018) | Court of Accounts | TGNA |
| Corporate Financial Status and Expectations Report | Public Administrations under the scope of General Management | Public Opinion |
| Central Government Budget Realisations and Expectations Report | Ministry of Finance (Directorate General for Budget and Fiscal Control) | Public Opinion |
| Financial Statistics (Art 52, 53, 54 of Law No 5018) | Ministry of Finance (DG Public Accounts) | Public Opinion |

In the production and submission of the Activity Reports above, Law no 5018 and the principles and procedures set out in the Regulation on Activity Reports Prepared by Public Administrations are taken into account.

In preparation and declaration of the financial statistics of public administrations, Law No 5018 and the principles and procedures set out in General Communiqué on Financial Statistics of General Management are taken into consideration.


Annex 4a Whistle-Blowing Process Related to Ethical Values

Application: Written petition, electronic mail or oral application that is recorded

Registry (Relevant unit/person): Registration in the document registry system (written, electronic); a separate folder system for notification applications

If related to Director General and upper level positions than Director General: Ethical Board

If related to lower level positions than Director General: Head Office of the Relevant Administration, Disciplinary Board

EVALUATION

NOTIFICATION:
- To the relevant person (person who whistle-blowing is about)
- To the relevant administration (conduction of the work within the framework of Law No 657)
- To whistle-blower

NOTIFICATION:
- If it is decided that ethical behavior principles have been violated: To Prime Ministry; To Public Opinion (Published in official gazette)
- If it is not detected that ethical behavior principles have been violated: To the Prime Ministry; To whom it may concern


Annex 4b Whistleblowing and Evaluation Process for Crimes Committed by Civil Servants

Application: Written petition (person or a particular event, serious allegations, name, family name, signature, domicile address)

Registry (Relevant unit/person): Registration in the document registry system (written or electronic - a separate folder system for notification applications)

Head of the relevant unit

Preparation of preliminary examination report and submission of it to the body authorised to give the permit

NOTIFICATION

Directly Chief Public Prosecutor

Other positions or civil servants

Requesting investigation permit from body authorised to give the permit (Article 3 of Law No 4483)

Making notification to body authorised to give the investigation permit (Article 3 of Law No 4483)

Body authorised to give the permit starting the preliminary examination (4483/5)

Permitting the investigation about the complaint, whistleblowing or subject matter of the allegation

Not permitting the investigation about the complaint, whistleblowing or subject matter of allegation

OBJECTION (to the Court of Appeals or regional administrative court by the civil servant about whom investigation is conducted)

- to the Chief Public Prosecutor's Office
- to the civil servant about whom the investigation is conducted
- to the whistleblower

OBJECTION (to the Court of Appeals or regional administrative court by the Chief Public Prosecutor's Office or complainant)


MONITORING

1 Introduction

Monitoring is the assessment of the internal control system in terms of harmonisation with the internal control standards, to see whether it makes the expected contribution to the achievement of goals and objectives of an administration. It is the identification of the actions regarding the aspects open to improvement. Within this framework, monitoring is an integrated process in which capacity is assessed in interaction with the other components of internal control system.

M Figure 1 COSO Monitoring Process

[Figure labels: Risk Management; Control Activities; Info & Communication; Monitoring; Control Activities]

The main elements of monitoring are formation of a sound infrastructure for monitoring, designing and implementing monitoring procedures, and assessment and reporting of the results.

Monitoring, if designed and carried out properly, provides the administration with the reasonable assurance that the internal control system operates efficiently. An efficient monitoring helps:

- Timely identify and eliminate the problems in the system of internal control
- Produce more accurate and reliable information to be used in decision making
- Produce correct and timely financial statements
- Confirm regularly that the internal control system is effective
- Present evidence for the internal control assurance declarations


Monitoring internal control systems requires participation. Question forms, internal and external audit reports, and requests and complaints from individuals and/or organisations and the opinions of unit directors must be benefited from during monitoring.

2 Monitoring Internal Control Standards

Monitoring includes all sorts of monitoring activities performed with the aim of quality assessment of internal control system.

M Box 1 Internal Control Standards

Standard 17: Assessment of internal control
The administrations shall assess their internal control systems at least once a year.

Standard 18: Internal audit
The administrations shall ensure a functionally independent internal audit activity.

3 Roles And Responsibilities

3.1 Senior Manager

The main responsibility for monitoring internal control system rests with Senior Manager. This is also emphasized in Article 11 of Law No 5018, and it is stated that Senior Managers are responsible for observing and monitoring the functioning of financial management and control system.

The Senior Manager fulfils this responsibility through internal auditors and Strategy Development Units (SDU).

Approving the internal control system annual assessment report prepared by his administration, the Senior Manager ensures the submission of it to Central Harmonisation Unit (CHU).

Furthermore, the Senior Manager annually states, based on evidences, that internal control system gives reasonable assurance for attainment of the objectives and aims of his administration through internal control assurance statements (Annex 3A).

On the other hand, the Senior Manager ensures the implementation of recommendations put forward as a result of internal and external audits.

3.2 Internal Audit

Internal audit has the functions of providing information, making assessments and making recommendations on the adequacy, efficiency and functioning of internal control system. Within this framework, the Senior Manager, who has the responsibility for a sound functioning of internal control system, receives opinions and support from internal auditors.

3.3 Internal Control and Risk Steering Board (ICRSB)

ICRSB assesses Internal Control System Evaluation Reports prepared by SDU as a result of annual assessment of internal control system (Annex 2) and, after defining the shortcomings of the report, if any, submits it with the relevant opinions for the approval of Senior Manager.

3.4 Authorising Officers

Authorising officers have responsibilities regarding internal control and continuous monitoring. Furthermore, Authorising Officers provide necessary information for SDUs regarding the annual assessment of internal control system, fill in the internal control question form (Annex 1) and annually sign the internal control assurance declaration (Annex 3B) to be submitted to Senior Manager.

In addition, Authorising Officers have the responsibility for taking relevant actions regarding the recommendations contained in internal and external audit reports.


3.5 Strategy Development Units (SDU)

SDUs have been assigned the function, by Law No 5018 and the applicable legislation [3], to carry out studies to establish, implement and continuously develop internal control systems and to report the study results to the Senior Manager.

Within this framework, SDUs annually assess internal control system on behalf of Senior Manager. Then they report assessment findings, gained by means of forming a working group and using such tools as check lists, questionnaires and question forms, to the Senior Manager with the relevant opinions from Internal Control and Risk Steering Board.

SDUs sign the declaration on functioning of internal control system with a view to ensure effective, efficient and economical execution of administration's activities.

Personnel of SDUs take active role in the assessment process of internal control systems and guide the units in filling the reports regarding assessment (Annex 1).

3.6 Other Managers and Employees

Other managers and employees are responsible for the effective functioning of internal control system within their own fields. Within this framework, while carrying out their own duties, they observe the functioning of internal control system and, in case of a problem, they inform Senior Manager and contribute to the assessment process of internal control system by providing information.

3.7 External Audit

External audit is conducted by Court of Accounts. Within this framework, Court of Accounts can assess internal control systems in public administrations and can make recommendations.

3.8 Central Harmonisation Unit (CHU)

In accordance with Article 9 of the Principles and Procedures regarding Internal Control and Ex-ante Financial Control and Article 55 of Public Financial Management and Control Law No 5018, this unit develops standards and methods regarding internal control processes and provides guidance services in public administrations.

Furthermore, CHU annually assesses the functioning of internal control systems in public administrations based on Internal Control Assessment Reports approved and submitted by senior managers, and submits the assessment report it prepared to the Senior Manager and Minister of Finance.

CHU, in necessary cases, carries out on-site monitoring activities regarding the factors contained in reports prepared by public administrations.

Within the framework of roles and responsibilities explained above, the following scheme demonstrates the exchange of information and reporting lines envisaged to be realized within the scope of monitoring activities in the administration.

[3] Legislation on Principles and Procedures regarding Internal Control and Ex-ante Financial Control and Working Principles and Procedures of Strategy Development Units


M Figure 2 – Reporting and information exchange process foreseen under monitoring

[Figure boxes, top to bottom: CENTRAL HARMONISATION UNIT; SENIOR MANAGER; INTERNAL AUDIT (Report), INTERNAL CONTROL RISK STEERING BOARD, EXTERNAL AUDIT - Court of Accounts (Report); STRATEGY DEVELOPMENT UNIT; AUTHORISING OFFICERS; SUB-UNIT MANAGERS; SUB-UNIT PERSONNEL]

1) Straight arrows demonstrate the hierarchy in the reporting process

2) Dotted lines demonstrate the exchange of information

4 Guidance by the CHU [4]

Article 55 of Public Financial Management and Control Law no 5018 and Article 9 of the Principles and Procedures on Internal Control and Ex-ante Financial Control prescribe that standards and methods concerning financial management and control are developed and harmonised by the Ministry of Finance and guidance is provided to the public administrations.

In this context, within the scope of its monitoring function, the CHU:

- Monitors whether internal control standards are complied with
- Monitors the operation of the systems by receiving information and reports from the administrations regarding internal control and ex-ante financial control arrangements and practices
- Carries out researches on the national and international good practices and conducts studies for their implementation

CHU annually assesses the operation of internal control system within the public sector based on the Internal Control System Evaluation Reports submitted upon the approval by the heads of public administrations and, where necessary, carries out on-the-spot monitoring on the issues included in the reports of the administrations.

[4] This part consists of general information on the guidance provided by the CHU; detailed information can be found on the CHU Handbook

5 Assessment and Reporting Role of SDUs

Assessing internal control periodically and identifying and applying necessary actions are crucially important to ensure the efficiency of the system. In this context, each organisation needs to assess its internal control system. Assessment of internal control system means analysing, on the basis of the internal control components, whether the system makes the expected contribution to the achievement of the aims and objectives of an administration, identifying the aspects open to improvement and taking corrective actions.

Public Internal Control Standards suggest that the internal control systems in the public administrations must be assessed at least annually, using ongoing monitoring or separate evaluations. In the assessment of the internal control system, participation of all units is required; internal and external audit reports, requests and complaints from individuals and/or organisations and the opinions of unit directors must be considered; and the assessment process must be methodological.

5.1 Assessment of Internal Control System by SDUs

Assessment of Internal Control System by SDUs is carried out fundamentally by means of the Internal Control System Question Form. Other tools such as checklists and questionnaires can also be benefited from during the evaluation process. Furthermore, the opinions of the managers and requests and complaints from organisations and/or individuals are taken into consideration in the evaluations. Evaluations are carried out at least annually. Quarterly or semi-annual evaluations can be carried out as well.

Coordination of the assessment, conveyance of the questionnaires to the relevant units and consolidation of the responses are tasks of Internal Control sub-units in the SDUs.

The staff to be assigned from the SDU must be determined to support the process of filling the questionnaires, and the evaluation process must be planned. In the plan, a representative must be appointed for each unit and, where the number of staff is insufficient, at least one person must be assigned as responsible, and this must be communicated to the relevant units. This responsible person must provide guidance to the units in filling the questionnaires.

Spending units are obliged to respond to the questions on Risk Assessment, Control Activities and Information and Communication. Responding to the questions in the Control Environment and Monitoring parts is at the discretion of spending units.

SDUs must complete the sections on control environment and monitoring in the internal control question forms, which they will fill in as spending units.

The following steps should be followed while evaluating the internal control system:

- Primarily, unit managers should organise an opening meeting for the representatives from the SDUs. In this meeting, guidance should be provided for responding to the questionnaires and the deadline for completing the questionnaire should be announced.
- The time table for the questionnaire, the SDU representative and their contact details should be communicated to the unit manager along with the questionnaire itself. The units must be given a reasonable amount of time to complete the questionnaire, which should be not less than one week.
- The questionnaire should be completed with the participation of sub-unit managers and staff under the coordination of the unit manager.
- Completing the questionnaire, spending units should bear in mind that this is a kind of self assessment; therefore, by means of the answers they give to the questions, they essentially assess their own units. Within this framework, while completing the questionnaire, they should make an in-depth assessment about functioning of internal control in their own units.
- Where necessary, support should be received from the SDU representatives.
- When the questionnaire is received by the SDU representative, each question should be checked and any misunderstanding should be corrected during this process. To this end, the SDU representative is entitled to get in touch with the unit manager regarding responses to the questionnaire.
- Internal audit units/internal auditors can be asked for support and recommendation when there is a need for checking the accuracy of information in the questionnaire.
- Following the submittal of all questionnaires, the SDUs should consolidate the questionnaires and prepare the evaluation report, resorting to the questionnaires primarily and also the following sources of information:
  - Action plans produced on the basis of internal and external audit reports
  - Information on budget and ex-ante financial control, and
  - Other sources of information (opinions of the managers, requests or complaints by individuals and/or administrations)
- Given that the evaluation report will be produced using the above mentioned information sources (questionnaire, internal and external audit reports, budget, ex-ante financial control information, etc.), it should be kept in mind that this process would take time.

While assessing the results of the questionnaire, the points should be added up and converted to a percentage for each section. For example, the total number of points that can be scored for the Control Environment section is 44. If the Unit's score was 22 out of 44, the percentage result is 50%. The percentage scores should be recorded for each section, together with a percentage score for the whole questionnaire (using the total possible points of 116).

The percentage scores should be interpreted as follows, separately for each category and also for the overall percentage score.

M Table 1 – Interpretation of the Results of the Internal Control Question Form

| % score | Interpretation |
|---|---|
| 0-25 | Evidence of some awareness and understanding, but still in the early stages of internal control development. Direct action needed by SDU to provide guidance. |
| 25-50 | Evidence of implementation that is planned and in progress. Action needed by SDU to provide further guidance. |
| 50-75 | Evidence of implementation in some key areas. Further guidance may be required by the SDU. |
| 75-95 | Evidence that implementation of internal control is embedded and a good capability is established. SDU may wish to identify the best areas as examples of best practice and inform CHU. |
| 95-100 | Evidence of mature internal control system with excellent capability established. CHU will wish to use as example of best practice. |

5.2 Reporting of Internal Control System Evaluation Results

The SDU prepares a report regarding the activities carried out for establishing and developing internal control system and evaluation on functioning, effectiveness and efficiency of the system. It will be appropriate to use the 'Internal Control System Evaluation Report' template contained in Annex 2 in making the assessment results into a report.

In the preparation of the aforementioned report, the "Internal Control System Questionnaire" is an important basis. The report should include, alongside information on the operation of the internal control system, the steps taken for strengthening it. Furthermore, the areas where no or insufficient controls exist, where they do not work properly or where the controls are excessive, and the plans and tables produced to address the problems identified, should also be covered in the report.

The report produced is reviewed by the ICRSB, if there is one in the administration. If not, it is reviewed by a board consisting of authorising officers or their assistants assigned by them, chaired by an authorising officer or a Deputy of the Senior Manager. After any shortcomings are eliminated, the board submits it to the Senior Manager for approval.

The annual evaluation report approved by the Senior Manager must be sent to the CHU by the SDU until the end of the following March.

5.3 Monitoring of Internal Control System Evaluation Reports

The measures and actions to be taken and the arrangements to be made regarding the aspects identified in the Internal Control System Evaluation Report as requiring development must be set out within the framework of managerial responsibility. In certain areas, in order to eliminate the gaps, the unit managers will have to take actions. Furthermore, if there are horizontal problems on which most of the units are identified to score low, actions for improvement should be initiated by the Senior Manager.

The measures and actions to be taken and arrangements to be made must be implemented in the context of an action plan in a designated period of time. SDUs must monitor the implementation results of the aforementioned measures, actions and arrangements at least semi-annually and inform the Senior Manager about the implementation results.


5.4 Work to be carried out by SDUs concerning Internal Audit Reports

In accordance with Article 64 of Law No 5018, reports submitted by internal auditors to the Senior Manager shall be sent to the concerned unit and SDU, following the assessment by the Senior Manager, for taking necessary action. It will be appropriate for SDUs to assess the report sent by the Senior Manager in light of the following questions.

M Table 2 – Evaluation of the Internal Audit Reports by the SDUs

Question 1: What information is available in the report about the effectiveness of internal control system? For example, what information does internal audit report include on risk management?

Question 2: Are there any problems according to internal audit report?

Question 3: What are the problems in question?

Question 4: What are the works to be carried out by spending units for fixing these problems? It is possible that SDUs provide spending units with guidance on actions to be taken.

Question 5: What are the works to be carried out by SDU for fixing these problems? Taking these problems into consideration, SDU identifies measures to be taken in Internal Control System Evaluation Report to be submitted to senior management. Identifying the training need within the framework of shortcomings related to internal control system, SDU can demand that new training programs be developed or available program be revised.

Question 6: Has SDU done what is necessary for fixing these problems? It should be found out whether SDU has done necessary works (delivering trainings/giving recommendations) for fixing the problems.


6 Internal and External Audits

In accordance with the Law No 5018, the audit of our financial management and control system is divided into two categories: internal audit and external audit. Internal audit is carried out by the internal auditors working in the administration within the scope of the general government, with the exception of regulatory and supervisory institutions. External audit of the administrations under the general government, on the other hand, is carried out by the Turkish Court of Accounts.

6.1 Internal Audit

Articles 63-67 of Law No 5018 set out the overall scope of the internal audit system, and the professional framework has been established with the secondary and tertiary legislation.

Activities and transactions of all the units of public administrations, including those abroad and in the countryside, have been undergoing internal audit in line with audit standards, within the scope of risk based audit plans and programmes, using a systematic, consistent and well-disciplined approach.

The most distinctive difference between the current inspection boards and the internal audit designed by the aforementioned Law is that internal auditors have a limited authority, which merely enables them to notify the most senior person in the administration when they find out cases requiring investigation during the course of or following the audit. However, inspectors have the authority to initiate investigations and directly submit reports containing findings of the investigations to legal authorities.

6.1.1 Definition and Aim of Internal Audit

Internal audit is defined in Article 63 of Law No. 5018 as follows:

Box 2 – Article 63 of Law No. 5018

“Internal audit is an activity of providing independent and objective assurance and consultancy, performed in order to improve and add value to the activities of the public administrations by evaluating whether the resources are managed in conformity with the principles of economy, effectiveness and efficiency, and by providing guidance. Such activities are performed with a systematic, regular and disciplined approach and in accordance with generally accepted standards, aiming to evaluate and improve the efficiency of risk management and of management and control processes on the management and control structures and financial transactions of administrations.”

In the above definition, “objective assurance” refers to providing sufficient assurance within and outside the organisation that an efficient internal control system exists in the organisation; its risk management, internal control system and business processes operate efficiently; the information produced is accurate and complete; the assets are safeguarded; and the activities are carried out in an efficient, economic and productive manner in line with the legislation.

Alongside the objective assurance it ensures, internal audit provides independent and impartial consultancy to assist the administrations in developing their risk management, control and management processes. Consultancy covers providing recommendations to evaluate and improve the activities and business processes of the administration, aimed at the achievement of its objectives in a systematic and regular manner.

Internal auditors get involved neither in the arrangement or implementation of internal control systems nor in the selection of control actions.


6.1.2 Monitoring within the scope of Internal Audit

Internal auditors submit their reports directly to the Senior Manager of public administration. Following the evaluation of the Senior Manager, these reports shall be given to the concerned units and SDU for taking necessary action. Internal audit reports and the actions taken about them shall be sent by the head of public administration, within two months at the latest, to the Internal Audit Coordination Board.

Audit results are monitored within the framework of the Public Internal Control Reporting Standards, which have been published by the Board. The corrective actions and advice recommended by the internal auditor following the internal audit activity shall be completed by the auditee within the time period indicated in the relevant report. Senior Manager shall follow up whether the measures stated in the report have been taken or not. Senior Manager can fulfil this duty through internal audit units (through internal auditors in administrations where there is no unit). Internal audit units (internal auditors in administrations where there is no unit) prepare a follow-up system to monitor the implementation of internal reports.

Unit directors take the necessary actions regarding the recommendations included in the audit report about the audited activities. In the event that no action could be taken, head of internal audit unit informs the Senior Manager.

If the recommendation or corrective measure to be taken will take a certain period of time, this shall be stated in the response to the audit report, and the relevant unit shall communicate the developments to the internal audit unit in six-month periods at least.

Actions taken by the audited units upon the report, or the justifications for not taking actions, are sent to the internal audit unit to be submitted to the internal auditor.

6.2 External Audit

Another means that contributes to accountability is external audit. In this context, external audit has an important role in fulfilment of the legislative body’s budget right and effective, efficient and economic use of public resources. The Turkish Court of Accounts carries out the audit of the financial activities and transactions of public administrations in the name of the legislative body.

6.2.1 Aim of External Audit

The purpose of the ex post external audit to be performed by the Court of Accounts is to audit, within the framework of the accountability of public administrations within the scope of general government, the financial activities, decisions and transactions of management in terms of their compliance with the laws, institutional purposes, targets and plans, and to report their results to the Turkish Grand National Assembly.

6.2.2 Scope of External Audit

External audit is divided into two categories, namely regularity audit and performance audit.

Regularity audit is carried out by means of the following:

• Detecting whether revenues, expenditures and goods of public administrations and related accounts and proceedings are in compliance with the laws and the other legal regulations;

• Giving opinions about their accuracy and reliability after assessing financial reports and statements of public administrations and all those documents produced in relation to these reports and statements;

• Assessing financial management and internal control system.

Performance audit, on the other hand, is an act of measuring activity results in light of the objectives and indicators identified by administrations within the framework of accountability.

6.2.3 Functioning of External Audit

External audit makes use of the accounts and other relevant documents of the public administration. Where the TCA needs them, reports by the internal auditors can also be requested. Reports produced upon the audits are consolidated by the administrations and submitted to the Senior Manager to be responded to; finally, the external audit overall evaluation report, produced considering the external audit reports and the responses to them, is submitted to the Turkish Grand National Assembly. It is possible to make external audit results into administration-based or topic-based reports and submit them to the TGNA as individual reports.

6.2.4 Coordination between External Audit and Internal Audit

Ensuring coordination and cooperation based upon communication, common understanding and trust between external audit and internal audit assumes importance in increasing the efficiency of both external audit and internal audit. Furthermore, such coordination and communication will ensure effective use of audit resources by preventing unnecessary repetitions of audit.

In accordance with Law No. 5018, the Court of Accounts can make use of internal audit reports within the framework of such coordination and communication. Moreover, it is expressed in internal audit standards that the head of internal audit unit shall share available information with the other internal and external auditors and conduct his activities in coordination with these people.

7 Internal Control Assurance Declarations

The new financial management and control understanding brings forward the concepts of financial transparency and accountability. Briefing the public and judicial organ on activities of a public administration which are carried out in order to attain the objectives and aims, and on their results, is one of the most important requirements of managerial accountability.

This way it is ensured that those carrying out public services feel more responsible and work outcome-oriented, that beneficiaries of the public services are informed on how the taxes they pay are used and on the performance of public administrations, and it is encouraged that public audit is strengthened as well as legislative audit. To this effect, in the new financial management and control system it is provisioned that authorising officers⁵ prepare unit activity report, Ministry of Internal Affairs prepare Assessment Report regarding the activities of local administrations, Ministry of Finance prepare Overall Activity Report, and it is ensured that the Court of Accounts inform Turkish Grand National Assembly with its own assessments.

In order to deliver the concepts of financial transparency and accountability, the actors of the system, Senior Managers and authorising officers allocated with appropriations from the budget, have been commissioned to prepare internal control assurance declarations and attach these declarations to the activity reports of the administrations and those of the units.⁶

Within this framework, those who need to give internal control assurance declaration and the type of declaration they will give are demonstrated in the following scheme:

Table 3: Types of Internal Control Assurance Declarations

| THOSE WHO WILL GIVE INTERNAL CONTROL ASSURANCE DECLARATION | TYPE OF INTERNAL CONTROL ASSURANCE DECLARATION |
|---|---|
| SENIOR MANAGER | INTERNAL CONTROL ASSURANCE DECLARATION (SENIOR MANAGER) (ANNEX-3A) |
| AUTHORISING OFFICERS | INTERNAL CONTROL ASSURANCE DECLARATION (AUTHORISING OFFICER) (ANNEX-3B) |
| HEAD OF SDU | DECLARATION OF THE HEAD OF SDU (ANNEX-3C) |

5 Unit activity report and internal control assurance declaration are prepared by those authorising officers to whom an appropriation is allocated in the budget.

6 Art. 8 of Principles and Procedures regarding Internal Control and Ex-ante Financial Control; Art. 19 of By-law on the Preparation of the Activity Reports of Public Administrations, Annex 2, 3, 4.


On the other hand, every authority signing the internal control assurance declaration should be sure that the assurance he gave is supported by evaluation reports issued by the SDU, internal and external audit reports, other external assessments and similar sound evidence. Furthermore, while filling the internal control assurance declaration of his administration, the Senior Manager should assess the Assurance Declarations of authorising officers and Head of SDU, and should state in the Internal Control Assurance Declaration that the reasonable assurance these declarations gave to him formed an important basis for his own declaration.

7.1 How to complete Internal Control Assurance Declarations

Guidance on the internal control assurance declarations to be completed by the Senior Manager (Annex 3A), Authorising Officer (Annex 3B) and the Head of SDU (Annex 3C) is as follows.

7.1.1 Guidance on Internal Control Assurance Declarations for Senior Manager and Authorising Officer

Internal Control Assurance Declaration (ICAD) is comprised of four main parts, namely Responsibility, Basis of Internal Control System and Assurance Declaration, Risk Management, and Assessment of Internal Control System (Annex 3A and Annex 3B).

In completing the two Annexes 3A and 3B, Senior Managers and Authorising Officers should observe the standard templates and complete the relevant boxes. Each box has a cross reference to where more information can be found in the main body of this chapter.

7.1.1.1 Responsibility

The Senior Manager is responsible for establishing, operating and monitoring an effective financial management and control system which will contribute to the realization of the objectives and aims of his administration. Within this framework, he is obliged to take necessary measures in order to ensure that regulations regarding internal control system are adopted by employees and that internal control standards are observed. Authorising officer is responsible for compliance of spending orders with the budget principles, laws, legislations, by-laws and regulations, as well as for economical and efficient usage of subsidies and functioning of the internal control within the framework of his duties and authorities.

As the paragraph of ICAD regarding responsibilities is regulated within this framework, name of the relevant administration should be written only in the part written as [administration]; other than this, no change should be made on the text.

7.1.1.2 Basis of Internal Control System and Assurance Declaration

Aim of the internal control system is to ensure the following in order to give a reasonable assurance on realization of the strategic objectives of administration:

• Effective, efficient and economical management of public revenues, expenditures, assets and obligations;

• Public administrations carrying out their activities in line with the law and the other applicable regulations;

• Prevention of corruption and irregularity in every kind of financial decision and operation;

• Gaining regular, timely and reliable information and reports to make decisions and to monitor; and

• Prevention of abuse and waste of assets and protection against losses.

However, internal control system will not give absolute assurance to administration for realization of aims mentioned above, even in the case that it is designed and operated very well, because some factors outside the influence and control of administration can affect the capacity of administration to attain its objectives. Therefore, we need to admit that internal control system gives reasonable, not absolute, assurance to management for realization of objectives.

The cost of internal control should not exceed the obtained benefit. The management has to take into consideration the control costs and its benefits while making decisions on regulation of responses to risks and control activities. Authorising officer, in the same manner, has to take into consideration these factors while identifying and assessing the risks related to his unit.

On the other hand, while identifying weaknesses in internal control system, correcting the faults and contributing to the development of the system, Senior Manager/authorising officer receives support from internal and external assessments made within the framework of management information systems, evaluation reports issued by the SDU, internal and external audit reports, and internal and external assessments. Therefore, it will be appropriate that such support provided within this line be explained in ICAD by Senior Manager/authorising officer.

7.1.1.3 Management Information Systems

Managers need financial and non-financial information in order to detect whether the administration has attained its objectives and aims or not, and whether accountability function has been fulfilled or not, for an effective, economical and efficient usage of resources. Therefore, best fulfilment of such requirements and timely and accurate decisions are possible if there is proper, accurate, timely and accessible information.

Therefore, management information system in the administration should be designed in a way to produce the necessary information and reports needed by the management and to give the opportunity to make analysis.

Senior manager/authorising officer should briefly touch upon in ICAD the management information system that is available in administration/unit and explain what kind of contributions this system makes to functioning of internal control system.

7.1.1.4 Internal Audit

Responsibility for establishing an adequate and effective internal control system rests with Senior Manager. By giving information to the management on effectiveness, adequacy and functioning of internal control system, and by making assessments and recommendations, internal audit takes an important part in helping senior management fulfil this responsibility.

Within this framework, during the audits carried out by internal auditors, the following are realized:

• It is detected whether internal control system functions in a sound manner; and

• Success of internal control system in compliance to the legislation and relevant regulations, in the accuracy of accounts and operations, and in the reliability of financial system tables, in providing an effective, economical and efficient execution of activities, programs and projects of the administration is determined.

Senior Manager, on the other hand, assesses the factors which are envisaged to be corrected and improved in internal audit reports and takes necessary measures.

First of all, Senior Manager should state in ICAD whether his administration has an internal audit unit or not. Internal audit unit, if any, should give a brief summary of what measures they take regarding the adequacy, effectiveness and functioning of internal control system in line with the recommendations and assessments of internal auditors in this part of the declaration.

The Senior Manager can make explanations in ICAD on how action plans that have been prepared by the audited units, regarding the measures to be taken by the administration as a result of internal audits, are monitored; he can also touch upon the support provided by internal audit unit, if provided, regarding the monitoring activity in question.

Authorising officer, on the other hand, can make explanations in ICAD on action plans prepared on the measures needed to be taken by his unit as a result of internal audit, and on their implementation.

7.1.1.5 External Audit

Senior Manager/authorising officer should include in Internal Control Assurance Declaration a summary of the relevant findings and assessments, if the Court of Accounts has conducted an external audit, as well as of the operations carried out by the administration in response to these findings and assessments.

If an operation in relation to external audit reports of the previous years has been carried out within the year, the summary of such operation should be contained in this part of the declaration.

7.1.1.6 Strategic Development Unit (SDU)

SDU carries out studies in such fields as establishing internal control system, implementing and developing the standards, and submits the study results to Senior Manager.

Although standard and method setting duty in financial management and internal control processes is assigned to the Ministry of Finance, every kind of method, process and standard regarding special operations which are considered to be necessary are prepared and submitted for the approval of Senior Manager by the SDU, provided that they are not opposed to Law No. 5018 and the standards set by Ministry of Finance. Authorising Officers base their activities on the relevant regulation along with the legislation.

Furthermore, SDU prepares an annual Internal Control Evaluation Report on functioning of internal control system and submits it to senior manager. Therefore, the Senior Manager should mention in ICAD these regulations and Internal Control Evaluation Reports regarding financial management and control system, prepared by SDU and enforced following his approval.

Within this framework, authorising officer should touch upon in ICAD the guidance provided by SDU for a sound functioning of internal control system in the unit.

7.1.1.7 Risk Management

Administrations introduce their missions and visions, as well as their objectives, aims and basic policies, in their strategic plans. Besides preparing their strategic plans, administrations analyse their institutional strengths, weaknesses, threats and opportunities.

With the help of such techniques as SWOT and PESTLE analyses, administrations have the chance to identify, define and assess the risks they can come across in carrying out their activities. Generally, risk is an uncertain event that may occur and its unfavourable outcomes and impacts. Risk is generally considered to be the threats which prevent the realization of aims and objectives; however, well managed risks pave the way to benefit from probable opportunities.

The two most important components of administrative risks are probability and impact. Therefore, while addressing risks, both the probability to occur and the impact it may create if it occurs are handled. The most important feature of the risk concept is that it is inevitable. Therefore, administration should prefer managing risks instead of overlooking them and referring to crisis management in case they occur. It should be emphasized that, as time and resources to manage risks are limited and it is impossible to eliminate risks, necessary control activities are conducted to keep risks at a tolerable level.

Risk perception, risk awareness and risk appetite can be different according to the organisational structure, human resources and activities of an administration. Therefore, Senior Manager should include in ICAD the following elements, relating them to the activities and functioning of administration (Authorising Officers should take into consideration only the parts included in their own ICADs).

7.1.1.8 Risk perception of administration

• Leadership that Senior Manager has in risk management process;

• How the risk awareness is raised among the staff and how the staff is encouraged for practicing risk management;

• Administrative risk appetite and how it is perceived by the staff;

• Whether there is a common agreed risk perception among the staff

should be summarized.

7.1.1.9 Capacity to cope with risks

For an effective risk management:

• How a training is provided and awareness is raised among the staff;

• How the staff is guided in addressing relevant risks in relation to their duties and responsibilities, and how and when they will consult with senior management in the field of risk management;

• How risk management is internalized within the framework of overall activities of administration/unit

should be explained.

7.1.1.10 Risk identification and assessment

What affects the activities of an administration is not merely financial risks. In relation to the activities of an administration/unit, such risks as follows can also be encountered:

• Risks with outer sources, such as political, economical, social, cultural, technological, environmental, legal and ethical risks;

• Risks with inner sources, such as assets, infrastructure, labour force and organisational structure.

Assessing the risks with outer sources can be handled within the strategic risks of an administration. Spending units should give more attention to the operational and functional risks related to their own fields of activity. Various risk categories in relation to the activities of administration, and how such risks are assessed, should be briefly explained in ICAD (for example, whether risks have such definitions as risks to be eliminated, to be transferred, to be managed, to be tolerated, or not).

7.1.1.11 Addressing, controlling, monitoring and reporting risks

Responses to be given to identified risks and the method to address risks should be briefly explained. It should be emphasized whether risk register, report on risk status, consolidated risk report and similar methodologies are functional in the administration or not.

Identifying control environment by defining the following, and reporting after an effective monitoring, will strengthen the effectiveness of internal control:

• Impact;

• Probability;

• Responses to be given, measures to be taken;

• Ownership; and

• Type and frequency of reporting.

Taking into consideration that ICAD is a declaration, made within the framework of accountability, that internal control system of administration gives a reasonable assurance supported with evidence, a summary should be made within the above mentioned explanations regarding risk perception and risk management.

7.1.1.12 Assessment of Internal Control System

While preparing ICAD, an assessment related to the effectiveness of internal control system in the activity period should be included. It is quite useful to touch upon especially the specific high-risk areas and positive and negative developments regarding internal system in these areas. As such areas in question can vary according to the organisational structures and activities, it is appropriate to make the assessment according to the following headings:

• Human resources: differences regarding the key personnel of administration/unit, differences regarding the qualities that activities necessitate, wage policy, working conditions, developments regarding underemployment/over-employment;

• Physical infrastructure and assets: developments which can influence the fundamental activities of administration/unit in physical infrastructure and all the assets of administration/unit;

• Information and communication infrastructure: information infrastructure, software and hardware park that administration/unit uses, important developments regarding information systems, new or updated information systems;

• Data security: assessment of the effectiveness of controls regarding the security of strategic information of administration/unit which has confidentiality;

• New structures and changing fields of activity: how structures that emerged in administration/unit as a result of changes occurred in the foundation law of administration, or new duty and activity division among administrations, reflect in the internal control system;

• Problems encountered in main fields of activity or examples of good practice: Senior Manager/authorising officer should include in assurance declaration the problems which are experienced because of inner and outer factors and rooted in the weaknesses of internal control system. Besides, measures to be taken in order to overcome such problems should be summarized in the declaration. Likewise, threats eliminated with the help of an effective internal control system should be touched upon within the scope of ‘good practices’;

• Developments regarding weaknesses stated in previous years: Senior Manager/authorising officer should include in this part the measures taken and improvements experienced regarding the weaknesses and problems contained in the assurance declarations of previous years; and

• Other developments: Senior Manager/authorising officer should include in this part important developments, if any, which are not within the scope of the above mentioned headings.

Senior Manager/authorising officer may not feel comfortable touching upon the weaknesses and problems listed above in ICAD. However, it is clear that no assurance declaration which does not mention any threat, problem and weakness will be convincing and meet the requirements of transparency and accountability principles. What is important is to emphasize that controls are developed and internal control system is strengthened for the identified problems and weaknesses.

Proceedings which are not found to be appropriate following ex-ante financial control: authorising officer should include in this part the proceedings performed which are found to be inappropriate by financial services, if any. Supporting opinion, report and evidence of authorising officer despite the negative opinion should be summarized to contribute to accountability.⁷ If there is not such a proceeding as mentioned above, then the expression “there is not such a proceeding I performed that is not found to be appropriate by SDU” should be available in the assurance declaration.

On the other hand, Senior Manager should state, while filling Internal Control Assurance Declaration, that he evaluated the Assurance Declarations of Authorising Officers and the head of SDU, and that reasonable assurance provided by these declarations formed an important basis for his own declaration.

In case that Senior Manager received support from support and consultation boards/Boards established officially and unofficially (ad hoc), such support should be explained in ICAD. It is possible that these boards/Boards prepare reports regarding the assessment of internal control system, emphasizing risk strategy and risk management, to be submitted to Senior Manager. In the case that a similar support/consultation unit to those which are called Consultation Board, Audit Board, Risk Board or Steering Board, and show differences among countries/administrations in terms of composition and working style, is established, the support received from such a Board should be summarized, which will strengthen the assurance that declaration provides.

7.1.2 Guidance for Internal Control Assurance Declaration of Head of SDU

7 Regulation on Principles and Procedures regarding Internal Control and Ex-Ante Financial Control – Article 28: Financial services unit keeps a record of transactions carried out by the authorising officers despite the fact that ex-ante financial control declared them inappropriate, and these records are submitted to the Senior Manager monthly. The said records are also provided to auditors during internal and external audit.

The Declaration by the Head of SDU (DHSDU) is a very important element which lays the groundwork for the assurance that the Senior Manager needs to provide regarding the internal control system in their administration (ANNEX 3C).

In completing Annex 3C, Heads of SDU should observe the standard templates and complete the relevant boxes. Each box has a cross reference to where more information can be found in the main body of this chapter.

Head of SDU is responsible to ensure that the internal control system is implemented and monitored, and that their opinions and recommendations are reported to the Senior Manager to take the necessary actions in time, in order to ensure that the activities in the administration are carried out in accordance with the financial management and control legislation and other legislation, and public resources are utilised in an efficient, effective and economic manner.

As the Field of Competence part of the DHSDU is based on this framework, this part should not be changed either, except for writing the name of the administration in the brackets (administration).

Furthermore, if the declaration is supported by the explanations under the following headings, it will be the basis for the reasonable assurance that the Senior Manager has to provide to the public opinion.

7.1.2.1 Management Information Systems

For the Head of SDU, financial and non-financial information is needed to identify whether the aims and objectives of the administration are reached, resources are used effectively and economically, and accountability purposes are met. Meeting these requirements and ensuring timely and right decision making by the administration’s management is only possible with the existence of proper, accurate, timely, up-to-date and accessible information.

Therefore, the management information system within the administration must be designed in a manner to produce the information and reports needed by the management and provide them with the chance to make analysis.

The Head of SDU, in the declaration, should include the explanations that the activities in the administration have been carried out in compliance with the legislation and in line with the budgets prepared according to the strategic plan and annual performance programmes, and provide supportive evidence. They should explain the contribution made by the management information systems utilised in the administration to the legality of the activities.

7.1.2.2 Development of Internal Control System

SDUs are responsible for the establishment of internal control systems in the administrations and carry out studies regarding the implementation and development of the standards. Head of SDU should mention the studies carried out to ensure that the internal control system of the administration is harmonised with the Public Internal Control standards, and briefly describe the process for the design of job descriptions, formation of business processes, and preparation and implementation of action plans in this part of the declaration.

7.1.2.3 Monitoring and Review

Head of SDU should include the supportive evidence regarding the ex-ante financial control activities carried out in line with the legislation and approval from the Senior Manager, and the monitoring of the due process control. In addition, it should be suggested that the transactions carried out by the authorising officers despite the negative opinion upon ex-ante financial control are recorded and submitted to the Senior Manager on a monthly basis for information purposes.

On the other hand, it should be stated that financial decisions and transactions to be subject to the ex-ante financial control by the SDU are grouped according to their type, cost and subject, considering the risky areas, and reviewed at least once a year.

Among the duties of SDU are establishing performance and quality criteria in issues within the duty field of administration; collecting, analysing and interpreting the data and information on management of administration, improvement of the services and performance in issues within the duty field of the administration; analysing the external factors which will affect services; conducting capacity research within the institution; analysing the effectiveness of the services and level of satisfaction by these services; and doing a general research in that sense.

In this context, the Head of SDU should include the studies carried out to increase the quality of the services provided by the administration, and studies for analysing the external factors which will affect services, the capacity research within the institution to analyse the effectiveness of the services, and the conclusions of these evaluations in the declaration.

In this part of the declaration, Head of SDU should provide explanations about the arrangements prepared by their unit and put into effect upon the approval from the Senior Manager.

Finally, the studies regarding the establishment of the internal control system in the administration, implementation and development of the standards, and the process where the financial management and control system of the organisation is reviewed on an annual basis and reported to the Senior Manager should be described.

7124 Briefing and Advising

Providing necessary information and consultancy to the Senior Manager and Authorising Officers regarding the implementation of financial laws and other related legislation is also among the duties of SDUs.

In this part of the DHSDU, it should be underlined that coordination has been ensured while working with the spending units regarding the establishment of internal control system and the implementation and development of the standards. A brief explanation that information and consultancy to the Senior Manager and Authorising Officers has been provided regarding the implementation of financial laws and other related legislation should be included.

7125 Financial Information

The Heads of SDU should themselves be convinced that the information included in the section IIIA-Financial Information of the Activity Report is reliable, complete and accurate, depending on the supportive evidence.

MONITORING ANNEXES

Annex 1 Internal Control System Question Form

INTERNAL CONTROL SYSTEM QUESTION FORM

This questionnaire is designed for the public administrations to see whether the internal control system complies with the internal control standards. Furthermore, it will provide the opportunity to identify to what extent the internal control system facilitates the achievement of risks considering the changing conditions, resources and risks. It is of crucial importance that those responding to this questionnaire give factual answers to the questions, as the questionnaire will be used to identify the level of advancement of the internal control system in the administration.

Heads of units are responsible for making an in-depth assessment about the functioning of internal control in their respective units and completing the internal control questionnaire. Within this framework, the questionnaires completed by heads of units under the guidance of SDUs are sent back to SDUs to be consolidated and formed into an overall evaluation report for the entire administration. SDUs submit the report produced using these questionnaires to the CHU following the approval by the Senior Manager.

Completing the questionnaire

This questionnaire is made up of five parts, each of which is based on the components of Internal Control:

- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication and
- Monitoring

Each part includes questions regarding functioning of internal control system in the context of the aforementioned components. Care should be taken that responses to the questionnaire are consistent with the administration action plans produced to achieve compliance with the Public Internal Control Standards.

Spending units are obliged to respond to the questions about Risk Assessment, Control Activities, and Information and Communication. Responding to the questions about Control Environment and Monitoring is at the spending unit's discretion.

The response part is made up of three options: YES, NO and IN DEVELOPMENT. There is also a fourth column titled EXPLANATION. YES means that the issues included in the question are properly understood and implemented within the administration/unit. NO means that the issues included in the question are not understood or implemented within the unit/overall administration. IN DEVELOPMENT means that the issues included in the question are partially understood or implemented in the unit/some divisions of the administration. In the explanations part, evidence and recommendations should be written, if any. Guidance is given following the questions with a view to helping better understand the questions.

The questionnaire will be evaluated by means of scores assigned to answers to each question. The answer "Yes" will correspond to score "2", while the answer "In Development" to score "1" and the answer "No" to score "0". For each chapter of the questionnaire there will be a total score calculated. Besides, there will be a total score for the whole questionnaire.

If answer "No" is given in response to a question, steps should be taken to improve the relevant areas by Head of Unit/Senior Manager.

If answer "In Development" is given in response to a question, head of unit/Senior Manager should assess what can be done to achieve progress in the relevant area.

If answer "Yes" is given in response to a question, then it means that there is no factor in that area which needs improvement.

Taking into consideration that this questionnaire is a kind of self-assessment and internal control system is a new practice for administrations, please give realistic and reliable answers.

In the event that you have some hesitations in completing the questionnaire, please refer to the SDU.

No | Questions | Yes [8] | No | In Development [9] | Explanation

Points: Yes 2, No 0, In Development 1

1. Are the public internal control standards well known in your administration?

It will be convenient to deliver trainings and hold meetings with a view to raising awareness in this subject.

CONTROL ENVIRONMENT

CONTROL ENVIRONMENT: Control environment provides a general framework that is the basis for the other components of the internal control system, and it is a concept used to describe the setting out of the goals and objectives of the administration, their communication to the staff and creation of a due organisational structure and culture. Personal and professional integrity, ethical values of the employees and the management, supportive attitude towards internal control, written procedures and the practices for human resources management, organisational structure, management philosophy and the operating style have great influence on the control environment.

2. Are there mechanisms in your administration that ensure familiarization of all employees with the code of ethics?

For example, are trainings provided or meetings organised to adapt the public code of ethics to your administration and to adopt them; are leaflets produced in this regard?

3. Are there any codes of conduct/ethics available in addition to public codes of ethics produced for your administration?

4. Has any standard been developed in your administration in terms of duration and method for services directly delivered to citizens?

[8] If the response is "Yes", evidence (details of the activities carried out, etc.) must be provided in the "Explanations" column.

[9] If the response is "In Development", necessary information (details of the activities carried out, etc.) must be provided in the "Explanations" column.

5. Is it ensured that authorised bodies and staff have access to outputs related to all the works and transactions?

6. Are there mechanisms available in your administration for staff and the other people who are delivered service by the administration to submit their recommendations, assessments and questions (questionnaires, face-to-face meetings, group meetings, electronic applications, etc.)?

It is recommended that questionnaires to be developed be based upon the principle of confidentiality.

7. Is your administration's mission written down and announced?

Mission can be announced to the staff via bulletin boards, intranet or e-mail. Production of a strategic plan indicates that the mission has been set out.

8. Are there any directives, circulars or approvals in your administration regarding job descriptions of units, sub-units and staff?

Job descriptions for the units and sub-units as well as for staff must be written down and announced in order to ensure that your administration's mission is being carried out.

If the response is "No", when this is going to be done must be stated.

9. Does the organisational chart of your administration demonstrate key areas of authority and responsibility, reporting lines which are appropriate to accountability, and coordination and integration points?

If the response is "Yes", roles and responsibilities regarding each objective must be set out clearly. Organisational chart for units must be produced.

10. Have procedures regarding sensitive tasks been set out in your administration?

It is recommended that procedures in question be defined in writing and announced to staff and that rotation policy regarding sensitive duties be set out.

For detailed information on sensitive duties, refer to Control Environment Chapter of the Manual.

11. Are mechanisms available in your administration to enable managers from each level to monitor the results of tasks assigned?

If the response is "Yes", these mechanisms (reports, work plans, regular meetings, automation programs, etc.) must be stated.

12. Have the competence, skill and knowledge each task entails been identified in your administration?

Answering this question, it must be assessed whether factors mentioned above are taken into consideration or not while recruiting staff.

13. Have promotion procedures been defined in writing in your administration?

Factors mentioned above must be defined taking into consideration staff performance, and these factors must be announced to staff.

14. In your administration, is there a unit responsible for trainings which identifies training needs for each task identified and ensures that training activities to satisfy the needs are planned and carried out each year?

15. Do managers of your administration share results of assessments they make on staff competence and performance with the staff?

It is recommended that the Senior Managers share the results of the assessments with the staff.

16. Is action taken to increase the performance of the staff whose performance is deemed unsatisfactory upon the performance assessment?

For example, is any action taken, such as providing private training for that person, discussing the areas where their performance is deemed unsatisfactory, or assigning them under the supervision of more experienced staff?

17. Are there rewarding mechanisms in your administration geared towards those staff who give a high performance, and are these mechanisms applied?

It is recommended that rewarding mechanisms be developed for staff who give a high performance (picking employee of the month, assignments abroad, etc.) and that these criteria be announced to all the staff.

18. Have procedures regarding human resources (staff employment, replacement, promotion, training, performance appraisal, personal rights, etc.) been documented?

If so, examples must be provided. Procedures mentioned above must also be announced to staff.

19. Are the bodies of signature and approval set out in the flowcharts?

If the response is "No", it is recommended that these business flow processes are defined, bodies of signature and approval are identified and communicated.

20. In your administration, have delegations been defined in writing?

Delegations must include the information on its scope, quantity, duration and whether the authority delegated can be delegated to another person.

Furthermore, attention should be paid to striking a balance between authority and responsibility in delegation of power.

21. Have minimum requirements (knowledge, skill and experience) been identified in your administration for staff to be delegated authority?

Please explain how you define these knowledge, skills and experience and how you ensure that the person to whom the authority is delegated has them.

22. Does the employee who receives the authority report information to the delegator on a certain basis about the utilisation of the authority?

Reporting period must be proportionate to the duration of the delegation.

TOTAL POINTS - CONTROL ENVIRONMENT

RISK ASSESSMENT

RISK ASSESSMENT: Risk assessment is the process where the risks that might prevent the achievement of the administration's objectives are defined and analysed and necessary actions are taken. In this section, the risk perception and risk handling capacity of the administration must be self-assessed using the following questions.

1. Have methodologies and responsibilities as well as reporting procedures for monitoring and assessing the performance given in achievement of objectives been identified in strategic plans?

If answer is "Yes", how monitoring and assessment processes work in practice must be explained briefly.

2. Have strategic plan and performance programs been taken into consideration in budget preparations?

The activities and projects carried out to reach the aims and objectives set out in the strategic plan, the indicators to be followed and the resource needs for these activities and projects must be shown in the performance programmes. Therefore, these strategic plans and performance programmes must be taken into consideration during the budget preparations for the administrations.

3. Do activities carried out in your administration/unit comply with the aims and objectives set out in the strategic plans and performance programmes?

Administrations must focus on the aims and objectives set out in the strategic plans and performance programmes for effective, efficient and economic use of resources.

4. While setting out the objectives of your administration and units, has it been ensured that they are SMART?

5. Have your units set out, within their area of competency, specific objectives in accordance with the objectives of the administration?

Responses to this question by the units that are unable to set out specific objectives (such as support services) must be considered during the evaluation.

Furthermore, specific objectives that have been set out must be announced to staff.

6. Does your administration have a risk strategy and policy document which is approved by the Senior Manager and accessible to all the staff?

Administration's risk strategy must be reviewed at least once every year and updated when deemed necessary.

7. Are contributions from employees received in risk management process?

Employees feeling a sense of ownership for risk management (identifying, handling, responding to, reviewing and monitoring risks) and regarding risk management as a part of their works will produce a strong corporate reflex against risks.

If answer to this question is "Yes", please explain how you ensure this contribution.

8. Is risk management, which covers identifying, assessing, responding to and reviewing risks for your objectives and aims, implemented in your administration?

While identifying the risks on the achievement of aims and objectives, a methodology and a certain process must be adopted and it must definitely be documented (risk register, risk progress report, consolidated risk report and so on).

Measures to mitigate risks taken by the administrations must be applied within the framework of action plans.

9. Are annual Internal Control Evaluation Reports prepared in your administration about how effectively risk management process works in your administration?

These reports must cover information about what has been done throughout the year to mitigate risks.

TOTAL POINTS - RISK ASSESSMENT

CONTROL ACTIVITIES

CONTROL ACTIVITIES: Control activities are the policies and procedures produced to ensure that the administration's aims and objectives are achieved and the risks identified are managed.

1. In your administration, are efficient control strategies and methods set out and practised for each activity and risk?

Defined controls must comply with the risks; different control methods must be applied for different types of risks.

Control strategies and methods must be set out and applied in the form of periodical reviews, control by sampling, comparison, approval, reporting, coordination, confirmation, analysis, authorisation, supervision, review, monitoring, periodical check and security of assets, etc.

The controls within the administration must also cover ex-ante, process and ex-post controls where necessary.

2. Is cost-effectiveness analysis made in your administration in identifying control activities?

The expected benefit and the cost of the set out control activity must be compared; controls with costs exceeding the benefits must be identified and less costly alternative controls must be selected.

3. Are there written procedures regarding your administration's activities, financial decisions and transactions?

There must be written procedures regarding your administration's activities, financial decisions and transactions. These procedures and relevant documents must cover the initiation, implementation and conclusion phases of the activity, financial decision or transaction.

Procedures and relevant documents must be up-to-date, comprehensive, in compliance with the legislation, and understandable by and accessible to the relevant staff.

4. Do managers of your administration carry out necessary controls for effective and continuous implementation of procedures?

Activities and transactions of the administration must be carried out in accordance with the regulations developed in this area. Managers must systematically check whether these regulations are complied with or not (in this regard, such control processes as initials, assent, control lists and physical counts can be defined). Within this framework, managers should monitor whether works carried out by staff are in compliance with the regulations or not. Manager instructions must be produced about how to remedy faults and irregularities detected.

5. Is the principle 'segregation of duties' practised in your administration?

The tasks of approving, implementing, recording and controlling each activity or financial decision must be carried out by different people, and that the principle of segregation of duties is complied with must be supported by written documents.

Where segregation of duties is not possible due to insufficient number of staff, the managers must be aware of the risks and take necessary precautions. In such cases, other control procedures must be established to manage the risk.

6. Are necessary measures taken against the factors that affect the continuity of operation in your administration?

Necessary measures must be taken against the factors that affect the continuity of operation, such as insufficient number of staff, temporary or permanent leaves, adoption of new information systems, changes to the methods or the legislation, and emergencies.

If the response is "Yes", efficient written procedures, trainings, guidance and planning can be provided as evidence.

7. Is the system of deputation applied efficiently in your administration?

Where necessary, deputies must be assigned in accordance with the relevant procedures. The person assigned as a deputy must have the necessary qualifications. Detailed internal arrangements must be carried out regarding the deputation procedures included in the personnel laws, and the qualification required from the deputies must be defined in detail.

8. Do the staff leaving their positions report to their successors about status of works and transactions they have conducted?

Managers must ensure that the staff leaving their positions prepare a report on the status of the task and the operations along with the necessary documents and submit it to their recently assigned successors. The report must include the list of the important tasks being carried out, the risks to be considered as priority, list of periodic tasks and so on.

9. Are there defined authorisations for data and information input and access to the information system in the administration?

Information system must only be accessible to authorised staff. To this end, regularly updated information security software must be used for access to the computer programmes. Arrangements regarding the designated level of security must be complied with while working on documents.

10. Are there sufficient back-up mechanisms and tested disaster recovery plans/action plans for the information system?

TOTAL POINTS - CONTROL ACTIVITIES

INFORMATION AND COMMUNICATION

INFORMATION AND COMMUNICATION: Information and communication includes a proper system of information, communication and registry that ensures necessary information is communicated to the person, employee or manager who needs it in a certain format and in a timely manner and that the objectives are reached, and that enables the relevant people to fulfil their internal control responsibilities.

1. In your administration, is there an efficient written, electronic or verbal internal communication system that covers both horizontal and vertical communication?

The response to this question should include the means/methods (in person, via telephone, e-mail, in writing, etc.) the staff use to communicate with each other or their managers and the consideration on whether these are appropriate and/or efficient.

In order for the employees to receive the information they need to carry out their work uninterruptedly, it must be ensured that they are in touch with managers from all levels, including top management.

2. Is there an external communication system to ensure efficient communication with external stakeholders?

This system monitors communication and checks whether the questions can be answered or not.

3. Do the present internal and external communication systems ensure that the staff or external stakeholders can communicate their expectations, recommendations and complaints?

For example, whether the Law no 4982 on Right to Information is efficiently executed within the administration and whether requests and complaints are responded to in time should be considered.

4. Is it ensured that all the information and documents regarding the activities of your administration are accurate, complete, reliable, useful and understandable?

Information systems must ensure timely access to the accurate, complete, reliable and understandable information required while carrying out the operations.

The response to this question must include a statement whether mechanisms (decision support systems, archive and document management systems, etc.) for ensuring the aforementioned principles exist.

5. Do the present information systems ensure that the objectives set by the administration are monitored and activities regarding these objectives are efficiently supervised and assessed?

Management Information System must be designed in a way that it produces the information and reports that the managers need during decision making processes and provides them with the chance to make analysis.

6. Are there reporting mechanisms with rules and standards set out in line with the monitoring of objectives, supervision of activities and accountability purposes?

The performance programmes, published financial progress reports that include the expectations and objectives, and the content of the activity reports must be in line with the requirements of the relevant legislation.

7. Is there a documentation and archiving system that complies with certain standards for the record, classification, protection of and access to the operations and transactions of the administration?

While responding to this question, Standard 15 of Public Internal Control Standards and the legislation on archiving and documentation must be considered.

8. Are there available tools to report, from inside and outside the administration, faults, irregularities and possible or ongoing problems?

Employees and outer stakeholders must be informed enough about these tools. There must be a whistle-blowing process and a procedure for protecting personnel, and they must be informed about these.

Managers must take necessary actions to prevent discrimination and ill treatment against whistle-blowers.

TOTAL POINTS - INFORMATION AND COMMUNICATION

MONITORING

MONITORING: Internal control system is a dynamic process where the administration has to continuously adapt to the risks and changes it faces. Therefore, the internal control system needs to be monitored in order to ensure that it adapts to the changing objectives, environment, resources and risks as necessary. The basis for an effective and efficient monitoring is the design and implementation of monitoring procedures that are relevant to the administration's objectives and that assess the important controls regarding meaningful risks.

When monitoring is designed and implemented properly, it provides correct and convincing information on the efficiency of the internal control system, identifies internal control failures on time and notifies the people responsible for taking action and the top management where necessary. This will ensure that the problems faced are corrected before they harm the objectives of the administration. Monitoring is carried out by the management and internal and external audit.

1. Is the internal control system monitored and assessed at least once a year?

Please explain at what intervals the internal control system in your administration is assessed and the methods used.

Internal control system must be assessed via ongoing evaluations or separate evaluations. It is recommended that these two methods are applied at the same time. (Separate evaluation of the internal control system can be carried out by setting up working groups or via questionnaires.)

2. Are processes and methods set out in your administration to identify and disclose the shortcomings of internal control and improper control methods and to take the necessary actions?

If the response is "Yes", please briefly mention the process and method adopted in your administration. It is recommended that the processes and methods are put into practice upon the approval by the Senior Manager. Please give brief information on the responsible staff notified in the event of an incomplete or improper control method, the time limit set for taking action and how these procedures are monitored. Management fulfils this responsibility via SDUs and internal auditors.

3. Are trainings, plenary sessions and meetings held which will create the atmosphere in which managers will be provided with feedback about whether internal control functions effectively or not?

4. Are the units of the administration involved in the evaluation of internal control?

If answer is "Yes", please explain how participation is ensured. It must be ensured that units take active part in the process, and the task of evaluating internal control system must not be perceived as the responsibility of only the Senior Manager, internal auditor and SDU.

5. Is there internal audit unit/internal auditor in your administration?

6. Is there efficient cooperation among internal audit unit, management and staff?

What has been done to increase the level of awareness of the manager and the staff on internal audit activities? What has been done to see the relations with the internal audit unit and the expectations? Please explain briefly.

7. While evaluating internal control, are the opinions of the managers, requests and complaints by people/organisations and the reports produced upon internal and external audit taken into consideration?

The method to adopt for the collection, assessment and reporting of the information required for the evaluation of internal control must be set out. Please refer to the staff responsible for assessing the internal and external audit findings and recommendations for the evaluation of internal control, the time limits for these assessments and the management level to which this information is communicated.

Compare the internal and external audit reports with the results of the internal control system evaluation by the SDU for consistency. In the event that any inconsistency is identified, the reasons for this must be questioned.

8. Are recommendations from internal audit and SDU about how to improve internal control taken into consideration by management?

9. Are action plan(s) where internal control evaluation results and recommendations made upon internal and external audit produced and implemented? Are they followed-up?

If the timing is appropriate, action plans can be combined. Please give brief information on the staff responsible for following-up the action plans and the method used. Furthermore, please provide information on the method used for the follow-up of internal audit reports, if there is any. With which level of management are the results of the follow-up shared and how often? Please explain.

TOTAL POINTS - MONITORING

GRAND TOTAL

Annex 2 Internal Control System Evaluation Report

................ (NAME OF ADMINISTRATION)

INTERNAL CONTROL SYSTEM EVALUATION REPORT

I INTRODUCTION

1.1 Mission

1.2 Aims and Objectives

1.3 Organisational Structure

II INTERNAL CONTROL QUESTIONNAIRE RESULTS

II.1 Consolidated Summary on strengths and aspects open to improvement regarding the entire organisation relevant to each COSO component

- Control Environment
- Risk Management
- Control Activities
- Information and Communication and
- Monitoring

III OTHER INFORMATION

III.1 Internal Audit Reports

III.2 External Audit Reports

III.3 Other Information Sources

III.3.1 Budget Information

III.3.2 Data on Ex-ante Financial Control

III.3.3 Requests by Individuals and/or Administrations

III.3.4 Other Information

IV CHANGE SINCE THE LAST REPORT

IV.1 For each COSO component, has the position got better or worse, and why?

V CONCLUSION

V.1 Strengths

V.2 Aspects Open to Improvement

V.3 Recommendations for action


Annex 3a: Internal Control Assurance Declarations, Senior Manager

I. RESPONSIBILITY

As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of [the administration]. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.

II. PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION

I declare that my administration’s budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements; resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.

In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration’s revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; my administration operates in line with the laws and other regulations; irregularities and fraud are prevented in each financial decision and transaction; regular, timely and reliable reports and information are acquired for decision making and monitoring; assets are safeguarded against abuse, waste and losses.

This assurance is based on my knowledge and considerations as the Senior Manager, management information systems, internal and external evaluations carried out within the context of quality assurance development programme, studies of the SDU, internal and external audit reports (if available).

In the following part, the Senior Manager must explain the support by the management information systems, internal and external evaluations within the framework of the quality assurance development programme, internal and external audit and SDU.

Management Information Systems

Please read section no 6.1.1.3 before completing this part

Internal Audit

Please read section no 6.1.1.4 before completing this part

External Audit

Please read section no 6.1.1.5 before completing this part

SDU

Please read section no 6.1.1.6 before completing this part


III. RISK MANAGEMENT [10]

As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration, production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, creation of the necessary organisational capacity and embedding risk management into the general activities is valued.

In the following part, the authorising officer should address the risk perception of the administration and its capacity to deal with risk.

Risk perception of the administration should summarise

Please read section no 6.1.1.7 and 6.1.1.8 before completing this part

Capacity to handle risk

Please read section no 6.1.1.9 before completing this part

My administration faces a wide range of risks during the course of its activities. These risks are considered in accordance with the principle that the cost of the internal controls to be developed with control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted in levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.

In the following part, the Senior Manager should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration’s risks.

Identification and assessment of the risks

Please read section no 6.1.1.10 before completing this part

Addressing, control environment, monitoring and reporting of the risks

Please read section no 6.1.1.11 before completing this part

[10] This part must be completed when risk management process starts to function in the administration.

IV. APPRAISAL OF THE INTERNAL CONTROL SYSTEM

As the Senior Manager, during the preparation of the foregoing declaration I also considered the assurance declarations by the Authorising Officers and Head of SDU. The information and evaluations I have received from these declarations pose an important basis regarding the assurance I have to provide on the internal control system in my administration.

Furthermore, [advisory, audit, risk steering] boards/committees have been set up within [the administration] to provide support and guidance for the evaluation of the internal control system in terms of particularly risk strategy and management. Reports prepared by these boards have made a great contribution to the evaluation on the internal control system.

Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term and how these developments have been handled are summarised below.

Please read section no 6.1.1.12 before completing these parts

Human Resources

Physical infrastructure and assets

IT and communication infrastructure

Data security

New structures and changing fields of activity

Problems faced in the main fields of activity or examples of best practice

Developments regarding weaknesses stated in previous years


Other developments

(Date)

Signature

Name

Title


Annex 3B: Internal Control Assurance Declaration, Authorising Officer

INTERNAL CONTROL ASSURANCE DECLARATION [11]

I. RESPONSIBILITY

As the authorising officer, within my field of competence I am responsible to ensure that my expenditure orders are in line with the fundamentals and principles of the budget, the laws, rules and regulations and other legislation; the appropriations are utilised in an efficient, effective and economic manner; and that the internal control operates properly.

II. PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION

I declare that the operations and transactions carried out by my spending unit comply with the aims and objectives of the administration, high financial management principles, control arrangements and the legislation; resources allocated with the administration budget to the spending unit have been utilised in line with the planned objectives; and the internal control system within my unit provides the sufficient and reasonable assurance.

This declaration of assurance is based on my own information and evaluations as the authorising officer and on the management information systems, internal and external evaluations carried out within the context of the quality assurance development programmes, studies by the SDU, internal and external audit reports.

In the following part, the support provided by the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programmes, studies by the SDU should be elaborated by the authorising officer.

Management Information Systems

Please read section no 6.1.1.3 before completing this part

Internal Audit

Please read section no 6.1.1.4 before completing this part

External Audit

Please read section no 6.1.1.5 before completing this part

SDU

Please read section no 6.1.1.6 before completing this part

[11] Please read section no 6.1.1 before completing this part


III. RISK MANAGEMENT [12]

Within the framework of the overall risk perception, strategy and awareness of the administration, the capacity to handle risk has been determined for the activities specific to my unit and the necessary importance has been attached to embedding risk management in its activities.

In the following part, the authorising officer should address the capacity to handle risk.

Capacity to handle risk

Please read section no 6.1.1.9 before completing this part

My spending unit faces various risks during the course of its activities. These risks are considered in line with the principle where the cost of internal controls to be developed does not exceed the benefit planned to be gained from them. A systematic approach has been adopted in the spending unit for the identification, addressing, assessment, monitoring and reporting of the risks faced.

In the following part, the authorising officer should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration’s risks.

Identification and assessment of the risks

Please read section no 6.1.1.10 before completing this part

Addressing, control environment, monitoring and reporting of the risks

Please read section no 6.1.1.11 before completing this part

IV. EVALUATION OF THE INTERNAL CONTROL SYSTEM

The following is the summary of the most significant developments experienced in the activities of my unit within the period covered by the foregoing report and how these developments have been addressed by the internal control system.

Please read section no 6.1.1.12 before completing these parts

Human Resources

IT and communication infrastructure

Data security

[12] This part must be completed when risk management process starts to function in the administration.


New structures and changing fields of activity

Problems faced in the main fields of activity or examples of best practice

Developments regarding weaknesses stated in previous years

Other developments

As the authorising officer, I hereby declare that we have also carried out some transactions overriding the opinion of the SDU. Information and justifications for these transactions are as follows:

There is no such a work I carried out that is not found to be appropriate by SDU.

(In this part, transactions, if any, carried out by the authorising officers despite the negative opinion provided upon the ex-ante financial control. If there is no such a work as mentioned above, then expression “there is no such a work I carried out that is not found to be appropriate by SDU” should be included.)

(Date)

Signature

Name

Title


Annex 3b: Internal Control Assurance Declaration, Head of SDU

INTERNAL CONTROL ASSURANCE DECLARATION

As the Head of SDU, I declare that the internal control system has been implemented, monitored and my opinions and recommendations have been reported to the Senior Manager to take the necessary actions in time, in order to ensure that the activities in [the administration] are carried out in accordance with the financial management and control legislation and other legislation, public resources are utilised in an efficient, effective and economic manner.

Please read section no 6.1.2 before completing this part

In the following part, the studies should be explained regarding the management information systems, development of internal control system, monitoring and review, and briefing and advising by the Head of SDU.

Management Information Systems

Please read section no 6.1.2.1 before completing this part

Development of Internal Control System

Please read section no 6.1.2.2 before completing this part

Monitoring and Review

Please read section no 6.1.2.3 before completing this part

Briefing and Advising

Please read section no 6.1.2.4 before completing this part

Financial Information

Please read section no 6.1.2.5 before completing this part

I confirm that the information included in the section IIIA-Financial Information of the Activity Report (year) is reliable, complete and accurate.

(Date)

Signature


Annex 4: Example of a Complete Declaration

INTERNAL CONTROL ASSURANCE DECLARATION

(SENIOR MANAGER)

Name-Surname

Title

I. RESPONSIBILITY

As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of the Ministry of Space Exploration. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.

II. AIMS AND PILLARS OF INTERNAL CONTROL SYSTEM

I declare that my administration’s budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements; resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.

In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration’s revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; my administration operates in line with the laws and other regulations; irregularities and fraud are prevented in each financial decision and transaction; regular, timely and reliable reports and information are acquired for decision making and monitoring; assets are safeguarded against abuse, waste and losses.

This assurance is based on my knowledge and considerations as the Senior Manager, management information systems, internal and external evaluations carried out within the context of quality assurance development programme, studies of the SDU, internal and external audit reports (if available).

Management Information Systems

Management information systems have been established in all General Directorates in order to provide information for managers that enables effective decisions to be made and for information on changing risks to be monitored in our Ministry. However, not all of our legacy IT systems have been fully assessed for security risks. As part of the measures being taken to strengthen data security governance, we will ensure that the IT systems supporting our most time critical business processes are reviewed to establish a known risk position by December 2010. We will carry out a review of our remaining systems during 2011.

Internal and External Evaluations Carried Out Within The Context Of Quality Assurance Development Programme

Presidency of Strategy Development has carried out one internal evaluation of the effectiveness of internal control within the context of the quality assurance and development programme. The main findings of this evaluation are:

- That compliance with internal control standards was good in terms of effective control activities in order to minimise risk.

- Internal Control and Risk Steering Board has been set up within the Ministry to contribute to the evaluation of the internal control system.

- Unit managers needed to develop their skills regarding ongoing monitoring of internal control systems.

Based on the evaluation findings, the Ministry has produced an action plan which is planned to be put into practice as of June 2010.

There were no external evaluations carried out within the context of the quality assurance and development programme, but the CHU has declared that this is scheduled for 2013.


Internal Audit

Our Ministry’s Internal Audit Unit continues to operate within the framework of a three-year audit plan. Internal Audit operated to requirements defined in the Public Internal Audit Standards. Their audit programme was focused around the Ministry’s key risks of internal control, together with recommendations for improvement. The Director of Internal Audit Unit provided me with an annual Internal Control Evaluation Report which contained an independent opinion on the adequacy and effectiveness of internal control. The conclusion of the Director of Internal Audit Unit was that the following aspects of internal control should be improved:

- Awareness of the Deputy Undersecretaries and General Directors on internal control responsibilities and risk management

- Improvement of the present arrangements regarding promotion, assignment and appointment system to make it transparent and competence based

- Improvement of communication between the central and provincial organisations of our ministry

- Review of management information systems to update old systems

- Improvement of allowances and supplementary payments for personnel going to space

It has been decided that a working group consisting of managers from the SDU, General Directorate of Personnel and other relevant units to put these recommendations into an action plan.

External Audit

The TCA has approved the annual accounts of the Ministry.

SDU

An evaluation on the internal control system has been carried out with the full participation from the SDU, Spending Unit managers and the staff, and a report has been produced and submitted to the CHU on 30th March 2010. The main findings of the review are listed above under the heading “Internal and External Evaluations Carried Out Within the Context of Quality Assurance Development Programme” in this document. SDU staff also underwent training in risk management during this year.

III. RISK MANAGEMENT

As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration, production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, creation of the necessary organisational capacity and embedding risk management into the general activities is valued.

The SDU took the lead in embedding risk management in the organisation by reviewing and updating the key corporate external and internal risks facing the Ministry each month. The SDU also began an exercise to identify long term risks that may have posed a significant threat to the Ministry in the future. These risks were recorded on a long term risk register and the intention is that they will be reviewed every six months. Should the threat increase, then these risks will either be escalated to my part for appropriate action to be taken.

The Internal Control and Risk Steering Board also endorsed an action plan to further embed good risk management practice within the Ministry’s processes and systems and to support innovation through well managed risk taking. Work to establish this position will continue and focus on those areas identified as still most in need of improvement. This will include giving further consideration to risk appetite, where the focus will be on practical examples of how it can be applied in practice, thus making it easier to communicate its awareness among staff.

Guidance was available to all staff on risk management through the risk management intranet site. In addition to a risk management policy, specific guidance was available on undertaking risk self assessment, which includes guidance on applying risk management as an integral part of the Ministry’s business planning process. Risk management workshops were available to all staff and practical guidance on its application had been incorporated into a wide range of training courses. These courses covered all ranges of staff and were tailored to be appropriate to their authority and duties.

My administration faces a wide range of risks while carrying out its activities. These risks are assessed in accordance with the principle that the cost of the internal controls to be developed with control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted in levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.

The risk management framework for our Ministry operated through the initial identification of risks, as part of the business planning process, which threatened achievement of the Ministry’s objectives. These risks were then evaluated in terms of impact and probability. This process established the level of residual risk against which the Ministry was exposed and which was monitored over time as part of performance management. Ownership for each risk was assigned to a named individual. Reasonable assurance that risk mitigation activities were appropriate was obtained through regular management reviews and internal audits of the key activities undertaken in the Ministry.

In order to further embed best practice in risk handling and to ensure a consistent interpretation of the acceptable extent of residual risk, our Ministry will review its risk appetite and communicate it more effectively across the organisation.

IV. APPRAISAL OF THE INTERNAL CONTROL SYSTEM

As the Senior Manager, during the preparation of the foregoing declaration I also considered the assurance declarations by the Authorising Officers and Head of SDU. The information and evaluations I have received from these declarations pose an important basis regarding the assurance I have to provide on the internal control system in my administration.

Furthermore, Internal Control and Risk Steering Board has been set up within the Ministry of Space Research to provide support and guidance for the evaluation of the internal control system in terms of particularly risk strategy and management. Reports prepared by this Board have made a great contribution to the evaluation on the internal control system.

Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term and how these developments have been handled are summarised below.

In our investment programmes, the underspend reported last year in the spacecraft development programme has been managed. There is now less than 2% slippage in that programme. Underspends have arisen this year in other areas, for example:

- The satellite programme, TL 121 m. Internal Audit Unit has reviewed the Investment Budget management and an action plan is being developed to address the audit findings.

- Astronauts training programme, TL 113m, due to slower than expected take-up. Processes will be streamlined to reduce barriers and it is expected the budget will be fully used in the next year.

- Renovation of launching stations programme, TL 16m, arising mainly from slippage in international cooperation projects affecting the expected refurbishment programme, together with some incorrect historical data for tracking capital allocation. New systems will prevent the reoccurrence of this problem.

Whilst recognising the above summarised issues, good progress has been made in resolving them and there are plans in place to further enhance internal control system and improve practice. As Senior Manager, I provide reasonable assurance that the above issues do not represent a material threat to operational effectiveness and that our Ministry complies with the public internal control standards on risk management, internal control and governance.

(Date)

Signature

Name

Title


GLOSSARY

CONCEPT: DEFINITION

Explicit information: is the information which can be created, expressed, obtained and transferred in accordance with a specific system.

Aim: is the concept which refers to the objectives contained in the strategic plan that administration aims to attain.

Information: Financial and non-financial data related to internal and external events and activities which is created, obtained and communicated in a particular form and at a particular time to ensure that people carry out their duties.

Information security: refers to safeguarding valuable assets in an administration against loss, misuse or damage.

Information map: is demonstration of information kept in units or their systems which can be shared and expertise and experience of personnel, and demonstration of them on an organisational scheme or map in accordance with organisational structure.

Information pool: is the accessible area where information obtained in hard form or soft form is stored and kept ready for re-use.

Information architecture: Organisation of information with a view to make it accessible, manageable and useful from infrastructure level to end-user level.

Information stock: Financial and non-financial information available in administration at a particular time.

Information technology: is a system that controls all activities, including communication and computers, which are used for the purposes of collecting, storing and processing of information, its transmission from one point to another through communication systems and computers and to the service of users. Information technology is a concept that is used to refer to all information services which can be connected through communication and computer systems.

Information management: is a process where information is planned and obtained from any kind of source internally or externally, classified, stored, communicated to relevant bodies in a timely manner for interpretation, reviewed for updating and disposed.

External audit: Within the framework of accountability responsibility of public administrations within the scope of general management, it is the activity of examining the compliance of financial activities, decisions and procedures of the administration with laws, administrative objectives, aims and plans, and reporting the results to TGNA by Turkish Court of Accounts.

Audit trail: It requires the maintenance of records giving the full documentation and justification at all stages of the life of a transaction, together with the ability to trace transactions from summarized totals down to the individual details and to trace all reporting stages.

Inherent risk: refers to those risks whose probability and impact cannot be changed unless particular precautions are taken by administration. When risks are identified for the first time, they are at inherent risk level.

Ethics: Ethics is a body of moral principles, values and standards which forms the basis for the behaviours of a person and guides them on how to do works.

Cost-Benefit Analysis: It is the identification and comparison of the costs and benefits regarding the implementation of a planned work or activity. In cases when benefits outweigh costs, the work or activity is considered to be cost-effective.

SWOT Analysis: is a method in which the administration systematically examines itself and the conditions having an impact on the administration. In this framework, strengths and weaknesses of the administration as well as the threats and opportunities that may occur outside the administration are identified. This is an analysis which forms the basis for strategic planning process.

Segregation of duties: covers the duty of approval, implementation, recording and control of each activity or financial decision and transaction shall be assigned to different people.

Objective: These are the specific and measurable sub-aims geared towards attaining the aims contained in the strategic plan.

Performance objectives are outcome-oriented objectives administrations plan to attain in a program period with a view to attaining the aims and objectives contained in the strategic plan.

Internal audit: is an independent and objective activity of giving assurance and providing counselling with a view to providing guidance and assessing whether resources are managed in compliance with principles of effectiveness and efficiency, in order to improve and add value to the activities of the public administration.

Internal control: is the body of financial and the other controls covering the organisation, method, process and internal audit in an administration, carried out with a view to ensuring that activities are conducted effectively, efficiently and economically in line with the administration’s aims, its identified policies and legislation, assets and resources are protected, accounting records are kept accurately and completely, and financial information and managerial information is produced in a reliable and timely manner.

Internal control assurance declaration: is the declaration annually signed by senior managers, authorising officers and heads of strategy development units within the framework of accountability and transparency to state that processes and transactions are conducted in line with the principles of good financial management, control regulations and the legislation.

Internal Control and Risk Steering Board: The Board makes assessments concerning development of process and methods related to internal control system, such as determination of policies about monitoring internal control practices and introduction of risk in the administration.

Whistleblowing: is the notification of illegal and unethical behaviours and actions to internal and external authorities that have the power and authority to solve the problem by persons with information (employees or stakeholders), therefore administrations or third persons inside or outside the administration are not affected.

Business continuity: The plans that aim at ensuring continuity for the activities of the administration or ensure continuity without any interruption after any extra-ordinary situations.

Ex-post controls: Are the controls applied by management to administration’s activities after they have been carried out, using pre-identified methods.

Monitoring: Monitoring is the activity of assessing, within the framework of compliance with internal control standards, whether internal control system provides the expected contribution to attaining objectives and aims of the administration and determining the activities to be carried out in fields that are open to improvement.

Residual risk: refers to risks remaining after management has taken precautions to reduce their probability and impact.

Control activities: are actions aimed at reducing the impact and/or the likelihood of a risk occurring and thus increase the probability of attaining the goals and objectives of the organisation or part of the organisation.

Financial Management and Control: is the development, implementation, monitoring and improvement of suitable organisations, methods and processes within the of managerial responsibility to ensure effectiveness, efficiency and economy in obtaining and using resources as well as compliance with the identified aims and objectives and the legislation.

Central Harmonisation Unit: is affiliated to the Ministry of Finance. The unit develops and harmonises methods and standards concerning financial and internal control processes and provides related guidance for public administrations.

Mission: mission is the cause of existence of an administration and its place within the state structure. In other words, mission is the answer to such questions as what the public administration does, and how and for whom it does what it does.

Focus group: These are such meetings that are held among a target group composed of 6-8 people to receive their thoughts and reactions in a detailed and elaborate manner. They are managed by a moderator within the framework of a flow plan.

Probability: refers to the likelihood that an event may occur.

Organisational structure: is general system covering all the activities and procedures undertaken to attain the aims and objectives of the administration.

Ex-ante financial control: Ex-ante financial control is a control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out with the available appropriation amount, expenditures programme, financing programme and the provisions of central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently.

Implicit information: is the information in people’s minds which is not regulated in accordance with a particular system, therefore not easy to transfer and circulate, and the registered information which is not accessible to employees.

Stakeholders: are the people, groups and administrations which are relevant to the administration’s products and services and can directly or indirectly, positively or negatively, affect or be affected by the administration.

Risk: can generally be defined as uncertainty of events that may occur in future or undesirable outcomes and impacts of an event. For administrations, risk can be defined as negative or positive effects of internal and external factors that may occur in future on attaining the objectives and aims of administrations. In risk terminology, positive aspects of risk and wins it may bring along are referred to as opportunity, and negative aspects and losses it may cause are referred to as threat.

Risk assessment: is analysing those factors which can have an impact on attaining the objectives of administration.

Transferring risk: is the response to the risks by taking some of them away from the responsibility of the administration and transferring it to others.

Handling risks: is the identification of responses to risks identified and assessed (within the framework of risk appetite) by public administrations, and reducing the expected threats and benefiting from the opportunities that may emerge within this context.

Impact of risk: refers to outcomes or effects that risk posing event can produce once it occurs.

Risk appetite: is the amount of risk an administration is ready to accept (tolerate/be exposed to) at any time before deciding on the need to take any relevant precautions, in line with its strategic objectives, mission and vision. In terms of threats, it refers to exposure level which can be tolerated and justified, and in terms of opportunities, it refers to how a person is ready to actively take the risk to gain benefits of the opportunity.

Tolerating risks: is a passive method of response given to risks which public administrations

are comfortable to undertake Avoiding risks is a response to risks by removing the activities in which risks are probable

to occur thus eliminating the risks that are probable to occur together

with the activities Controlling risks is a method of response to risks by means of control activities carried out

to keep tolerable risks at a certain level in public administrations

Preventive Controls: These are controls carried out to prevent threats that risk may pose and undesirable outcomes risk may produce once it occurs.

Corrective Controls: These are controls aiming at reducing the impact of undesirable outcomes that arise from threats risk poses once it occurs.

Directive Controls: These are controls carried out to prevent the occurrence of risk or avoid the impact it may produce once it occurs.

Detective Controls: These are controls applied to identify damages and losses experienced once the risk is realised.

Risk profile: documented and prioritised overall assessment of the range of specific risks faced by the administration.

Risk management is a management tool and all the mechanisms related to identify and assess risks that may have an impact on attaining aims and objectives of administration, identify responses to risks, regularly review and update risks and responses, and monitor the whole process.

Corporate risk management is a process which covers the entire administration and ensures that risk management processes are considered and handled as a whole.

Risk strategy: the overall organisational approach to risk management as defined by the Accounting Officer and/or the Board. This should be documented and easily available throughout the organisation.

Risk Strategy and Policy Document (RSPD): corporate approach to risk management identified by Head of Administration and senior level policies are called risk strategy, and the document in which this approach and policies are set down in writing is called Risk Strategy and Policy Document (RSPD).

Risk identification is the process of identifying, ascertaining, categorising and updating risks that prevent or limit the achievement of administration's strategic objectives, using previously defined methods.

Strategy Development Unit refers to presidencies of strategy development units, departments of strategy development and directorates where strategy development and financial services are undertaken. They carry out studies to establish, implement and continuously develop internal control systems and report the study results to the Head of Administration.

Irregularity: Faults, errors and negligence stemming from violation of regulations and provisions related to financial management.

Delegation of authority is delegation of the responsibility and authority for making decisions to another authority in writing, in the way envisaged in the legislation.

Fraud is misuse or insufficient use of documents and declarations for monetary purposes or non-monetary private purposes, as well as hiding information or deliberate acts performed to abuse the benefit legally obtained, and negligence and illegal use of public power.

Management Information system: supporting systems which provide proper data for managers and decision-makers for taking decisions and implementing them, with a view to more effectively attaining the previously identified objectives of the administration by operating and communicating the information used in administration.

Managerial refers to management being accountable for the decisions they have made regarding duties assigned, as well as for effective use of public resources, to the Parliament, Government and public opinion.

Governance: Governance is the way in which organisations are directed and controlled. It defines the distribution of rights and responsibilities among the different stakeholders and participants in the organisation, determines the rules and procedures for making decisions on corporate affairs, including the process through which the organisation's objectives are set, and provides the means of attaining those objectives and monitoring performance.

Conference call: A system of telecommunications technology that enables a number of people in different locations to hold a discussion using the telephone.


LIST OF ABBREVIATIONS

ARC Administrative risk coordinator

BiMER Prime Ministry Communication Centre

CHU Central Harmonisation Unit

COBIT Control Objectives for Information and Related Technology

COSO Committee of Sponsoring Organisations of the Treadway Commission

DHSDU Declaration by Head of Strategy Development Unit

e-SAC Electronic System Audit and Control

FMC Financial Management and Control

HRM Human Resources Management

ICAD Internal control assurance declaration

ICRSB Internal Control and Risk Steering Board

INTOSAI International Organisation of Supreme Audit Institutions

ISO/IEC International Organisation for Standardization / International Electrotechnical Commission

IT Information Technology

MERNIS Central Civil Registration System

MIS Management Information System

PESTLE Political, Economic, Social, Technological, Legal and Environmental

RSPD Risk Strategy and Policy Document

SDU Strategy Development Unit

SMART Specific, Measurable, Achievable, Relevant, Time-related

SURC Sub-unit Risk Coordinator

SWOT Strengths, Weaknesses, Opportunities and Threats

TGNA Turkish Grand National Assembly

TSE Turkish Standards Institute

URC Unit Risk Coordinator

UYAP National Judicial Information System


INTRODUCTION

From the late 20th century onwards, the focal point of governments in the whole world has been to establish mechanisms to increase performance. "Good governance", put forward to serve this end, has recently come to be a guiding principle both for the private sector and the public sector. Within the framework of the principle of good governance, such factors as ensuring accountability for the provision of better quality public services, improvement of transparency, delegation of authorities and responsibilities by means of managerial flexibility, outcome-oriented management and budgeting, and understanding and meeting the expectations of citizens have come to the foreground.

On the other hand, provision of quality public services has brought along the need for the public resources to be used effectively, efficiently and economically, thus necessitating the usage of effective tools in public administrations in many areas, from organisational structure to information and monitoring, which are related to financial management and control. The most important tool for accountability adopted in this reform process is internal control.

Internal Control

Internal control, which is internationally used, is a system designed to give reasonable assurance to attain the objectives of a given administration. Within the framework of the Committee of Sponsoring Organisations (COSO), which is the most widely known system among the others, internal control aims to ensure compliance of actions and works with the legislation, as well as the reliability of financial and managerial reporting and effective and efficient asset protection. COSO, which is made up of control environment, risk management, control activities, information and communication, and monitoring components, is an internal control model which is also accepted as a reference point by such institutions as the International Organisation of Supreme Audit Institutions (INTOSAI) and the European Commission. The following figure shows the components of COSO.

IN Figure 1: The COSO Cube

Our country, on the other hand, which has been carrying on membership negotiations with the EU, has been going through a reform process since the early 2000s with a view to strengthening its public internal control system. The basic factors of the internal control system, which is recommended by the European Commission to all the candidate countries and is in compliance with COSO, can be summarized as a financial management and control (FMC) system based on managerial responsibility and accountability, a functionally independent internal audit activity, and a Central Harmonisation Unit (CHU) responsible for the harmonisation of these two areas in the whole public sector.

FMC refers, in the most general terms, to the management and control processes related to public revenues, expenditures, assets and obligations. In this context, public managers of every level are responsible for the establishment and sustainability of a sound FMC system to ensure resource-based planning, programming, budgeting, accounting, controlling, reporting, archiving and monitoring. Internal audit, on the other hand, which assists the manager in assuming this responsibility and attaining the objectives, gives objective assurance based on risk management and provides guidance regarding the compliance of the current FMC system with the identified rules and standards. Furthermore, a full capacity and quality central harmonisation activity is required in order to identify and develop methodologies, legislation and standards in the areas of FMC and internal audit in public administrations, as well as to coordinate and monitor them and provide the training needed.

In the light of the best practice examples, our country has taken important steps in strengthening transparency and accountability in public financial management and ensuring an effective internal control function. Public Financial Management and Control Law No. 5018, which is the most important step among the others and was adopted in 2003, defines the functioning of the internal control system and the roles and responsibilities of the actors involved in the system, and assigns the Ministry of Finance (MoF) the duty of identifying standards and methods as well as ensuring coordination and providing guidance in this area. As per this duty, the MoF published a Public Internal Control Standards Communiqué in 2007, which was in compliance with the international standards.

The Financial Management and Control Manual, which is an extension of all these works, has been prepared with a view to supporting decision-making and implementation processes for better management and thus contributing to the rational usage of public resources. The Manual, whose preparation started in 2010 and was completed in the first quarter of 2011, is the outcome of painstaking work carried out by experts both from the United Kingdom and our country within the framework of a twinning project financed by the European Union.

The FMC Manual has been designed with a view to ensuring the implementation of internal control standards, as a guideline which explains all the basic factors of internal control by means of methods, tools and examples which can be used by all the stakeholders. In addition, it is also possible for administrations to use, according to their own needs, tools other than this Manual, which can be modified and revised in time in line with the changing circumstances and needs in public administrations; however, it is foreseen that tools adopted should not be in conflict with the basic requirements contained in the Manual.

This Manual is made up of five main parts based on Internal Control Standards. Following this introduction, there is a table showing the main responsibilities of the major actors in financial management and control.

In the first part, conceptual explanations regarding ethical values and integrity, mission, organisational structure and duties, competence and performance of personnel, and delegation of authority, which are the milestones of the control environment, as well as information on the legislation and implementing tools, are given.

In the second part, information on the importance and aim of risk management, stages of the risk management process and roles and responsibilities of the actors involved in the process, the Risk Strategy and Policy Document, and communication and reporting tools that can be used is given.

In the third part, control strategies and methods, identifying and documenting procedure, principle of separation of authorities, hierarchical controls, sustainability of activities and information processing controls are explained within the framework of control activities, which is closely related to risk management, and a set of control activities (approval, authorisation, verification, reconciliation of accounts, etc.) are dealt with.

In the fourth part, the concept of information and its management, functioning of Management Information Systems, internal and external communication tools and reporting mechanisms are handled within the framework of the information and communication component.

In the fifth part, information on the roles and responsibilities of Financial Management and Control Central Harmonisation Unit (FMC CHU) in the overall public sector and of Strategy Development Units (SDU)/Financial Services Units in each public administration, as well as the tools used, internal control system quality assurance development program, roles of internal and external audit, content of Internal Control Assurance Declaration and guidance on how to fill the Declaration, is given within the framework of regular monitoring and assessment of internal control system.

In the last part of the manual, a glossary of the concepts used in the manual is given.

Users of the Manual

Besides the relevant stakeholders and users, it is believed that this Manual will be a reference document for the following:

Senior managers responsible for establishing an effective and adequate FMC system as well as observing and monitoring it

Authorising officers who have responsibility, within the scope of their duties and authorities, to ensure the functionality of the internal control regarding administrative and financial decisions and proceedings

Relevant managers and employees of the Ministry of Finance who carry out the central harmonisation duty in the area of FMC

Managers of SDUs and financial services experts who have responsibility concerning the development of internal control system and implementation of the standards

Realization officers and accounting officers who are involved in the financial processes and accountable to authorising officers

The other public managers who have responsibilities arising from the activities conducted in the area of FMC in units

All the employees working in public administration

Internal auditors who have the responsibility to assess and report to the Head of Administration the effectiveness of FMC system

External auditors who are responsible for examining the accounts, financial transactions and activities, and internal control systems of public administrations, as well as whether resources are used effectively, efficiently and economically as well as in compliance with laws, and reporting the results to the TGNA

TABLE OF ROLES AND RESPONSIBILITIES

MINISTER

Risk management: Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister should be aware of the potential risks to the administration's objectives.

Information and communication: He ensures coordination and cooperation with the other ministries and informs the public opinion and the TGNA about the annual performance programme and activity report of the administration.

Monitoring: Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister is responsible for ensuring effective monitoring of the internal control system.

HEAD OF ADMINISTRATION

Risk management: He defines strategies and policies for an effectively functioning risk management system in accordance with the aims and objectives of his administration. He explicitly defines tasks, roles and responsibilities. He ensures the participation of the stakeholders and the public opinion.

Information and communication: As the quality of the information exchange and communication between the head of administration and the other actors has a direct effect on the accountability of the head of administration, he must inform the relevant units about the frequency and methods of feedback he prefers. He ensures effective communication among spending units, SDUs and internal audit.

Monitoring: He is responsible for observing and monitoring the functioning of financial management and control system. He approves annual internal control system evaluation reports and signs the Internal Control Assurance Declaration.

INTERNAL CONTROL AND RISK STEERING BOARD

Risk management: The Board develops policies for improvement of risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the unit of the policies and procedures for coordination purposes. ICRSB determines a particular number of risks which it deems significant as the key risks among those risks that are submitted to itself, and reports whether these key risks function well or not to the Head of Administration in regular periods or whenever it deems necessary.

Information and communication: It provides the Head of Administration with timely and accurate information about the effectiveness of internal control and risk management.

Monitoring: It assesses internal control system evaluation reports prepared by the strategy development unit as a result of annual evaluation of internal control system and, after defining shortcomings of the report, if any, submits it with the relevant opinions for the approval of Head of Administration.

AUTHORISING OFFICER

Risk management: He acts as the unit risk coordinator or assigns someone to act so. URC coordinates the management of the unit's risks that may have an impact on objectives of the administration and provides guidance to this end.

Information and communication: He ensures that tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff. He ensures that sub-units are informed about the activities of each other. He ensures that an effective communication and archiving system is established for the information related to the objectives and activities of the unit.

Monitoring: He has responsibility for continuously monitoring internal control system. He provides necessary information for strategy development units regarding the annual evaluation of internal control system, completes internal control questionnaire and annually signs internal control assurance declaration to be submitted to the Head of Administration.

HEAD OF DEPARTMENT/UNIT

Risk management: He is responsible for the coordination of risk management activities within sub-units (if having such units or their management at this level is deemed appropriate) of the spending units in administrations. He is directly accountable to URC regarding risk management.

Information and communication: He ensures that an effective communication and archiving system within the sub-unit is established for the information related to the objectives and activities. He ensures that tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff. He is accountable to the authorising officer.

Monitoring: He has responsibility for continuously monitoring internal control system. He supports the authorising officer in providing SDUs with information.

EMPLOYEES

Risk management: Every employee is directly responsible for managing risks in their fields of duty (identifying, assessing, responding to, reviewing and reporting risks).

Information and communication: Every employee is responsible for delivering accurate and timely information to managers, colleagues and stakeholders by using right communication means.

Monitoring: They observe the functioning of internal control system and, in case of a problem, they inform senior management and contribute to the evaluation process of internal control system by providing information.

STRATEGY DEVELOPMENT UNIT

Risk management: It organises trainings on risk management in the administration and provides guidance in this respect.

Information and communication: It is responsible for providing the Head of Administration and the units with accurate and timely information. In addition, it is responsible for providing the unit with guidance and trainings on the area of internal control.

Monitoring: It annually assesses internal control system on behalf of the Head of Administration. It signs the declaration on functioning of internal control system with a view to ensuring effective, efficient and economical execution of administration's activities. Staff of Strategy Development Units take active role in the evaluation process of internal control systems and guide the units in completing the reports regarding evaluation.

ACCOUNTING OFFICER

Risk management: Within the scope of his duty, the Accounting Officer should identify and manage the financial risks.

Information and communication: The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way.

Monitoring: Accounting Officers must regularly report to the authorising officer on the accounting records.

CENTRAL HARMONISATION UNIT

Risk management: It is responsible for such activities as making regulations and changes when necessary, carrying out developmental activities, as well as ensuring guidance, harmonisation, inter-administrational coordination and reporting.

Information and communication: It is responsible for making arrangements, setting out standards, providing guidance and advice, ensuring harmonisation and coordination among administrations, and monitoring and reviewing the implementation in the fields of financial management and control and internal audit.

Monitoring: It annually assesses the functioning of internal control systems in public administrations based on Internal Control Evaluation Reports approved and submitted by senior managers, and submits the evaluation report it prepared to the Head of Administration and the Minister of Finance.

INTERNAL AUDIT

Risk management: Internal auditor provides the Head of Administration with advice regarding risk management by making evaluations on whether risk management process is effective and risks are managed in the right way or not.

Information and communication: He examines the functioning of information and communication system in the administration and reports the results to the Head of Administration. There must be an effective communication system between Head of Administration and internal audit.

Monitoring: It has the function to provide the management with information about the sufficiency, effectiveness and functioning of internal control system, as well as making evaluations and giving recommendations.

EXTERNAL AUDIT

Risk management: Within the framework of performance management, it can audit the functioning of risk management processes in administrations.

Information and communication: Within the framework of performance management, it can audit the functioning of information and communication systems in administrations.

Monitoring: Court of Accounts can assess internal control systems in administrations during the audits it conducts and give recommendations.

CONTROL ENVIRONMENT

1 INTRODUCTION

According to the COSO model, control environment is creation of the basic infrastructure for the other components of internal control by providing internal control awareness for employees working in a particular administration. Control environment generally includes internal control awareness, values, working styles and procedures of the administration. Basic factors of control environment are summarized below.

CE Box 1 Basic Factors of Control Environment

[Diagram of internal control components: Risk Management, Control Environment, Control Activities, Info & Communication, Monitoring]

• Principles of personal and professional integrity
• Adoption of ethical values by management and personnel
• Supportive attitude of senior management towards internal control
• Organisational structure
• Professional competence and performance of personnel
• Human resources policies and practices
• Management philosophy and working style

Creation and sustainability of a positive and supportive environment for internal control by the management is of great importance. As employees also have their relevant roles in carrying out internal control, all individuals within the administration need to know their responsibilities and authorities very well. Employees need to uphold personal and professional integrity and ethical values and comply with the current behavioural norms. In a well-functioning control environment, the public administration should previously determine its mission, organisational structure and terms of reference, and should regularly assess the performance of personnel.

2 Internal Control Standards

Four standards were determined regarding control environment among Public Internal Control Standards.

CE Box 2 Control Environment Standards

Standard 1: Ethical values and integrity

It should be ensured that the rules which regulate how personnel behave are known by the personnel.

Standard 2: Mission, organisational structure and duties

Mission of the administration and job descriptions for units and personnel should be set out in writing and announced to the personnel, and a suitable organisational structure should be established in the administration.

Standard 3: Competence and performance of personnel

Administrations should ensure the compatibility between the competence and duties of personnel and take actions about performance appraisal and improvement.

Standard 4: Delegation of authority

Administration should explicitly identify authorities and limits of delegation of authority and announce them in writing. Authority should be delegated by taking the importance and risk of the authority to be delegated into consideration.

This part explains the relevant legislation and standards with a view to rendering Public Internal Control Standards more comprehensible and guiding practice. It also stresses the methods to be applied so that ethical values and integrity principles are owned by senior management and adopted by personnel, which is very important for a well-functioning control environment. In addition, criteria are determined for the assessment of competence and performance of personnel, and explanations are given on the determination of mission, organisational structure and duties. Moreover, the part explains how the delegation of authority, which is a priority for accountability, needs to be conducted.

3 LEGISLATION

3.1 Legal Basis

In utilising public resources or in providing effective and efficient public services, the principles and procedures of a work, financial or non-financial, are determined by the regulations made by laws or the central administration.

Internal Control standards provide the minimum and overall framework for managers for giving an assurance on the provision and sustainability of services. In the following diagram, the international and national standards and legislation relating to Control Environment are given.

CE Figure 1 Legal Basis Framework regarding Control Environment

Part Five of Law No 5018 regulates the 'internal control system'. Within this framework, in order to establish an effective and sufficient internal control system, the top manager and the other managers should take necessary action to ensure that the following factors are implemented:

• Having professional values and an integral management understanding
• Assignment of financial authorities and responsibilities to informed and competent managers and personnel
• Compliance with the standards set
• Prevention of actions that are opposed to the Legislation
• Provision of a proper working environment and transparency with a comprehensive management understanding

The main legislation related to control environment is given below.

CE Table 1 Main Legislation on the Control Environment Standards

CONTROL ENVIRONMENT STANDARD / RELATED LEGISLATION

1 Ethical Values and Integrity
• Behaviour Principles and Application Principles Law No 5176 on the Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws
• Legislation on Ethical and Procedures of Civil Servants

2 Mission, organisational structure and Tasks
• Law No 3046
• Decree of Law No 217 on the Establishment and Duty Principles of State Personnel Presidency
• Strategic Planning Guideline for Public Administrations

3 Competence and Performance of Personnel
• Turkish Constitution
• Law No 657 on Civil Servants
• Law No 2802 on Judges and Public Prosecutors
• Law No 2914 on High Education Staff
• Law No 926 on Turkish Armed Forces Personnel
• Law No 3269 on Specialized Sergeants
• Law No 3466 on Specialized Gendarmerie
• Law No 4678 on Contracted Officers and Petty Officers to be Recruited into Turkish Armed Forces
• Regulation on Examinations for Those to be Appointed for Public Duties for the First Time
• Regulation on Appointment Conditions for Public Services of Disabled Persons and Competition Examinations to be Conducted
• Special Regulations Prepared by Administrations (expert, coordinator, inspector, etc.)
• General Regulation on Training of Candidate Civil Servants
• Registry Regulation for Civil Servants
• Regulation on Civil Servants to be Sent Abroad for Training Purposes
• General Regulation on the Principles of Promotion and Title Change in Public Administrations and Entities
• Regulation on Promotion and Title Change in Supreme Institutions and Agencies of High Education

4 Delegation of Authority
• Law No 3046
• Law No 2547 on High Education
• Law No 5393
• Organisational Laws
• Communiqué Serial No 1 on Authorising Officers

4 ETHICAL VALUES AND INTEGRITY

4.1 What is Ethics

Ethics is a body of moral principles which forms the basis for the behaviours of a person. In other words, ethics is the guidelines, values, principles and standards which help people determine 'how to do works'. Ethics is at the same time a process. In this process, while making and implementing decisions, actions are carried out upholding particular values.

The aim of observing ethical behaviour principles is to prevent corruption and uphold integrity in a state and community.

4.2 Current Legislation on Ethics

Law No 5176

The Law determines the establishment, duty and working principles and procedures for the Civil Servants Ethical Board, which determines and monitors the implementation of such ethical values that civil servants must observe as transparency, impartiality, accountability and observing public interests. However, the scope of the law is so narrow that it diverges from its original aim (provisions of the Law are not enforced on the President, Members of TGNA, Members of Council of Ministers, officials of Turkish Armed Forces and officials of jurisdiction).

Civil Servants Ethical Board is authorised and responsible for determination of ethical behaviour principles through the legislations it will prepare; conduction of the relevant ex-officio examinations and investigations, as well as conduction of examinations and investigations upon applications on ethical behaviour violations, and notification of the results to the relevant authorities; carrying out studies to settle ethical behaviours in a community; and supporting studies to be carried out in this field.

Within the framework of laws, the Board can be applied to with allegations of violation of ethical behaviour principles about the civil servants of at least director general or equivalent positions in a public administration and institution.

Applications to be made with allegations of violation of ethical principles about the other civil servants are evaluated by the concerned boards of the relevant administrations to see whether there is a condition that is opposed to ethical value principles or not. Results of the evaluations are communicated to the applicant and to whom it may concern.

The Board conducts its examinations and investigations regarding the applications referred to itself to see whether ethical value principles are violated or not. The Board has to conclude the examinations and investigations to be conducted upon the whistle blowing or complaint applications in three months at most. Results of the examinations and investigations are communicated to the relevant authorities and to the Prime Ministry in writing. (For further information please refer to the "Information and Communication" chapter.)

Legislation on Civil Servants Ethical Behaviour Principles and Application Procedures

Civil servants are liable to observe ethical behaviour principles while fulfilling their duties and sign the Ethical Contract document. Authorised appraisal managers in administrations and institutions assess the performance and employment records of personnel in terms of compliance to ethical values.

CE Figure 2 demonstrates ethical behaviour principles determined in the Legislation.

CE Figure 2 Ethical Behaviour Principles

[Diagram: ETHICAL BEHAVIOR PRINCIPLES at the centre, surrounded by the following principles]

• Granting declaration of property
• Relations with the previous civil servants
• Accountability requirement for managers
• Informing, transparency and participation
• Binding explanations and unreal declarations
• Being economic
• Utilisation of public properties and resources
• Prohibition of giving presents and drawing benefits
• Not abusing duties and authorities to draw benefits
• Avoiding conflict of interest
• Notification of authorised bodies
• Courtesy and respect
• Esteem and trust
• Integrity and impartiality
• Commitment to aims and mission
• Compliance with service standards
• Service awareness for public
• Public service awareness in fulfilment of duties

4.3 Main Ethical Behaviours that are Expected from Civil Servants

• Observing high ethical standards all the time and working to increase public belief in the state and civil servants for public benefit
• Behaving in compliance with the ethical values and principles when fulfilling duties, obtaining and using public resources and purchasing goods and services from outside
• Showing respect for colleagues and users of services, exhibiting impartial and fair behaviours
• Having a participatory decision-making process by taking the views of colleagues and users of the services into consideration
• Appreciation and announcement of good works colleagues do
• Not abusing public authorities and resources for personal benefits and not favouring relatives or friends in using public services
• Being careful about possible and real conflicts of interest
• Assuming responsibility for decisions and behaviours
• Filling in the property declaration forms in time, accurately and without any reserve
• Not working in a second job that is prohibited by the Legislation other than his public service
• Not establishing private relationships with the persons and firms that are in connection with the administration that the civil servant works in
• Warning other civil servants whose behaviours are not in compliance with the ethical principles and notifying authorities in case that warning turns out fruitless

4.4 Ethical Behaviours That are Expected from Public Managers

While fulfilling their duties, managers should:

• Inform all the civil servants of the overall aims, main objectives and values of the administration
• Create a positive working environment where behaviour expectations are clearly defined and violations, if any, are identified and corrected
• Assume all the responsibility for the activities of administration
• Take into consideration the merits, current behaviours and developmental potential of personnel while appointing for a position
• Behave in a fair, equal and impartial way towards all the personnel
• Solve the problems and conflicts in a quick and fair manner
• Be consistent, reliable, predictable, fair and objective in decisions and behaviours
• Set a personal example in terms of ethical principles and values
• Maintain the highest standards possible to be followed in the field of efficiency and effectiveness at work

4.5 Ethics Training

One of the most important prerequisites of establishing a culture in the administration that is based on ethical values and principles is ethics training. All the personnel of every level that are employed in public administrations and institutions need to be informed of the ethical behaviour principles and their responsibilities related to these principles.

Administration and institution managers are liable to include ethical behaviour principles in the basic, preparatory and in-house training programs that are implemented for civil servants.

5 MISSION, ORGANISATIONAL STRUCTURE AND DUTIES

Mission of an administration is the cause of existence of the administration and its place within the state structure. Organisational structure ensures that duties that are carried out to attain the objectives and aims of the administration are controlled and monitored. Duties that are carried out by the administration are led by the mission and organisational structure. These factors in question, which complete each other, form an important basis for the other components of internal control system.

5.1 Mission

Public administrations set out their missions, visions, aims, objectives and strategies in strategic plans. As the Strategic Planning Guideline for Public Administrations states, mission is the cause of existence of an administration. In this regard, mission covers all the services and activities an administration carries out. In other words, mission is the answer to such questions as what the public administration does, and how and for whom it does what it does. Mission should be sound, realistic and participatory to lead the administration, and should be developed according to the changing conditions and needs. It will also be proper to receive opinions from personnel and stakeholders in forming and updating the mission.

The following should be taken into consideration in mission declarations of administrations:

• The mission should be up-to-date, precise and clear.
• The mission should be determined in line with the established aims of administration, not the process of service provision.
• While determining the mission, tasks and authorities granted to the administration with legal regulations should be taken into consideration.
• In mission promotion, people and entities that the administration provides services for and the goods and services that the administration offers should be stated.

CE Box 3 Mission Example

"Carrying out research, training and publishing activities, developing and supporting projects for strengthening and increasing the problem-solving capacity of families and for identification and solution of the problems in cooperation with the institutions and organisations in the light of scientific and ethical values"

(General Directorate of Family and Social Research 2007-2011 Strategic Plan)

For the mission, which is very important for public administration, to be achieved, personnel should be informed enough about the mission of the administration they are affiliated to. Being informed about the mission and adopting it will guide the decisions and activities of the administration and help the personnel understand their duties within the administration. To this effect, the mission should firstly be set down in writing and announced to the personnel, and a system should be developed for the mission to be adopted by the personnel. On the other hand, job descriptions of the sub-units should be determined in writing in compliance with the mission, and compliance with the mission should be regularly reviewed.

5.2 Organisational Structure

Organisational structure of the administration is another important factor which influences the control environment. Organisational structure is the provision of a framework for the attainment of the aims and objectives of administration.

In order to establish a proper control environment, organisational structure should:

• Indicate the division of authorities and responsibilities within the organisation
• Include accountability mechanisms and the relevant reporting line which will ensure the functionality of these mechanisms
• Indicate the coordination and integration points

Organisational structures of administrations are generally determined by the organisational laws that are prepared in compliance with the framework that is set in Law No 3046, and duties of administrative units (main services, consultation/audit and support units) are shaped in these organisational laws. Duties of the sub-units of administrations, on the other hand, are determined in administrative regulations such as circulars and regulations, not in the organisational laws.

Furthermore, organisational structures of public administrations which fall under the scope of the local administration are determined by Law No 5393 on Municipalities, Law No 5216 on Metropolitan Municipalities, Law No 5302 on Special Provincial Administration and Law No 5355 on Local Administration Unions.

Mission of the administration is achieved by the activities carried out by the units of the administration and their sub-units and the units of the local administration. Within this framework, duties of both the units and sub-units should be in compliance with the mission of the administration.

Relevant changes regarding the organisational structure, units and sub-units of the administration and duties that are carried out by these units and sub-units can be made by amending the organisational law or revising administrative regulations according to the circumstances, within the framework of the reviewing activities in question.

5.3 Job Descriptions

As stated in Public Internal Control Standards, written definition of duties to be carried out by units and sub-units of administrations, and formation of a task distribution chart covering duties of the personnel in the administrative units and their relevant authorities and responsibilities, assume importance for the mission of the administration to be accomplished. Within this framework, the preparation stage of job descriptions is demonstrated below.

Public administrations can prepare their job descriptions by following the process given below.

CE Figure 3 Preparation Process of Job Descriptions

MAKING JOB ANALYSIS

Job analysis is a process in which information regarding the quality of every job carried out in the administration and the working environment the job will be carried out in, as well as working conditions, is collected, and the collected information is systematically examined and assessed. While making job analysis, the following should be followed:

• Determination of jobs to be analysed, taking into consideration the organisational structure of the administration
• Determination of the objective
• Formation of the team to make the analysis (it is essential that the team members to make the analysis should be selected from inside the administration. However, it is possible to receive counselling from outside when necessary)

KEY QUESTIONS IN JOB ANALYSIS

• What are the requirements of the job? (In terms of knowledge, experience and competence)
• How is the job done?
• When is the job done?
• Where is the job done?
• Why is the job done?
• What are the assistive tools for the job? (Equipment)
• What kinds of outputs are obtained?

Job analysis does not have a value on its own. It is only valuable when it contributes to attaining the objectives of administration. Therefore, analysing should start by understanding the philosophy, mission and objectives of the administration and the role and importance of every unit within the administration, and should continue in this direction.

The findings gathered from the job analysis should be submitted in a systematic and consistent way, and the job descriptions that are formed according to these findings should be submitted to the top management for the job description whose final draft has been completed.

At minimum, job descriptions should include the following:

• Unit & Sub Unit
• Name of the job (Name of the position)
• Title that the job has
• Level of competence (areas of responsibility, information, problem solving)
• Basic duties and responsibilities
• Authorities
• Required skills and abilities for the job
• Its relation with the other jobs
• Approval section and section regarding communiqué to personnel

ANNOUNCING JOB DESCRIPTIONS TO THE PERSONNEL

Job descriptions should be announced to the personnel for them to learn what they need to do, under which rules they work and what their objectives are.

UPDATING JOB DESCRIPTIONS

Job descriptions should be reviewed and updated annually.

State Personnel Presidency determined standard job descriptions for some titles (chief programmer, warehouse official, statistician, personnel titled as inspector in the municipalities, etc.). In this process, it is possible that public administrations receive guidance from State Personnel Presidency.

5.3.1 Sensitive Duties

Some of the duties that are carried out in public administration assume more importance because of their nature than the other duties do, in terms of esteem of administration, risk of corruption, disclosure of secret information, etc. Therefore, integrity of the personnel who carry out the duty in question is attached more importance.

It would be convenient to assess at least the following while deciding whether a duty is sensitive or not:

• Capacity to make important decisions that can impact the administration's objectives
• Its relations with the third parties and administrations outside the administration which can impact decisions
• Regular accession to confidential information
• Whether financial transactions of high value are involved
• The duty requiring special expertise at high levels
• Other criteria that can be introduced by administrations

According to the criteria in question, the administration should determine sensitive duties, develop control mechanisms to mitigate the risks identified and review the changes to occur at the level of the risk.

The following table demonstrates the fields of activity which can be sensitive for administrations and gives examples regarding these fields.

CE Table 2 Examples of Sensitive Duties

Areas of Management / Examples for Sensitive Duties

Financial management
• Accounting
• Managing payments
• Analysing the financial reports

Commitment process
• Membership for the Tender Commission
• Contracting process
• Process of examining and accepting
• Publishing tender documents

Human resources management
• Definition of positions
• Job description
• Recruitment process
• Assessment
• Implementation of salary system

Information management systems
• Accession to the system and controls
• Security of the systems and key documents
• Developing the system

Support Services
• Controlling valuable stocks

5.3.2 Monitoring the Results of Duties

Administrations should continuously assess sensitive duties and decide what steps to take in accordance with the changes in the level of the risks (such as renewing controls, identifying new sensitive duties, re-evaluating sensitive duties' risk levels by taking into consideration the cost-effectiveness).

Managers carry out the activities of administrations through written or spoken instructions. However, it may be difficult for the management to monitor the results of duties due to such reasons as the structures of units, organisational complexity, scattered organisations, the number of the personnel being high and duties being varied. Managers should develop such methods as introducing reporting mechanisms and holding regular meetings to overcome this difficulty.

6 COMPETENCE AND PERFORMANCE OF PERSONNEL

Good management of human resources aims to ensure the efficiency, effectiveness and productivity of personnel.

CE Box 4 Humans First

With the principle 'good people make good organisations', we can say the quality of the employees of an administration is the quality of the outputs of that administration. First of all, it must be kept in mind that employees are humans and a balance must be established between the needs of administration and employees. It is important for personal motivation that assignments be conducted in line with merits and careers of employees in every stage from recruitment to retirement. The only capital an administration has which cannot be materially measured is human.

The basic aim is the selection of proper personnel for the fulfilment of the mission of administration, appraisal of personnel, career planning for those who are successful, and ensuring they have the basic skills and adequate knowledge with a high sense of responsibility and identity.

6.1 Transition to Human Resources Management from Personnel Management

As it assumes the responsibility for identifying policies, objectives and standards in human resources management (HRM), top management plays a significant role in HRM. Besides, top management should create a transparent and accountable environment complying with laws and legislation.

The expertise that human resources managers have in this area should lead the other unit managers to apply human resources standards at every level of the administration. Furthermore, HRM is a responsibility for all levels of management, starting from top management. In line with the policies in question, the unit managers, when they carry out in an effective way the tasks given to them by the senior managers, should also assume such duties as orientation and training of the new personnel, improvement of their work performance, developing a proper work environment and relations in which they will work in cooperation, boosting the morale and motivation of personnel, safeguarding the health of personnel and improving the working conditions of the personnel.

6.2 Activity Areas in Human Resources Management

The basic functions of HRM can be listed as follows:

• Conduction of job analyses
• Job descriptions
• Job requirements
• Labour force assessment
• Staff analysis
• Cost-benefit analysis
• Limitations of various legal regulations (Budget Law, Decree of Law on General Cadre Procedure, etc.)
• Recruitment process
• SWOT analysis (of the recruitment process)
• Announcements on newspapers, internet and administration's billboards
• Developing easy application methods which meet the needs, are fair and do not lead to discrimination
• Examination process being open, which will give confidence
• Merit and career evaluation system
• Promotion/Achievement criteria
• Personnel performance indicators
• Appraisal system
• Rewarding mechanisms
• Training Activities
• Training needs questionnaire
• Training programs (theoretical and practical)
• Abroad trainings and internships
• Post-training assessments
• Participation in such activities as conferences and workshops which support personal development
• Poor performance management and disciplinary practices
• Determining the data on which decisions about non-appropriateness for duty will be based and announcing this to all the personnel
• Clearly determining the criteria to terminate duties and announcing these criteria to the personnel

7 DELEGATION of AUTHORITY

Authority refers to the power of administrative bodies to make administrative decisions and to conduct administrative transactions.

Responsibility can be defined as a body of rules and sanctions that those who assume roles in administrative activities are subject to.

Delegation of authority is the transfer of authority and responsibility to make decisions to another body within the framework of the applicable legislation. Delegation of authority does not remove the managerial responsibility of the delegator.

Rigid and traditional administrative structures in which all the authorities, as well as transferring and execution functions, gather in a single centre are not preferred. In such administrations, the motivation of employees and lower-level managers to own the administration and produce services in line with the objectives of the administration will decrease. On the other hand, administrations in which managers delegate all their authorities to lower levels with insufficient capacity and do not monitor the results are not desirable either.

Delegation of authority forms a step for transition from an authoritarian management understanding to a transparent and accountable management understanding. In modern administrative structures, a proper control environment is created, employees are assigned responsibilities and authorities at the level of their duties, and employees together with the lower-level managers are included in the decision-making mechanisms. In such administrations working motivation will increase; therefore effectiveness and efficiency indicators will go up with the attainment of the aims and objectives.

In relation to delegation of authority, authorities to be delegated and their limits are defined by regulations on various laws. The main regulations in this regard are as follows:

• Law No 3046 on Ministries
• Law No 5442 on Provincial Administration
• Law No 2547 on High Education
• Law No 5393 on Municipalities
• Law No 5018 on General Management
• Organisational Laws of Administrations

7.1 Determination of Delegation of Authority

Delegation of authority should be carried out according to the hierarchical structure of the organisation. With a top-down approach, authorities to be delegated from Minister to undersecretary (authorities to be delegated to Head of Administration), to his deputies and to heads of units, from head of unit to head of department, and from head of department to director of branch should be determined in writing and consulted with whom it may concern.

7.2 Delegation of Authority and Work Flow Process

Work flow processes of administrations should be determined, and the officials to take part in the processes and their authorities and responsibilities should be set out. The processes which are determined should be analysed, and who is to be assigned which authority in the processes should be determined.

What is expected in the delegation of authority is that the official who is to be delegated the authority should be well-informed of the process and have the quality and experience to manage the process. Employees that are delegated authority are expected to report the current situation of the process to the delegator, and the delegators are expected to seek this report.

7.3 Delegation of Authority and Responsibility

We can handle responsibilities in three different categories:

Managerial responsibility

It refers to the responsibility to the senior level in hierarchical terms. Besides, it is defined as performance responsibility. Delegation of authority will not remove the managerial responsibility of the delegator.

Financial (Compensation) Responsibility

It is the financial responsibility for public and/or personal loss caused by using the authority delegated. Financial responsibility to arise from the usage of this authority will belong to the user of the authority.

Legal (punitive) Responsibility

Legal responsibility covers managerial and financial responsibility. Legal responsibilities are defined in the Constitution, organisational laws, Turkish Penal Code and special legislations. It is a must that all the employees and political authorities working in the public administration behave with legal responsibility while carrying out their duties.

7.4 Factors of Delegation of Authority

Those authorities that can be delegated and those that cannot be delegated should be determined, with their limits, at senior management level and announced. The basic factors to be taken into consideration in delegation of authority are as follows:

Delegation of authority must be in writing.

Legally, there are authorities which cannot be delegated, and these are not at the administration's discretion (for example, the authority to give disciplinary punishment or the authority of administrative tutelage etc.).

Limits of the authority to be delegated must be set out.

As long as the delegation of authority continues, the delegator will not be able to use that authority.

The official delegating/delegated authority leaving the job will terminate the authority.

7.5 Delegation of Authority and Communication

Employees taking over the authority should periodically report the current situation of the process to the delegator, and the delegator should seek this report, which will provide feedback to the Head of Administration regarding the process. This is an example of the monitoring function.

8 INTERNAL CONTROL AND RISK STEERING BOARD

8.1 Roles and Members of the Board

The Board has a consultation role which will provide additional value for the activities of the administration in the development of methods and processes regarding the internal control system, such as monitoring internal control practices, preparation of action plans and implementation of the current plans.

The Board is formed by the approval of the Head of Administration for commencement of studies on the internal control system within the framework of the Action Plan Manual on Harmonisation with Public Internal Control Standards. The Board consists of authorising officers (or their deputies) under the chairmanship of the deputy Head of Administration; when the deputy Head of Administration is not available, an authorising officer to be assigned by the Head of Administration will take over as chairman. All or some of the authorising officers are selected for the ICRSB, and how many to select should be determined with a view to providing efficiency in line with the organisational structure. When deemed necessary, the Head of Administration can invite those authorising officers who are not members of the Board to meetings of the Board to get their opinions, provided that they are not included in the decision-making. Secretarial services of the Board are provided by strategy development units.

The Board convenes periodically. Experts from inside and outside the administration can be invited to the Board if deemed necessary in order to contribute to the objectives and aims. The Board is free, within the framework of the duties and responsibilities given to it, to determine the dates and content of meetings, and notifies the relevant persons of the relevant arrangements in advance.

Decisions are made based on majority voting. Each member, including the Chairman of the Board, has only one voting right. However, when the votes of both sides are equal, the majority is considered to be the side that the chairman takes. Those members who do not side with a decision state their justifications for not siding with it in writing. The deputy senior manager, authorising officers or the deputies they assign should have a single equivalent voting right in the meetings; however, the other representatives and experts whose opinions are received should not have a voting right. The Head of Administration, on the other hand, should be able to participate in the Board meetings without having a voting right and should encourage the participation of authorising officers for strengthening the internal control system. For meetings in which the Head of Administration does not participate, a briefing should be made through the reporting system.

Details about how the Board works should be specified in the relevant legislation.

The Board regularly monitors internal communication activities and processes, revises them when deemed necessary, and determines new communication methods to fit the changing organisational structure.

CE Figure 4 Information Flow in Internal Control and Risk Steering Board

8.2 The Board's Scope of Duty

The Board works to support the accountability of senior management in the fields of management, internal control and especially risk, and is authorised to carry out the following with the approval of the senior manager. Within this framework, its duties in the field of risk can be listed as follows:

It prepares the Risk Strategy and Policy Document (RSPD) or reviews the available RSPD and submits it for the approval of the senior manager.

It determines policies for the establishment of the risk management culture in the administration.

It determines the risks of spending units to be managed in partnership and the related policies and procedures, and communicates them to the unit's risk coordinator for coordination purposes.

It determines the risks to be managed in partnership with the other administrations and communicates them to the relevant administrative risk coordinator to ensure that necessary precautions are taken for management in partnership with the relevant administrations.

The Board periodically assembles to assess whether the risk management process functions well and the level achieved regarding risks, and reports the level achieved to the senior manager.

The Board fulfils the following duties other than risk management:

Assessing internal audit reports and providing guidance for implementation of recommendations and ideas regarding the internal control environment and the other components, in line with the requirements of the administration.

Monitoring the activities of the administration carried out within the framework of strategic plans and policies of the administration by means of periodical meetings.

Making decisions on dissemination of good practice examples both inside and outside the administration as a result of monitoring activities that are carried out.

[CE Figure 4 diagram labels: Deputy Head of Administration; Internal Control and Risk Steering Board; Strategy Development Unit; Authorising Officer of (A) Spending Unit, (B) Spending Unit and (C) Spending Unit]

RISK MANAGEMENT

1 Introduction

Administrations utilise the resources allocated to them in order to reach the objectives set out. Activities, processes and projects which are carried out for utilisation of these resources bring along risks. Risk management is a good tool for administrations to achieve the aims they set out in accordance with their missions and visions. Box RM1 describes Risk.

RM Box 1 Definition of Risk

Risk is the uncertainty of events that may emerge in the future (if positive, it is an opportunity; if negative, it is a threat). For the administrations, this means that aims, and the objectives they set out to achieve these aims, can be affected positively or negatively by internal or external factors.

Risk management covers risk assessment, determination of effective control activities, monitoring and continuous improvement of these processes. Risk management must be practised corporately for consistency purposes, which brings us to the concept of Corporate Risk Management. Corporate risk management covers the entire administration and ensures that risk management processes are considered and handled as a whole.

2 Risk Management standards

Administrations, while implementing risk management, take into account the following standards:

RM Box 2 Risk Management Standards

Standard 5: Planning and Programming

The administrations shall establish and announce their activities, goals, objectives and indicators, as well as the plans and programs including the resources which are required for the realization of the above listed elements. They shall also ensure that the activities are in compliance with plans and programs.

Standard 6: Determination and assessment of risks

The administrations shall define and assess the internal and external risks that could prevent the achievement of goals and objectives by performing a systematic analysis, and determine the measures to be taken.

[Diagram labels: Control Environment; Risk Management; Control Activities; Info & Communication; Monitoring]

3 Benefits of Risk Management for Administrations

The following are the important benefits of a properly applied risk management in corporate terms:

Helps improve performance of administrations and assists administrations in attaining their aims and objectives.

Helps provide the continuity of services the administration provides and improve the quality of activities the administration carries out.

Ensures cost-benefit balance between the risks identified and the controls applied and therefore increases the efficiency in resource allocation.

Helps control the impacts of potential losses and decrease the costs of such losses.

Ensures compliance with the legislation and regulations.

Helps strengthen decision making mechanisms by supporting evidence and risk-based decision making.

Enhances accountability by supporting the clear definition of tasks, roles and responsibilities within the administration.

Helps the administration have a more positive image in the eyes of public opinion.

4 Critical Achievement Factors for an Effective Risk Management

For administrations to obtain the expected benefits from risk management, the following are required:

Ownership of the risk management process and determination of a risk strategy encouraging its implementation in accordance with the mission and vision.

Establishment of necessary mechanisms to have a single risk management language.

Provision of sufficient information, guidance and advice regarding risk management.

Simplicity, flexibility and practicality of risk management processes, and integrated planning and implementation with the other basic processes (strategic planning, performance management, human resources management etc.).

Supporting the assessments regarding risks with reliable evidence at all times.

Systematic monitoring, reporting and evaluation of risk management processes.

Increasing awareness within the administration that everyone has an important role to play in risk management and that risk management should be fulfilled as an integral part of the existing processes.

Having an organisational communication strategy and proper and functional communication channels inside and outside the administration.

5 Risk Strategy and Policy Paper

Risk Strategy is the organisational approach defined for risk management and top level policies, whereas the Risk Strategy and Policy Paper (RSPP) is the document in which this approach and policies are set down in writing. Risk strategy sets out the administration's attitudes towards risks and forms a framework for the risk management process. The RSPP of an administration is prepared by the Internal Control and Risk Steering Board (ICRSB) for the endorsement of the head of administration and should be available to and known by all staff.

The organisational risk strategy should clearly set out the structures regarding the management and ownership of risks; how to address risks at strategic level and at program and activity levels; the structures regarding communication, monitoring, assessment and getting assurance; the criteria for key risks; the risk register format; and risk measurement criteria. Attention must be paid that the risk policies of the organisation comply with national level policy papers.

The risk strategy must be set out to reflect the risk appetite of the administration at strategic level. As risk appetite can change in time based on various conditions (for example, risk appetite may be low in periods of financial crisis), the risk strategy of the administration should be reviewed at least once a year and updated when deemed necessary. Box RM3 gives a basic explanation of Risk Appetite.

RM Box 3 Risk Appetite

Risk appetite is the amount of risk an administration is ready to take at any time (tolerate/be exposed to) in accordance with its mission, vision and objectives. Risk appetite should be taken into consideration while preparing strategic plans.

Risk appetite is affected by the internal and external environment, people, business systems and policies. Within this framework, risk appetite should be set out with top-down guidance.

It is possible for the administration to set different appetite levels as long as the administration does not exceed its overall risk appetite limits.

Both taking too many risks and taking too few risks may lead to failure. Although low risk appetite is considered to be a reliable management method, it may constrain the administration in terms of creativity, innovation and taking advantage of opportunities.

Another prerequisite in risk management is the existence of a common risk language. Producing this common language requires a joint terminology and mechanisms to disseminate it. Otherwise, it is not possible to build a strong common understanding to manage risks.

Corporate risk management requires a contribution from all employees. Ownership of the risk management process by the staff (identifying, addressing, responding, reviewing and monitoring the risks) and considering it as a part of their jobs can increase the effectiveness of corporate risk management.

In order for risk management to contribute to the achievement of objectives, to improve management quality and also to reduce costs, it should be embedded in the activities. Embedding risk management in the processes means that activities are carried out as a whole, including risk management.

Box RM4 gives details of the content of the Risk Strategy and Policy Paper.

RM Box 4 Risk Strategy and Policy Paper

RSPP should include at least the following:

Aim of risk management

Risk appetite

Compliance with the legislation and binding policy papers

Risk methodology to be adopted

How to determine key risks (criteria)

Organisational structure and duties

Roles and contributions of the employees

Communication Plan

6 TASKS, AUTHORITIES AND RESPONSIBILITIES

Good risk management is only possible if the administration is well organised. Clear definition of tasks, roles and responsibilities; awareness of staff on the expectations of them within the framework of policies and practices of the administration; and the existence of horizontal and vertical communication mechanisms and of mechanisms for communication outside the administration are the requirements for a good control environment. The assignment of tasks, roles and responsibilities to appropriate, competent and authorised people in risk management will provide a strong infrastructure for risk management in the administration. While it is necessary to define roles and responsibilities, all staff are responsible for risk management. Diagram RM1 explains the structure of roles and responsibilities in risk management.

RM Figure 1 Tasks and Responsibilities in Risk Management

6.1 Head of Administration

This person is defined within the framework of Law no. 5018 on Public Financial Management and Control and is authorised and responsible for risk management at the highest level.

Regarding risk management, the Head of Administration:

Ensures the establishment of the strategy regarding the management of risks in accordance with the aims and objectives of his administration at the outset of each year, approves the Risk Strategy and Policy Paper (RSPP) which demonstrates how the strategy will be implemented, and notifies all staff of this in writing.

In the RSPP, he clearly defines all the tasks, roles and responsibilities and the necessary structures (for example, the ICRSB) within the scope of this manual for risk management.

Provides the Administrative Risk Co-ordinator (ARC) with necessary support regarding the risks to be jointly managed with other administrations.

Ensures that the proper mechanisms are established to provide for the necessary sensitivity and participation regarding the management of risks for the public opinion and the stakeholders.

Sets out the strategic actions for the future in accordance with the considerations and recommendations by the ICRSB and the ARC.

Receives assurance on risk management from the ICRSB and presents an assurance declaration to the Minister on whether the risks are managed effectively.

He encourages the consistency of risk management processes.

He reviews monitoring of reports and encourages the effectiveness of risk management.

He sets an example in terms of his behaviours, particularly in strategic risk management.

He encourages the employees for identification of risks.

He should show leadership in risk management.

6.2 Internal Control and Risk Steering Board (ICRSB)

The Board develops policies for the improvement of risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the units of the policies and procedures. On the advice of the ARC, the ICRSB determines a particular number of risks which it deems significant as the key risks among the risks that are submitted to it, and reports whether these key risks are managed well or not to the Head of Administration in regular periods or whenever it deems necessary.

Secretarial services of the Board are carried out by the Administrative Risk Coordinator (Head of SDU). Whenever necessary, people with the relevant expertise from within or outside the administration can be invited to the meetings. The ICRSB has the authority to enforce the elements it determined regarding the following duties with the approval of the Head of Administration.

Regarding risk management, the ICRSB carries out the following:

Preparing the Risk Strategy and Policy Paper (RSPP) of the administration, or annually reviewing the already available RSPP, and submitting it to the Head of Administration for approval.

Defining policies for establishment of a risk management culture.

Ensuring that risks are consistently managed in the administration.

Determining critically strategic risks of the administration.

Determining the risks of spending units which require a joint management and related procedures and policies, and submitting them to the URC for coordination purposes.

Setting out the risks that require joint management with other administrations and ensuring that necessary measures are taken for the joint management by notifying the ARC.

Meeting at least quarterly in order to consider whether the risk management processes in the administration work effectively and to assess the current status of risks, and reporting it to the Head of Administration.

Ensuring that good practice cases are determined and spread more widely.

6.3 Administrative Risk Coordinator

It is advisable that the Head of the SDU takes the role of Administrative Risk Co-ordinator. The ARC is a member of the ICRSB and is responsible to the Head of Administration for consistency of risk management processes of the administration and their compliance with the standards.

Regarding risk management, the ARC:

Is responsible for the efficient operation and coordination of all risk processes in all units.

Calls the relevant Unit Risk Coordinators (URC) for a meeting at least once in three months.

Prepares the Consolidated Risk Report (using the report form in this manual) on the basis of the reports submitted by the URCs and submits this Consolidated Risk Report to the top management and the ICRSB on a quarterly basis. The report should include the ARC's personal considerations on the key risks.

Carries out secretarial services of the ICRSB and such tasks as setting out meeting agendas for the Board, keeping minutes of meetings and submitting decisions of the Board to the Head of Administration for approval.

Discusses the issues on common risk fields with the ARCs of other administrations and coordinates these within the administration.

Provides technical support to the units on risk management of the administration.

Identifies the needs of units regarding risk management and reports them to the ICRSB and the Head of Administration before each meeting.

Sends feedback to URCs regarding opinions, advice and decisions of the ICRSB and takes necessary precautions for the consistency of risk management processes of the administration.

6.4 Unit Risk Coordinator

The Unit Risk Coordinator (URC) is the authorising officer or the person who is determined by the authorising officer. Regarding risk management, the URC:

Coordinates the identification of the unit's risks that may have an impact on the objectives of the administration and provides relevant guidance at the beginning of the year. The URC associates risks that are determined with the activities of the sub-units using their knowledge and expertise, and pays attention to ensure that all important issues are addressed. Important risks included in the risk register are submitted to the ARC to be presented to the ICRSB for consideration.

Reviews the risk registers and relevant reports that are annually prepared at periods (such as monthly, quarterly, semi-annually) to be set out by the administration, and reports them to the ARC.

Monitors the risks managed and reported by the Sub-Unit Risk Coordinators (SURCs) at unit level. Evaluates the changes to the risks or the arising risks, if any, and reports them to the ARC upon approval from the unit director.

Submits an assurance declaration to the ICRSB on whether the risks are managed effectively.

Provides feedback to SURCs regarding opinions, advice and decisions of the ARC and ICRSB.

Determines training needs regarding risk management.

6.5 Sub-Unit Risk Coordinator

The SURC is responsible for the coordination of risk management activities within sub-units of the units in administrations (if such units exist or it is seen to be appropriate to manage the risks at this level) and is the person to be determined by the authorising officer. He/she is directly accountable to the URC regarding risk management. Sub-unit risk coordinators must be selected from among those who have sufficient competence and experience.

Regarding risk management, the SURC:

Coordinates the tasks of identifying, assessing, addressing, reviewing and reporting the sub-unit's risks that are associated with the objectives of the administration.

Reports, in line with the risk strategy of the administration, the recently identified risks that are related to the activities of the sub-unit, those risks with changing scores and the effectiveness of controls carried out to decrease these risks to the Unit Risk Coordinator (URC) at periods determined by the URC.

Is accountable to the URC and furthermore responsible for providing the Administrative Risk Coordinator (ARC) with requested information and documents.

6.6 Employees

The most important factor for risk management to be successful is the ownership of risk management by employees. Therefore, every employee is responsible for managing risks in their field of duty (identifying, assessing, responding to, reviewing and reporting risks).

Regarding risk management, employees:

Contribute to the risk management processes in their respective units by defining, communicating and responding to the expected, emerging and changing risks.

Manage the risks within their own fields of responsibility through the power and responsibility assigned to them by the administration.

Provide evidence to the SURC/URC regarding the effectiveness of the management of risks in their respective fields.

Employees should not hesitate to identify risks and submit them to the relevant risk coordinator. It is important to bear in mind that just one loose screw could cause a plane crash.

6.7 Internal Auditor

The Internal Auditor provides the Head of Administration with advice regarding risk management by making evaluations on whether the risk management process is effective and risks are managed in the right way or not. Internal Audit can also provide advice on whether any key risks have been overlooked or inappropriately controlled.

6.8 Strategy Development Unit

The Strategy Development Unit (SDU) is responsible for providing training, identifying training needs and facilitating delivery of necessary training. They are also responsible for identifying best practice in risk management, encouraging such practice to be shared and providing guidance where necessary.

6.9 Central Harmonisation Unit

The Central Harmonisation Unit (CHU) carries out such activities as making regulations on internal control, including risk management, and activities for the development of risk management. The CHU also provides guidance, ensures harmonisation and inter-administrational coordination, and reports on the effectiveness of risk management.

7 RISK MANAGEMENT PROCESS

Basically, the risk management process should start simultaneously¹ with strategic planning studies. In cases when strategic plans should be renewed or amended, studies concerning risks should be carried out with current amendments in mind. Within the framework of risks identified in light of strategic objectives, the attitude of an administration towards risk management is set out in the Risk Strategy and Policy Paper, with information on risk appetite included. Within this framework, administrations identify risks at strategic, program/project and operational (activity) level. In identifying risks, an administration can start with strategic level (top-down) or activity level (bottom-up), or it can start the risk management process by implementing both methods together.

Figure RM2 shows the Risk Management process.

¹ If strategic plans are already prepared, the risk management process should then begin as soon as possible.

RM Figure 2 Risk Management process

[Figure labels: Risk Management Process; Risk Management strategy; Identification of risks; Assessment of risks; Monitoring and reviewing risks; Responding to risks]

The administration should manage the risks at strategic, programme and operational level as shown in Figure RM3.

RM Figure 3 Hierarchy of Risk

Administration level: This is the area which covers the whole administration, where decisions related to strategic objectives are made and for which senior management of the administration is responsible. Strategic objectives are medium and long term objectives and are associated with senior level policy documents. Therefore, while making decisions for the future, decision-makers (top management) have to take into consideration a lot of uncertainties. This is the area where risks have the highest impact. Besides, this is the area which is affected most by external risks such as governmental policies, the general economy and technological developments. This area assumes specific importance, as those risks which are not managed well at strategic level affect the other levels as well.

Unit level: This refers to units where policies of senior management are implemented and which are responsible at the highest level for the usage of public resources within the administration. Impacts of such risks last for a shorter period of time compared to those of the strategic risks. This is the area where units should identify their objectives and manage related risks for the administration to achieve its strategic objectives. This is the area which is affected by risks both from inside and outside the administration. For risks from upper and lower levels to be assessed and coordinated, it is vital that this level be managed well. Besides, there should be strong communication in this area.

Sub-Unit level: In this area there are only those works which are carried out at operational level with a view to achieving the unit's objectives. Daily activities of all employees fall within the scope of this area. This is the area where short-term decisions are made, products and services are produced and fewer uncertainties are experienced. This area is affected more by internal risks than external risks. Risks not being managed well at this level may affect the achievement of strategic objectives.

7.1 Identifying Risks

The risk identification process, which is the first stage of risk management, is the process of identifying, categorising and updating the risks that prevent or limit the achievement of the administration's strategic objectives, using previously defined methods. The following box suggests some questions to be considered when starting to identify risks.

RM Box 5 Questions to be considered when starting to identify risks

What are the main objectives?

What are the key activities?

Who are the stakeholders?

The following should be considered while identifying risks:

As a generally accepted rule, strategic risks that can affect the administration are determined at the stage of strategic plan preparation, and risks identified are included in the strategic plan.

Risks should also be identified at programme and operational level. Programme and operational risks should include all the strategic risks. However, when identifying the programme and operational risks, we should not limit our scope to strategic risks but have a wider spectrum.

When identifying risks, the administration can determine a top-down or bottom-up method, preferably used at the same time.

Risks identified should be associated with objectives of the administration. It must be taken into consideration that some risks can indirectly affect the objectives, such as those which damage the reputation of the administration.

Risks should be identified systematically with previously determined methods. These methods can vary according to the characteristics of the administration and its activities. In this process, the administration can either use one or more of the methods defined below or develop a new method in line with its own needs.

Risks identified should be expressed as 'x' risk or risk that 'x may emerge'. It will be convenient to register them this way in the risk register (see Annex 3 for the risk register form).

Assess whether risks identified are internal or external risks.

o Internal risks are the risks stemming from the events directly controlled by the administration itself. Internal risks can be grouped into three: strategic risks, program risks and activity risks.

o External risks, on the other hand, are the uncertainties arising due to events that are out of the control of the administration and which hamper or prevent the achievement of objectives. While identifying external risks, it will be useful to classify them by their subjects (generally PESTLE analysis is used; see Box RM7).

After risks are identified, their owner or the person to be responsible for them must be defined, and this information must be included in the risk register.

Since risk identification is a dynamic process, emerging risks should be identified and changes to the existing risks should be consistently followed up.

RM Box 6 Factors and methods to be taken into consideration during the process of identifying risk

How do I identify risks?

Firstly, decide how to identify the risks, namely at strategic level, operational level or both.

Identify and categorise the risks (social, cultural, political, scientific etc.), taking into consideration the threats, opportunities and the scope.

Decide on the required human resources, tools and methods.

Mostly the following methods are used to identify risks. However, administrations can determine different methods other than these methods in light of their needs.

o PESTLE analysis (see Box RM7)

o SWOT analysis (see Box RM7)

o Brainstorming (this method can be used both for identification and assessment; see Annex 1)

Group risks as internal and external ones.

Make a stakeholder analysis (identify the risk tolerance, position and attitude of the stakeholders).

Repeat the identification regularly and in periods of change.

The following box explains the PESTLE and SWOT analysis.

PESTLE Analysis

PESTLE analysis is the identification of risks by making assessments based on the following categories:

Political

Economic

Social

Technological

Legal

Environmental

Example

o Political: change of governmental priorities

o Economic: inflation rate going above the expected levels

o Social: population growth rate going much above the expected levels

o Technological: information process infrastructure not being set up

o Legal: cases in courts turning against the administration

o Environmental: an earthquake strike

SWOT Analysis (In-house analysis)

Strengths

Weaknesses

Opportunities

Threats

Example

Strengths: Specialised personnel

Weaknesses: Old technology

Opportunities: Economic growth

Threats: Sudden policy change

For detailed information, refer to Strategic Planning Guideline for Public Administrations, SPO, June 2009.

RM Box 7 PESTLE and SWOT analysis


What could go wrong in the achievement of objectives?

What are the critical achievement factors?

Who are our stakeholders and what can their negative or positive impact be on our activities?

What are our risk categories? Tables, diagrams etc.

What are our weaknesses?

Which assets assume more critical importance?

What areas are open to irregularities and fraud?

Which events or situations can hamper our activities?

What are our most critical sources of information?

In which areas do we spend most?

Which activities or processes are more complicated?

In which areas are we subject to penal sanctions?

What are the legal requirements?

What are the resource limitations?

The following two boxes give some tips for the process of risk identification and some questions to

ask

RM Box 8 Tips for Risk Identification

RM Box 9 Questions to ask in the process of risk identification

What are the Tips?

Whether there is available information regarding the risks, and how accurate it is, if any, should be taken into consideration.

A working group including different fields of expertise would increase the likelihood of identifying new risks.

Using the brainstorming method yields effective results (see Annex 1).

Having open communication lines and being farsighted are the key points.

7.2 Risk Assessment

Risk assessment refers to analysing the factors that may have an impact on the achievement of the administration's objectives and evaluating the seriousness of the risk in terms of impact and probability. While assessing risks, in addition to the potential events the administration can face, aspects which are specific to the administration (for example size of the administration, complexity of activities, legislation it is subject to in relation to its activities, its political priorities, public interest) should be considered.

After risks are identified comes the stage where the risks are measured and prioritised. Prioritisation is listing down the risks in accordance with their priority, in line with the scores they are given. Risk assessment helps decide whether to respond to identified risks and, if so, select the best response with regards to the cost/benefit balance.

The following box gives some questions to be considered before starting the risk assessment process.

RM Box 10 Questions to be considered before starting the risk assessment process

Three important principles in risk assessment are:

1. Identifying the impact and probability of each risk. In assessment, probability and impact are analysed. Probability refers to the chance of an event occurring in a particular period. Impact, on the other hand, is the outcome or the effect produced.

Three categories are used while assessing risks: low risk level (shown in green), medium risk level (shown in yellow) and high risk level (shown in red). These colours, as in traffic lights, facilitate understanding the degree of importance of the risks. These are shown in the following diagram.

Probability and impact of the risks can also be shown using numbers. In the following diagram, point 1 indicates that there is almost no probability for that risk to occur, while point 10 means that it is almost certain that it is going to occur. In terms of impact, point 1 is used where the outcome of the realisation of a risk has little importance, whereas point 10 means that this outcome is highly important. Risks are scored between 1 and 10 for their probability and impact (see Annex 5). In assessing impacts and probabilities of risks, one of the methods to be used is the voting method (see Annex 2).

Risk maps are made use of to see the severity of the risks better. A basic demonstration of risks on the risk map is given in the following diagram.

What are the objectives?

What are the present controls?

What are the possible results if the risk occurs?

Do activities of some other administrations/units affect my risk?

Who are the stakeholders and what is their level of experience and expertise?

RM Figure 3 Risk map

2. Assessing the risks on the basis of inherent risks and residual risks

Inherent risk refers to the amount of risk before it is managed or any action is taken. These inherent risks are transferred to the risk register (see Annex 3 for the Risk Register form) after assessing their probability and impact. In assessment, as has been suggested above, the probability and the impact of the risk are scored between 1 and 10. Multiplication of the scores of probability and impact indicates the risk score.

The administration at this stage must decide on the risk appetite. It must also be set out which risks, placed between which numbers, are low, medium or high risks in accordance with the designated risk strategy of the administration, and the risk map of the administration must be produced in this framework (see Box RM3 Risk Map).

After the risk score has been set, risks are prioritised starting from the one with the highest score. Responses to be given to risks are determined. Controls are identified and applied considering the methods of responding to risks.

The management must identify the level of the remaining risk after the control activities it carries out to manage the risk. Residual risk refers to the remaining risk after an action has been taken to mitigate the probability and impact of a risk. If the level of the residual risk is still higher than the risk appetite, the efficiency and competence of the present control activities must be questioned and, if deemed necessary, responses to be given to the risks must be reviewed. The following box gives an example of inherent and residual risk.

RM Box 11 Example of inherent and residual risk

Activity: using a car

Inherent risk: having an accident because you are inexperienced

Control action: getting a licence, taking driving courses

Residual risk: another inexperienced driver crashing into your car

3. Recording the risks

Recording the risks contributes to the prioritisation of the risks, and therefore to the efficiency of the allocation of resources and to the production of evidence for the decisions taken; helps people to understand their responsibility within risk management; facilitates the acquisition and communication of information to the right people at the right time via the reporting mechanism; and enables the reviewing and monitoring processes of the risk.

Risk records are reported in two stages: the Risk Register (see Annex 3), used in the identification and registry of risks, and the Consolidated Risk Report (see Annex 4), used for the reporting of risks to the senior managers (see Annex 7 for an example of a completed Risk Register).

The following box gives some tips for the risk assessment process.

RM Box 12 Tips for risk assessment

Measure the impacts and probabilities of the risks identified for a particular period of time.

While determining the impact score, assess the impact the risk will have on the objective that is foreseen to be hampered.

Utilise proper methods in the assessment.

Bear in mind that risk assessment of a job can best be made by the person who does this job.

Note that activities of other administrations/units can have impacts on your risks, and risks are not independent of each other.

Utilise tables such as risk maps to be able to see all the risks together.

Prioritise risks in line with the risk scores (Impact x Probability).

RM Box 13 Example of the Risk Assessment process

You are going to deliver training on your subject of expertise.

Your Objective: Audience understands the subject you explain.

You identify your risks:

Risk 1: As you arrive late, you may not have sufficient time to deliver the training.

Risk 2: You may deliver your presentation using an inappropriate approach, as you do not know who the audience is.

Risk 3: You may have difficulty in supporting what you explain, as you don't have the softcopy of the presentation.

Let's see the likelihood of Risks 1, 2 and 3 and how they would affect your objectives if they occur.

Risk 1

Likelihood: The traffic would be bad at that hour. In addition, you have a lot of other things to do that day. Likelihood: 7

Impact: You can arrive late, but you know the subject very well. Even if you deliver it in a very short time, it would still be understandable for the audience. The impact of arriving late on your objective is 3.

Risk Score: 7 x 3 = 21

Risk 2

Likelihood: In the letter you have been told what the subject is but not who the audience is, and you don't have the chance to ring someone and learn. Likelihood: 5

Impact: If you are to deliver the training to experts who already know the issue, you get into details, but if your audience is made up of people who don't know anything about it, you only draw the general framework. If you cannot learn who the audience is and you deliver the training in detail while the audience is unaware of the subject, they would not understand; or if you give little information to people who already know about it, they would not learn anything new. The impact of using the wrong approach in the delivery is 9.

Risk Score: 5 x 9 = 45

Risk 3

Likelihood: You generally carry your computer around. You also have the habit of carrying your pen drive in your bag after saving your studies on it. Likelihood: 2

Impact: Even if you don't project the presentation on the screen, you know the subject very well. You could still effectively deliver it to the audience. The impact of not having the soft copy with you on your objective is 3.

Risk Score: 2 x 3 = 6

As shown in the risk map:

Impact
  10 |  10  20  30  40  50  60  70  80  90 100
   9 |   9  18  27  36  45  54  63  72  81  90
   8 |   8  16  24  32  40  48  56  64  72  80
   7 |   7  14  21  28  35  42  49  56  63  70
   6 |   6  12  18  24  30  36  42  48  54  60
   5 |   5  10  15  20  25  30  35  40  45  50
   4 |   4   8  12  16  20  24  28  32  36  40
   3 |   3   6   9  12  15  18  21  24  27  30
   2 |   2   4   6   8  10  12  14  16  18  20
   1 |   1   2   3   4   5   6   7   8   9  10
     +----------------------------------------
         1   2   3   4   5   6   7   8   9  10
                      Likelihood

Prioritisation

1. Risk 2 (Risk Score 45)

2. Risk 1 (Risk Score 21)

3. Risk 3 (Risk Score 6)

(Note that risks are not always assessed according to the scores. Some strategic risks should be taken into consideration even if they have a low score. Emergency precautions/plans should be available. You may not always foresee what will happen. Your plans should be flexible. Therefore you will be able to handle the situation when something unexpected emerges.)

7.3 Responding to Risks

Responding to risks refers to setting out the responses to the risks identified and assessed within the risk appetites by the public administration, and mitigating the potential threats or taking the arising opportunities. Before deciding on the method to respond to risks, a cost/benefit analysis must essentially be carried out. The objective desired to be reached by responding to risks is to mitigate the likelihood of the risk and its impact, and to achieve the foreseen objective in the most efficient manner.

Box RM 14 Questions to consider in responding to risks

What is the level of risk?

What happens if no response is given to the risk?

Which risks must be controlled?

Which risks can be transferred?

What are the consequences of resorting to risk aversion as a public administration?

Is the opportunity good enough to take the risk?

The following figure shows, within the framework of risk appetite, how inherent risk turns into residual risk as a result of responses, controls, actions (also see Box RM3 Risk Appetite).

RM Figure 4 Risk Indication Table

(OGC's Risk Dashboard, from HM Treasury's publication named Thinking about Risk)

Figure RM4 demonstrates the following:

Columns 1 and 5: Control activities successfully decrease the inherent risk, so that the remaining risk, called the "residual risk", is reduced to the same level as risk appetite. Such points, where the risk appetite and residual risk of an administration overlap, are ideal situations in terms of risk management (cost-effect).

Columns 2, 3 and 4: Control activities decreased the risk. However, residual risk is still higher than the risk appetite (tolerable level). This shows that the effectiveness and adequacy of the controls implemented should be questioned and more control activities should be implemented.

In column 6, as the inherent risk is equal to risk appetite, the risk is tolerable. However, these risks should be monitored just as the other risks, because of the possibility of changing.

In column 7, on the other hand, control activities decreased residual risk below the risk appetite. This shows that more controls than necessary are implemented and resources are not used efficiently. In these over-control cases, control activities should be decreased to a level at which residual risk is equal to risk appetite.
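The scoring, prioritisation and appetite comparison described above, as an added example that is not part of the manual. It uses the Box RM13 scores and the vote averaging of Annex 1, and assumes the risk appetite is expressed on the same 1 to 100 score scale; the votes, the appetite of 24, the owner and the residual values are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Sequence


def _scale(value: float) -> float:
    """Probability and impact are each scored between 1 and 10."""
    if not 1 <= value <= 10:
        raise ValueError(f"score {value} is outside the 1-10 scale")
    return value


def score(likelihood: float, impact: float) -> float:
    """Risk score = probability x impact, giving a value from 1 to 100."""
    return _scale(likelihood) * _scale(impact)


def average_votes(votes: Sequence[int]) -> float:
    """Annex 1, Step 6: participants' votes are averaged before multiplying."""
    if not votes:
        raise ValueError("at least one vote is required")
    return mean(_scale(v) for v in votes)


@dataclass
class Risk:
    name: str
    owner: str                      # every registered risk needs an owner
    likelihood: float               # inherent, before any control
    impact: float
    residual_likelihood: Optional[float] = None   # after controls, if assessed
    residual_impact: Optional[float] = None

    @property
    def inherent(self) -> float:
        return score(self.likelihood, self.impact)

    @property
    def residual(self) -> Optional[float]:
        if self.residual_likelihood is None or self.residual_impact is None:
            return None
        return score(self.residual_likelihood, self.residual_impact)


def review(risk: Risk, appetite: float) -> str:
    """Compare a risk with the appetite, following the Figure RM4 columns."""
    if risk.inherent <= appetite:          # column 6: tolerable as it stands
        return "tolerate and monitor"
    if risk.residual is None:
        return "respond: no controls assessed yet"
    if risk.residual > appetite:           # columns 2, 3 and 4
        return "question controls and add more"
    if risk.residual < appetite:           # column 7
        return "over-control: reduce controls"
    return "ideal: residual equals appetite"   # columns 1 and 5


def prioritise(risks: List[Risk]) -> List[Risk]:
    """List risks starting from the one with the highest inherent score."""
    return sorted(risks, key=lambda r: r.inherent, reverse=True)


# Assumption: a single appetite value on the 1-100 scale (constructed).
APPETITE = 24

# Constructed votes whose averages reproduce the Box RM13 scores.
REGISTER = [
    Risk("Risk 1", "trainer", average_votes([6, 7, 8]), average_votes([3, 3, 3])),
    Risk("Risk 2", "trainer", average_votes([5, 5, 5]), average_votes([9, 10, 8]),
         residual_likelihood=3, residual_impact=9),   # constructed residual
    Risk("Risk 3", "trainer", average_votes([2, 2, 2]), average_votes([3, 2, 4])),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.name}: inherent {r.inherent}, residual {r.residual}, "
              f"{review(r, APPETITE)}")
```
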

There are four methods of responding to risk, and these are shown in the following diagram, Figure RM5.

RM Figure 5 Methods of responding to risk

Tolerating: This is a passive method of response given to the risks which public administrations are comfortable to undertake. In the following cases risks can be accepted:

If the inherent risk is within the limits of risk appetite, then it is accepted.

When it is understood that the cost of the actions to be taken (controlling, transferring or avoiding) for an intolerable risk would exceed the potential impact of the risk, then the risk is accepted.

Some risks are out of the control of the management. Certain risks do not disappear unless the activity is terminated, whereas terminating an activity is not always possible or desirable.

Treating: This is a method of response given to a risk by means of control activities carried out with a view to keeping risks at a tolerable level (risk appetite) in public administrations.

This method can be applied using the five following controls:

Preventive Controls

Corrective Controls

Directive Controls

Detective Controls

Emergency Plans


For detailed information, refer to the Control Activities chapter.

Transferring: This is the response given to the risks by taking some of them away from the responsibility of the administration and transferring them to others. (Even if the risks are transferred, the responsibility cannot be transferred, and they need to be managed under the control of the administration, because it is the administration that will be affected when the risks are realised.)

Risk transfer is carried out using the following methods:

Completely or partly transferring the activity to another administration

Transferring its operation to third parties using a procurement method

Transferring it by means of insurance (when appropriate)

Avoiding: If the risk we have to take is too big to manage and there are alternatives to the activity performed, it is possible to terminate this activity. For example, deciding not to build a factory which is expected to cause too much air pollution, or deciding not to purchase the computers that are planned to be purchased because of budgetary cuts.

The following box summarises the process of responding to risk.

Box RM 15 Process of responding to risk

List the Threats and Opportunities according to the analysis results.

Define your attitude considering the content of the risk:

Tolerate

Control

Transfer

Avoid

Ensure that the benefit that the response will provide is higher than the cost it will bring.

While managing risks, the opportunities they bring along should also be taken into consideration. Alongside negative impacts, risks can also lead to opportunities. In order to be able to take these opportunities, which would make an additional contribution to the achievement of the administration's objectives, the administration must have designated strategies. Taking the opportunity is not an alternative method to respond to risks; rather, it is a method to be applied additionally.

Opportunities are taken in the following cases:

When the cases of taking the opportunity and reducing the threats coexist. For example, making health and scientific researches to find a cure for a disease. (The disease threat will decrease and, at the same time, there will emerge the opportunity that cost will decrease with fewer people going to hospitals.)

When opportunities emerge before the negative event occurs. For example, using a new technology to be able to work better, or reaching a greater number of people via e-state.

The following box gives some tips for use when responding to risk.

RM Box 16 Tips for responding to risk

Prioritising risks helps decide on which risk to respond to first.

As a public administration, while determining the responses to be given to risks, recipients of the services and the impacts on them must be considered.

Stay away from over-control measures while responding to risks. Over-control harms the efficiency of the administration as much as insufficient controls do.

The possibility that acting in coordination with other administrations in responding to risks may be more efficient must be considered.

The following box gives an example of the process of responding to risk.

RM Box 17 Example of the process of responding to risk

Your organisation has decided to buy a new IT system.

You identify your risks:

Risk 1: The new system has inadequate response times.

Risk 2: Data is not transferred accurately from the old IT system to the new system.

Risk 3: You do not have the capability to operate the new IT system.

Risk 4: The new IT system does not work.

What responses can you give to these risks?

Risk 1

Tolerate: You have been assured that the new system has a five second response time, which is similar to the current system, so you decide that it does not need to be quicker.

Risk 2

Treat: You need to introduce controls to make sure that data is transferred accurately.

Preventive controls: Testing is done on the new IT system before it is introduced, to ensure that data is not corrupted on transfer.

Corrective controls: Testing is done comparing data transferred from the old system to the data on the new system. This control activity corrects the errors.

Directive controls: Requirement that IT staff working on developing the new system have adequate skills and experience.

Detective controls: Testing is done after one year of operating the new system to see if standing data transferred from the old system is accurate.

Emergency plan: You should make sure that you can revert to using the old system in the event that the new system does not have properly transferred data.

Risk 3

Transfer: You outsource the running of the new system to another organisation which has the relevant expertise.

Risk 4

Avoid: If it is detected during testing that the new IT system is not working, you quit buying this system and search for an alternative IT system.

Take the opportunity

Your new IT system allows you to operate more efficiently, freeing up staff time to do other activities.

7.4 Reviewing Risks

Risks can change in terms of their impact and likelihood due to various changing conditions or measures taken. Furthermore, it is also possible that new risk areas are formed due to changing conditions. Therefore, all the aspects of risks identified and the risk management process should at least be reviewed on a regular basis. Reviews can be carried out at frequencies to be set by the administration according to the level of importance of the risks.

In the event that extraordinary developments take place and this has a serious impact on the risks, the Administrative Risk Coordinator (ARC), upon the spoken or written instruction of the head of administration, organises an emergency meeting for the Internal Control and Risk Steering Board to assess the risks. For example, natural disasters, economic crises and early election resolutions are extraordinary developments.

Reviewing the risks and reviewing the risk management process are two different processes, and the fact that one of them is carried out does not necessarily mean that the other is carried out as well. Whereas each risk is reviewed by its respective owner, the risk management process is reviewed by the Head of Administration and/or ARC. Reviewing risks regularly would provide flexibility in adapting to the changing conditions.

Risks are reviewed as follows:

Whether risks still exist, new risks have arisen, or the likelihood or impact of a risk has changed is reviewed.

Priority should be given to key risks (those with the highest probability and impact) during a review. Other risks should be reviewed later.

While reviewing strategic risks, first and foremost amended policy papers (if any), developments in the other countries, expectations of the public for that period, Internal Audit Reports, Inspection Reports, External Audit Reports and other relevant reports and documents should be considered.

In the light of the developments, if there have been any changes to the risk profile, the risk register of the administration/unit/sub-unit must be reviewed.

The change must be communicated to the risk coordinator at the next senior level within five working days.

By reviewing the prioritisation of the key/main risks, the assessment results should be submitted within five working days by the ARC to the ICRSB in a revised Risk Report.

The results of the assessment will be discussed by the ICRSB and the report is then submitted to the Head of Administration by the ARC.

The conclusion and evaluation part of the report must definitely include remarks on whether the risk management process provides the necessary assurance and whether new measures are needed or not.

o Do we give reasonable assurance on the successful management of risks?

o Do we give reasonable assurance on the effective implementation of the control activities?

The process of reviewing risks is summarised in Box RM18 and questions to consider are listed in Box RM19.

RM Box 18 Process for reviewing risk

Set out a review period depending on the characteristic of the activity.

Frequently review the first critical risks.

During the review, assess the probability and impact of the risks for that period.

Decide whether the risk is still a threat.

Identify whether new risks have arisen for that period.

The condition of the control activities must be reviewed according to the change in the risk. It would be appropriate to eliminate an activity which became pointless as the risk has disappeared.

Record the identified findings on the risk register.

Report the risks of every level.

Changes regarding the risks are reflected on the risk register; however, in emergencies the managers must be informed as soon as possible.

RM Box 19 Questions to consider in the risk review process

What are the changes in the environmental conditions?

What are the changes that impact on the operation of the activity?

How do the changes affect the administration?

Are present controls sufficient to address the changing situation?

Is there sufficient evidence that the controls are effective?

It would be useful to take into consideration the policy papers of the government and the administration while assessing risks.

7.5 Communication and Reporting

Communication within the context of risk management refers to accurate and timely conveyance of the right information to the relevant people through various mechanisms at the right time. Communication is a vital process which needs to be effectively applied in all phases of risk management.

The following are important to communicate:

The administration's objectives, policies and procedures

The risk management strategy

The numbering system in the risk assessment stage and measurement mechanisms

Which controls are convenient in responding to risks

How well risks are managed in reviewing risks

It is important to bear in mind that this vertical and horizontal communication is mutual (communication-feedback).

To ensure effective communication, the issues in Box RM20 should be considered.

RM Box 20 Issues for effective communication

Who will communicate with whom, in which format

Who is responsible to whom, about what

How the communication should be with high levels

How the communication with the Minister works

Who will communicate what information to which levels

How to ensure the accuracy of information

The expectation of top management from the employees regarding risk management should be clearly defined and conveyed to all employees.

In addition to internal communication, efficient communication lines are needed with the partners, where the services provided require partnerships, and with the citizens or NGOs who are affected directly or indirectly by the services provided by the administration. Therefore, while the administration is producing its Risk Strategy and Policy Paper, it should prepare an efficient communication plan which regulates the internal and external communication, and share it with all stakeholders.

Reporting has a direct impact on the decision making processes in risk management. The reports should be as short and accurate as possible, demonstrate the evidence regarding the evaluations, be relevant, and be submitted to the relevant people where necessary.

Reporting must be carried out within the administration both vertically and horizontally. It should be explicitly set out who will report to whom and with what frequency in the risk management process. Reporting will be done in the forms to be determined by administrations and in pre-determined periods, by at least using the information contained in the forms shown in the Annex to this Manual. When deemed necessary, administrations can develop different forms other than the forms contained in the Manual.

Within the scope of this chapter of the manual, Risk Management can be demonstrated via the following diagram.

[Diagram labels: Administration's Mission; Strategic Plan and Performance Programme Budget; Annual Management Plan; Activities, Processes, Projects; Risk Assessment: Identify, Measure (impact x probability), Prioritise; Tolerate, Control, Transfer, Avoid; Take the opportunities; Operational Level, Unit Level, Administration Level; Assess, Manage, Monitor; Risk Register; Control Activities; Monitoring and Evaluation]

RM Figure 6 Risk Management Process

7.6 Learning

Learning needs to be enriched through systematic training tools and disseminated to the target groups using the most effective method. Depending on the target group, such methods as conferences, seminars, workshops, trainings, hands-on trainings, internships, exchanging information via various communication channels, and sharing best practices, failures or mistakes would facilitate learning the risk management processes and establish a basis for the risk management practices in a corporate sense.

Addressing risks largely depends on experiences. Previous experiences, and making everyone aware of the successful and unsuccessful practices via a strong communication network, would facilitate more effective and faster addressing of risks. In particular, conveying the positive and negative experiences about the emerging risks and the methods to handle these to the stakeholders, and learning what could go wrong, can only be ensured if a method that focuses on learning from mistakes is adopted and learning experiences are shared. Therefore, it will be useful to use the peer review method within the administration. In this method, units learn how the others at the same hierarchical levels manage risks, and they can adopt good practice examples in their own units.

Sharing risk management experiences with external stakeholders, especially organisations experienced in this field, could not only help the administrations develop new methods but also ensure a more efficient use of risk management resources.

RISK MANAGEMENT ANNEXES

ANNEX 1: Using the brainstorming method to identify, assess and record risks

Step 1

Collect together in the same room all members of the Unit or Sub Unit, or all staff who work on a project or on a business process. Identify an appropriate facilitator (see Box RM 21) to guide the brainstorming workshop. The brainstorming would be most effective if it is facilitated by an independent person who has experience at facilitating brainstorming.

(Note: this can also be done by collecting all senior managers in an Administration to brainstorm strategic risks.)

Requirement for step 1: all attendees of the brainstorming should be fully familiar with the Sub Unit/Unit, project/business process/Administration respectively.

RM Box 21 Role of the facilitator

Encourage the workshop attendees to all participate in identifying risks.

Watch out for duplication of similar risks (if 2 risks are very similar, consider amalgamating them).

Ensure that all attendees vote on impact and likelihood of the identified risks.

Encourage attendees to challenge each other's scores, defend their own or change them if they think appropriate.

Ensure that the risk scores are accurately entered in the spreadsheet and prioritised.

Action plan the response to risks, starting with the highest priority.

For each response, ensure responsibility is allocated to a named individual.

Ensure for each response that a review and reporting date is identified (exact date).

Step 2

Once all brainstorming attendees are assembled as per step 1, firstly clarify what the objectives of the Sub Unit/Unit, project/business process/Administration respectively are. These may be included in the strategic plan or, for sub units, may not previously have been identified. Think widely: are there other objectives that are not included? All attendees should agree that these are the objectives before proceeding to Step 3.

Step 3

All attendees at the brainstorming should brainstorm: what are the risks to the achievement of each of the objectives identified in step 2? This can be done as one group or, for larger brainstorming sessions, in pairs or sub-groups. Risks identified by the brainstorming should be recorded in the risk voting form in Annex 2 (columns 3, 4 and 5), clarifying which objective(s) might not be achieved if the risk happens.

Step 4

Once all risks are identified, all brainstorming participants should vote on what they think the likelihood and impact of the risk are, using the guidance for scoring in the risk management chapter of this manual. These votes should be recorded on the risk voting form. In line with the number of participants, the number of the related columns can be increased (Columns 6, 7, 8 and 10, 11, 12). (For scoring impacts and probabilities, see Annex 5 Risk Assessment Criteria Table.)

Step 5

Once initial votes are recorded on the risk voting form, where there are large variations between the highest and lowest score for likelihood and/or impact for a particular risk, the individual(s) who gave the highest score should first of all justify why they gave the high score and try to convince the others why they should increase their score. The individual(s) who gave the lowest score should then justify why they gave the low score and try to convince the others why they should decrease their score. After these justifications have been given, an opportunity should be given to all who were convinced by any of the justifications to change their score.

Step 6

The risks identified should be listed in decreasing order of the product (Column 14) of the average impact (Column 9) and the average probability score (Column 13) from the brainstorming. The participants should be asked if the result is what they expected. Does what they considered to be their most significant risk have the highest score? If not, look at the voting again and consider if it needs to be changed.

Step 7

Once brainstorming participants are satisfied with the prioritisation of the risks, complete the other columns of the risk register (Annex 3), starting with the highest priority risk.

Step 8

If the risk which is written in column 5 in the Risk Register arises from an event which will occur at a particular date (e.g. elections), column 6 in the Risk Register, namely the time frame column, can be completed by writing how much time before the date the risk is expected to materialize (e.g. a month, three months etc.). The column can be left blank if timing is not important.

Step 9

When identifying control activities, consider whether the risk level is within the risk appetite for that particular risk or not, what control(s) would be most cost-effective and would mitigate the risk best by reducing the impact and/or the likelihood of the risk materialising. Also consider what the existing controls are, whether these are currently effective and whether they can be improved or it would be more cost-effective to introduce new additional control(s) in addition to or instead of the existing control(s). Complete the related columns in line with explanations in the table (Columns 11, 12 in the Risk Register).

Step 10

The form will have been fully completed when the other columns are completed, taking into consideration the instructions in the Risk Register Form.
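The voting, challenge and prioritisation of Steps 4 to 6 can be worked through in code. This is an added example, not part of the manual: the participant labels, sample risks, the spread of 4 points used for "large variations", rounding the product to a whole number, and reading the register's 45-100 / 9-44 / 1-8 ranges as high / medium / low in the order of its colour key are all assumptions.

```python
from dataclasses import dataclass

# Score ranges printed on the Risk Register (Annex 3); the high/medium/low
# names follow the order of the colour key (assumption).
BANDS = ((45, "high"), (9, "medium"), (1, "low"))
# Assumption: the manual only says "large variations" between votes.
SPREAD_THRESHOLD = 4


@dataclass
class Risk:
    reference: str            # reference no (constructed)
    description: str
    impact_votes: dict        # participant -> 1..10, None if they cannot assess
    probability_votes: dict


def _cast(votes):
    """Return only the votes actually cast, rejecting values outside 1-10."""
    cast = {who: v for who, v in votes.items() if v is not None}
    for who, v in cast.items():
        if not 1 <= v <= 10:
            raise ValueError(f"{who}: vote {v} is outside the 1-10 scale")
    return cast


def needs_discussion(votes, threshold=SPREAD_THRESHOLD):
    """Step 5: when highest and lowest vote differ widely, name who justifies."""
    cast = _cast(votes)
    if not cast:
        return None
    hi, lo = max(cast.values()), min(cast.values())
    if hi - lo < threshold:
        return None
    return {"highest": sorted(w for w, v in cast.items() if v == hi),
            "lowest": sorted(w for w, v in cast.items() if v == lo)}


def score_risk(risk):
    """Average the votes and multiply them (voting form columns 9, 13, 14)."""
    impact = _cast(risk.impact_votes)
    probability = _cast(risk.probability_votes)
    row = {"reference": risk.reference,
           "description": risk.description,
           "discuss_impact": needs_discussion(risk.impact_votes),
           "discuss_probability": needs_discussion(risk.probability_votes)}
    if not impact or not probability:
        # Nobody could score it: kept in the register as "unknown".
        row.update(avg_impact=None, avg_probability=None, score=None,
                   band="unknown")
        return row
    avg_i = sum(impact.values()) / len(impact)
    avg_p = sum(probability.values()) / len(probability)
    score = avg_i * avg_p
    whole = int(score + 0.5)  # assumption: round half up before banding
    band = next(name for floor, name in BANDS if whole >= floor)
    row.update(avg_impact=avg_i, avg_probability=avg_p, score=score, band=band)
    return row


def prioritise(risks):
    """Step 6: decreasing score; risks without a score go last."""
    rows = [score_risk(r) for r in risks]
    return sorted(rows, key=lambda r: (r["score"] is None, -(r["score"] or 0)))


# Constructed sample votes from three participants P1..P3.
SAMPLE_RISKS = [
    Risk("R-03", "Archive room keys are not logged",
         {"P1": 2, "P2": 1, "P3": 3}, {"P1": 2, "P2": 2, "P3": 2}),
    Risk("R-01", "Payment system unavailable at year-end closing",
         {"P1": 9, "P2": 8, "P3": 7}, {"P1": 8, "P2": 3, "P3": 7}),
    Risk("R-04", "Effect of a draft regulation not yet published",
         {"P1": None, "P2": None, "P3": None},
         {"P1": None, "P2": None, "P3": None}),
    Risk("R-02", "Procedures not updated after reorganisation",
         {"P1": 4, "P2": 5, "P3": 3}, {"P1": 2, "P2": 3, "P3": 4}),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_RISKS):
        print(row["reference"], row["score"], row["band"],
              row["discuss_impact"], row["discuss_probability"])
```

For R-01 the probability votes of 8 and 3 trigger the Step 5 discussion, so P1 and P2 would each justify their score before the average is accepted.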

The following Box gives some suggestions for ground rules for brainstorming.

RM Box 22 Suggested ground rules for brainstorming

There is no such thing as a bad idea

One person speaking at a time

Active participation

Keep to the timetable

The facilitator is in charge (if there is one)

Open discussion but no personal criticism


ANNEX 2 Risk Voting Form

This form is used to calculate the risk score after risks are identified.


ANNEX 3 Risk Register

This is a form used to report the status after risks identified at administration/unit/sub-unit level are recorded.

RISK REGISTER

Administration/Unit/Sub-unit:

Date: 20

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

Serial no | Reference No | Strategic Objective | Unit's Objective | Risk Identified (Risk / Reason) | Time frame | Probability | Impact | Risk score (R) | Change (Direction of risk) | Current/New/Additional control activities | Starting date | Risk owner | Monitoring and Reporting

Risk score ranges shown on the form: 45-100, 9-44, 1-8

Columns

1 Serial no: shows the sequencing in the risk register.

2 Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist. The same code is not given to another risk.

3 Strategic Objective: This is the column in which the code of the strategic objective related to the risk, as demonstrated in the strategic plan, is written.

4 Unit's objective: If the risk register is completed at unit/sub-unit level, the objective of the unit which is directly or indirectly related to the strategic objectives of the administration and can be affected by the risk is written in this column; if the risk register is completed at administration level, then this column is left blank.

5 Risk Identified: Description of the risk. Reason: Reasons which cause the risk to occur.

6 Time frame: If the risk arises from an event which will occur at a particular date (e.g. elections), this column can be completed by writing how much time before the date the risk is expected to materialize (e.g. a month, three months etc.). The column can be left blank if timing is not important.

7 Probability: Probability value determined by using the Risk Voting Form (Annex 2) (between 1-10). While determining this score, it may be useful to list related control activities, actions taken and related regulations. In this way, the probability that the risk will materialize notwithstanding the actions taken can be determined.

8 Impact: Impact value determined by using the Risk Voting Form (Annex 2) (between 1-10). While determining this score, it may be useful to list related control activities, actions taken and related regulations. In this way, what the impact of the risk will be if it happens notwithstanding the actions taken can be determined.

9 Risk Score (R = I x P): risk score determined by multiplying probability and impact scores in the Risk Voting Form (Annex 2) (between 1-100). See below for an explanation of the colours to use.

10 Change (Direction of risk): This is the column in which the change in the status of the risk is shown in light of the previous risk register. It can be shown, according to the administration's preference, in writing such as up/down/stable or by means of direction signs. If there is no previous risk register, then it is stated as "New".

11 Current/New/Additional control activities: Current control activities are written in this column. It is assessed whether these activities are still needed or not. If not, they are removed. It is also assessed whether current control activities are appropriate or sufficient. If the calculated risk score is above the desired level, taking into consideration the current control activities, then new or additional control activities which are planned are written in this column.

12 Starting date: The exact date that new/additional control activities will start to be implemented.

13 Risk owner: is the person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, does monitoring, keeps records of achievements and failures about control activities and ensures that evidence which shows that the risk is managed is kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.

14 Monitoring and Reporting: When to review and to whom to report risks are written in this column.

Colours

High risk

Medium risk

Low risk

No sufficient information to assess the risk. It is included in the risk register and a risk owner is identified for collecting sufficient information.

Note: In the event that a new risk is identified during the year, the employee identifying this risk reports it to the senior manager. If the manager decides this is a risk which needs to be managed, then this risk is registered in the risk register form and approved by the relevant manager.

ANNEX 4 Consolidated Risk Report

This is the form which enables corporate risks of an administration to be submitted to the senior manager as a report composed of a few pages.

CONSOLIDATED REPORT

(Corporate Risks)

Administration/Unit/Sub-unit:

Date: 20

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8

Serial No | Reference No | Strategic Objective | Risk Identified | Status: Previous risk score and colour | Status: Current risk score and colour | Risk Owner | Explanation

Risk score ranges shown under both Status columns: 45-100, 9-44, 1-8

Columns

1 Serial no: shows the sequencing in the risk register.

2 Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist. The same code is not given to another risk.

3 Strategic Objective: This is the column in which the code of the strategic objective related to the risk, as demonstrated in the strategic plan, is written.

4 Risk Identified: Description of risk.

5 Previous risk score and colour: shows the status of the risk in the previous Consolidated Risk Report.

6 Current risk score and colour: shows the status at the date of the report.

7 Risk owner: is the person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, does monitoring, keeps records of achievements and failures about control activities and ensures that evidence which shows that the risk is managed is kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.

8 Explanation: Information about the effectiveness of control activities and foresight for the future are given in the explanation section.

Colours

High risk

Medium risk

Low risk

No sufficient information to assess the risk. It is included in the risk register and a risk owner is identified for collecting sufficient information.

ANNEX 5 Risk Assessment Criteria Table

Table columns: Value | Range | Probability | Impact: Strategy | Impact: Activities | Impact: Financial | Impact: Compliance with Legislation

Range: High (values 10, 9, 8, 7)

Probability: Risks which are almost certain to occur within 5 years. Taking into consideration the structure of the administration, they generally arise from policies and procedures. The wider the activity area of the administration, the more likely it is that the risky event occurs.

Impact, Strategy: Risks which can have a major impact on attaining strategic objectives. These are risks which are generally faced in the long term but can cause the administration to divert from its objectives in case of occurrence.

Impact, Activities: Risks which cause the administration/unit/sub-unit not to provide the service it has to provide in an effective and efficient way belong in this category.

Impact, Financial: Risks which will cause heavy financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are above the acceptable level should be accepted as a high risk.

Impact, Compliance with Legislation: Risks which will cause a big obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation. Such risks can be seen in areas where the legislation is too complicated and unclear.

Range: Medium (values 6, 5, 4)

Probability: Risks which are likely to occur within 5 years. These are generally risks that the administration/unit/sub-unit or administrations with similar structures have faced formerly.

Impact, Strategy: Risks which can have a certain level of impact on attaining strategic objectives.

Impact, Activities: Risks with a certain level of impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.

Impact, Financial: Risks which will cause a certain level of financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are within the acceptable level should be accepted as a medium risk.

Impact, Compliance with Legislation: Risks which will create a certain level of obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Range: Low (values 3, 2, 1)

Probability: Risks with low probability of occurrence within 5 years. These are generally risks that the administration/unit/department faces very rarely. These are risks with almost no likelihood of occurrence.

Impact, Strategy: Risks which can have the least impact on attaining strategic objectives. Their impacts are generally little and cover a limited area.

Impact, Activities: Risks with little impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.

Impact, Financial: Risks which will cause little financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are below the acceptable level should be accepted as a low risk.

Impact, Compliance with Legislation: Risks which will cause a little obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Range: Unknown

Probability: In case there is no idea about the likelihood of the risk occurring within 5 years, the risk is shown in blue until it can be clearly identified with larger data.

Impact, Strategy: The impact of a risk likely to occur on strategic objectives of the administration could not be determined.

Impact, Activities: The impact of a risk likely to occur on the activities could not be determined.

Impact, Financial: The financial impact of a risk likely to occur could not be determined.

Impact, Compliance with Legislation: The impact of a risk likely to occur in case of non-compliance with the legislation could not be determined.

Risk has recently emerged, no data was obtained regarding its status and there is no sufficient data for analysing the new risk, or it is a risk which previously occurred but there is no sufficient data for the analysis. Information should be gained as soon as possible so that an analysis can be made and an opinion formed.

ANNEX 6 Case Study Example of Inherent and Residual Risk

Case study example to illustrate the concepts of inherent and residual risk, and also to illustrate how a risk owner can obtain information from several different control owners to monitor the extent to which the risk they are responsible for is successfully mitigated by the existing controls.

The scenario concerns a storage warehouse for gold bars, a risk owner who was the Store manager, a risk that gold bars are stolen and 4 controls:

a) An IT system control giving bars in and out and a balance held for each working day – daily printouts sent by the IT manager to the risk owner;

b) An independent company comes in once a month to perform a stocktake count of gold bars in the warehouse, which they reconcile with the relevant printout of stock from the IT manager – any variances in stock held are investigated and explanations provided where possible – the independent company provides a monthly report to the risk owner on results of the work they have done, detailing any unexplained variances (which could potentially be incidences of theft);

c) Security guards – professionals guarding access to the warehouse 24 hours a day and 7 days a week, ensuring that only authorised staff have access to the warehouse and that all bags are put through a metal detector on leaving to ensure gold bars are not being smuggled out (gold bars are too heavy to be easily hidden on the person). On recruitment, a criminal record check is made on the security guards to ensure that they do not have prior convictions for theft. Security guards report weekly to the risk owner on their work; and

d) An alarm system – any incidences of it being set off are sent in a report by the security guards to the risk owner. Regular (weekly) checks on the alarm system's functioning are carried out by the security guards, with success of the check included in their reports to the risk owner.

The inherent risk in the absence of the above 4 controls would be considered high (a high probability that bars would be stolen and a high impact, as gold bars are expensive). This would be above the risk appetite, and consequently the above 4 controls would be designed to mitigate the risk of the gold bars being stolen, with the foreseen effect of the four controls being that the residual risk would be reduced. (Note: all four control measures combined would mitigate only the probability of the gold bars being stolen, not the impact.)

The risk owner would gather evidence as to the effectiveness of the four controls. If they were found to be effective, he would consider whether the risk had been successfully mitigated to within the risk appetite (likely answer: Yes, unless a further new control or a strengthening of the existing controls was considered necessary if the risk appetite was very low due to the high impact/the organisation is very risk averse).

If one or more of the 4 controls is found by the risk owner to be ineffective, it is likely that the risk would still be at a level above the risk appetite, and so the risk owner would need to escalate the issue to his line manager, suggesting methods for further mitigating the risk (either by introducing an additional control or by strengthening the control(s) that had been found to be ineffective).

ANNEX 7 Case Study Example of completed Risk Voting Form, Risk Register and Consolidated Risk Report


CONTROL ACTIVITIES

1 Introduction

Control activities (also referred to as controls) are actions aimed at reducing the impact and/or the likelihood of a risk occurring and thus increase the probability of attaining the goals and objectives of the organisation or part of the organisation. For an effective control, the introduction of the control activities depends on the completed risk assessment. The management must plan, organise and direct sufficient control activities to obtain reasonable assurance that the tasks and goals will be achieved. Control activities cover both financial and non-financial controls, and they should be designed and implemented as a whole for all the activities of the administration.

This section of the manual, within the framework of internal control standards, looks at how procedures should be developed as control activities to ensure that risks to achieving administrative objectives are managed effectively.

2 Control Activities Standards

Administrations, while identifying and implementing their control activities, take into account the following standards.

CA Box 1 Internal Control Standards

Standard 7: Control strategies and methods

The administrations shall determine and implement control strategies and methods which aim to achieve the objectives and are suitable for risk response.

Standard 8: Determination and documentation of procedure

The administrations shall prepare and update written procedures which are required for administration activities as well as financial decisions and transactions, and arrangements relevant to these areas, and also give the relevant personnel access to these documents.

Standard 9: Segregation of duties

With a view to reducing fault, flaw, error, irregularity and corruption risks, the duties of approval, implementation, recording and control of financial decisions and transactions shall be allocated among personnel.

Standard 10: Hierarchical controls

The administrators shall systematically control the compliance of the works and transactions with the procedures.

Standard 11: Continuity of activities

The administrations shall take necessary measures for continuity of the activities.

Standard 12: Information system controls

The administrations shall develop control mechanisms in order to ensure the continuity and security of information systems.

[Figure: internal control components: Risk Management, Control Activities, Info & Communication, Monitoring, Control Environment]

3 Planning Process of Control Activities

Control activities can be regarded as the ability of administrations to get through the challenges they experience in carrying out their activities. Control activities should be designed within the framework of cost-effectiveness analysis in a way to directly facilitate attainment of objectives. Ideally, when introducing control activities, the heads of organisations must take into account the expected benefit from them as well as the costs of their introduction and implementation. Control activities should ideally be introduced in the processes and systems at the time of setting up these processes and systems, because the introduction of control activities at a later stage is more expensive and less efficient.

It is important for effectiveness of controls that control activities be understandable, applicable and consistent. A good control strategy should take into account how to implement the controls as well as identifying them. At this juncture, the administrative, financial and physical capacity of an administration should be taken into consideration.

Another important point to pay attention to in planning control activities is the evaluation of effectiveness of controls implemented. Such issues as whether the aim of implementing the control is commensurate with the targeted results and whether the expected cost is in parallel with the actual cost should be evaluated. Furthermore, regular review of control activities in the light of changing circumstances is also an important factor in terms of effectiveness-evaluation.

Administrations should take into consideration the following basic requirements in identifying control activities.

CA Box 2 Basic Requirements: Planning of control activities

In order to be effective, control activities must be:

adequate (the right control in the right place, at the right level and commensurate to the risk involved)

cost-effective (the costs of implementing a control should not exceed its benefits)

comprehensive, understandable and directly related to the control objectives

documented clearly

evaluated as a whole so that they are consistent in their operation

carried on until effectiveness is evaluated

4 Classification of control activities

The control activities are generally classified as follows. Administrations should implement the following basic requirements as minimum standard; however, they can implement additional control activities depending on the nature of the risk.

4.1 Preventive controls

These are the controls to be carried out to mitigate the likelihood and prevent as much as possible the undesirable outcomes that may emerge when risks occur. For example: ex-ante financial control operations, applying the principle of segregation of duties to prevent fraud or irregularities.

CA Box 3 Basic requirements: Preventive Controls

The security of physical and intangible rights (intellectual assets etc.) and records

physical safeguarding of assets

recording financial/management information

access controls such as passwords, identity cards, guards; and

segregation of duties in order to avoid conflicts of interest

4.2 Corrective Controls

These are the controls aiming at reducing the impact of the undesirable outcomes that stem from the threats the risks pose. For example: placing provisions regarding the reimbursement of undue payments in the agreements, setting the period of guarantee in advance.

CA Box 4 Basic requirements: Corrective Controls

identifying methods for the purpose of recovery from loss or damage which would affect the activities negatively

appropriate actions are taken for the correction or elimination of the identified differences

4.3 Directive Controls

These are the controls applied to reach a certain end. For example: provision of trainings on protection against possible threats, using protective materials (masks, special clothes etc.), preventive medical practices (giving messages for washing hands in periods of epidemics, publishing private leaflets).

CA Box 5 Basic requirements: Directive Controls

an approved organisation chart that is constantly up-dated to reflect organisational changes

manuals or written procedures, brochures, booklets, posters and other similar documents on implementation

established, clear and documented definitions of the responsibilities and tasks for resources, activities, program, projects, objectives and targets

assigning tasks and responsibilities by taking into account their relevant skills and experiences

delegating authority based on the organisational structure and responsibilities to do the jobs effectively, and it should be documented

establishing effective means of communication throughout the organisation; and

establishing clear reporting methods

4.4 Detective Controls

These are the controls applied to identify the damages and losses experienced once the risks are realised. For example: conformity controls carried out after spending has been made to identify the responsibility, controls performed to detect negligence by experts or authorities.

CA Box 6 Basic requirements: Detective Controls

periodic counts/physical inventories

comparison of the count/inventories with the records

methods for the identification and analysis of differences

5 Methods of control activities

The main methods of controls are mentioned below. Administrations may also implement different ex-ante and ex-post control methods based on the requirements of their organisational structure and field of activity.

Ex-ante controls are the controls put into practice in the light of the appropriate procedures before the activity takes place, whereas ex-post controls refer to the controls performed by the management through the use of pre-identified methods after the activities take place.

CA Box 7 Tips for control activities

The following box gives some issues to be considered when control activities are identified.

While determining the control activities and allocating resources for them, it may be necessary to give priority also to those risks with high probability and low impact and rating low in the prioritization list which is formulated according to the risk scores.

Preparing emergency plans as well as control activities for those risks with a very high probability and impact assumes great importance.

Reducing both the realization probability and impact of internal risks is possible with control activities.

Reducing the realization probability of external risks, on the other hand, may not be under the control of the administration. However, mitigating the impacts of risks is possible with a proper risk management.

While responding to risks, over-controlling should be avoided. Both over-control and under-control can undermine the effectiveness of the controls.

According to the content of the risk, several control methods can be used at once if deemed necessary.

Have the costs and benefits of implementing the control activities been analysed?

Have the new control activities been piloted to see if they are having the desired effects?

Are the control activities effectively operating as planned? Is the required evidence on controls collected and analysed periodically?

After a reasonable period of time, are the new control activities and existing controls that are being continued functioning as expected? And do you report this to the manager/risk coordinator?

CA Box 8 Factors to be determined when identifying control activities

Which unit/Who will conduct the activities

Deadlines of the activities

Necessary resources for the activities to be conducted

Critical achievement factors

How to document the activities

Monitoring processes for the activities

5.1 Authorisation and approval

Managers should introduce appropriate rules and procedures for decision-making, authorisation and approval, taking into account the following. Decision-making and approval shall be carried out only by authorised persons. Authority means that the operations are initiated only by persons acting within their powers. Observance of the order of authorisation requires employees to act in accordance with directions and within the limits set by the manager of the organisation or the legislation. The procedures for authorisation should include specific conditions and delegation of powers by managers to employees for performance of particular activities. The approval is endorsement (certification) of transactions, data or documents whereby processes, actions, proposals and/or consequences thereof are completed or validated.

5.2 Segregation of duties

To minimise the risk of errors, irregularities and violations and their non-detection, managers should introduce rules stipulating that different employees be responsible for the implementation of two or more key stages of an operation, process or activity. To ensure effective checks and to strike a balance in the implementation of an operation, the responsibilities shall be segregated in a manner which precludes an employee from being responsible simultaneously for the approval (decision-making), implementation, accounting and control.

In organisations with fewer staff this segregation is more difficult to implement. In such cases the manager may consider the possibility of combining two of the specified activities and compensate the non-application of this control mechanism by another, e.g. rotation of employees, rotation of duties or additional management checks. Thus the risk of a single person dealing with more than one key aspect of an operation, process or activity for an unjustifiably long period of time could be reduced.

5.3 Double signature system

The double signature system is a procedure to ensure the accuracy of the data included in the document. The method is applied in non-financial processes, such as provision of information to the top management (reports, information notes, statistics etc.) and appointment orders, and before financial obligations, such as signing of contracts and making payments (payment order etc.). This makes it possible that, especially in financial transactions, the person responsible for the accounting entries knows about pending obligations or payments and performs due accounting procedures. The double signature system gives assurance that the procedures are carried out by authorised staff.
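The segregation of duties rule and the double signature system described above can be checked against transaction records. This is an added example, not part of the manual: the record layout, names and sample payments are constructed, and it assumes that one pair of duties may be combined only when one of the listed compensating measures is recorded, and that the two signatures must come from different authorised people.

```python
# The four duties that one employee should not hold at the same time.
DUTIES = ("approval", "implementation", "accounting", "control")
# Compensating measures named for organisations with fewer staff.
COMPENSATING = {"rotation of employees", "rotation of duties",
                "additional management checks"}


def check_segregation(tx):
    """Return findings where one employee holds more than one duty."""
    findings = []
    held = {}
    for duty in DUTIES:
        person = tx.get(duty)
        if person:
            held.setdefault(person, []).append(duty)
        else:
            findings.append(f"{duty}: no employee recorded")
    combined = {p: d for p, d in held.items() if len(d) > 1}
    compensated = tx.get("compensating_control") in COMPENSATING
    for person, duties in sorted(combined.items()):
        # Assumed reading: a single pair of duties may be combined,
        # and only with a recorded compensating measure.
        single_pair = len(duties) == 2 and len(combined) == 1
        if single_pair and compensated:
            continue
        why = ("no recognised compensating control recorded"
               if single_pair else "more than one pair of duties combined")
        findings.append(f"{person} holds {', '.join(duties)}: {why}")
    return findings


def check_double_signature(tx, authorised):
    """Return findings where two different authorised signatures are missing."""
    signers = tx.get("signatures", [])
    findings = []
    if len(set(signers)) < 2:
        findings.append("fewer than two different signatories")
    for name in sorted(set(signers) - set(authorised)):
        findings.append(f"{name} signed but is not an authorised signatory")
    return findings


def review(transactions, authorised):
    """Map transaction id -> findings, for transactions that have any."""
    report = {}
    for tx in transactions:
        found = check_segregation(tx) + check_double_signature(tx, authorised)
        if found:
            report[tx["id"]] = found
    return report


# Constructed sample data.
AUTHORISED = {"Aylin", "Burak", "Cem", "Derya"}
PAYMENTS = [
    {"id": "PAY-001", "approval": "Aylin", "implementation": "Burak",
     "accounting": "Cem", "control": "Derya",
     "signatures": ["Aylin", "Cem"]},
    {"id": "PAY-002", "approval": "Aylin", "implementation": "Burak",
     "accounting": "Cem", "control": "Aylin",
     "signatures": ["Aylin", "Cem"]},
    {"id": "PAY-003", "approval": "Aylin", "implementation": "Burak",
     "accounting": "Burak", "control": "Derya",
     "compensating_control": "rotation of duties",
     "signatures": ["Aylin", "Derya"]},
    {"id": "PAY-004", "approval": "Cem", "implementation": "Cem",
     "accounting": "Cem", "control": "Derya",
     "compensating_control": "additional management checks",
     "signatures": ["Cem", "Cem"]},
    {"id": "PAY-005", "approval": "Aylin", "implementation": "Burak",
     "accounting": "Cem", "control": "Derya",
     "signatures": ["Aylin", "Emre"]},
]

if __name__ == "__main__":
    for tx_id, found in review(PAYMENTS, AUTHORISED).items():
        for line in found:
            print(tx_id, "-", line)
```

PAY-003 passes because only two duties are combined and a compensating measure is recorded; PAY-004 fails on both checks even though a compensating measure is named.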

5.4 Reconciliation of data

Procedures should also guarantee that data from different documents and sources are matched for ascertainment of consistency. For example, accounting entries relating to bank accounts are reconciled with corresponding bank statements, invoice data are matched with those in the warehouse receipt, etc.

5.5 Supervision procedures

Supervision procedures should be carried out on a daily basis by line managers on assignment of work and its performance. Assignment of work by the line managers does not reduce their own responsibility for the performance of the work. Line managers should give staff the necessary directions and instructions in order to ensure understanding and avoid errors and frauds in the discharge of their duties. Line managers should also apply these procedures to assure themselves that the tasks assigned are carried out correctly.

5.6 Ex-ante financial controls

Ex-ante financial control is a control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out with the available appropriation amount, expenditures programme, financing programme and the provisions of central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently. The purpose of ex-ante control is for the managers to obtain reasonable assurance of the compliance of such decisions/actions with the legislation and the performance programme.[2]

5.7 Procedures for accounting operations

Procedures should ensure that accounting for all financial transactions on a given date is complete, true, accurate and timely. Their purpose is to support the taking of correct decisions from which financial consequences arise. These procedures should be developed in accordance with the relevant legislation and public accounting standards.

[2] Please see regulation on procedures and principles on internal control and ex-ante financial control for further details.

5.8 Anti-corruption

There should be rules and procedures for warning, examination, detection and reporting of administrative weakness, discrepancies and violations which create conditions for corruption, frauds and irregularities.

Anti-corruption procedures include:

preventive controls

a system for checking, detecting and reporting early indications of corruption, frauds and irregularities

whistleblowing procedures (for more information please refer to Information and communication section); and

a set of procedures for reporting irregular activities to the external competent authorities, such as the Prosecutor's Office

5.9 Access to assets and information

Managers must ensure that only authorised persons responsible for the safeguarding and/or use of assets and information have access to them. The restriction of the access to assets reduces the risk of their misuse or their wrongful utilisation and protects the organisation from losses. The degree of the restriction depends on the vulnerability of the assets and information and the risks of loss or misuse. When determining the vulnerability of assets, the manager shall consider their value, transportability and the possibility for them to be exchanged for cash.

5.10 Documentation, archiving and storing of information

Procedures for documentation, archiving and storing of information shall be introduced to support the performance of operations, taking of correct managerial decisions and control of the processes in an organisation. Documentation involves developing written evidence of decisions made, events occurred, actions and transactions performed, etc. The documentation must be complete, accurate and timely.

The documentation procedures include those for document circulation, describing the order for circulation and use of documents produced and received. The documentation procedures must allow tracing of every document, action and process in the organisation, stating precisely who performed what, how and when, and the purpose and type of act/document issued as a result thereof.

According to the terminology adopted by the European Commission, this comprises an audit trail. Its establishment helps achieve:

- transparency;
- tracing of the processes in the organisation from their initiation till completion; and
- tracing the segregation of functions by decision-making, performance, accounting and control.

The audit trail shall state what procedures and transactions exist, who the responsible persons are, what documents are drawn up, what systems for management and control of data flows exist, and what the form of presentation of the results is.

Archiving procedures must ensure chronological and systematic filing of documents about past events, decisions and actions concerning the organisation. There should be specific guidelines describing in detail the procedures for archive establishment, completion, use and destruction.

The procedures for storage of information shall ensure physical preservation of the information media (paper and/or electronic), as well as preservation of the content without change, so that the information provides a true and fair view of the facts, decisions and actions relating to the organisation.

5.11 Business continuity (or emergency plans)

Adequate measures are in place to ensure continuity of service in case of business-as-usual interruption. Business Continuity Plans are in place to ensure that the entity is able to continue operating to the extent possible, whatever the nature of a major disruption.

5.12 Control activities related to Information Technology (IT)

IT systems entail specific types of control activities, which should be introduced in organisations by their managers. These mechanisms for information systems control consist of two major groups: general control mechanisms and applications control mechanisms (applications controls).

General control mechanisms are applicable to all operations and contribute to their proper implementation. The applications control mechanisms include both procedures programmed in the software product itself and procedures that must be carried out manually in order to exercise control over the processing of different operations. The general control mechanisms are needed for the functioning of the applications control mechanisms. Absence of sufficient general controls cannot be offset by applications controls.

Usually, general control mechanisms are used in information analysis and processing centres, for installation and maintenance of software products, and for definition of access to information:

- controls for information analysis and processing centres – they include the organisation and planning of works, the intervention of the respective administrators/operators, procedures for saving and subsequent use of information, back-up and contingency plans;
- software controls – these refer to the acquisition, installation and maintenance of software products necessary for the maintenance of the entire system and for processing of software applications;
- access definition controls – these ensure protection against unauthorised access. Access definition restricts users by allowing them to use and perform operations only with particular software products, thus ensuring segregation of responsibilities.

General software controls built during the development of the system entail detailed application tests and allow checking of the appropriateness of the rationale of the program and whether all errors will be detected. After the system is built, the controls for access and maintenance of the system give assurance that nobody can use or make changes in the applications without the appropriate authorisation, and that all the necessary changes are made in accordance with the established procedure for authorisation and approval.

The applications control mechanisms support internal control, preventing entry of wrong data in the system and detecting and correcting errors, based on automated procedures for control over data form and content. The prevention and detection of these errors is programmed in the respective application. The applications control mechanisms analyse the data on-line (simultaneously with their entry in the system), provide ongoing information in case of detected error and ensure immediate correction.

The use of both types of controls provides assurance that the information is analysed and processed completely, correctly and accurately.

5.13 Assessing costs and benefits of control activities

After initial selection of control activities to reduce the impact of risks, risk owners should evaluate the costs and expected benefits of the control activity. If the costs of the control activity exceed the expected benefits, the control activity should not be selected.

6 Practical Stages For Control Activities

Practical steps for control activities are briefly indicated in the following table. Since control activities are linked to risks, points on risk management are provided in stages 1, 2 and 3, whereas points on control activities are provided in stages 4 and 5. For further details on stages 1, 2 and 3, please refer to the risk management chapter.

CA Table 1 – Stages for control activities

Stage 1: Identify objectives

Stage 2: Identify risks to achieving objectives

Stage 3: Select method of responding to risks
- Accepting
- Controlling
- Transferring
- Avoiding
- Taking the opportunity

Stage 4: Select control method(s)
- Preventative
- Detective
- Corrective
- Directive

Stage 5: Select type of control activities
- authorisation and approval
- segregation of duties
- double signature system
- reconciliation of data
- supervision
- ex-ante controls: checking compliance with the law
- accounting covering all financial processes
- anti-corruption
- access to assets and information
- documentation, archiving and information storage
- business continuity; and
- information technology

Or: refer to CA Annex 2, List of common control activities

7 Steps to identify and implement control activities

Step 1: Administrations, when assessing their risks, review their systems and processes to determine whether they have existing controls to mitigate their risks. (Administrations where risk management will be implemented in the framework of the principles mentioned in this manual for the first time should list and evaluate all the existing control activities. Those control activities that don't match the objectives and the risks of the administration should be terminated.)

Step 2: Administrations assess whether these existing controls are effective/sufficient in terms of mitigating risks.

Step 3: If there are no existing controls, or the existing controls are not effective/sufficient, new and/or additional control activities are determined. (To help you decide which control activities to select, you may refer to the list of control activities at Annex 2.) In this step it will be useful to consider the following:

- It may be appropriate to select more than one control activity;
- Any new control activities you select must be evaluated for cost-effectiveness; and
- Appropriate control activities should be tested beforehand.

Step 4: New control activities are not foreseen for those high risks that are managed effectively/sufficiently with the existing controls, and the existing control activities should continue.

Step 5: Risk owners, once the risk register has been approved, have to put in place the new control activities and also ensure that monitoring of both new controls and existing controls that are being continued begins at the predetermined starting date.

Step 6: Stakeholders are notified in writing about the control activities and whether they are working effectively.

Step 7: The risk owner, while reporting the risks in the Consolidated Risk Report (Risk Management Annex 4), will notify the manager/risk coordinator how well the new control activities and existing controls that are being continued are working. This reporting involves writing a summary of what has happened, identifying the impact of the new control activities and existing controls that are being continued, and attaching any evidence to the report as an annex.

Control Activities Annexes

Annex 1 – Examples of some common risks and controls

Common Risks / Possible Control Activities

Risk management

Risk: Risks are not being managed effectively and so the organisation's objectives may not be achieved
- Risk workshops are organised to determine risks, allocate owners, determine controls and how their operation is monitored - corrective

Cash management

Risk: Cash holdings could be stolen
- Cash is kept locked away and access to it is strictly controlled - preventive
- There is segregation of duties for staff who have access to cash - preventive
- Cheques and other payment forms are serially numbered - preventive

Asset management

Risk: Assets could be stolen
- Physical controls, for example using a safe - preventive
- separation of duties, authorisation levels, passwords - preventive; and
- tagging of goods, reconciliations, stock counts - detective

Document control

Risk: Documents received could be lost
- Keeping a register that shows where all the received documents are filed - preventive

Risk: Due to document control procedures not being clear and specific, decisions not being taken on time
- The document control procedure defines the controls needed to (all preventive):
  - approve documents for adequacy prior to issue;
  - ensure that changes and the current revision status of key documents (strategic plan, performance programmes, etc.) are identified;
  - ensure that previous versions of applicable documents are available at points of use;
  - ensure that distribution of sensitive and classified documents is controlled; and
  - identify documents that should be archived

Planning and budgeting

Risk: Budget resources may be spent inappropriately
- Effective planning/budgeting process - preventive
- Staff have received training in budget preparation - preventive
- Comparison of interim and final accounts and activity reports with the strategic plan, performance programme and the budget - detective

Risk: Financial information may not be accurate and complete
- Financial information being stored or reported on the computer - preventive

Procurement

Risk: Error and fraud could occur in the procurement process
- Separation of duties between staff making decisions, staff selected for the tender commission and staff involved in payments - preventive
- Applying ex-ante controls to the award decision before the signing of the contract - preventive
- Random checks on transactions by authorised staff - detective
- Identifying purchasing thresholds - preventive
- Requirement to seek the ex-ante approval of a senior manager or the Minister for some high-value procurements (Double signature system) - preventive; and
- Regular rotation of staff who have critical responsibilities in the procurement process - preventive

Stores

Risk: Unauthorised removal of goods from store
- Physical stock checks to inventory records - detective

Risk: Goods ordered but not delivered on time or partially delivered
- Including penal provisions in the contract regarding any failure to deliver goods on time - corrective
- Comparison between invoices, goods delivery notes and the contract - detective

Revenue management

Risk: Delays in submitting tax statements on time and the failure to collect revenues on a timely basis
- Incentives for timely submission of tax statements (advance warning, posters, etc.) - directive
- Incentives for on-line submission of tax statements - preventative
- Penalties for late submission - preventative

Contingency planning

Risk: Major 'incident' destroys important data
- A Business Contingency Plan exists, has been tested and kept up to date - preventive

IT security

Risk: Unauthorised staff may obtain access to computerised data
- Personal identifiers and passwords - preventative
- Review of on-line access and transaction logs - detective

Risk: Master files may be changed inappropriately
- Supervisor authorisation required on forms indicating data to be changed - preventive
- Supervisor does not have change access rights - preventive; and
- Supervisor verifies changes against a printout of changes - detective

Annex 2 – List of common control activities

Category / Control Activity

Risk management

Appropriate risk management policies, procedures, techniques and mechanisms exist for each of the organisation's activities:
- Management has ensured that all relevant objectives and associated risks for each significant activity have been identified in conjunction with conducting the risk assessment and analysis function.
- Management has identified the actions and control activities needed to address the risks and directed their implementation.

Implementing control activities

The control activities identified as necessary are in place and being applied.

Management has ensured that:
- Control activities described in policy and procedures manuals are actually applied and applied properly.
- Managers and employees understand the purpose of internal control activities.
- Nominated staff review the functioning of established control activities and remain alert for instances in which excessive control activities should be minimised.

For existing control activities, look out for:
- Guidance – it is likely that there will be official guidance about how to carry out your work;
- Documentation – there may be standard document control procedures to ensure that new documents are registered and filed, changes to documents are recorded and documents no longer in use are archived;
- Checking the work of others – this is a basic control activity that can involve a supervisor or manager checking the work of staff, staff in one section checking the work of staff in another section, or computer checks. There may also be a requirement for transactions to be checked by the SDU under the ex ante control regulation;
- Security – protecting documents, cash and assets; and
- Contingency arrangements – ensuring the continuation of essential services in the event of a service failure.

Performance monitoring

Senior management track outturn in relation to its operational and performance plans:
- Top management are involved in developing annual performance plans and targets, and measuring and reporting results against those plans and targets.
- Top management regularly review actual performance against budgets, forecasts and prior period results.
- Top management take appropriate corrective action when progress reports indicate that performance is significantly out of line with plans.

Operational managers review actual performance against targets:
- Managers at all activity levels review performance reports, analyse trends and measure results against targets.
- Managers review and compare financial, budgetary and operational performance to planned or expected results.
- Appropriate control activities are employed, such as reconciliations of summary information to supporting detail, checking the accuracy of summarisations of operations, and checking the reliability of data sources and data systems.
- Comparisons are made relating different sets of data to one another, so that analyses of the relationships can be made and corrective actions can be taken if necessary.
- Investigation of unexpected results or unusual trends leads to identification of circumstances in which the achievement of goals and objectives may be threatened, and corrective action is taken.
- Analysis and review of performance indicators and results are used for both operational and financial reporting control purposes.

Quality of performance measures and indicators

The organisation monitors the quality of performance measures and indicators:
- The organisation periodically reviews and validates the propriety and integrity of performance measures and indicators.
- Performance measurement assessment factors are evaluated to ensure they are linked to mission, goals and objectives, and are balanced and set appropriate incentives for achieving goals while complying with law, regulations and ethical standards.
- Actual performance data is continually compared against planned goals, and differences are analysed to establish whether the right things are being measured in the right way.

Human resource management

The organisation effectively manages its workforce to achieve results:
- A clear and coherent shared vision of the organisation's mission, goals, values and strategies is explicitly identified in the strategic plan, annual performance plan and other guiding documents, and that view has been clearly and consistently communicated to all employees.
- The organisation has a coherent overall manpower planning strategy, as evidenced in its strategic plan, performance plan or separate manpower planning document, and that strategy encompasses manpower planning policies, programs and practices to guide the organisation.
- The organisation has a specific and explicit workforce planning strategy linked to the overall strategic plan and that allows for identification of current and future manpower planning needs.
- Senior leaders and managers support teamwork, reinforce the shared vision of the organisation and encourage feedback from employees, as evidenced by actions taken to communicate this to all employees and the existence of opportunities for management to obtain feedback.
- The organisation's performance management system is given a high priority by top-level officials, and it is designed to guide the workforce to achieve the organisation's shared vision/mission.
- Procedures are in place to ensure that staff with appropriate competencies are recruited and retained for the work of the organisation, including a formal recruiting and hiring plan with explicit links to skill needs the organisation has identified.
- Employees are provided with information, training and tools to perform their duties and responsibilities, improve performance, enhance their capabilities and meet the demands of changing organisational needs.
- Qualified and continuous training is provided to ensure that internal control objectives are being met.
- Meaningful, honest, constructive performance evaluation and feedback are provided to help employees understand the connection between their performance and the achievement of the organisation's goals.

Information processing

The organisation uses a variety of control activities suited to information processing systems to ensure accuracy and completeness:
- Edit checks are used in controlling data entry.
- Accounting for transactions is performed in numerical sequences.
- File totals are compared with control accounts.
- Exceptions or violations indicated by other control activities are examined and acted upon.
- Access to data, files and programs is appropriately controlled.

Physical Control Over Vulnerable Assets

The organisation uses physical controls to secure and safeguard vulnerable assets:
- Physical safeguarding policies and procedures have been developed, implemented and communicated to all staff.
- The organisation has developed a disaster recovery plan which is regularly tested, updated and communicated to staff.
- The organisation has developed a plan for the identification and protection of any critical infrastructure assets.
- Assets that are particularly vulnerable to loss, theft, damage or unauthorised use, such as cash, securities, supplies, inventories and equipment, are physically secured and access to them controlled.
- Assets such as cash, securities, supplies, inventories and equipment are periodically counted and compared to control records, and exceptions examined.
- Cash and negotiable securities are maintained under lock and key and access to them strictly controlled.
- Forms such as blank checks and purchase orders are sequentially pre-numbered and physically secured, and access to them strictly controlled.
- Mechanical check signers and signature plates are physically protected and access to them strictly controlled.
- Equipment vulnerable to theft is securely fastened or protected in some other manner.
- Identification plates and numbers are attached to office furniture and fixtures, equipment and other portable assets.
- Inventories, supplies and finished items/goods are stored in physically secured areas and protected from damage.
- Facilities are protected from fire by fire alarms and sprinkler systems.
- Access to premises and facilities is controlled by fences, guards and/or other physical controls.
- Access to facilities is restricted and controlled during nonworking hours (alarms, CCTV, etc.).

Separation of duties

Key high risk and sensitive duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud:
- No one individual is allowed to control all key aspects of a transaction or event.
- Responsibilities and duties involving transactions and events are separated among different employees with respect to authorisation, approval, processing and recording, making payments or collection of income, review and auditing, and the custodial functions and handling of related assets.
- Duties are assigned systematically to a number of individuals to ensure that effective checks and balances exist.
- Where feasible, no one individual is allowed to work alone with cash, securities or other assets.
- The responsibility for opening mail which contains cash is assigned to individuals who have no responsibilities for, or access to, files or documents pertaining to accounts receivable or cash accounts.
- Bank accounts are reconciled by staff who have no responsibilities for cash receipts, disbursements or custody.

Authorisation for transactions or events

Appropriate staff is authorised for transactions and other significant events:
- Controls ensure that only valid transactions and other events are initiated or entered into, in accordance with management decisions and directives.
- Controls exist to ensure that all transactions and other significant events are authorised and executed only by employees acting within the scope of their authority.
- Authorisations are clearly communicated to managers and employees and include the specific conditions and terms under which authorisations are to be made.
- The terms of authorisations are in accordance with directives and within limitations established by law, regulation and management.

Recording transactions and events

Transactions and other significant events are properly classified and promptly recorded:
- Transactions and events are appropriately classified and promptly recorded so that they maintain their relevance, value and usefulness to management in controlling operations and making decisions.
- Proper classification and recording take place for each transaction or event.

Accountability for and access restrictions to resources and records

Access to resources and records is limited and accountability for their custody is clearly allocated:
- The risk of unauthorised use or loss is controlled by restricting access to resources and records only to authorised staff.
- Accountability for resources and records custody and use is assigned to specific individuals.
- Access restrictions and accountability assignments for custody are recorded and periodically reviewed.
- Periodic comparison of resources with the recorded accountability is made to determine if the two agree, and differences are examined.
- How frequently actual resources are compared to records, and the degree of access restrictions, are functions of the vulnerability of the resource to the risk of errors, fraud, waste, misuse, theft or unauthorised alteration.
- Management considers such factors as asset value, portability and exchangeability when determining the appropriate degree of access restrictions.
- As a part of assigning and maintaining accountability for resources and records, management inform and communicate those responsibilities to specific individuals within the organisation and ensure that those people are aware of their duties for appropriate custody and use of those resources.

Documentation

Internal control, transactions and other significant events are clearly documented:
- Written documentation exists covering the organisation's internal control structure and for all significant transactions and events.
- The documentation is readily available for examination.
- The documentation for internal control includes identification of the organisation's activity-level functions and related objectives and control activities, and appears in management directives, administrative policies, manuals and other guidance.
- Documentation for internal control includes documentation describing and covering management information systems, data collection and handling, and the specifics of general and application control related to such systems.
- Documentation of transactions and other significant events is complete and accurate, and facilitates tracing the transaction or event and related information from authorisation and initiation, through its processing, to after it is completed.
- Documentation, whether in paper or electronic form, is useful to those involved in controlling, evaluating or analysing operations.
- All documentation and records are properly managed, maintained and periodically updated.

General computer controls

The organisation periodically performs a comprehensive high-level assessment of risks to its information systems:
- Risk assessments are performed and documented regularly and whenever systems, facilities or other conditions change.
- Risk assessments consider data sensitivity and consistency.

Effective computer security controls are in operation and are monitored:
- The organisation has developed a plan that clearly describes the organisation-wide security plan and policies and procedures that support it.
- Senior management have established a structure to implement and manage the IT security program throughout the agency, and security responsibilities are clearly defined.
- The organisation monitors the security plan's effectiveness and makes changes as needed.
- Corrective actions are promptly and effectively implemented and tested, and they are continually monitored.

Effective computer access controls are in place and are monitored:
- Information resources are classified according to their criticality and sensitivity.
- Resource classifications and related criteria have been established and communicated to resource owners.
- Resource owners have classified their information resources based on approved criteria and with regard to risk determinations and assessments, and have documented those classifications.
- Resource owners have identified authorised users, and their access to the information has been formally authorised.
- The organisation monitors information systems access, investigates apparent violations and takes appropriate remedial action.
- The organisation has established physical and logical controls to prevent or detect unauthorised access.

Application software development and change controls are in place and are monitored:
- Application software modifications are properly authorised.
- All new or revised software is thoroughly tested and approved.
- The organisation has established procedures to ensure control of its software libraries, including labelling, access restrictions, and use of inventories and separate libraries.
- All key activities are monitored.

Effective system software controls are in place and are monitored:
- The organisation limits access to system software based on job responsibilities, and access authorisation is documented.
- Access to and use of system software are controlled and monitored.
- The organisation controls changes made to system software.

There is effective separation of duties for IT operations:
- Incompatible duties have been identified and policies implemented to segregate those duties.
- Access controls have been established to enforce segregation of duties.

Controls ensure the continuity of IT services:
- The criticality and sensitivity of computerised operations have been assessed and prioritised, and supporting resources have been identified.
- The organisation has taken steps to prevent and minimise potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
- Management have developed and documented a comprehensive IT service contingency plan.
- The organisation periodically tests the contingency plan and adjusts it as appropriate.

Computer application controls

Source documents are controlled and require authorisation:
- Access to blank source documents is restricted.
- Source documents are pre-numbered sequentially.
- Key source documents require authorising signatures.
- For batch application systems, batch control sheets are used, providing information such as date, control number, number of documents and control totals for key fields.
- Senior management or independent review of data occurs before it is entered into the application system.
- Data entry terminals have restricted access.
- Master files and exception reporting are used to ensure that all data processed are authorised.

Completeness controls:
- All authorised transactions are entered into and processed by the computer.
- Reconciliations are performed to verify data completeness.

Accuracy controls:
- The organisation's data entry design features contribute to data accuracy.
- Data validation and editing are performed to identify erroneous data.
- Erroneous data is captured, reported, investigated and promptly corrected.
- Output reports are reviewed to help maintain data accuracy and validity.

Control Over Integrity of Processing and Data Files:
- Procedures ensure that the current version of programs and data files are used during processing.
- Programs include routines to verify that the proper version of the computer file is used during processing.
- Programs include routines for checking internal file header labels before processing.
- The application protects against concurrent file updates.

Annex 3 - Illustrations for cost benefit analysis

Example 1

You are considering hiring a junior clerk to carry out a 100 per cent check on all payments your spending unit makes (checking each agrees to the supporting documents) to ensure the correct amount is paid. This is an ex-ante control, as the check is made prior to the payment. You estimate that this task will occupy the junior clerk for 100 per cent of their working time.

Cost of the junior clerk: 2500 YTL a month (1200 salary plus 1300 contribution to overheads, e.g. heating the building).

Scenario A

Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 3000 YTL a month.

Decision – this control activity is cost effective and the junior clerk should be employed to do this checking.

Scenario B

Cost: same as above.

Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 2000 YTL a month.

Decision – this control activity is not cost effective and the junior clerk should not be employed on a full time basis to do this checking. You can rely on other controls instead.

Possibilities:

• Focus checking on only the highest value or riskiest payments – this will only employ the clerk for 50 per cent of their time. If you estimate that it will find, on average, errors of overpayment of 1600 YTL a month (i.e. over 50 per cent of the clerk's cost), this is a better alternative control; or

• Don't do any checking – rely on separation of duties control (different clerk raises payment to the one that enacts the payment) to prevent fraudulent overpayments.

Example 2

You do not currently employ any public relations expert.

In the absence of any control on dealings with the press, you assess the risk of reputational damage as being high likelihood and high impact.

Cost of the expert in public relations: 4500 YTL a month (2500 salary plus 2000 contribution to overheads, e.g. heating the building).

Scenario 1

You have a low risk appetite in terms of reputational damage and consider that the benefit of all dealings with the press going through the expert in public relations will successfully mitigate the risk to within your risk appetite (by considerably reducing the likelihood of reputational damage through ill-advised comments being given to the press). You consider that this risk mitigation is so important to your administration that it justifies the employment of the expert in public relations.

Decision: you employ the expert in public relations.

Scenario 2

You have a high risk appetite in terms of reputational damage and consider that the risk of reputational damage through ill-advised comments being given to the press without employing the expert in public relations is equal to or less than your risk appetite for this risk. You thus consider that the benefit of employing the expert is outweighed by the cost. You therefore consider that it is not cost-effective to employ the expert in public relations.

Decision: you do not employ the expert in public relations.

Action: as you are equal to or less than your risk appetite for the reputational risk, you need not select an alternative control activity, but you should continue to review in the future, as the decision may be changed if your risk appetite reduces or your assessment of the likelihood and/or impact of the risk increases.

INFORMATION AND COMMUNICATION

1 INTRODUCTION

Information and communication, as the fourth of the five components of the COSO internal control model, ensures the relation between control environment, risk assessment and control activities through sharing information and communication. It has an important role in increasing the functionality and operational competence of the internal control system, which is regarded as a tool for attaining organisational objectives and aims, as it regulates information flow within the administration.

The aim of this chapter of the manual is to give information, within the framework of internal control standards, about structures and practices related to the use of information and communication mechanisms, and to provide guidance for users about reporting, registry and filing systems and the methods to be used in notifying faults, irregularities and corruptions, with a view to ensuring that administrations carry out their activities in line with their objectives as well as accounting for their activities.

Communication refers to the transformation and conveyance of information within the organisation, vertically and horizontally, and externally, via proper mechanisms, to relevant people, administrations and bodies. Administrations must aim to establish an effectively managed and well coordinated communication system for the information that meets the information needs of managers, staff and the public.

In the event that information and communication systems do not function as expected, managers and staff may come up against the risk of not being able to make timely and right decisions, not being able to implement those decisions and, ultimately, not being able to achieve the objectives. In this regard, information should be accessible, useful, timely, accurate, complete and up-to-date.

2 Information and Communication Standards

Information and communication includes the information, communication and record system which will ensure transfer of required information to the person, personnel and administrator who need the information, in a determined format and within a time period which enables those concerned to fulfil internal control and their other responsibilities.

IC Box 1 Information and Communication Standards

[Figure: the five components of the internal control model: Control Environment, Risk Management, Control Activities, Information & Communication, Monitoring]

Standard 13: Information and communication

The administrations shall have a suitable information and communication system with a view to ensuring that the performance of the units and the personnel is monitored, decision making processes operate soundly, and efficiency and satisfaction in providing service

Standard 14: Reporting

Goals, objectives, indicators and activities of the administration, and the results of them, shall be reported in accordance with the principles of transparency and accountability.

Standard 15: Record and filing system

The administrations shall have a comprehensive and up-to-date system where the works and transactions, including incoming and outgoing documents, are recorded, classified and filed.

Standard 16: Notification of faults, irregularities and corruptions

The administrations shall develop methods which will ensure that the faults, irregularities and corruptions are notified in a specific order.

3 ROLES AND RESPONSIBILITIES IN INFORMATION AND COMMUNICATION

Minister

Ensures coordination and cooperation with other ministries, and informs the public and the TGNA about the annual performance programme and activity report submitted to him by the administration.

Head of Administration

The Head of Administration must publish an announcement, via the internal communication network or an official letter, on what to do before the preparation of such documents as the strategic plan, performance program, activity report, and Risk Strategy and Policy Paper, which need to be prepared in a way which will ensure attainment of pre-identified objectives in the fields the administration is responsible for.

Another duty of the Head of Administration is to sign the internal control assurance declaration and inform the public and the Minister.

As the quality of the information exchange and communication between the Head of Administration and the other actors has a direct effect on the accountability of the Head of Administration, the Head of Administration must guide the relevant units about the frequency and methods of feedback he prefers.

The Head of Administration must take notice of whether the current information system meets the needs during the set up and integration of new information systems. If a new system is to be set up, it must be designed by taking integration with the other information systems into consideration.

Internal Auditor

As prescribed by the Law no 5018, the internal auditors work to assess the internal control system under the Head of Administration. In this regard, internal auditors report to the Head of Administration whether the internal control system functions properly or not. Therefore, to be able to carry out their duties, internal auditors should be given unlimited access to every kind of information they need. Setting up such a mechanism depends on robust communication and flow of information between the internal auditors and the Head of Administration.

The Head of Administration is entitled to take preventive or corrective actions and develop new control activities based on the report submitted by the internal auditor, or to request additional reports.

Authorising Officer

Authorising Officers must ensure that tasks, powers and responsibilities of staff are defined clearly and in writing and communicated to all staff. In this framework, a chart of duties which demonstrates the functional reporting network must be produced and communicated to the staff.

A communication network that ensures quick and timely access by the staff and managers to the activities and the results must be used. In this regard, the organisational chart of the administration can also include a diagram which shows the tasks of the sub-units and the responsible and authorised staff, on the intranet and internet. The Authorising Officer must ensure that sub-units are informed about the activities of each other.

Authorising officers:

• must ensure that an electronic communication and archiving system is used effectively for the accurate and reliable acquisition, storage and communication of the information needed regarding the objectives, activities and indicators that are relevant to their respective units from among those included in the strategic plan and performance program of the administration;

• must provide for the regular announcement of the status of realisation regarding the performance objectives and indicators related to their respective units, and the grounds for the data, on the webpage of the unit; and

• must provide information for periodical reporting to the SDUs that will be carried out by authorising officers (information about objectives and risks of the unit, status of realisation, etc.).

• should transfer timely, complete and accurate information and documents regarding financial transaction processes to the Accounting Officer, and set up mechanisms to store records and statistics.

Realisation Officer

Realisation officers, who are responsible for issuing spending orders, must periodically brief the authorising officer on the spending process. In this regard, information on the spending order being complete, accurate, understandable and reliable plays a significant role in realisation officers fulfilling their tasks as requested of them.

Accounting Officer

The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way. Accounting Officers must regularly report to the authorising officer on the accounting records.

Strategy Development Units

SDU managers must review the information included in the activity reports, performance programmes and strategic plans by holding periodic meetings with the authorising officers of other units. Personnel of SDUs must obtain the information that is needed in the field of financial management and control through these persons.

Necessary coordination for the formation of the team to carry out the studies on the establishment and development of Information Management Systems within the administration is provided by the SDU.

In fulfilment of the coordination duties of SDUs, which are defined by laws, the Principles and Procedures of Internal Control and Ex-ante Financial Control, the Strategy Planning Guideline, the Legislation and Manual on Performance Programs to be Prepared in Public Administrations, and secondary and tertiary regulations such as the Budget Preparation Manual must be taken into consideration.

SDUs must have a webpage with forums, good practice examples and frequently asked questions to ensure communication with internal and external stakeholders, in order to carry out their tasks more effectively.

Central Harmonisation Unit

While carrying out its tasks in the field of information and communication:

• CHU sets up a common (web-based) network where information can be shared.

• They organise trainings, panels and conferences for the actors that take part in the field of internal control.

• CHU members are assigned to be responsible for particular administrations to enhance information and communication with SDUs of administrations. They communicate with SDUs and provide them with information and guidance via official letters, call centres, telephone, forums, etc.

Please refer to the CHU Handbook for further details on the roles and responsibilities of CHU.

Besides the practices and methods in the area of information and communication given in this manual, public administrations must also take into consideration those regulations in the legislation which are directly related to the area of information and communication. These basic regulations are contained in IC Annex I.

4 INFORMATION

The prerequisite for reliable and proper information is immediate recording and suitable classification of all operations and transactions. Internal control includes obtaining, classifying, recording, utilising and reporting both financial and non-financial information.

4.1 Characteristics of Information

Characteristics that the information which is used in public administrations must have are given below.

• Timely: Information should be obtained and transferred at the right time by the right personnel.

• Related: Information should be related to every activity, work or action.

• Available: Information holdings should be available to those who require them the moment they need them, and also later. Technology should be available to users in order to facilitate obtaining, storing, transferring and using information.

• Comprehensible: The description of information holdings must have the same meaning for users at all levels of the administration. In addition, information that is shared with external stakeholders must be clear and meaningful for the users.

• Usable: Information must meet the needs of its users in relation to the purposes for which it was received.

• Complete: Both the content and form of information should be complete in order to provide for efficient and effective use of information holdings.

• Accurate: Information must be able to reflect the points regarding the aims, objectives and activities it is related to accurately and correctly.

• Up-to-date: Information must be updated and related to the needs. A lack of up-to-date information can impair decision making and program delivery. Managers and personnel should take necessary actions to keep information up-to-date.

4.2 Information Management

Information management is a process where information is planned and obtained from any kind of source, internally or externally, classified, stored, communicated to relevant bodies in a timely manner for interpretation, reviewed for updating, and destroyed. The stages of this process are complementary to each other. In any stage, there may occur a need to take into consideration the phases of the previous or next stage.

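IC Figure: Information Management Process (stages shown: planning information need; creating and collecting information; organising information; utilising and sharing information; reviewing and keeping information)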

4.2.1 Planning Information Need

The planning stage starts with identifying strategic aims and objectives and performance objectives, as well as identifying the information needs to achieve these objectives. This stage includes the assessment of who needs what information, when and why, and how they can acquire it, at all levels from the operational to the strategic activity level, in order for the administration to maintain its operations effectively.

In the planning stage the following factors must be taken into consideration:

• Internal and external information users must be defined and classified. Information needs of users must be determined. Information holdings must be examined to see whether the current information need of the users can be met using them.

• While novel databases and information systems are designed, the risk for the information to be disseminated to the public must be considered.

• The benefit and cost of information in terms of the users must be analysed.

• The information need for new legislative, strategic and operational aims must be defined along with the relevant information system requirements; furthermore, the person and the time to do this work must be set out.

• Emerging information needs must be compared to the present information and information systems within and outside the administration.

• For increasing the value or productivity, or decreasing the cost, of the systems in use, such methods as combining information systems, using novel technologies and standard practices can be referred to.

Value of information is not only about how it is used and kept but also about how and when it is going to be destroyed. Many factors, such as legislation, information policies and needs, may have an impact on how long to keep that information. Information which is being kept should be destroyed in accordance with the relevant legislation after necessary approvals have been received.

4.2.2 Creating and Collecting Information

While producing and collecting information, first of all the value of the information for the administration must be set out, and it should be made sure that the people in need of information do have access to it on time.

The information collection and creation process should focus on the following, and information collected or created must have the capacity to meet the needs of the administration. To this end:

• The holdings must be periodically reviewed in order to determine if the information that is created or collected continues to meet the identified needs, and it must be followed up whether users really use the information. A great deal of information can still be unnecessarily collected for a reason that was identified in previous periods. If the administration decides to stop collecting that information, it must first set out whether any individual or program would be affected.

• Quality and scope of information, as well as its relation to the defined needs and whether it meets the needs or not, should be understood in regular reviews. In addition, implicit information of the staff must be turned into explicit information and incorporated into the information inventory. The information produced as a result of the process studies must be classified starting from the most frequently used to the least.

• Information must be compiled in information pools to be created. This information must be clear and understandable. The information in the pool must be open to access upon being classified in accordance with the information hierarchy, such as strategic and operational. Management of the information pool must be carried out by a team who are competent in the processes, to be formed within the administration.

Legislation or policies may demand that certain information be collected by an administration. Therefore, information that is collected must meet legislative and institution-specific policy requirements.

Information collection must be coordinated. To this end:

• all information collection activities must be accounted for, including all regions and organisational units, and information collected must be accessible;

• the administration must ensure that information collection conforms to the applicable standards;

• information must be periodically reviewed in order to ensure that the requirements of the relevant legislation are respected. This might be done during the annual update of personal information; and

• before information is created or collected, existing information holdings must be reviewed to determine if the information needs can be satisfied by existing holdings or readily accessible external information sources.

The following are the leading sources of information:

• instructions, approvals, invoices, transaction orders, petitions;

• interactions between clients, vendors or other ministries and agencies;

• planning documents - budgets, forecasts, work plans, blueprints (technical or engineering designs);

• drafts, schemes of information architecture;

• reports, policy briefing notes, other documents supporting the activities and justifications;

• meeting documents - agendas, records of decision;

• commission documents, job descriptions, member lists;

• requests for information and the responses, emails, forms used to collect responses, templates, related instructions, responses in every format;

• client records, applications, evaluations, emails, phone calls;

• every kind of data in electronic medium; and

• information resources which could provide additional information.

Collecting Information from Public/Private Sector

The response burden should be minimised to the lowest level possible in this process. To this end:

• the administration should determine from whom it will receive information, at what frequency and in what detail, as well as what burden this process will create upon respondents; and

• there should be cooperation with other administrations in such issues as undertaking joint collection or information sharing.

The forms should meet all statutory and policy requirements. To this end:

• all the forms in both paper and electronic media must be reviewed before they are put into use to ensure that applicable requirements are met. Furthermore, the responsible person must be assigned.

4.2.3 Organising Information

The aim of organising information is to establish a link between the operations of the administration and the usage, sharing, retrieving, archiving and destroying of information, and to facilitate the process for administrations and the other stakeholders.

The following steps must be taken for an efficient information organisation:

• it must be ensured that users, both internal and external to the administration, are satisfied with their access to information. Methods should be established to measure user satisfaction (such as user surveys and questionnaires applied after completion of certain services, as well as periodically applied questionnaires);

• the custodians of information holdings (e.g. Data Processing Departments, Library Services, etc.) must identify the information needs of users and improve their services to better meet the needs of users for quick and easy access, e.g. shortening response time, using efficient and effective technology for transmission, designing a user-friendly system;

• information must be available for public dissemination and communicated to the public where and when appropriate, for instance by establishing such structures as e-libraries to facilitate public access;

• information available for use by the other administrations must be checked to see whether it is subject to any legal or policy constraints;

• administrations must have an up-to-date publications catalogue, which must be deposited in the administration's library. Published material must be catalogued according to established standards; and

• all the documents published by the administration must be accessible on the webpage of the administration.

Registering, Filing and Archiving of Information

Registry and Filing

To ensure effective management, any kind of document (including electronic ones), internal communications, operations and transactions must be recorded, classified, filed and archived; there must be a comprehensive and up-to-date system for this.

If meaningful and valuable information for the control of activities and decision making is desired, all the operations and transactions must be instantly recorded.

In order to ensure the quality of information and reporting, fulfilment of internal control activities and responsibilities, and effective and efficient monitoring activities, all transactions need to be completely and clearly documented.

These documents should be easily accessible where needed.

The documents of the internal control system should include the structure and policies of the administration, types of activities, related objectives and control procedures.

The process of registry should be applied in a way that it will cover all the stages of a transaction, including the start and approval stages, until their final classification. This is also the case for the regular updating of documents.

Regardless of the media they are received in (such as paper, fax, e-mail or electronic), documents should be recorded and kept within the framework of a registry plan which is suitable at least to one official file.

Registry procedures must be communicated to staff in writing.

In this context, Standard Filing Plan no 20057, issued in the Official Gazette no 25766 dated 24 March 2005 and prepared under the coordination of the Prime Ministry General Directorate of State Archives, must be taken as the basis to establish a common method for all public administrations to file all the documents, including electronic ones, and ensure fast and easy access to them where necessary.

Ensuring standardisation in the filing system would help achieve harmony within the institution and, if it can be disseminated among all organisations, it would form a basis for an efficient and effective communication system across the country.

Standardisation of filing services would:

• ensure that documents about the same issues are codified using the same numbers in all organisations;

• facilitate easy and fast access to the right information and documents requested, and make sorting, classifying and keeping the documents and putting them into service easier, as standard file numbers will refer to the same issues in all organisations;

• ensure integrity and ease in the establishment of a tidy, fast, effective and efficient system of document, file and communication;

• provide infrastructure for the automation of documents and correspondences and the establishment of information networks among organisations; and

• facilitate internal and inter-organisational file and operation tracking. The document or information looked for would be easily found in a short period of time.

The task of carrying out studies on the registry, usage and archiving of electronic documents has been assigned to the General Directorate of State Archives upon Decision no 7 dated 9 September 2004 of the e-Transformation Executive Board, in accordance with the Prime Ministry Circular number 200816 on Electronic Document Standards published in the Official Gazette number 26938 and dated 16 July 2008, and TSE Standard number 13298 has been published. This Standard is a main source for electronic document management systems to be used by all public organisations.

Electronic document management systems to be established by the administrations will comply with the TSE Standard no 13298 and, furthermore, inter-organisational sharing of electronic documents produced will be carried out by the criteria on electronic document sharing services as set out on the web address www.devletarsivleri.gov.tr

Archiving Services

Archiving services include identification of the materials the administrations and the staff have that will become archive materials in the future, their protection against any losses, preservation under proper conditions, utilisation in accordance with national interests, and cropping and disposal if not deemed necessary to maintain. Principles and procedures on archiving services have been set out in the Regulation on State Archiving Services published in the Official Gazette number 19816 and dated 16 May 1988, and amended by the Official Gazette number 25735 and dated 22 February 2005.

As per this regulation, administrations have to take necessary precautions to protect information and documents against disasters, theft, fire, etc., set out the procedures for the preservation of confidential documents, take the measures to ensure that the documents remain legible in the future, and inform the managers and the staff about the proper periods of preservation for the documents.

4.2.4 Using and Sharing Information

Using and sharing information is crucial in terms of accountability and transparency for those who take part in the activities of the administration and other stakeholders.

Information is an asset which renews itself, turns into a new form and becomes more valuable as it is communicated and shared. Therefore, regular communication and circulation of information within an administration is a principle of information management. Sharing administrative information reflects a cycle in which the information is communicated to the relevant persons, administrative works are notified, reactions of the personnel are received, and reactions are assessed, evaluated and communicated back to the relevant persons.

The following must be considered while using and sharing information:

• Comply with privacy, security and legal restrictions.

• Whenever possible, use electronic media to share information resources (email, repositories, websites and so on).

• Ensure that information remains complete, accurate, up-to-date, relevant and understandable.

• Verify the accuracy and reliability of information (especially when conducting web-related research).

• Take advantage of administrative investments in information resources (magazine and journal subscriptions, databases, online library services and so on) while respecting copyright, licensing and intellectual property rights.

• When retaining information that has been 'copied', indicate the source, whether it is from an information resource already saved in the organisation repository, from a publication or from a website.

Furthermore, transferring information from those who leave their jobs to those starting a new job is crucial to the continuity of the activity in an administration. In this context, the following should be taken into consideration:

IC Table 1: What to do when leaving and starting a job

When leaving a job:

• Discussing your responsibilities with your manager when leaving the job, and determining and monitoring the internal policies for the administrative closure of your business processes
• Providing pertinent information about everything you leave for your successor, explaining why it will be needed
• Backing up all the information in the electronic medium related to the job and transferring it to the information pool
• Transferring the documents under your responsibility to the relevant successor
• Creating a list of job-related website addresses, a summary of ongoing projects and related contact information, and an inventory of information resources (including file numbers) that will help your successor get used to his or her new job
• Returning or extending the deadline of the material that was borrowed from the library
• Removing former employee's name from distribution lists

When starting a new job:

• See if any electronic and paper information resources of business value have been transferred to your custody
• Take note of any instructions or messages you receive regarding access to electronic tools such as a shared drive, business system or repositories
• Familiarise yourself with your information management responsibilities and practices
• Take part in training sessions on information management and recording
• Add new employee's name on the distribution list

4.2.5 Reviewing and Protecting Information

Organisations must periodically review such main processes of information management as planning, producing, collecting, defining, accessing and using information, and share the results with managers.

Therefore, attention must be paid to the following:

- Store the information in a manner that preserves its form and status, keeping its structure, context and content intact.
- Mark each information resource according to its proper security classification, either on the paper or electronic document.
- Protect classified and protected information by ensuring it isn't left in waste or recycle containers and by storing it in locked desks or cabinets after work hours and during extended periods of absence.
- Implement effective access control procedures, ensuring that classified and protected information is only made available on a need-to-know basis to those who are authorised to access it.
- The level of protection must be consistent with the level of risk.
- Take the requests for access and usage from other users into consideration and assess their compliance with the legislation.
- Periodically back up the information for protection purposes.

4.3 Information Security

Information can be stored on paper, it can be kept in the electronic format, or transferred verbally as well. Regardless of its form, information must be properly recorded and protected.

Information security means safeguarding valuable assets in an administration against loss, misuse or damage.

The aim of information security is to ensure the following:

- Safeguarding data integrity
- Preventing unauthorised access
- Respecting privacy and secrecy
- Continuity of the system

4.3.1 Information Security Management System

An information security management system is a systematic approach adopted so that the organisation's sensitive information that needs protection is managed properly. The main objective of this system is safeguarding, storing and making the sensitive and critical information available where necessary.

Setting Up an Information Security Management System

In order to establish an information security management system:

- Primarily, the decision must be taken on whether the system will cover the entire organisation or a part of it.
- Secondly, a policy that sets out the objectives must be introduced.
- Finally, a systematic risk assessment approach must be adopted, and potential risks must be identified and mitigated as appropriate.

Requirements of an Information Security Management System

The following are the requirements for an efficiently operating Information Security Management System:

- Support and ownership by top management and managers of the administration must be ensured.
- Information management should not be regarded as merely a technical issue and a job only for the Data Processing Department. The system must have the potential to reach its objectives with active participation by all staff of the administration.
- Establishment of an information security management system must not be regarded as an extra burden and waste of time.

Elements/Principles of Security

The risks of compromise to information security, for example hacking, need to be defined, and controls to mitigate those risks should be introduced. If these controls are absent or ineffective, that will considerably decrease the efficiency of the information security system.

The main principles of security are confidentiality, integrity, availability, authentication, non-repudiation, responsibility and access control. For more detailed information, see the Turkish Standards Institute TSE-17799 "Information Security Management Standard" document. Furthermore, there are other international models aiming to ensure the security of electronically produced information, such as COBIT, e-SAC (Electronic System Audit and Control) and System Trust, while you can also explore the standards ISO/IEC 27001 and ISO/IEC 27002 (International Organisation for Standardisation).

Also, please refer to the "Regulation on the Principles and Procedures Regarding the Implementation of the Law on Electronic Signature", based on the Law on Electronic Signature number 5070, and the e-Transformation Turkey 2005 Action Plan (Action 5: Current systems at public institutions, particularly central institutions using critical information, will be analysed and information security policies and measures will be developed accordingly; and Action 33: The needs of disaster management of public information system will be identified and recommendations will be developed).

For preserving and storing documents that are kept in written environment, please refer to section 4.2.3 on organisation of Information Registry, Filing and Archiving System.

4.3.2 Information Security Control Activities

In order to set the level of importance of an item of information, the degree of the effect on the administration that stems from the risk of harm to the "confidentiality, integrity and availability" of the item of information must be defined in the first place. The harm that can be done to these three security features of information systems may have different degrees of effect. For instance, disclosure of top secret information can cause serious harm to an administration, while it may not be that harmful if that information becomes unavailable.

The risks to information security identified must be analysed and ranked, and the cost of the control activities to be established and operated to mitigate those risks must be in proportion to the value of the information protected and the risk identified after examining potential threats. For some ideas of suitable control activities, see the Control Activities chapter.

IC Figure 1: Process of Control Activities for Information Security (stages shown: Prevention, Identification, Response)

The image above is an example of security-related control activities. It demonstrates 4 different attacks. As can be told from the image, attack [1] is immediately prevented at the stage of prevention, while attacks [2], [3] and [4] are not. Of the attacks that manage to survive the prevention process, attack [2] is identified at the stage of detection and eliminated. Attacks [3] and [4] manage to pass the detection stage. At the stage of response, which is the final stage that has been designed in accordance with the level of tolerance decided, attack [3] is eliminated, while attack [4], which survives all stages, damages the system, passing through all security processes.

5 MANAGEMENT INFORMATION SYSTEMS (MIS)

Management information systems are computer-assisted systems (consisting of computer hardware and software) which should ideally provide timely strategic information needed by managers in the form they demand it, so they can make the right decisions on an informed basis.

The aim is the transmission of the right and complete information to the right people in the proper format (form, report, table, graphics etc.). A labour force is needed to run, update and maintain the systems. MIS give information on how the administration is performing in terms of financial information, information regarding the staff, information of the movable/immovable assets, performance information, information from the organisation's document archive etc. against key performance indicators. MIS may also give information on risk management.

Information should be registered, classified, calculated, summarised, reported and stored. Back up copies of the system should be kept in case the system crashes. If these processes are not done systematically, managers may have incorrect information and thus make the wrong decisions.

While designing MIS, first the civil servants must understand the importance of acquiring and recording reliable and accurate information and be aware of their responsibilities in this regard; then business processes related to the production of information must be defined completely and clearly; and finally support from IT must be obtained.

Some organisations have dispersed information systems; however, the existence of such structure does not necessarily mean they have MIS. In some cases information is not related and integrated with all the actions and units of an administration. Data recorded by different units in different systems is stored independently of the other units. Duplication of information in different units of the administration is an inefficient use of resources. Data being entered into a central computerised system ensures that managers should have access to information which covers all the administration.

The resistance to information sharing in administrations is a significant problem. It is not possible to transmit the accurate and timely information which management needs in the administrations where information is not shared, which is an obstacle for MIS. Hence, a culture of information sharing should be encouraged.

5.1 Stages of Establishing MIS

In the development of management information systems, SDUs undertake the task of coordination and provide technical assistance to the spending units. The following process can be followed by the SDUs and the spending units in establishing MIS.

5.1.1 Establishment of the MIS Working Group

A participative method should be adopted in the establishment of MIS in administrations; the work programme should be produced for a working group to be formed with the participation of representatives from all the spending units under the coordination of the SDU, and tasks should be distributed.

5.1.2 Preparation of the MIS Working Plan

In the working plan:

- To begin with, a comprehensive needs analysis should be carried out to identify which type of information the management may need.
- Upon the completion of the needs analysis, data provider units for the MIS should be identified. This will provide a significant infrastructure for the information map to be produced.
- The properties of the current information system of the administration, and related problems and solution recommendations, should be disclosed; what needs to be done to solve the problems and what is aimed should be determined; and structures should be set up in the administrations to support production and sharing of information.
- Cost and benefit aspects of the system planned to be established should be considered.
- The potential risks relating to MIS should be identified and a risk management process should be carried out. The control activities to be applied for the risks with high significance and likelihood should be determined.
- A good MIS must be flexible enough to keep up with the changes occurring inside and outside the administration. Besides, success criteria of the system, such as inclusion of early warning mechanisms, should be determined.
- In the medium term, a corporate information map must be prepared that will cover the entire organisation. Preparation of a corporate information map would ensure quick access to the information and expertise needed. The information map must be produced primarily at unit level and then at individual level, considering their level of expertise and experience. While forming such a structure, organisational charts or documents for distribution of tasks within the units at a more special level can be made use of. Production of the corporate information map and its proper operation would ensure that the following question is answered easily: "Who knows what?" For instance, quick identification of who (which department, which employee etc.) has information about staff, budget or archives, and of the relation among this information, will be ensured.
- Establishment of MIS can be initiated by pilot implementations in the units. Using pilot implementations as a starting point and ascertaining how the system works will ensure economy in terms of time, cost and labour force. Potential mistakes to be made in the further stages of the process can be prevented by eliminating the shortcomings and correcting the mistakes observed during the pilot implementations.

5.1.3 Monitoring/Assessment

- Periodic reports must be produced and presented to the top management during the establishment of MIS to show the progress in the development of the system. Action must be taken against the problems identified at this stage to ensure performance of the activities as planned.
- Studies about the fulfilment of MIS services in administrations must be carried out upon the approval and under the supervision of head of administration. Furthermore, the head of administration must inform the related units on the working method adopted.
- An MIS needs to be dynamic to keep pace with changes in technology or in the demands for information by management.

5.1.4 Related Legislation

Law no 5436, which amends Law no 5018, prescribes the establishment of SDUs and assigns them with the task of providing the services related to MIS.

In the Regulation on the Working Principles and Procedures of SDUs, providing the services regarding MIS and carrying out studies for the establishment of the system are listed among the tasks of the SDUs.

6 COMMUNICATION

Communication is the exchange of information among individuals and/or organisations to support service delivery, decision making, and sharing, carrying out and coordinating activities. It plays a central role in the development of a robust internal control system and helps management to make decisions by providing feedback on how all the components of internal control are working.

An administration needs information at all levels to achieve its objectives and manage risks. In this context, information flows can take place both horizontally and vertically as well as from outside the organisation.

Information must be properly communicated within an administration to the managers and/or staff in need of it on a timely basis in order for them to fulfil their responsibilities and ensure coordination with other units. External communication with the beneficiaries, suppliers and stakeholders, such as other public administrations, is also essential for effective internal control.

Communication can be verbal, written or electronic, or a combination of the three. Where verbal communication is deemed sufficient, documenting only the important verbally communicated information would be useful, so records of key information are kept and can be subsequently referred to by those who are given access to it.

IC Box 2: Communication Channels

Management should establish communication channels that:

- provide accurate information at the right time
- meet individual demands
- inform employees of their roles and responsibilities
- support reporting
- allow employees to make recommendations for improvement
- give messages that top management can understand, enabling them to make decisions
- inform employees of the importance of internal control and of decisions taken
- are both internal and external, and
- have the right target group

6.1 Internal and External Communication

Administrations should consider the following general issues regarding their internal and external communication:

- The public should be provided with timely, accurate, clear, objective and complete information about policies, programmes, services and activities.
- The language used should be comprehensible and plain Turkish.
- Administrations should be visible, accessible and accountable to the public for the services they provide.
- Various means and methods should be utilised in communication, and information from a variety of sources should be engaged to meet different needs.
- Communication needs should be regularly identified.
- Administrations should receive opinions from internal and external stakeholders while setting out objectives and aims and formulating processes, and should establish mechanisms to assess these.
- Public administrations should work cooperatively with stakeholders when necessary in order to ensure efficient communication.
- Services should be provided in a fair, quick and responsive manner.
- Administrations should have the capacity and equipment to follow up innovations in technology in the field of communication and allocate necessary resources to do so. In this context, activities carried out should be proportionate to resources allocated and results expected.

IC Table 2: Communication Principles and Procedures

INTERNAL

Communication principles:

- Top management and employees should understand the internal communication system and be well aware of their responsibilities.
- Internal communication activities and processes should be reviewed regularly and revised where necessary. New communication methods should be adopted to stay in line with the changing administrative structure.
- It must be ensured that staff communicate their considerations, recommendations and questions to top management.

Method:

- Staff should be regularly informed about the operation of the internal communication system, what to do and the responsibilities, in writing or electronically (including information and communication system for risks).
- Necessary mechanisms (Intranet, internet, announcement boards, complaint and suggestion boxes, top manager briefings etc.) should be established to inform the employees about the mission, vision and the objectives of the administration.

Communication principles:

- Communication between managers and employees should be clear and cooperative in order to achieve the goals and mission of the administration.
- Staff objectives should be made consistent with those of the administration.

Method:

- A more effective communication should be ensured between senior management and personnel.
- Regular meetings and an electronic mechanism that enables the SDUs to coordinate spending units and produce statistical data via necessary analysis.
- Recommendations and ideas of personnel should be heard and action taken to address them when appropriate.
- To this effect, in-house communication seminars and training programs should be organised.

Vertical communication

Communication principles:

- Personnel should convey the necessary, timely, complete and accurate information to their managers in time for the managers to make decisions and achieve objectives.
- Personnel should be notified by their managers when, in which scope, in what way and from which unit the information is demanded.
- Managers should inform the staff about the policies, goal and objectives of the administration.

Method:

- A reporting system should be established within the administration which flows from staff to managers (minutes of meetings, unit activity reports, exchange of information on a weekly or daily basis in person or electronically, a reporting system that enables the managers to monitor daily activities etc.).
- Regular meetings between management and internal auditors; timely submission of internal audit reports to top management.

Horizontal communication

Communication principles:

- Refers to the effective sharing of information among employees of the same hierarchical level in order to carry out the tasks and activities in the administrations.
- Personnel and units to share information should be announced to staff, and the duty to share information should be included in the job descriptions of the relevant personnel and units.
- Managers should hold regular meetings to exchange ideas on their respective fields of competence and the problems and suggestions regarding management.

Method:

- Establishment of a system to monitor meetings and activities of people of the same level.
- Creation of an e-mail group for the people from the same hierarchical level.
- Strengthening data processing infrastructure and ensuring active operation of units.
- Ensuring that top management have more effective communication with employees.
- Internal communication seminars and training programmes should be organised.

EXTERNAL

Communication principles:

- The accessibility of the citizens to the information and services of the administrations should be enhanced.

Method:

- Services delivered by administrations within the framework of "e-state" should be shared with the other relevant administrations and citizens (MERNIS, UYAP etc.).
- The administration's website, which provides the necessary documents, should be established and some services should be provided via this website 24/7.
- Documents and services provided online should be updated regularly, and the administration should assign certain people to manage the design and content of the website.
- Furthermore, English broadcast for the access of foreign users to information will be useful.
- Mechanisms should be set up to enable citizens to express their complaints and suggestions (forum, frequently asked questions, activation of use of Information Acquisition System and BIMER etc.).

Communication principles:

- Administrations should inform the press about issues deemed important for decision makers and the public.

Method:

- The press should be invited to important conferences and seminars.
- Services provided by the administration should be advertised on TV or the internet.
- The head of administration should inform the public annually about the performance programme and activity report of the administration, and these should be published on the administration's website.
- Active operation of the press and public relations units should be ensured.

6.2 Communication Methods

A communication system is made up of methods and records produced to determine, acquire, change and transfer useful information. Staff must be able to communicate with all the units in the organisation, including sharing risky information.

With the advancements in technology, numerous and various communication means are now available in public administrations. The most widely used means of communication are detailed in IC Annex 2.

6.2.1 Reporting

Reports are crucial tools for the establishment of an effective internal control system as they facilitate the monitoring of control effectiveness.

Managers should take reports submitted to them into consideration when making decisions. In this context, accurate and succinct reports that have been prepared on time would help the managers. Furthermore, communication and reporting is an important element of risk management (see Risk Management Chapter).

Administrations should communicate financial and non-financial information and results regarding their policies, programs, activities and projects to the relevant persons and bodies in writing or verbally at particular times. Within this framework, vertical and horizontal reporting lines within the administration should be determined in writing. Furthermore, each administration should also take into consideration external reporting mechanisms.

IC Figure 3 shows the mechanism of vertical reporting among the hierarchical stages regarding the decisions and works at the strategic, programming and operational levels, and the mechanism of horizontal reporting among the personnel of the same level. Vertical reporting is the reporting of personnel to managers. Horizontal reporting, on the other hand, is the necessary flow of information among the people and units that are on the same level.

IC Figure 3: Reporting Lines

[Figure labels: Objective/Activity; Strategic; Operational; Top Management; Medium-level managers; Other staff; Vertical Reporting; Horizontal Reporting]

Examples of horizontal reporting within an administration:

- Staff attending a training program sharing with colleagues the report they prepare about training results; and
- Minutes of Meeting shared with other units.

Examples of vertical reporting within an administration:

- Consolidated Risk Report submitted to senior management;
- Minutes of Meeting copied to a senior manager for their information;
- Internal Audit Reports submitted to senior management; and
- Quarterly Reports, Semi-Annual Reports submitted to senior management.

Examples of reporting outside the administration:

- Internal Control System Evaluation Report prepared by the SDU and submitted to the CHU; and
- Annual activity report for an administration prepared by the Head of Administration, published to the public and copied to the Turkish Court of Accounts and Ministry of Finance.

IC Box 3: Basic Principles for Effective Reporting

- It should be explicitly determined and announced to staff which reports will be prepared, by whom, at what frequency and when they will be prepared, and who they will be submitted to and who will control them. Reports must be in compliance with tasks, responsibilities and the principles of financial transparency and accountability.
- The information included in the reports must be accurate, up-to-date, succinct, objective, complete, relevant and sufficient.
- Reports should use a common and clear language that everyone can understand.
- Reports must be produced at certain periods and on a consistent basis so that comparisons can be made between years.
- Reports should attract the attention of readers, be easy-to-read-and-understand and include sufficient and appropriate visual material.
- All reports should have a conclusion and evaluation section.
- Desired format for the report should be determined in advance by administration/unit requesting the report and notified to the relevant administration/unit.

IC Annex 3 details the reports prescribed to be prepared as per the Public Financial Management and Control Law No 5018 and the applicable regulations in the framework of the principles of financial transparency and accountability.

7 WHISTLEBLOWING OF FAILURES, IRREGULARITIES AND FRAUD

One of the most important elements of accountability and transparency is the existence of a mechanism that ensures that staff and stakeholders are able to effectively express their concerns.

Article 279 of Turkish Penal Code states that if a civil servant learns, by means of the position he holds, that a crime which necessitates investigation and prosecution was committed and neglects or delays notifying the competent authorities of this crime, he will have committed a crime himself.

7.1 Concepts of Failure, Irregularity, Fraud and Whistleblowing

Failure refers to an unintentional action against the legislation.

Irregularity and fraud, on the other hand, refer to behaviours by the administration's staff or third parties that are deliberately against the present rules in order to achieve unfair or unlawful gain.

Whistleblowing is the notification of illegal and unethical behaviours and actions to top management, third parties outside the management, or authorised bodies or persons (who can be inside or outside the administration) by the persons with information (employees or stakeholders). Failure to blow the whistle can cause damage to the administration.

In line with the above given information, administrations must determine distinct methods for evaluating irregularities, fraud and failures they have been notified about.

It should be borne in mind that the person who makes the notification may be left alone or isolated, his or her career may be undermined, or he or she may not be taken seriously. Therefore, any kind of biased or discriminative conduct against the personnel or third parties that blow the whistle should be prevented.

7.2 Scope of Notifications

There are three basic types of whistleblowing and complaints in public administrations:

- Those regarding the violation of ethical values
- Those regarding faults, irregularities and fraud
- Complaints by civil servants regarding administrative actions and processes implemented against them by managers or administrations

7.2.1 Whistleblowing and complaint in cases of violation of ethical values

Whistleblowing mechanisms are defined in Law No 5176 on Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws, and in the Legislation on Ethical Behaviour Principles and Procedures for Civil Servants.

Under this legislation, cases of ethical behaviour violation by the director general and by those who have a title at this level are notified to the Ethical Board, while cases of violation by the other employees are notified to the relevant administrative manager to be directed to the administration's disciplinary board. Within this framework, administrations carry out the process to ensure compliance with the law.

A flowchart showing the detailed process for whistleblowing and complaint in cases of violation of ethical values is at Annex 4a.

7.2.2 Whistleblowing and complaint regarding irregularities and fraud

Law no 4483 defines the procedures to be followed in cases of crimes committed by civil servants by means which are in relation to their duties. Accordingly, cases of whistleblowing or complaint about civil servants are filed, processed and concluded under this Law.

In cases when a complaint by a person is not processed, he can appeal to administrative court if he wishes. The administration has to record all the cases of whistleblowing or complaint, processed or not.

A flowchart showing the detailed process for whistleblowing and complaint regarding irregularities and fraud is at Annex 4b.

7.2.3 Complaints by civil servants

Proceedings relating to complaints by civil servants regarding administrative actions and processes implemented against them by their managers or administrations are carried out within the framework of Article 21 of Law No 657 and Legislation on Complaint and Application Rights of Civil Servants.

73 The Responsibility for Detecting Faults Irregularities and Fraud

The responsibility for identifying and preventing failures irregularities and fraud rests with

management and all employees Under the ethical behaviour culture of the administration the

necessary actions should be taken to prevent failures irregularities and fraud under the supervision

of the responsible managers

74 Whistleblowing System

For employees to communicate their concerns and for these concerns to be taken seriously

administrations should have the related regulations that comply with their structures as well as

reporting mechanisms In these regulations the following should be included

the subject-matter of a whistleblowing

how to protect the confidentially of and provide security for a whistleblower who has good

faith

the stages of the whistleblowing procedure (first to manager then head of unit head of

internal audit head of human resources unit or head of financial services unit head of

administration)

how cases of whistleblowing are evaluated by the administration and what actions are

taken (examination inside the administration or official investigation etc)

information given with a view to informing the whistleblower about who the subject matter

concerns whether he can contact that person as well as about evaluation progress andor

results

Within this framework, administrations should announce to the personnel all the ways of whistleblowing and complaint.

In cases of whistleblowing and complaint, the identity of the whistleblower should be kept confidential so that they are not exposed to discrimination.

Administrations should receive cases of whistleblowing and complaint in electronic format via their web sites as well as in writing. Besides, administrations should set up mechanisms that make it easier for external stakeholders to whistleblow or complain, and announce them on their billboards and websites.

Administrations should not set up mechanisms other than the preliminary examination procedures determined in Law no. 4483 for cases of whistleblowing and complaint regarding corruption and irregularities. As a result of the preliminary examination, whether the investigation permit is given or not should be notified both to the Chief Public Prosecutor's Office and to the whistleblower with a detailed justification, and the letters regarding these notifications should be kept in the whistleblowing files.

For an effective whistleblowing system, the following basic requirements are taken into consideration.

IC Box 4 Basic requirements for Whistleblowing

- Top management should announce the procedures for dealing with whistleblowing and complaint from inside and outside the administration.
- Administrations should determine, for central and local units, who notifications will be referred to.
- Methods must be developed for anonymous notifications from staff and third persons (telephone in a way that ensures evidenced delivery, internet application provided that the forms given are completed, anonymous letter, suggestion boxes, etc.).
- Written, spoken or electronic cases of whistleblowing should be recorded in a separate folder by the authorised unit or person, regardless of whether they are based on enough evidence or not.
- Discriminative treatment towards the whistleblower should be prevented.
- Periodical meetings should be held with staff in which their views are heard and their trust is won with regard to reporting malpractices within the administration.
- All the communication channels should be left open to ensure that personnel can blow the whistle.
- Personnel who are proved right after the examination and evaluation of the whistleblowing should be rewarded by means of secret methods to be determined by the administration.

IC Box 5 Issues to consider while evaluating whistleblowing notifications

- Are the behaviours or actions in the administration unlawful?
- Are the behaviours or events taking place in the administration against the ethical values (morals, professional ethics, etc.)?
- When the whistleblowing is not in compliance with the procedure, it must still definitely be evaluated as long as it is based on concrete evidence.
- Seriousness and importance of the issues put forward should be taken into consideration.
- There should be good will and public benefit.
- There should be a reasonable belief that the information, and the allegations the information includes, are completely true and may uncover malpractice.

IC Figure 4 Whistleblowing Process

[Flowchart; recoverable labels: Whistle blower (Is it illegal? Is it unethical and immoral? Is it based on concrete evidence? Do I have good will? Do I draw benefit from this?); secure communication channels (e-mail addresses, telephone numbers); Unit/person to evaluate the case of whistle blowing; Evaluation Criteria; Disciplinary Board; Inspection Board/Audit Unit; Chief Public Prosecutor (investigation request is from outside the administration); Authorising officer]

IC Box 6 Current Legislation relating to whistleblowing and complaint

- Law No. 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication
- Law No. 4982 on the Right to Information
- Law No. 3628 on Declaration of properties, bribes and combating fraud
- Law No. 3071 on Official Letters
- Ethics Law, Regulation and Prime Ministry Circular
- Principles and Procedures on the Complaint and application rights of Civil Servants
- Complaint regulation under Public Procurement Law No. 4734

8 RELATIONS AMONG UNITS

8.1 Information and Communication between the CHU and SDUs

The extent to which the tasks the CHU carries out are effective and efficient depends on the level of communication it achieves with SDUs.

The CHU must develop organisational communication mechanisms to ensure transfer of information to the SDUs. This could be done either via a call centre to be established within the CHU, or by matching particular CHU staff (client representatives) with particular SDUs. This would enable CHU staff to better know the unit they are responsible for and therefore make evaluations and problem solving easier. This would also improve the influence of the CHU on other units.

Furthermore, ensuring face-to-face communication between CHU and SDU staff and organising periodic meetings and/or conference calls to review the internal control system can be another method of information transfer.

The CHU must set out the critical arrangements that are relevant to the SDUs using participative methods in which the participation of SDUs is ensured. Furthermore, the level of participation by the SDUs will enhance the level of communication.

8.2 Information and Communication between SDUs and Spending Units

Ensuring coordination with spending units for the adoption of various elements, such as preparation of activity reports and performance programmes and implementation of internal control, which are important elements of Public Financial Management, is the responsibility of SDUs. An effective and efficient organisational communication with spending units would also contribute to the smooth progress of the coordination process.

SDU staff and spending units must be matched. Each member of the SDU must be in constant communication with the spending unit they are responsible for and transfer the necessary information to the spending units periodically. Spending units must also assign department/branch/unit staff to be in continuous communication with the SDU. Such matching plays a crucial role in the transfer of consistent and accurate information both from the SDUs to the spending units and from the spending units to the SDUs.

Furthermore, these information flows must also be reviewed in meetings held regularly (advised frequency: minimum monthly, maximum quarterly) by the spending unit officials and SDU managers, and the actions to be taken and required development must be discussed in these meetings.

In the event that it is necessary for the SDUs to make decisions which would affect the spending units, officials from spending units must be able to get involved in this process, depending on the level of the decision.

INFORMATION AND COMMUNICATION ANNEXES

Annex 1 - Legislation on Information and Communication

- Regulation on the Principles and Procedures to be applied in Official Correspondences by the Prime Ministry
- Regulation on the Prime Ministry State Archiving Services, published in the Official Gazette number 19816 dated 16 May 1988
- Regulation on Public Servants Ethical Behaviour Principles and Principles and Procedures for Application
- Regulation on Declaration of Assets, published in the Official Gazette no. 20696 dated 15 November 1990
- Regulation on the Complaints and Application by Public Servants Assets, published in the Official Gazette no. 17926 dated 12 January 1983
- Prime Ministry circular on Standard Folder Plan no. 2005/7 dated 24 March 2005
- (Manual to be prepared by Central Harmonisation Unit can be included, including the FMC Manual)
- Prime Ministry circular dated 19 March 2007 on Civil Servants Ethical Board
- Regulation on Complaints under the Scope of the Law no. 4734 on Public Procurement (The arrangements to be made by the CHU, including the FMC Manual, can be covered in this part)
- Law no. 406 Telegraph and Telephone
- Radio Law no. 2813
- Law no. 3071 on Official Letters
- Law no. 4982 on the Right to Information
- Law no. 5070 Electronic Signature
- Law no. 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication
- Law no. 5369 on Provision of Universal Service and Amendments to Certain Laws
- Law No. 5176 on Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws
- Law No. 4483 on Trying cases against Civil Servants
- Law No. 3628 on Making Declaration of Property and Fight against Bribery and Corruption
- Law no. 5809 on Electronic Communication

Annex 2 - Widely Used Methods of Communication

| Means | Objective | Advantages | Disadvantages |
|---|---|---|---|
| Meetings | Informing; Receiving opinion; Making joint decisions | Relatively cheap; A method that people are accustomed to; Contribute to the culture of participation; Open to discussion and dialogue; Opportunity to come up with solutions to problems in the administration | Difficulty to measure the success and value of the method; Possibility that results may not be useful; Possibility that a minor group may dominate the meeting in case of bad management |
| Reports | Informing; Receiving opinion; Making decisions; Evaluation | Informs the target group about the subject in a sound manner; Facilitates decision-making process of the manager; Possibility to access accurate, up to date, relevant and adequately detailed information | Requirement for qualified staff; Its production is time consuming |
| Brochures, Periodicals | Informing; Promotion | Opportunity for creative design; Comprehensible; Particular and wide target groups; Opportunity to establish long term relation with target group; Opportunity to make regular up-dates regarding the subject | Limited feedback; Difficulty to measure the impact on target group |
| Questionnaire, Interview (letter, e-mail, telephone, face to face) | Receiving opinion; Evaluation | A method that people are accustomed to; Opportunity to reach a wide group; Opportunity to select particular target groups; Scientific methods can be used | Expensive, time consuming; Requirement of in-detail information to use the method accurately; Possibility that responding rate may be low; Possibility that the subject may not be examined enough |
| Press releases and conferences | Informing; Receiving opinion | Cheap; Easy to organise; Opportunity to communicate to many people | Difficulty to understand whether the subject reached the target group or not; Difficulty to measure the success and value of the method; Difficulty to examine the subject thoroughly; No feedback or limited feedback |
| Brainstorming | Exchanging ideas; Making joint decisions | Obtaining many ideas regarding a subject; Contribution to the culture of participation; Cheap, flexible, easy to organise | Possibility that results may not be useful; Possibility that the subject may not be examined enough |
| Workshop | Informing; Receiving opinion; Making joint decisions | Opportunity to set up new networks; Fun for participants; Chance of finding solutions to problems; Cheap, flexible, easy to organise; Chance of examining the subject thoroughly; Opportunity to select particular target groups; Easier participation because of unofficial atmosphere | Non-scientific; Possibility that results may not be useful; Possibility that a minor group may dominate the meeting; Possible to receive wrong results with a small and randomly selected group |
| Conference | Informing; Receiving opinion; Making joint decisions | Opportunity to become creative and flexible; Opportunity to work together with different groups; Opportunity to set up new networks; Opportunity to select particular target groups; Opportunity to examine the subject thoroughly; Opportunity to discuss different opinions and ideas | Expensive, time consuming; Possible to receive wrong results with a small and randomly selected group; Raising different expectations; Possibility that result may not be useful; Possibility that a minor group may dominate the meeting in case of bad management |
| Focus Group | Receiving group's opinion with the leadership of a moderator | Faster and cheaper compared to one-to-one interview; Opportunity to discuss different opinions and ideas; Spoken discussion accelerates the process that outputs are reflected in writing | Possibility that useless information may emerge in case of bad moderation; Quality of participators affect the quality of data |
| Conference Call | Making joint decisions; Finding common solutions to problems | Opportunity to discuss different opinions and ideas; Opportunity to examine the subject thoroughly; Experienced decision-makers and persons with deep information accumulation coming together | Possibility that results may not be useful in case of bad management; Expensive, time consuming; Possibility that a minor group may dominate the meeting in case of bad management |
| Websites and intranet, e-mail | Informing; Receiving opinion | Cheap; Easy to organise; Opportunity to reach many people; Effective information sharing | Need for updating; Problem that unfavourable people may get access |

Annex 3 - Reports Prepared under PFMC Law No. 5018

| Name of report | Responsible unit | Submitted to |
|---|---|---|
| Unit Activity Report (Art. 41 of Law no. 5018) | Spending Units - Authorising Officers | Head of Administration |
| Local Administrations Activity Report | Spending Units - Authorising Officers | Head of Administration |
| Administration Activity Report (Art. 41 of Law no. 5018) | Head of Administration (General budget administrations, special budget administrations and social security institutions) | Ministry of Finance, Court of Accounts and Public Opinion |
| Local Administrations Activity Report (Art. 41 of Law no. 5018) | Head of Administration (Local Administrations) | Ministry of Interior, Court of Accounts, Public Opinion |
| General Activity Report (Art. 41 of Law no. 5018) | Ministry of Finance (Directorate General for Budget and Fiscal Control) | Court of Accounts and Public Opinion |
| Local Administrations General Activity Report (Art. 41 of Law no. 5018) | Ministry of Interior | Court of Accounts, Ministry of Finance and Public opinion |
| Administration AR, General AR, Local Administrations General AR (Art. 41 of Law no. 5018) | Court of Accounts (Expressing its own opinions considering its external audit results) | TGNA |
| Draft Law on Final Accounts (Art. 42 of Law no. 5018) | Ministry of Finance (DG Public Accounts) | TGNA, Court of Accounts |
| External Audit Overall Assessment Report (Art. 68 of Law no. 5018) | Court of Accounts | TGNA |
| Corporate Financial Status and Expectations Report | Public Administrations under the scope of General Management | Public Opinion |
| Central Government Budget Realisations and Expectations Report | Ministry of Finance (Directorate General for Budget and Fiscal Control) | Public Opinion |
| Financial Statistics (Art. 52, 53, 54 of Law No. 5018) | Ministry of Finance (DG Public Accounts) | Public Opinion |

In the production and submission of the Activity Reports above, Law no. 5018 and the principles and procedures set out in the Regulation on Activity Reports Prepared by Public Administrations are taken into account.

In the preparation and declaration of the financial statistics of public administrations, Law No. 5018 and the principles and procedures set out in the General Communiqué on Financial Statistics of General Management are taken into consideration.

Annex 4a - Whistle-Blowing Process Related to Ethical Values

[Flowchart; recoverable box texts:]

- Application: Written petition, electronic mail or oral application that is recorded
- Registry (relevant unit/person): Registration in the document registry system (written, electronic); a separate folder system for notification applications
- If related to Director General and upper level positions than Director General
- If related to lower level positions than Director General
- Ethical Board
- Head Office of the Relevant Administration
- Disciplinary Board
- EVALUATION
- NOTIFICATION: To the relevant person (person who the whistle-blowing is about); To the relevant administration (conduction of the work within the framework of Law No. 657); To whistle-blower
- NOTIFICATION: If it is decided that ethical behaviour principles have been violated: To Prime Ministry; To Public Opinion (published in official gazette). If it is not detected that ethical behaviour principles have been violated: To the Prime Ministry; To whom it may concern

Annex 4b - Whistleblowing and Evaluation Process for Crimes Committed by Civil Servants

[Flowchart; recoverable box texts:]

- Application: Written petition (person or a particular event, serious allegations, name, family name, signature, domicile address)
- Registry (relevant unit/person): Registration in the document registry system (written or electronic - a separate folder system for notification applications)
- Head of the relevant unit
- Preparation of preliminary examination report and submission of it to the body authorised to give the permit
- Directly Chief Public Prosecutor
- Other positions or civil servants
- Requesting investigation permit from body authorised to give the permit (Article 3 of Law No. 4483)
- Making notification to body authorised to give the investigation permit (Article 3 of Law No. 4483)
- Body authorised to give the permit starting the preliminary examination (4483/5)
- Permitting the investigation about the complaint, whistleblowing or subject matter of the allegation
- Not permitting the investigation about the complaint, whistleblowing or subject matter of allegation
- NOTIFICATION: to the Chief Public Prosecutor's Office; to the civil servant about whom the investigation is conducted; to the whistleblower
- OBJECTION (to the Court of Appeals or regional administrative court, by the civil servant about whom investigation is conducted)
- OBJECTION (to the Court of Appeals or regional administrative court, by the Chief Public Prosecutor's Office or complainant)

MONITORING

1 Introduction

Monitoring is the assessment of the internal control system in terms of harmonisation with the internal control standards, to see whether it makes the expected contribution to the achievement of the goals and objectives of an administration. It is the identification of the actions regarding the aspects open to improvement. Within this framework, monitoring is an integrated process in which capacity is assessed in interaction with the other components of the internal control system.

M Figure 1 COSO Monitoring Process

[Figure; recoverable labels: Risk Management, Control Activities, Info & Communication, Monitoring]

The main elements of monitoring are formation of a sound infrastructure for monitoring, designing and implementing monitoring procedures, and assessment and reporting of the results.

Monitoring, if designed and carried out properly, provides the administration with the reasonable assurance that the internal control system operates efficiently. An efficient monitoring helps:

- Timely identify and eliminate the problems in the system of internal control
- Produce more accurate and reliable information to be used in decision making
- Produce correct and timely financial statements
- Confirm regularly that the internal control system is effective
- Present evidence for the internal control assurance declarations

Monitoring internal control systems requires participation. Question forms, internal and external audit reports, requests and complaints from individuals and/or organisations, and the opinions of unit directors must be benefited from during monitoring.

2 Monitoring Internal Control Standards

Monitoring includes all sorts of monitoring activities performed with the aim of quality assessment of the internal control system.

M Box 1 Internal Control Standards

Standard 17: Assessment of internal control
The administrations shall assess their internal control systems at least once a year.

Standard 18: Internal audit
The administrations shall ensure a functionally independent internal audit activity.

3 Roles And Responsibilities

3.1 Senior Manager

The main responsibility for monitoring the internal control system rests with the Senior Manager. This is also emphasized in Article 11 of Law No. 5018, which states that Senior Managers are responsible for observing and monitoring the functioning of the financial management and control system.

The Senior Manager fulfils this responsibility through internal auditors and Strategy Development Units (SDU).

After approving the internal control system annual assessment report prepared by his administration, the Senior Manager ensures its submission to the Central Harmonisation Unit (CHU).

Furthermore, the Senior Manager annually states, based on evidence, that the internal control system gives reasonable assurance for attainment of the objectives and aims of his administration, through internal control assurance statements (Annex 3A).

The Senior Manager also ensures the implementation of recommendations put forward as a result of internal and external audits.

3.2 Internal Audit

Internal audit has the functions of providing information, making assessments and making recommendations on the adequacy, efficiency and functioning of the internal control system. Within this framework, the Senior Manager, who has the responsibility for a sound functioning of the internal control system, receives opinions and support from internal auditors.

3.3 Internal Control and Risk Steering Board (ICRSB)

The ICRSB assesses the Internal Control System Evaluation Reports prepared by the SDU as a result of the annual assessment of the internal control system (Annex 2) and, after defining the shortcomings of the report, if any, submits it with the relevant opinions for the approval of the Senior Manager.

3.4 Authorising Officers

Authorising officers have responsibilities regarding internal control and continuous monitoring. Furthermore, Authorising Officers provide necessary information for SDUs regarding the annual assessment of the internal control system, fill in the internal control question form (Annex 1) and annually sign the internal control assurance declaration (Annex 3B) to be submitted to the Senior Manager.

In addition, Authorising Officers have the responsibility for taking relevant actions regarding the recommendations contained in internal and external audit reports.

3.5 Strategy Development Units (SDU)

SDUs have been assigned the function, by Law No. 5018 and the applicable legislation [3], to carry out studies to establish, implement and continuously develop internal control systems and to report the study results to the Senior Manager.

Within this framework, SDUs annually assess the internal control system on behalf of the Senior Manager. They then report the assessment findings, gained by means of forming a working group and using such tools as check lists, questionnaires and question forms, to the Senior Manager with the relevant opinions from the Internal Control and Risk Steering Board.

SDUs sign the declaration on functioning of the internal control system with a view to ensuring effective, efficient and economical execution of the administration's activities.

Personnel of SDUs take an active role in the assessment process of internal control systems and guide the units in filling in the reports regarding assessment (Annex 1).

3.6 Other Managers and Employees

Other managers and employees are responsible for the effective functioning of the internal control system within their own fields. Within this framework, while carrying out their own duties, they observe the functioning of the internal control system and, in case of a problem, they inform the Senior Manager and contribute to the assessment process of the internal control system by providing information.

3.7 External Audit

External audit is conducted by the Court of Accounts. Within this framework, the Court of Accounts can assess internal control systems in public administrations and can make recommendations.

3.8 Central Harmonisation Unit (CHU)

In accordance with Article 9 of the Principles and Procedures regarding Internal Control and Ex-ante Financial Control and Article 55 of Public Financial Management and Control Law No. 5018, this unit develops standards and methods regarding internal control processes and provides guidance services in public administrations.

Furthermore, the CHU annually assesses the functioning of internal control systems in public administrations based on the Internal Control Assessment Reports approved and submitted by senior managers, and submits the assessment report it prepared to the Senior Manager and the Minister of Finance.

The CHU, in necessary cases, carries out on-site monitoring activities regarding the factors contained in reports prepared by public administrations.

Within the framework of the roles and responsibilities explained above, the following scheme demonstrates the exchange of information and reporting lines envisaged to be realized within the scope of monitoring activities in the administration.

[3] Legislation on Principles and Procedures regarding Internal Control and Ex-ante Financial Control and Working Principles and Procedures of Strategy Development Units

M Figure 2 – Reporting and information exchange process foreseen under monitoring

[Diagram; recoverable labels: CENTRAL HARMONISATION UNIT; SENIOR MANAGER; INTERNAL AUDIT; INTERNAL CONTROL RISK STEERING BOARD; EXTERNAL AUDIT; (Report); Court of Accounts (Report); STRATEGY DEVELOPMENT UNIT; AUTHORISING OFFICERS; SUB-UNIT MANAGERS; SUB-UNIT PERSONNEL]

1) Straight arrows demonstrate the hierarchy in the reporting process
2) Dotted lines demonstrate the exchange of information

4 Guidance by the CHU [4]

Article 55 of Public Financial Management and Control Law no. 5018 and Article 9 of the Principles and Procedures on Internal Control and Ex-ante Financial Control prescribe that standards and methods concerning financial management and control are developed and harmonised by the Ministry of Finance and that guidance is provided to the public administrations.

In this context, within the scope of its monitoring function, the CHU:

- Monitors whether internal control standards are complied with
- Monitors the operation of the systems by receiving information and reports from the administrations regarding internal control and ex-ante financial control arrangements and practices
- Carries out research on national and international good practices and conducts studies for their implementation

The CHU annually assesses the operation of the internal control system within the public sector based on the Internal Control System Evaluation Reports submitted upon approval by the heads of public administrations and, where necessary, carries out on-the-spot monitoring on the issues included in the reports of the administrations.

[4] This part consists of general information on the guidance provided by the CHU; detailed information can be found in the CHU Handbook.

5 Assessment and Reporting Role of SDUs

Assessing internal control periodically and identifying and applying necessary actions are crucially important to ensure the efficiency of the system. In this context, each organisation needs to assess its internal control system. Assessment of the internal control system means analysing, on the basis of the internal control components, whether the system makes the expected contribution to the achievement of the aims and objectives of an administration, identifying the aspects open to improvement, and taking corrective actions.

Public Internal Control Standards suggests that the internal control systems in the public administrations must be assessed at least annually using ongoing monitoring or separate evaluations. In the assessment of the internal control system, participation of all units is required; internal and external audit reports, requests and complaints from individuals and/or organisations, and the opinions of unit directors must be considered; and the assessment process must be methodological.

5.1 Assessment of Internal Control System by SDUs

Assessment of the Internal Control System by SDUs is carried out fundamentally by means of the Internal Control System Question Form. Other tools such as checklists and questionnaires can also be benefited from during the evaluation process. Furthermore, the opinions of the managers and requests and complaints from organisations and/or individuals are taken into consideration in the evaluations. Evaluations are carried out at least annually. Quarterly or semi-annual evaluations can be carried out as well.

Coordination of the assessment, conveyance of the questionnaires to the relevant units and consolidation of the responses are tasks of the Internal Control sub-units in the SDUs.

The staff to be assigned from the SDU to support the process of filling in the questionnaires must be determined, and the evaluation process must be planned. In the plan, a representative must be appointed for each unit and, where the number of staff is insufficient, at least one person must be assigned as responsible, and this must be communicated to the relevant units. This responsible person must provide guidance to the units in filling in the questionnaires.

Spending units are obliged to respond to the questions on Risk Assessment, Control Activities, and Information and Communication. Responding to the questions in the Control Environment and Monitoring parts is at the discretion of spending units.

SDUs must complete the sections on control environment and monitoring in the internal control question forms which they will fill in as spending units.

The following steps should be followed while evaluating the internal control system:

- Primarily, unit managers should organise an opening meeting for the representatives from the SDUs. In this meeting, guidance should be provided for responding to the questionnaires and the deadline for completing the questionnaire should be announced.
- The time table for the questionnaire, the SDU representative and their contact details should be communicated to the unit manager along with the questionnaire itself. The units must be given a reasonable amount of time to complete the questionnaire, which should be not less than one week.
- The questionnaire should be completed with the participation of sub-unit managers and staff under the coordination of the unit manager.
- When completing the questionnaire, spending units should bear in mind that this is a kind of self-assessment; by means of the answers they give to the questions, they essentially assess their own units. Within this framework, while completing the questionnaire they should make an in-depth assessment of the functioning of internal control in their own units.
- Where necessary, support should be received from the SDU representatives.
- When the questionnaire is received by the SDU representative, each question should be checked and any misunderstanding should be corrected during this process. To this end, the SDU representative is entitled to get in touch with the unit manager regarding responses to the questionnaire.
- Internal audit units/internal auditors can be asked for support and recommendation when there is a need for checking the accuracy of information in the questionnaire.
- Following the submittal of all questionnaires, the SDUs should consolidate the questionnaires and prepare the evaluation report, resorting to the questionnaires primarily and also to the following sources of information:
  - Action plans produced on the basis of internal and external audit reports
  - Information on budget and ex-ante financial control, and
  - Other sources of information (opinions of the managers, requests or complaints by individuals and/or administrations)
- Given that the evaluation report will be produced using the above mentioned information sources (questionnaire, internal and external audit reports, budget, ex-ante financial control information, etc.), it should be kept in mind that this process would take time.

While assessing the results of the questionnaire, the points should be added up and converted to a percentage for each section. For example, the total number of points that can be scored for the Control Environment section is 44. If the Unit's score was 22 out of 44, the percentage result is 50%. The percentage scores should be recorded for each section, together with a percentage score for the whole questionnaire (using the total possible points total of 116).

The percentage scores should be interpreted as follows, separately for each category and also for the overall percentage score.

M Table 1 – Interpretation of the Results of the Internal Control Question Form

| Score (%) | Interpretation |
|---|---|
| 0-25 | Evidence of some awareness and understanding but still in the early stages of internal control development. Direct action needed by SDU to provide guidance. |
| 25-50 | Evidence of implementation that is planned and in progress. Action needed by SDU to provide further guidance. |
| 50-75 | Evidence of implementation in some key areas. Further guidance may be required by the SDU. |
| 75-95 | Evidence that implementation of internal control is embedded and a good capability is established. SDU may wish to identify the best areas as examples of best practice and inform CHU. |
| 95-100 | Evidence of mature internal control system with excellent capability established. CHU will wish to use as example of best practice. |

5.2 Reporting of Internal Control System Evaluation Results

The SDU prepares a report regarding the activities carried out for establishing and developing the internal control system and an evaluation of the functioning, effectiveness and efficiency of the system. It will be appropriate to use the ‘Internal Control System Evaluation Report’ template contained in Annex 2 in making the assessment results into a report.

In the preparation of the aforementioned report, the “Internal Control System Questionnaire” is an important basis. The report should include, alongside information on the operation of the internal control system, the steps taken for strengthening it. Furthermore, the areas where no or insufficient controls exist, where they do not work properly, where the controls are excessive, or the plans and tables produced to address the problems identified should also be covered in the report.

The report produced is reviewed by the ICRSB, if there is one in the administration. If not, it is reviewed by a board consisting of authorising officers or their assistants assigned by them, chaired by an authorising officer or a Deputy of the Senior Manager. After eliminating any shortcomings, it is submitted by the board to the Senior Manager for approval.

The annual evaluation report approved by the Senior Manager must be sent to the CHU by the SDU by the end of the following March.

5.3 Monitoring of Internal Control System Evaluation Reports

The measures and actions to be taken and the arrangements to be made regarding the aspects identified in the Internal Control System Evaluation Report as requiring development must be set out within the framework of managerial responsibility. In certain areas, in order to eliminate the gaps, the unit managers will have to take actions. Furthermore, if there are horizontal problems on which most of the units are identified to score low, actions for improvement should be initiated by the Senior Manager.

The measures and actions to be taken and arrangements to be made must be implemented in the context of an action plan in a designated period of time. SDUs must monitor the implementation results of the aforementioned measures, actions and arrangements at least semi-annually and inform the Senior Manager about the implementation results.


5.4 Work to be carried out by SDUs concerning Internal Audit Reports

In accordance with Article 64 of Law No. 5018, reports submitted by internal auditors to the Senior Manager shall be sent to the concerned unit and the SDU, following the assessment by the Senior Manager, for taking necessary action. It will be convenient for SDUs to assess the report sent by the Senior Manager in light of the following questions:

M Table 2 – Evaluation of the Internal Audit Reports by the SDUs

| Question | Content |
|---|---|
| Question 1 | What information is available in the report about the effectiveness of internal control system? For example, what information does internal audit report include on risk management? |
| Question 2 | Are there any problems according to internal audit report? |
| Question 3 | What are the problems in question? |
| Question 4 | What are the works to be carried out by spending units for fixing these problems? It is possible that SDUs provide spending units with guidance on actions to be taken. |
| Question 5 | What are the works to be carried out by SDU for fixing these problems? Taking these problems into consideration, SDU identifies measures to be taken in Internal Control System Evaluation Report to be submitted to senior management. Identifying the training need within the framework of shortcomings related to internal control system, SDU can demand that new training programs be developed or available program be revised. |
| Question 6 | Has SDU done what is necessary for fixing these problems? It should be found out whether SDU has done necessary works (delivering trainings/giving recommendations) for fixing the problems. |

6 Internal and External Audits

In accordance with Law No. 5018, the audit of our financial management and control system is divided into two categories: internal audit and external audit. Internal audit is carried out by the internal auditors working in the administrations within the scope of the general government, with the exception of regulatory and supervisory institutions. External audit of the administrations under the general government, on the other hand, is carried out by the Turkish Court of Accounts.

6.1 Internal Audit

Articles 63-67 of Law No. 5018 set out the overall scope of the internal audit system, and the professional framework has been established with the secondary and tertiary legislation.

Activities and transactions of all the units of public administrations, including those abroad and in the countryside, have been undergoing internal audit in line with audit standards, within the scope of risk-based audit plans and programmes, using a systematic, consistent and well-disciplined approach.

The most distinctive difference between the current inspection boards and the internal audit designed by the aforementioned Law is that internal auditors have a limited authority, which merely enables them to notify the most senior person in the administration when they find out cases requiring investigation during the course of or following the audit. However, inspectors have the authority to initiate investigations and directly submit reports containing findings of the investigations to legal authorities.

6.1.1 Definition and Aim of Internal Audit

Internal audit is defined in Article 63 of Law No. 5018 as follows:

M Box 2 – Article 63 of Law No. 5018

“Internal audit is an activity of providing independent and objective assurance and consultancy, performed in order to improve and add value to the activities of the public administrations by evaluating whether the resources are managed in conformity with the principles of economy, effectiveness and efficiency, and by providing guidance. Such activities are performed with a systematic, regular and disciplined approach and in accordance with generally accepted standards, aiming to evaluate and improve the efficiency of risk management and of management and control processes on the management and control structures and financial transactions of administrations.”

In the above definition, “objective assurance” refers to providing sufficient assurance within and outside the organisation that an efficient internal control system exists in the organisation; that its risk management, internal control system and business processes operate efficiently; that the information produced is accurate and complete; that the assets are safeguarded; and that the activities are carried out in an efficient, economic and productive manner in line with the legislation.

Alongside the objective assurance it ensures, internal audit provides independent and impartial consultancy to assist the administrations in developing their risk management, control and management processes. Consultancy covers providing recommendations to evaluate and improve the activities and business processes of the administration, aimed at the achievement of its objectives, in a systematic and regular manner.

Internal auditors get involved neither in the arrangement or implementation of internal control systems nor in the selection of control actions.

6.1.2 Monitoring within the scope of Internal Audit

Internal auditors submit their reports directly to the Senior Manager of the public administration. Following the evaluation of the Senior Manager, these reports shall be given to the concerned units and the SDU for taking necessary action. Internal audit reports and the actions taken about them shall be sent by the head of public administration, within two months at the latest, to the Internal Audit Coordination Board.

Audit results are monitored within the framework of the Public Internal Control Reporting Standards, which have been published by the Board. The corrective actions and advice recommended by the internal auditor following the internal audit activity shall be completed by the auditee within the time period indicated in the relevant report. The Senior Manager shall follow up whether the measures stated in the report have been taken or not. The Senior Manager can fulfil this duty through internal audit units (through internal auditors in administrations where there is no unit). Internal audit units (internal auditors in administrations where there is no unit) prepare a follow-up system to monitor the implementation of internal reports.

Unit directors take the necessary actions regarding the recommendations included in the audit report about the audited activities. In the event that no action could be taken, the head of the internal audit unit informs the Senior Manager.

If the recommendation or corrective measure to be taken will take a certain period of time, this shall be stated in the response to the audit report, and the relevant unit shall communicate the developments to the internal audit unit in six-month periods at least.

Actions taken by the audited units upon the report, or the justifications for not taking actions, are sent to the internal audit unit to be submitted to the internal auditor.

6.2 External Audit

Another means that contributes to accountability is external audit. In this context, external audit has an important role in the fulfilment of the legislative body's budget right and in the effective, efficient and economic use of public resources. The Turkish Court of Accounts carries out the audit of the financial activities and transactions of public administrations in the name of the legislative body.

6.2.1 Aim of External Audit

The purpose of the ex post external audit to be performed by the Court of Accounts is to audit, within the framework of the accountability of public administrations within the scope of general government, the financial activities, decisions and transactions of management in terms of their compliance with the laws, institutional purposes, targets and plans, and to report their results to the Turkish Grand National Assembly.

6.2.2 Scope of External Audit

External audit is divided into two categories, namely regularity audit and performance audit.

Regularity audit is carried out by means of the following:
• Detecting whether revenues, expenditures and goods of public administrations and related accounts and proceedings are in compliance with the laws and the other legal regulations;
• Giving opinions about their accuracy and reliability after assessing financial reports and statements of public administrations and all those documents produced in relation to these reports and statements;
• Assessing financial management and internal control system.

Performance audit, on the other hand, is an act of measuring activity results in light of the objectives and indicators identified by administrations within the framework of accountability.

6.2.3 Functioning of External Audit

External audit makes use of the accounts and other relevant documents of the public administration. Where the TCA needs them, reports by the internal auditors can also be requested. Reports produced upon the audits are consolidated by the administrations and submitted to the Senior Manager to be responded to, and finally the external audit overall evaluation report, produced considering the external audit reports and the responses to them, is submitted to the Turkish Grand National Assembly. It is possible to make external audit results into administration-based or topic-based reports and submit them to the TGNA as individual reports.

6.2.4 Coordination between External Audit and Internal Audit

Ensuring coordination and cooperation based upon communication, common understanding and trust between external audit and internal audit assumes importance in increasing the efficiency of both external audit and internal audit. Furthermore, such coordination and communication will ensure effective use of audit resources by preventing unnecessary repetitions of audit.

In accordance with Law No. 5018, the Court of Accounts can make use of internal audit reports within the framework of such coordination and communication. Moreover, it is expressed in internal audit standards that the head of the internal audit unit shall share available information with the other internal and external auditors and conduct his activities in coordination with these people.

7 Internal Control Assurance Declarations

The new financial management and control understanding brings forward the concepts of financial transparency and accountability. Briefing the public and judicial organ on activities of a public administration which are carried out in order to attain the objectives and aims, and on their results, is one of the most important requirements of managerial accountability.

In this way, it is ensured that those carrying out public services feel more responsible and work in an outcome-oriented way, and that beneficiaries of the public services are informed on how the taxes they pay are used and on the performance of public administrations; it is also encouraged that public audit is strengthened as well as legislative audit. To this effect, in the new financial management and control system it is provisioned that authorising officers[5] prepare the unit activity report, the Ministry of Internal Affairs prepare the Assessment Report regarding the activities of local administrations, and the Ministry of Finance prepare the Overall Activity Report, and it is ensured that the Court of Accounts informs the Turkish Grand National Assembly with its own assessments.

In order to deliver the concepts of financial transparency and accountability, the actors of the system, Senior Managers and authorising officers allocated with appropriations from the budget, have been commissioned to prepare internal control assurance declarations and attach these declarations to the activity reports of the administrations and those of the units.[6]

Within this framework, those who need to give an internal control assurance declaration and the type of declaration they will give are demonstrated in the following scheme:

M Table 3 – Types of Internal Control Assurance Declarations

| THOSE WHO WILL GIVE INTERNAL CONTROL ASSURANCE DECLARATION | TYPE OF INTERNAL CONTROL ASSURANCE DECLARATION |
|---|---|
| SENIOR MANAGER | INTERNAL CONTROL ASSURANCE DECLARATION (SENIOR MANAGER) (ANNEX-3A) |
| AUTHORISING OFFICERS | INTERNAL CONTROL ASSURANCE DECLARATION (AUTHORISING OFFICER) (ANNEX-3B) |
| HEAD OF SDU | DECLARATION OF THE HEAD OF SDU (ANNEX-3C) |

[5] Unit activity report and internal control assurance declaration are prepared by those authorising officers to whom an appropriation is allocated in the budget.

[6] Art. 8 of Principles and Procedures regarding Internal Control and Ex-ante Financial Control; Art. 19 of By-law on the Preparation of the Activity Reports of Public Administrations, Annexes 2, 3, 4.

On the other hand, every authority signing the internal control assurance declaration should be sure that the assurance he gave is supported by evaluation reports issued by the SDU, internal and external audit reports, other external assessments and similar sound evidence. Furthermore, while filling in the internal control assurance declaration of his administration, the Senior Manager should assess the Assurance Declarations of authorising officers and the Head of SDU and should state in the Internal Control Assurance Declaration that the reasonable assurance these declarations gave to him formed an important basis for his own declaration.

7.1 How to complete Internal Control Assurance Declarations

Guidance on the internal control assurance declarations to be completed by the Senior Manager (Annex 3A), Authorising Officer (Annex 3B) and the Head of SDU (Annex 3C) is as follows:

7.1.1 Guidance on Internal Control Assurance Declarations for Senior Manager and Authorising Officer

Internal Control Assurance Declaration (ICAD) is comprised of four main parts, namely Responsibility, Basis of Internal Control System and Assurance Declaration, Risk Management, and Assessment of Internal Control System (Annex 3A and Annex 3B).

In completing the two Annexes 3A and 3B, Senior Managers and Authorising Officers should observe the standard templates and complete the relevant boxes. Each box has a cross-reference to where more information can be found in the main body of this chapter.

7.1.1.1 Responsibility

The Senior Manager is responsible for establishing, operating and monitoring an effective financial management and control system which will contribute to the realization of the objectives and aims of his administration. Within this framework, he is obliged to take necessary measures in order to ensure that regulations regarding the internal control system are adopted by employees and that internal control standards are observed. The authorising officer is responsible for compliance of spending orders with the budget principles, laws, legislations, by-laws and regulations, as well as for economical and efficient usage of subsidies and functioning of the internal control within the framework of his duties and authorities.

As the paragraph of ICAD regarding responsibilities is regulated within this framework, the name of the relevant administration should be written only in the part written as [administration]; other than this, no change should be made to the text.

7.1.1.2 Basis of Internal Control System and Assurance Declaration

The aim of the internal control system is to ensure the following in order to give a reasonable assurance on realization of the strategic objectives of the administration:
• Effective, efficient and economical management of public revenues, expenditures, assets and obligations;
• Public administrations carrying out their activities in line with the law and the other applicable regulations;
• Prevention of corruption and irregularity in every kind of financial decision and operation;
• Gaining regular, timely and reliable information and reports to make decisions and to monitor; and
• Prevention of abuse and waste of assets and protection against losses.

However, the internal control system will not give absolute assurance to the administration for realization of the aims mentioned above, even in the case that it is designed and operated very well, because some factors outside the influence and control of the administration can affect the capacity of the administration to attain its objectives. Therefore, we need to admit that the internal control system gives reasonable, not absolute, assurance to management for realization of objectives.

The cost of internal control should not exceed the obtained benefit. The management has to take into consideration the control costs and its benefits while making decisions on regulation of responses to risks and control activities. The authorising officer, in the same manner, has to take into consideration these factors while identifying and assessing the risks related to his unit.

On the other hand, while identifying weaknesses in the internal control system, correcting the faults and contributing to the development of the system, the Senior Manager/authorising officer receives support from internal and external assessments made within the framework of management information systems, evaluation reports issued by the SDU, internal and external audit reports, and internal and external assessments. Therefore, it will be appropriate that such support provided within this line be explained in ICAD by the Senior Manager/authorising officer.

7.1.1.3 Management Information Systems

Managers need financial and non-financial information in order to detect whether the administration has attained its objectives and aims or not, and whether the accountability function has been fulfilled or not, for an effective, economical and efficient usage of resources. Therefore, best fulfilment of such requirements and timely and accurate decisions are possible if there is proper, accurate, timely and accessible information.

Therefore, the management information system in the administration should be designed in a way to produce the necessary information and reports needed by the management and to give the opportunity to make analysis.

The Senior Manager/authorising officer should briefly touch upon in ICAD the management information system that is available in the administration/unit and explain what kind of contributions this system makes to the functioning of the internal control system.

7.1.1.4 Internal Audit

Responsibility for establishing an adequate and effective internal control system rests with the Senior Manager. By giving information to the management on the effectiveness, adequacy and functioning of the internal control system and by making assessments and recommendations, internal audit takes an important part in helping senior management with this responsibility.

Within this framework, during the audits carried out by internal auditors, the following are realized:
• It is detected whether the internal control system functions in a sound manner; and
• The success of the internal control system in compliance with the legislation and relevant regulations, in the accuracy of accounts and operations, in the reliability of financial system tables, and in providing an effective, economical and efficient execution of activities, programs and projects of the administration is determined.

The Senior Manager, on the other hand, assesses the factors which are envisaged to be corrected and improved in internal audit reports and takes necessary measures.

First of all, the Senior Manager should state in ICAD whether his administration has an internal audit unit or not. Internal audit unit, if any, should give a brief summary of what measures they take regarding the adequacy, effectiveness and functioning of internal control system in line with the recommendations and assessments of internal auditors in this part of the declaration.

The Senior Manager can make explanations in ICAD on how action plans that have been prepared by the audited units regarding the measures to be taken by the administration as a result of internal audits are monitored, and he can also touch upon the support provided by the internal audit unit, if provided, regarding the monitoring activity in question.

The authorising officer, on the other hand, can make explanations in ICAD on action plans prepared on the measures needed to be taken by his unit as a result of internal audit, and on their implementation.

7.1.1.5 External Audit

The Senior Manager/authorising officer should include in the Internal Control Assurance Declaration a summary of the relevant findings and assessments, if the Court of Accounts has conducted an external audit, as well as of the operations carried out by the administration in response to these findings and assessments.

If an operation in relation to external audit reports of the previous years has been carried out within the year, the summary of such operation should be contained in this part of the declaration.

7.1.1.6 Strategic Development Unit (SDU)

The SDU carries out studies in such fields as establishing the internal control system and implementing and developing the standards, and submits the study results to the Senior Manager.

Although the standard and method setting duty in financial management and internal control processes is assigned to the Ministry of Finance, every kind of method, process and standard regarding special operations which are considered to be necessary is prepared and submitted for the approval of the Senior Manager by the SDU, provided that they are not opposed to Law No. 5018 and the standards set by the Ministry of Finance. The authorising officer bases his activities on the relevant regulation along with the legislation.

Furthermore, the SDU prepares an annual Internal Control Evaluation Report on the functioning of the internal control system and submits it to the Senior Manager. Therefore, the Senior Manager should mention in ICAD these regulations and the Internal Control Evaluation Reports regarding the financial management and control system prepared by the SDU and enforced following his approval.

Within this framework, the authorising officer should touch upon in ICAD the guidance provided by the SDU for a sound functioning of the internal control system in the unit.

7.1.1.7 Risk Management

Administrations introduce their missions and visions as well as their objectives, aims and basic policies in their strategic plans. Besides preparing their strategic plans, administrations analyse their institutional strengths, weaknesses, threats and opportunities.

With the help of such techniques as SWOT and PESTLE analyses, administrations have the chance to identify, define and assess the risks they can come across in carrying out their activities. Generally, risk is an uncertain event that may occur and its unfavourable outcomes and impacts. Risk is generally considered to be the threats which prevent the realization of aims and objectives; however, well-managed risks pave the way to benefit from probable opportunities.

The two most important components of administrative risks are probability and impact. Therefore, while addressing risks, both the probability of a risk occurring and the impact it may create if it occurs are handled. The most important feature of the risk concept is that it is inevitable. Therefore, the administration should prefer managing risks instead of overlooking them and resorting to crisis management in case they occur. It should be emphasized that, as time and resources to manage risks are limited and it is impossible to eliminate risks, necessary control activities are conducted to keep risks at a tolerable level.

Risk perception, risk awareness and risk appetite can be different according to the organisational structure, human resources and activities of an administration. Therefore, the Senior Manager should include in ICAD the following elements, relating them to the activities and functioning of the administration (Authorising Officers should take into consideration only the parts included in their own ICADs).

7.1.1.8 Risk perception of administration

The following should be summarized:
• Leadership that the Senior Manager has in the risk management process;
• How risk awareness is raised among the staff and how the staff is encouraged to practise risk management;
• Administrative risk appetite and how it is perceived by the staff;
• Whether there is a commonly agreed risk perception among the staff.

7.1.1.9 Capacity to cope with risks

For an effective risk management, the following should be explained:
• How training is provided and awareness is raised among the staff;
• How the staff is guided in addressing relevant risks in relation to their duties and responsibilities, and how and when they will consult with senior management in the field of risk management;
• How risk management is internalized within the framework of overall activities of the administration/unit.

7.1.1.10 Risk identification and assessment

What affects the activities of an administration is not merely financial risks. In relation to the activities of an administration/unit, such risks as the following can also be encountered:
• Risks with outer sources, such as political, economical, social, cultural, technological, environmental, legal and ethical risks;
• Risks with inner sources, such as assets, infrastructure, labour force and organisational structure.

Assessing the risks with outer sources can be handled within the strategic risks of an administration. Spending units should give more attention to the operational and functional risks related to their own fields of activity. Various risk categories in relation to the activities of the administration and how such risks are assessed should be briefly explained in ICAD (for example, whether risks have such definitions as risks to be eliminated, to be transferred, to be managed, to be tolerated, or not).

7.1.1.11 Addressing, controlling, monitoring and reporting risks

Responses to be given to identified risks and the method to address risks should be briefly explained. It should be emphasized whether the risk register, report on risk status, consolidated risk report and similar methodologies are functional in the administration or not.

Identifying the control environment by defining the following, and reporting after an effective monitoring, will strengthen the effectiveness of internal control:
• Impact;
• Probability;
• Responses to be given, measures to be taken;
• Ownership; and
• Type and frequency of reporting.

Taking into consideration that ICAD is a declaration, made within the framework of accountability, that the internal control system of the administration gives a reasonable assurance supported with evidence, a summary should be made within the above-mentioned explanations regarding risk perception and risk management.

7.1.1.12 Assessment of Internal Control System

While preparing ICAD, an assessment related to the effectiveness of the internal control system in the activity period should be included. It is quite useful to touch upon especially the specific high-risk areas and positive and negative developments regarding internal system in these areas. As such areas in question can vary according to the organisational structures and activities, it is appropriate to make the assessment according to the following headings:

• Human resources: differences regarding the key personnel of the administration/unit, differences regarding the qualities that activities necessitate, wage policy, working conditions, developments regarding underemployment/over-employment;
• Physical infrastructure and assets: developments which can influence the fundamental activities of the administration/unit in physical infrastructure and all the assets of the administration/unit;
• Information and communication infrastructure: information infrastructure, software and hardware park that the administration/unit uses, important developments regarding information systems, new or updated information systems;
• Data security: assessment of the effectiveness of controls regarding the security of strategic information of the administration/unit which has confidentiality;
• New structures and changing fields of activity: how structures that emerged in the administration/unit as a result of changes occurred in the foundation law of the administration or new duty and activity division among administrations reflect in the internal control system;
• Problems encountered in main fields of activity or examples of good practice: the Senior Manager/authorising officer should include in the assurance declaration the problems which are experienced because of inner and outer factors and rooted in the weaknesses of the internal control system. Besides, measures to be taken in order to overcome such problems should be summarized in the declaration. Likewise, threats eliminated with the help of an effective internal control system should be touched upon within the scope of ‘good practices’;
• Developments regarding weaknesses stated in previous years: the Senior Manager/authorising officer should include in this part the measures taken and improvements experienced regarding the weaknesses and problems contained in the assurance declarations of previous years; and
• Other developments: the Senior Manager/authorising officer should include in this part important developments, if any, which are not within the scope of the above-mentioned headings.

The Senior Manager/authorising officer may not feel comfortable touching upon the weaknesses and problems listed above in ICAD. However, it is clear that no assurance declaration which does not mention any threat, problem and weakness will be convincing and meet the requirements of transparency and accountability principles. What is important is to emphasize that controls are developed and the internal control system is strengthened for the identified problems and weaknesses.

Proceedings which are not found to be appropriate following ex-ante financial control: the authorising officer should include in this part the proceedings performed which are found to be inappropriate by financial services, if any. The supporting opinion, report and evidence of the authorising officer despite the negative opinion should be summarized to contribute to accountability. [7] If there is no such proceeding as mentioned above, then the expression "there is not such a proceeding I performed that is not found to be appropriate by SDU" should be available in the assurance declaration.

On the other hand, the Senior Manager should state, while filling in the Internal Control Assurance Declaration, that he evaluated the Assurance Declarations of the Authorising Officers and the head of SDU and that the reasonable assurance provided by these declarations formed an important basis for his own declaration.

In case the Senior Manager received support from support and consultation boards/Boards established officially and unofficially (ad hoc), such support should be explained in the ICAD. It is possible that these boards/Boards prepare reports regarding the assessment of the internal control system, emphasizing risk strategy and risk management, to be submitted to the Senior Manager. Where a support/consultation unit is established that is similar to those called Consultation Board, Audit Board, Risk Board or Steering Board, which differ among countries/administrations in terms of composition and working style, the support received from such a Board should be summarized, which will strengthen the assurance that the declaration provides.

7.1.2 Guidance for Internal Control Assurance Declaration of Head of SDU

7 Regulation on Principles and Procedures regarding Internal Control and Ex-Ante Financial Control - Article 28: Financial services unit keeps a record of transactions carried out by the authorising officers despite the fact that ex-ante financial control declared them inappropriate, and these records are submitted to the Senior Manager monthly. The said records are also provided to auditors during internal and external audit.


The Declaration by the Head of SDU (DHSDU) is a very important element which lays the groundwork for the assurance that the Senior Manager needs to provide regarding the internal control system in their administration (ANNEX 3C).

In completing Annex 3C, Heads of SDU should observe the standard templates and complete the relevant boxes. Each box has a cross reference to where more information can be found in the main body of this chapter.

The Head of SDU is responsible for ensuring that the internal control system is implemented and monitored, and that their opinions and recommendations are reported to the Senior Manager so that the necessary actions are taken in time, in order to ensure that the activities in the administration are carried out in accordance with the financial management and control legislation and other legislation, and that public resources are utilised in an efficient, effective and economic manner.

As the Field of Competence part of the DHSDU is based on this framework, this part should not be changed either, except for writing the name of the administration in the brackets (administration).

Furthermore, if the declaration is supported by the explanations under the following headings, it will be the basis for the reasonable assurance that the Senior Manager has to provide to the public.

7.1.2.1 Management Information Systems

The Head of SDU needs financial and non-financial information to identify whether the aims and objectives of the administration are reached, resources are used effectively and economically, and accountability purposes are met. Meeting these requirements and ensuring timely and right decision making by the administration's management is only possible with the existence of proper, accurate, timely, up-to-date and accessible information.

Therefore, the management information system within the administration must be designed in a manner to produce the information and reports needed by the management and provide them with the chance to make analysis.

The Head of SDU should include in the declaration explanations that the activities in the administration have been carried out in compliance with the legislation and in line with the budgets prepared according to the strategic plan and annual performance programmes, and provide supportive evidence. They should explain the contribution made by the management information systems utilised in the administration to the legality of the activities.

7.1.2.2 Development of Internal Control System

SDUs are responsible for the establishment of internal control systems in the administrations and carry out studies regarding the implementation and development of the standards. In this part of the declaration, the Head of SDU should mention the studies carried out to ensure that the internal control system of the administration is harmonised with the Public Internal Control standards and briefly describe the process for the design of job descriptions, formation of business processes, and preparation and implementation of action plans.

7.1.2.3 Monitoring and Review

The Head of SDU should include the supportive evidence regarding the ex-ante financial control activities carried out in line with the legislation and approval from the Senior Manager, and the monitoring of the due process control. In addition, it should be suggested that the transactions carried out by the authorising officers despite the negative opinion upon ex-ante financial control are recorded and submitted to the Senior Manager on a monthly basis for information purposes.

On the other hand, it should be stated that financial decisions and transactions to be subject to the ex-ante financial control by the SDU are grouped according to their type, cost and subject, considering the risky areas, and reviewed at least once a year.

Among the duties of SDU are establishing performance and quality criteria in issues within the duty field of the administration; collecting, analysing and interpreting the data and information on management of the administration, improvement of the services and performance in issues within the duty field of the administration; analysing the external factors which will affect services; conducting capacity research within the institution; analysing the effectiveness of the services and the level of satisfaction with these services; and doing general research in that sense.

In this context, the Head of SDU should include in the declaration the studies carried out to increase the quality of the services provided by the administration, the studies for analysing the external factors which will affect services, the capacity research within the institution to analyse the effectiveness of the services, and the conclusions of these evaluations.

In this part of the declaration, the Head of SDU should provide explanations about the arrangements prepared by their unit and put into effect upon the approval from the Senior Manager.

Finally, the studies regarding the establishment of the internal control system in the administration, the implementation and development of the standards, and the process where the financial management and control system of the organisation is reviewed on an annual basis and reported to the Senior Manager should be described.

7.1.2.4 Briefing and Advising

Providing necessary information and consultancy to the Senior Manager and Authorising Officers regarding the implementation of financial laws and other related legislation is also among the duties of SDUs.

In this part of the DHSDU, it should be underlined that coordination has been ensured while working with the spending units regarding the establishment of the internal control system and the implementation and development of the standards. A brief explanation that information and consultancy has been provided to the Senior Manager and Authorising Officers regarding the implementation of financial laws and other related legislation should be included.

7.1.2.5 Financial Information

The Heads of SDU should themselves be convinced, on the basis of the supportive evidence, that the information included in the section IIIA-Financial Information of the Activity Report is reliable, complete and accurate.


MONITORING ANNEXES

Annex 1 Internal Control System Question Form

INTERNAL CONTROL SYSTEM QUESTION FORM

This questionnaire is designed for the public administrations to see whether the internal control system complies with the internal control standards. Furthermore, it will provide the opportunity to identify to what extent the internal control system facilitates the achievement of risks considering the changing conditions, resources and risks. It is of crucial importance that those responding to this questionnaire give factual answers to the questions, as the questionnaire will be used to identify the level of advancement of the internal control system in the administration.

Heads of units are responsible for making an in-depth assessment of the functioning of internal control in their respective units and completing the internal control questionnaire. Within this framework, the questionnaires completed by heads of units under the guidance of SDUs are sent back to SDUs to be consolidated and formed into an overall evaluation report for the entire administration. SDUs submit the report produced using these questionnaires to the CHU following the approval by the Senior Manager.

Completing the questionnaire

This questionnaire is made up of five parts, each of which is based on the components of Internal Control:

Control Environment,

Risk Assessment,

Control Activities,

Information and Communication, and

Monitoring.

Each part includes questions regarding the functioning of the internal control system in the context of the aforementioned components. Attention should be paid that responses to the questionnaire are consistent with the administration's action plans produced to achieve compliance with the Public Internal Control Standards.

Spending units are obliged to respond to the questions about Risk Assessment, Control Activities, and Information and Communication. Responding to the questions about Control Environment and Monitoring is at the spending unit's discretion.

The response part is made up of three options: YES, NO and IN DEVELOPMENT. There is also a fourth column titled EXPLANATION. YES means that the issues included in the question are properly understood and implemented within the administration/unit. NO means that the issues included in the question are not understood or implemented within the unit/overall administration. IN DEVELOPMENT means that the issues included in the question are partially understood or implemented in the unit/some divisions of the administration. In the explanations part, evidence and recommendations should be written, if any. Guidance is given following the questions with a view to helping better understand the questions.

The questionnaire will be evaluated by means of scores assigned to the answers to each question. The answer "Yes" will correspond to score "2", while the answer "In Development" to score "1" and the answer "No" to score "0". For each chapter of the questionnaire there will be a total score calculated. Besides, there will be a total score for the whole questionnaire.

If the answer "No" is given in response to a question, steps should be taken by the Head of Unit/Senior Manager to improve the relevant areas.

If the answer "In Development" is given in response to a question, the head of unit/Senior Manager should assess what can be done to achieve progress in the relevant area.


If the answer "Yes" is given in response to a question, then it means that there is no factor in that area which needs improvement.

Taking into consideration that this questionnaire is a kind of self-assessment and that the internal control system is a new practice for administrations, please give realistic and reliable answers.

In the event that you have some hesitations in completing the questionnaire, please refer to the SDU.

No | Questions | Yes [8] | No | In Development [9] | Explanation

Points: Yes = 2, No = 0, In Development = 1

1 Are the public internal control standards well known in your administration?

It will be convenient to deliver trainings and hold meetings with a view to raising awareness in this subject.

CONTROL ENVIRONMENT

CONTROL ENVIRONMENT: The control environment provides a general framework that is the basis for the other components of the internal control system, and it is a concept used to describe the setting out of the goals and objectives of the administration, their communication to the staff and the creation of a due organisational structure and culture. Personal and professional integrity, the ethical values of the employees and the management, a supportive attitude towards internal control, written procedures and the practices for human resources management, organisational structure, management philosophy and the operating style have great influence on the control environment.

2 Are there mechanisms in your administration that ensure familiarization of all employees with the code of ethics?

For example, are trainings provided or meetings organised to adapt the public code of ethics to your administration and to adopt them, and are leaflets produced in this regard?

3 Are there any codes of conduct/ethics produced for your administration in addition to the public codes of ethics?

4 Has any standard been developed in your administration in terms of duration and method for services directly delivered to citizens?

8 If the response is "Yes", evidence (details of the activities carried out, etc.) must be provided in the "Explanations" column.

9 If the response is "In Development", necessary information (details of the activities carried out, etc.) must be provided in the "Explanations" column.


5 Is it ensured that authorised bodies and staff have access to outputs related to all the works and transactions?

6 Are there mechanisms available in your administration for staff and the other people to whom the administration delivers services to submit their recommendations, assessments and questions (questionnaires, face-to-face meetings, group meetings, electronic applications, etc.)?

It is recommended that questionnaires to be developed be based upon the principle of confidentiality.

7 Is your administration's mission written down and announced? The mission can be announced to the staff via bulletin boards, intranet or e-mail.

Production of a strategic plan indicates that the mission has been set out.

8 Are there any directives, circulars or approvals in your administration regarding job descriptions of units, sub-units and staff?

Job descriptions for the units and sub-units as well as for staff must be written down and announced in order to ensure that your administration's mission is being carried out.

If the response is "No", when this is going to be done must be stated.

9 Does the organisational chart of your administration demonstrate key areas of authority and responsibility, reporting lines which are appropriate to accountability, and coordination and integration points?

If the response is "Yes", roles and responsibilities regarding each objective must be set out clearly.

Organisational chart for units must be produced.


10 Have procedures regarding sensitive tasks been set out in your administration?

It is recommended that the procedures in question be defined in writing and announced to staff and that a rotation policy regarding sensitive duties be set out.

For detailed information on sensitive duties, refer to the Control Environment Chapter of the Manual.

11 Are mechanisms available in your administration to enable managers from each level to monitor the results of tasks assigned?

If the response is "Yes", these mechanisms (reports, work plans, regular meetings, automation programs, etc.) must be stated.

12 Have the competence, skill and knowledge each task entails been identified in your administration?

In answering this question, it must be assessed whether the factors mentioned above are taken into consideration or not while recruiting staff.

13 Have promotion procedures been defined in writing in your administration?

The factors mentioned above must be defined taking into consideration staff performance, and these factors must be announced to staff.

14 In your administration, is there a unit responsible for trainings which identifies training needs for each task identified and ensures that training activities to satisfy the needs are planned and carried out each year?

15 Do managers of your administration share the results of the assessments they make on staff competence and performance with the staff?

It is recommended that the Senior Managers share the results of the assessments with the staff.

16 Is action taken to increase the performance of the staff whose performance is deemed unsatisfactory upon the performance assessment? For example, is any action taken such as providing private training for that person, discussing the areas where their performance is deemed unsatisfactory, or assigning them under the supervision of more experienced staff?

17 Are there rewarding mechanisms in your administration geared towards those staff who give a high performance, and are these mechanisms applied?

It is recommended that rewarding mechanisms be developed for staff who give a high performance (picking employee of the month, assignments abroad, etc.) and that these criteria be announced to all the staff.

18 Have procedures regarding human resources (staff employment, replacement, promotion, training, performance appraisal, personal rights, etc.) been documented?

If so, examples must be provided. The procedures mentioned above must also be announced to staff.

19 Are the bodies of signature and approval set out in the flowcharts?

If the response is "No", it is recommended that these business flow processes are defined and bodies of signature and approval are identified and communicated.

20 In your administration, have delegations been defined in writing?

Delegations must include information on their scope, quantity and duration, and on whether the authority delegated can be delegated to another person.

Furthermore, attention should be paid to striking a balance between authority and responsibility in delegation of power.

21 Have minimum requirements (knowledge, skill and experience) been identified in your administration for staff to be delegated authority?

Please explain how you define these knowledge, skills and experience and how you ensure that the person to whom the authority is delegated has them.

22 Does the employee who receives the authority report information to the delegator on a certain basis about the utilisation of the authority?

The reporting period must be proportionate to the duration of the delegation.

TOTAL POINTS - CONTROL ENVIRONMENT

RISK ASSESSMENT

RISK ASSESSMENT: Risk assessment is the process where the risks that might prevent the achievement of the administration's objectives are defined and analysed and necessary actions are taken. In this section, the risk perception and risk handling capacity of the administration must be self-assessed using the following questions.

1 Have methodologies and responsibilities as well as reporting procedures for monitoring and assessing the performance given in achievement of objectives been identified in strategic plans?

If the answer is "Yes", how monitoring and assessment processes work in practice must be explained briefly.

2 Have the strategic plan and performance programs been taken into consideration in budget preparations?

The activities and projects carried out to reach the aims and objectives set out in the strategic plan, the indicators to be followed and the resource needs for these activities and projects must be shown in the performance programmes.

Therefore, these strategic plans and performance programmes must be taken into consideration during the budget preparations for the administrations.

3 Do activities carried out in your administration/unit comply with the aims and objectives set out in the strategic plans and performance programmes?

Administrations must focus on the aims and objectives set out in the strategic plans and performance programmes for effective, efficient and economic use of resources.

4 While setting out the objectives of your administration and units, has it been ensured that they are SMART?

5 Have your units set out, within their area of competency, specific objectives in accordance with the objectives of the administration?

Responses to this question by the units that are unable to set out specific objectives (such as support services) must be considered during the evaluation.

Furthermore, specific objectives that have been set out must be announced to staff.

6 Does your administration have a risk strategy and policy document which is approved by the Senior Manager and accessible to all the staff?

The administration's risk strategy must be reviewed at least once every year and updated when deemed necessary.

7 Are contributions from employees received in the risk management process?

Employees feeling a sense of ownership for risk management (identifying, handling, responding to, reviewing and monitoring risks) and regarding risk management as a part of their work will produce a strong corporate reflex against risks.


If the answer to this question is "Yes", please explain how you ensure this contribution.

8 Is risk management, which covers identifying, assessing, responding to and reviewing risks for your objectives and aims, implemented in your administration?

While identifying the risks to the achievement of aims and objectives, a methodology and a certain process must be adopted and it must definitely be documented (risk register, risk progress report, consolidated risk report and so on).

Measures taken by the administrations to mitigate risks must be applied within the framework of action plans.

9 Are annual Internal Control Evaluation Reports prepared in your administration about how effectively the risk management process works in your administration?

These reports must cover information about what has been done throughout the year to mitigate risks.

TOTAL POINTS - RISK ASSESSMENT

CONTROL ACTIVITIES

CONTROL ACTIVITIES: Control activities are the policies and procedures produced to ensure that the administration's aims and objectives are achieved and the risks identified are managed.

1 In your administration, are efficient control strategies and methods set out and practised for each activity and risk?

Defined controls must comply with the risks; different control methods must be applied for different types of risks.

Control strategies and methods must be set out and applied in the form of periodical reviews, control by sampling, comparison, approval, reporting, coordination, confirmation, analysis, authorisation, supervision, review, monitoring, periodical check and security of assets, etc.

The controls within the administration must also cover ex-ante, process and ex-post controls where necessary.

2 Is cost-effectiveness analysis made in your administration in identifying control activities?

The expected benefit and the cost of the control activity set out must be compared; controls with costs exceeding the benefits must be identified and less costly alternative controls must be selected.

3 Are there written procedures regarding your administration's activities, financial decisions and transactions?

There must be written procedures regarding your administration's activities, financial decisions and transactions. These procedures and relevant documents must cover the initiation, implementation and conclusion phases of the activity, financial decision or transaction.

Procedures and relevant documents must be up-to-date, comprehensive, in compliance with the legislation, and understandable by and accessible to the relevant staff.

4 Do managers of your administration carry out necessary controls for effective and continuous implementation of procedures?

Activities and transactions of the administration must be carried out in accordance with the regulations developed in this area. Managers must systematically check whether these regulations are complied with or not (in this regard, such control processes as initials, assent, control lists and physical counts can be defined). Within this framework, managers should monitor whether works carried out by staff are in compliance with the regulations or not. Manager instructions must be produced about how to remedy faults and irregularities detected.

5 Is the principle 'segregation of duties' practised in your administration?

The tasks of approving, implementing, recording and controlling each activity or financial decision must be carried out by different people, and compliance with the principle of segregation of duties must be supported by written documents.

Where segregation of duties is not possible due to an insufficient number of staff, the managers must be aware of the risks and take necessary precautions. In such cases, other control procedures must be established to manage the risk.

6 Are necessary measures taken against the factors that affect the continuity of operation in your administration?

Necessary measures must be taken against the factors that affect the continuity of operation, such as insufficient number of staff, temporary or permanent leaves, adoption of new information systems, changes to the methods or the legislation, and emergencies.

If the response is "Yes", efficient written procedures, trainings, guidance and planning can be provided as evidence.

7 Is the system of deputation applied efficiently in your administration?

Where necessary, deputies must be assigned in accordance with the relevant procedures. The person assigned as a deputy must have the necessary qualifications. Detailed internal arrangements must be carried out regarding the deputation procedures included in the personnel laws, and the qualifications required from the deputies must be defined in detail.


8 Do the staff leaving their positions report to their successors about the status of the works and transactions they have conducted?

Managers must ensure that the staff leaving their positions prepare a report on the status of the task and the operations along with the necessary documents and submit it to their recently assigned successors. The report must include the list of the important tasks being carried out, the risks to be considered as priority, the list of periodic tasks and so on.

9 Are there defined authorisations for data and information input and access to the information system in the administration?

The information system must only be accessible to authorised staff. To this end, regularly updated information security software must be used for access to the computer programmes. Arrangements regarding the designated level of security must be complied with while working on documents.

10 Are there sufficient back-up mechanisms and tested disaster recovery plans/action plans for the information system?

TOTAL POINTS - CONTROL ACTIVITIES

INFORMATION AND COMMUNICATION

INFORMATION AND COMMUNICATION: Information and communication includes a proper system of information, communication and registry that ensures necessary information is communicated to the person, employee or manager who needs it in a certain format and in a timely manner, that the objectives are reached, and that enables the relevant people to fulfil their internal control responsibilities.

1 In your administration, is there an efficient written, electronic or verbal internal communication system that covers both horizontal and vertical communication?

The response to this question should include the means/methods (in person, via telephone, e-mail, in writing, etc.) the staff use to communicate with each other or their managers and the consideration on whether these are appropriate and/or efficient.

In order for the employees to receive the information they need to carry out their work uninterruptedly, it must be ensured that they are in touch with managers from all levels, including top management.

2 Is there an external communication system to ensure efficient communication with external stakeholders?

This system monitors communication and checks whether the questions can be answered or not.

3 Do the present internal and external communication systems ensure that the staff or external stakeholders can communicate their expectations, recommendations and complaints?

For example, whether the Law no 4982 on Right to Information is efficiently executed within the administration and whether requests and complaints are responded to in time should be considered.

4 Is it ensured that all the information and documents regarding the activities of your administration are accurate, complete, reliable, useful and understandable?

Information systems must ensure timely access to the accurate, complete, reliable and understandable information required while carrying out the operations.

The response to this question must include a statement whether mechanisms (decision support systems, archive and document management systems, etc.) for ensuring the aforementioned principles exist.


5 Do the present information systems ensure that the objectives set by the administration are monitored and activities regarding these objectives are efficiently supervised and assessed?

The Management Information System must be designed in a way that it produces the information and reports that the managers need during decision making processes and provides them with the chance to make analysis.

6 Are there reporting mechanisms with rules and standards set out in line with the monitoring of objectives, supervision of activities and accountability purposes?

The performance programmes, published financial progress reports that include the expectations and objectives, and the content of the activity reports must be in line with the requirements of the relevant legislation.

7 Is there a documentation and archiving system that complies with certain standards for the record, classification and protection of, and access to, the operations and transactions of the administration?

While responding to this question, Standard 15 of the Public Internal Control Standards and the legislation on archiving and documentation must be considered.

8 Are there available tools to report, from inside and outside the administration, faults, irregularities and possible or ongoing problems?

Employees and outer stakeholders must be informed enough about these tools. There must be a whistle-blowing process and a procedure for protecting personnel, and they must be informed about these.

Managers must take necessary actions

to prevent discrimination and ill

159

No Questions

Yes

8

No

In D

evel

op

men

t9 Explanation

Points 2 0 1

treatment against whistle-blowers

TOTAL POINTS- INFORMATION AND COMMUNICATION

MONITORING

MONITORING: Internal control system is a dynamic process where the administration has to continuously adapt to the risks and changes it faces. Therefore, the internal control system needs to be monitored in order to ensure that it adapts to the changing objectives, environment, resources and risks as necessary. The basis for an effective and efficient monitoring is the design and implementation of monitoring procedures that are relevant to the administration’s objectives and that assess the important controls regarding meaningful risks.

When monitoring is designed and implemented properly, it provides correct and convincing information on the efficiency of the internal control system, identifies internal control failures on time and notifies the people responsible for taking action and the top management where necessary. This will ensure that the problems faced are corrected before they harm the objectives of the administration. Monitoring is carried out by the management and internal and external audit.

1 Is the internal control system monitored and assessed at least once a year?

Please explain at what intervals the internal control system in your administration is assessed and the methods used.

Internal control system must be assessed via ongoing evaluations or separate evaluations. It is recommended that these two methods are applied at the same time. (Separate evaluation of the internal control system can be carried out by setting up working groups or via questionnaires.)

2 Are processes and methods set out in your administration to identify and disclose the shortcomings of internal control and improper control methods and to take the necessary actions?

If the response is “Yes”, please briefly mention the process and method adopted in your administration. It is recommended that the processes and methods are put into practice upon the approval by the Senior Manager. Please give brief information on the responsible staff notified in the event of an incomplete or improper control method, the time limit set for taking action and how these procedures are monitored. Management fulfils this responsibility via SDUs and internal auditors.

3 Are trainings, plenary sessions and meetings held which will create the atmosphere in which managers will be provided with feedback about whether internal control functions effectively or not?

4 Are the units of the administration involved in the evaluation of internal control?

If answer is “Yes”, please explain how participation is ensured. It must be ensured that units take active part in the process, and the task of evaluating internal control system must not be perceived as the responsibility of only the Senior Manager, internal auditor and SDU.

5 Is there internal audit unit/internal auditor in your administration?

6 Is there efficient cooperation among internal audit unit, management and staff?

What has been done to increase the level of awareness of the manager and the staff on internal audit activities? What has been done to see the relations with the internal audit unit and the expectations? Please explain briefly.

7 While evaluating internal control, are the opinions of the managers, requests and complaints by people/organisations and the reports produced upon internal and external audit taken into consideration?

The method to adopt for the collection, assessment and reporting of the information required for the evaluation of internal control must be set out. Please refer to the staff responsible for assessing the internal and external audit findings and recommendations for the evaluation of internal control, the time limits for these assessments and the management level to which this information is communicated.

Compare the internal and external audit reports with the results of the internal control system evaluation by the SDU for consistency. In the event that any inconsistency is identified, the reasons for this must be questioned.

8 Are recommendations from internal audit and SDU about how to improve internal control taken into consideration by management?

9 Are action plan(s) where internal control evaluation results and recommendations made upon internal and external audit produced and implemented? Are they followed-up?

If the timing is appropriate, action plans can be combined. Please give brief information on the staff responsible for following-up the action plans and the method used. Furthermore, please provide information on the method used for the follow-up of internal audit reports, if there is any. With which level of management are the results of the follow-up shared, and how often? Please explain.

TOTAL POINTS – MONITORING

GRAND TOTAL


Annex 2 Internal Control System Evaluation Report

…………… (NAME OF ADMINISTRATION)

INTERNAL CONTROL SYSTEM EVALUATION REPORT

I INTRODUCTION

11 Mission

12 Aims and Objectives

13 Organisational Structure

II INTERNAL CONTROL QUESTIONNAIRE RESULTS

II1 Consolidated Summary on strengths and aspects open to improvement regarding the entire

organisation relevant to each COSO component

- Control Environment

- Risk Management

- Control Activities

- Information and Communication and

- Monitoring

III OTHER INFORMATION

III1 Internal Audit Reports

III2 External Audit Reports

III3 Other Information Sources

III31 Budget Information

III32 Data on Ex-ante Financial Control

III33 Requests by Individuals and/or Administrations

III34 Other Information

IV CHANGE SINCE THE LAST REPORT

IV1 For each COSO component has the position got better or worse and why

V CONCLUSION

V1 Strengths

V2 Aspects Open to Improvement

V3 Recommendations for action


Annex 3a Internal Control Assurance Declarations Senior Manager

I RESPONSIBILITY

As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of [the administration]. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.

II PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION

I declare that my administration’s budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements; resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.

In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration’s revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; my administration operates in line with the laws and other regulations; irregularities and fraud are prevented in each financial decision and transaction; regular, timely and reliable reports and information are acquired for decision making and monitoring; assets are safeguarded against abuse, waste and losses.

This assurance is based on my knowledge and considerations as the Senior Manager, management information systems, internal and external evaluations carried out within the context of quality assurance development programme, studies of the SDU, internal and external audit reports (if available).

In the following part, the Senior Manager must explain the support by the management information systems, internal and external evaluations within the framework of the quality assurance development programme, internal and external audit and SDU.

Management Information Systems

Please read section no 6113 before completing this part

Internal Audit

Please read section no 6114 before completing this part

External Audit

Please read section no 6115 before completing this part

SDU

Please read section no 6116 before completing this part


III RISK MANAGEMENT10

As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration, production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, creation of the necessary organisational capacity and embedding risk management into the general activities is valued.

In the following part, the authorising officer should address the risk perception of the administration and its capacity to deal with risk.

Risk perception of the administration should summarise

Please read section no 6117 and 6118 before completing this part

Capacity to handle risk

Please read section no 6119 before completing this part

My administration faces a wide range of risks during the course of its activities. These risks are considered in accordance with the principle that the cost of the internal controls to be developed with control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted in levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.

In the following part, the Senior Manager should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration’s risks.

Identification and assessment of the risks

Please read section no 61110 before completing this part

Addressing, control environment, monitoring and reporting of the risks

Please read section no 61111 before completing this part

IV APPRAISAL OF THE INTERNAL CONTROL SYSTEM

As the Senior Manager, during the preparation of the foregoing declaration, I also considered the assurance declarations by the Authorising Officers and Head of SDU. The information and evaluations I have received from these declarations pose an important basis regarding the assurance I have to provide on the internal control system in my administration.

10 This part must be completed when risk management process starts to function in the administration.

Furthermore, [advisory, audit, risk steering] boards/committees have been set up within [the administration] to provide support and guidance for the evaluation of the internal control system in terms of particularly risk strategy and management. Reports prepared by these boards have made a great contribution to the evaluation on the internal control system.

Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term and how these developments have been handled are summarised below.

Please read section no 61112 before completing these parts

Human Resources

Physical infrastructure and assets

IT and communication infrastructure

Data security

New structures and changing fields of activity

Problems faced in the main fields of activity or examples of best practice

Developments regarding weaknesses stated in previous years


Other developments

(Date)

Signature

Name

Title


Annex 3B Internal Control Assurance Declaration Authorising Officer

INTERNAL CONTROL ASSURANCE DECLARATION11

I RESPONSIBILITY

As the authorising officer, within my field of competence, I am responsible to ensure that my expenditure orders are in line with the fundamentals and principles of the budget, the laws, rules and regulations and other legislation; the appropriations are utilised in an efficient, effective and economic manner; and that the internal control operates properly.

II PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION

I declare that the operations and transactions carried out by my spending unit comply with the aims and objectives of the administration, high financial management principles, control arrangements and the legislation; resources allocated with the administration budget to the spending unit have been utilised in line with the planned objectives; and the internal control system within my unit provides the sufficient and reasonable assurance.

This declaration of assurance is based on my own information and evaluations as the authorising officer and on the management information systems, internal and external evaluations carried out within the context of the quality assurance development programmes, studies by the SDU, internal and external audit reports.

In the following part, the support provided by the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programmes, studies by the SDU should be elaborated by the authorising officer.

Management Information Systems

Please read section no 6113 before completing this part

Internal Audit

Please read section no 6114 before completing this part

External Audit

Please read section no 6115 before completing this part

SDU

Please read section no 6116 before completing this part

11 Please read section no 611 before completing this part


III RISK MANAGEMENT12

Within the framework of the overall risk perception, strategy and awareness of the administration, the capacity to handle risk has been determined for the activities specific to my unit and the necessary importance has been attached to embedding risk management in its activities.

In the following part, the authorising officer should address the capacity to handle risk.

Capacity to handle risk

Please read section no 6119 before completing this part

My spending unit faces various risks during the course of its activities. These risks are considered in line with the principle where the cost of internal controls to be developed does not exceed the benefit planned to be gained from them. A systematic approach has been adopted in the spending unit for the identification, addressing, assessment, monitoring and reporting of the risks faced.

In the following part, the authorising officer should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration’s risks.

Identification and assessment of the risks

Please read section no 61110 before completing this part

Addressing, control environment, monitoring and reporting of the risks

Please read section no 61111 before completing this part

IV EVALUATION OF THE INTERNAL CONTROL SYSTEM

The following is the summary of the most significant developments experienced in the activities of my unit within the period covered by the foregoing report and how these developments have been addressed by the internal control system.

Please read section no 61112 before completing these parts

Human Resources

IT and communication infrastructure

Data security

12 This part must be completed when risk management process starts to function in the administration


New structures and changing fields of activity

Problems faced in the main fields of activity or examples of best practice

Developments regarding weaknesses stated in previous years

Other developments

As the authorising officer, I hereby declare that we have also carried out some transactions overriding the opinion of the SDU. Information and justifications for these transactions are as follows:

There is no such a work I carried out that is not found to be appropriate by SDU.

(In this part transactions, if any, carried out by the authorising officers despite the negative opinion provided upon the ex-ante financial control. If there is no such a work as mentioned above, then expression “there is no such a work I carried out that is not found to be appropriate by SDU” should be included.)

(Date)

Signature

Name

Title


Annex 3b Internal Control Assurance Declaration Head Of SDU

INTERNAL CONTROL ASSURANCE DECLARATION

As the Head of SDU, I declare that the internal control system has been implemented, monitored and my opinions and recommendations have been reported to the Senior Manager to take the necessary actions in time in order to ensure that the activities in [the administration] are carried out in accordance with the financial management and control legislation and other legislation, public resources are utilised in an efficient, effective and economic manner.

Please read section no 612 before completing this part

In the following part, the studies should be explained regarding the management information systems, development of internal control system, monitoring and review, and briefing and advising by the Head of SDU.

Management Information Systems

Please read section no 6121 before completing this part

Development of Internal Control System

Please read section no 6122 before completing this part

Monitoring and Review

Please read section no 6123 before completing this part

Briefing and Advising

Please read section no 6124 before completing this part

Financial Information

Please read section no 6125 before completing this part

I confirm that the information included in the section IIIA-Financial Information of the Activity Report (year) is reliable, complete and accurate.

(Date)

Signature


Annex 4 Example Of A Complete Declaration

INTERNAL CONTROL ASSURANCE DECLARATION

(SENIOR MANAGER)

Name-Surname

Title

I RESPONSIBILITY

As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of the Ministry of Space Exploration. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.

II AIMS AND PILLARS OF INTERNAL CONTROL SYSTEM

I declare that my administration’s budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements; resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.

In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration’s revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; my administration operates in line with the laws and other regulations; irregularities and fraud are prevented in each financial decision and transaction; regular, timely and reliable reports and information are acquired for decision making and monitoring; assets are safeguarded against abuse, waste and losses.

This assurance is based on my knowledge and considerations as the Senior Manager, management information systems, internal and external evaluations carried out within the context of quality assurance development programme, studies of the SDU, internal and external audit reports (if available).

Management Information Systems

Management information systems have been established in all General Directorates in order to provide information for managers that enables effective decisions to be made and for information on changing risks to be monitored in our Ministry. However, not all of our legacy IT systems have been fully assessed for security risks. As part of the measures being taken to strengthen data security governance, we will ensure that the IT systems supporting our most time critical business processes are reviewed to establish a known risk position by December 2010. We will carry out a review of our remaining systems during 2011.

Internal and External Evaluations Carried Out Within The Context Of Quality Assurance Development Programme

Presidency of Strategy Development has carried out one internal evaluation of the effectiveness of internal control within the context of the quality assurance and development programme. The main findings of this evaluation are:

- That compliance with internal control standards was good in terms of effective control activities in order to minimise risk

- Internal Control and Risk Steering Board has been set up within the Ministry to contribute to the evaluation of the internal control system

- Unit managers needed to develop their skills regarding ongoing monitoring of internal control systems

Based on the evaluation findings, the Ministry has produced an action plan which is planned to be put into practice as of June 2010.

There were no external evaluations carried out within the context of the quality assurance and development programme, but the CHU has declared that this is scheduled for 2013.


Internal Audit

Our Ministry’s Internal Audit Unit continues to operate within the framework of a three-year audit plan. Internal Audit operated to requirements defined in the Public Internal Audit Standards. Their audit programme was focused around the Ministry’s key risks of internal control, together with recommendations for improvement. The Director of Internal Audit Unit provided me with an annual Internal Control Evaluation Report which contained an independent opinion on the adequacy and effectiveness of internal control. The conclusion of the Director of Internal Audit Unit was that the following aspects of internal control should be improved:

- Awareness of the Deputy Undersecretaries and General Directors on internal control responsibilities and risk management

- Improvement of the present arrangements regarding promotion, assignment and appointment system to make it transparent and competence based

- Improvement of communication between the central and provincial organisations of our ministry

- Review of management information systems to update old systems

- Improvement of allowances and supplementary payments for personnel going to the space

It has been decided that a working group consisting of managers from the SDU, General Directorate of Personnel and other relevant units will put these recommendations into an action plan.

External Audit

The TCA has approved the annual accounts of the Ministry

SDU

An evaluation on the internal control system has been carried out with the full participation from the SDU, Spending Unit managers and the staff, and a report has been produced and submitted to the CHU on 30th March 2010. The main findings of the review are listed above under the heading “Internal and External Evaluations Carried Out Within the Context of Quality Assurance Development Programme” in this document. SDU staff also underwent training in risk management during this year.

III RISK MANAGEMENT

As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration, production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, creation of the necessary organisational capacity and embedding risk management into the general activities is valued.

The SDU took the lead in embedding risk management in the organisation by reviewing and updating the key corporate external and internal risks facing the Ministry each month. The SDU also began an exercise to identify long term risks that may have posed a significant threat to the Ministry in the future. These risks were recorded on a long term risk register and the intention is that they will be reviewed every six months. Should the threat increase, then these risks will either be escalated to my part for appropriate action to be taken.

The Internal Control and Risk Steering Board also endorsed an action plan to further embed good risk management practice within the Ministry’s processes and systems and to support innovation through well managed risk taking. Work to establish this position will continue and focus on those areas identified as still most in need of improvement. This will include giving further consideration to risk appetite, where the focus will be on practical examples of how it can be applied in practice, thus making it easier to communicate its awareness among staff.

Guidance was available to all staff on risk management through the risk management intranet site. In addition to a risk management policy, specific guidance was available on undertaking risk self assessment, which includes guidance on applying risk management as an integral part of the Ministry’s business planning process. Risk management workshops were available to all staff and practical guidance on its application had been incorporated into a wide range of training courses. These courses covered all ranges of staff and were tailored to be appropriate to their authority and duties.

My administration faces a wide range of risks while carrying out its activities. These risks are assessed in accordance with the principle that the cost of the internal controls to be developed with control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted in levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.

The risk management framework for our Ministry operated through the initial identification of risks, as part of the business planning process, which threatened achievement of the Ministry’s objectives. These risks were then evaluated in terms of impact and probability. This process established the level of residual risk to which the Ministry was exposed and which was monitored over time as part of performance management. Ownership for each risk was assigned to a named individual. Reasonable assurance that risk mitigation activities were appropriate was obtained through regular management reviews and internal audits of the key activities undertaken in the Ministry.

In order to further embed best practice in risk handling and to ensure a consistent interpretation of the acceptable extent of residual risk, our Ministry will review its risk appetite and communicate it more effectively across the organisation.

IV APPRAISAL OF THE INTERNAL CONTROL SYSTEM

As the Senior Manager, during the preparation of the foregoing declaration, I also considered the assurance declarations by the Authorising Officers and Head of SDU. The information and evaluations I have received from these declarations pose an important basis regarding the assurance I have to provide on the internal control system in my administration.

Furthermore, Internal Control and Risk Steering Board has been set up within the Ministry of Space Research to provide support and guidance for the evaluation of the internal control system in terms of particularly risk strategy and management. Reports prepared by this Board have made a great contribution to the evaluation on the internal control system.

Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term and how these developments have been handled are summarised below.

In our investment programmes, the underspend reported last year in the spacecraft development programme has been managed. There is now less than 2 slippage in that programme. Underspends have arisen this year in other areas, for example:

- The satellite programme TL 121 m. Internal Audit Unit has reviewed the Investment Budget management and an action plan is being developed to address the audit findings.

- Astronauts training programme TL 113m, due to slower than expected take-up. Processes will be streamlined to reduce barriers and it is expected the budget will be fully used in the next year.

- Renovation of launching stations programme TL 16m, arising mainly from slippage in international cooperation projects affecting the expected refurbishment programme, together with some incorrect historical data for tracking capital allocation. New systems will prevent the reoccurrence of this problem.

Whilst recognising the above summarised issues, good progress has been made in resolving them and there are plans in place to further enhance internal control system and improve practice. As Senior Manager, I provide reasonable assurance that the above issues do not represent a material threat to operational effectiveness and that our Ministry complies with the public internal control standards on risk management, internal control and governance.

(Date)

Signature

Name

Title


GLOSSARY

CONCEPT DEFINITION

Explicit information is the information which can be created expressed obtained and

transferred in accordance with a specific system Aim is the concept which refers to the objectives contained in the strategic

plan that administration aims to attain Information Financial and non-financial data related to internal and external events

and activities which is created obtained and communicated in a

particular form and at a particular time to ensure that people carry out

their duties Information security refers to safeguarding valuable assets in an administration against loss

misuse or damage.

Information map
is demonstration of information kept in units or their systems which can be shared, and expertise and experience of personnel, and demonstration of them on an organisational scheme or map in accordance with organisational structure.

Information pool
is the accessible area where information obtained in hard form or soft form is stored and kept ready for re-use.

Information architecture
Organisation of information with a view to make it accessible, manageable and useful from infrastructure level to end-user level.

Information stock
Financial and non-financial information available in administration at a particular time.

Information technology
is a system that controls all activities, including communication and computers, which are used for the purposes of collecting, storing and processing of information, its transmission from one point to another through communication systems and computers, and to the service of users. Information technology is a concept that is used to refer to all information services which can be connected through communication and computer systems.

Information management
is a process where information is planned and obtained from any kind of source, internally or externally, classified, stored, communicated to relevant bodies in a timely manner for interpretation, reviewed for updating, and disposed.

External audit
Within the framework of accountability responsibility of public administrations within the scope of general management, it is the activity of examining the compliance of financial activities, decisions and procedures of the administration with laws, administrative objectives, aims and plans, and reporting the results to TGNA by Turkish Court of Accounts.

Audit trail
It requires the maintenance of records giving the full documentation and justification at all stages of the life of a transaction, together with the ability to trace transactions from summarized totals down to the individual details and to trace all reporting stages.

Inherent risk
refers to those risks whose probability and impact cannot be changed unless particular precautions are taken by administration. When risks are identified for the first time, they are at inherent risk level.

Ethics
Ethics is a body of moral principles, values and standards which forms the basis for the behaviours of a person and guides them on how to do works.

Cost-Benefit Analysis
It is the identification and comparison of the costs and benefits regarding the implementation of a planned work or activity. In cases when benefits outweigh costs, the work or activity is considered to be cost-effective.

SWOT Analysis
is a method in which the administration systematically examines itself and the conditions having an impact on the administration. In this framework, strengths and weaknesses of the administration as well as the threats and opportunities that may occur outside the administration are identified. This is an analysis which forms the basis for strategic planning process.

Segregation of duties
covers the duty of approval, implementation, recording and control of each activity or financial decision and transaction, which shall be assigned to different people.

Objective
These are the specific and measurable sub-aims geared towards attaining the aims contained in the strategic plan.

Performance objectives are outcome-oriented objectives administrations plan to attain in a program period with a view to attaining the aims and objectives contained in the strategic plan.

Internal audit
is an independent and objective activity of giving assurance and providing counselling, with a view to providing guidance and assessing whether resources are managed in compliance with principles of effectiveness and efficiency in order to improve and add value to the activities of the public administration.

Internal control
is the body of financial and the other controls covering the organisation, method, process and internal audit in an administration, carried out with a view to ensuring that activities are conducted effectively, efficiently and economically in line with the administration's aims, its identified policies and legislation, assets and resources are protected, accounting records are kept accurately and completely, and financial information and managerial information is produced in a reliable and timely manner.

Internal control assurance declaration
is the declaration annually signed by senior managers, authorising officers and heads of strategy development units within the framework of accountability and transparency to state that processes and transactions are conducted in line with the principles of good financial management, control regulations and the legislation.

Internal Control and Risk Steering Board
The Board makes assessments concerning development of process and methods related to internal control system, such as determination of policies about monitoring internal control practices and introduction of risk in the administration.

Whistleblowing
is the notification of illegal and unethical behaviours and actions to internal and external authorities that have the power and authority to solve the problem by persons with information (employees or stakeholders); therefore administrations or third persons inside or outside the administration are not affected.

Business continuity
The plans that aim at ensuring continuity for the activities of the administration or ensure continuity without any interruption after any extra-ordinary situations.

Ex-post controls
Are the controls applied by management to administration's activities after they have been carried out, using pre-identified methods.

Monitoring
Monitoring is the activity of assessing, within the framework of compliance with internal control standards, whether internal control system provides the expected contribution to attaining objectives and aims of the administration, and determining the activities to be carried out in fields that are open to improvement.

Residual risk
refers to risks remaining after management has taken precautions to reduce their probability and impact.

Control activities
are actions aimed at reducing the impact and/or the likelihood of a risk occurring and thus increase the probability of attaining the goals and objectives of the organisation or part of the organisation.

Financial Management and Control
is the development, implementation, monitoring and improvement of suitable organisations, methods and processes within the of managerial responsibility to ensure effectiveness, efficiency and economy in obtaining and using resources as well as compliance with the identified aims and objectives and the legislation.

Central Harmonisation Unit
is affiliated to the Ministry of Finance. The unit develops and harmonises methods and standards concerning financial and internal control processes and provides related guidance for public administrations.

Mission
Mission is the cause of existence of an administration and its place within the state structure. In other words, mission is the answer to such questions as what the public administration does, and how and for whom it does what it does.

Focus group
These are such meetings that are held among a target group composed of 6-8 people to receive their thoughts and reactions in a detailed and elaborate manner. They are managed by a moderator within the framework of a flow plan.

Probability
refers to the likelihood that an event may occur.

Organisational structure
is general system covering all the activities and procedures undertaken to attain the aims and objectives of the administration.

Ex-ante financial control
Ex-ante financial control is a control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out with the available appropriation amount, expenditures programme, financing programme and the provisions of central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently.

Implicit information
is the information in people's minds which is not regulated in accordance with a particular system, therefore not easy to transfer and circulate, and the registered information which is not accessible to employees.

Stakeholders
are the people, groups and administrations which are relevant to the administration's products and services and can directly or indirectly, positively or negatively affect or be affected by the administration.

Risk
can generally be defined as uncertainty of events that may occur in future or undesirable outcomes and impacts of an event. For administrations, risk can be defined as negative or positive effects of internal and external factors that may occur in future on attaining the objectives and aims of administrations. In risk terminology, positive aspects of risk and wins it may bring along are referred to as opportunity, and negative aspects and losses it may cause are referred to as threat.

Risk assessment
is analysing those factors which can have an impact on attaining the objectives of administration.

Transferring risk
is the response to the risks by taking some of them away from the responsibility of the administration and transferring it to others.

Handling risks
is the identification of responses to risks identified and assessed (within the framework of risk appetite) by public administrations, and reducing the expected threats and benefiting from the opportunities that may emerge within this context.

Impact of risk
refers to outcomes or effects that risk posing event can produce once it occurs.

Risk appetite
is the amount of risk an administration is ready to accept (tolerate/be exposed to) at any time before deciding on the need to take any relevant precautions in line with its strategic objectives, mission and vision. In terms of threats, it refers to exposure level which can be tolerated and justified, and in terms of opportunities, it refers to how a person is ready to actively take the risk to gain benefits of the opportunity.

Tolerating risks
is a passive method of response given to risks which public administrations are comfortable to undertake.

Avoiding risks
is a response to risks by removing the activities in which risks are probable to occur, thus eliminating the risks that are probable to occur together with the activities.

Controlling risks
is a method of response to risks by means of control activities carried out to keep tolerable risks at a certain level in public administrations.

Preventive Controls: These are controls carried out to prevent threats that risk may pose and undesirable outcomes risk may produce once it occurs.

Corrective Controls: These are controls aiming at reducing the impact of undesirable outcomes that arise from threats risk poses once it occurs.

Directive Controls: These are controls carried out to prevent the occurrence of risk or avoid the impact it may produce once it occurs.

Detective Controls: These are controls applied to identify damages and losses experienced once the risk is realised.

Risk profile
documented and prioritised overall assessment of the range of specific risks faced by the administration.

Risk management
is a management tool and all the mechanisms related to identify and assess risks that may have an impact on attaining aims and objectives of administration, identify responses to risks, regularly review and update risks and responses, and monitor the whole process.

Corporate risk management
is a process which covers the entire administration and ensures that risk management processes are considered and handled as a whole.

Risk strategy
the overall organisational approach to risk management as defined by the Accounting Officer and/or the Board. This should be documented and easily available throughout the organisation.

Risk Strategy and Policy Document (RSPD)
corporate approach to risk management identified by Head of Administration and senior level policies are called risk strategy, and the document in which this approach and policies are set down in writing is called Risk Strategy and Policy Document (RSPD).

Risk identification
is the process of identifying, ascertaining, categorising and updating risks that prevent or limit the achievement of administration's strategic objectives, using previously defined methods.

Strategy Development Unit
refers to presidencies of strategy development units, departments of strategy development and directorates where strategy development and financial services are undertaken. They carry out studies to establish, implement and continuously develop internal control systems and report the study results to the Head of Administration.

Irregularity
Faults, errors and negligence stemming from violation of regulations and provisions related to financial management.

Delegation of authority
is delegation of the responsibility and authority for making decisions to another authority in writing in the way envisaged in the legislation.

Fraud
Is misuse or insufficient use of documents and declarations for monetary purposes or non-monetary private purposes, as well as hiding information or deliberate acts performed to abuse the benefit legally obtained, and negligence and illegal use of public power.

Management Information system
supporting systems which provide proper data for managers and decision-makers for taking decisions and implementing them with a view to more effectively attaining the previously identified objectives of the administration by operating and communicating the information used in administration.

Managerial
refers to management being accountable for the decisions they have made regarding duties assigned, as well as for effective use of public resources, to the Parliament, Government and public opinion.

Governance
Governance is the way in which organisations are directed and controlled. It defines the distribution of rights and responsibilities among the different stakeholders and participants in the organisation, determines the rules and procedures for making decisions on corporate affairs, including the process through which the organisation's objectives are set, and provides the means of attaining those objectives and monitoring performance.

Conference call
A system of telecommunications technology that enables a number of people in different locations to hold a discussion using the telephone.

7.2 Risk Assessment
7.3 Responding to Risks
7.4 Reviewing Risks
7.5 Communication and Reporting
7.6 Learning

RISK MANAGEMENT ANNEXES
ANNEX 1 Using the brainstorming method to identify, assess and record risks
ANNEX 2 Risk Voting Form
ANNEX 3 Risk Register
ANNEX 4 Consolidated Risk Report
ANNEX 5 Risk Assessment Criteria Table
ANNEX 6 Case Study Example of Inherent and Residual Risk
ANNEX 7 Case Study Example of completed Risk Voting Form, Risk Register and Consolidated Risk Report

CONTROL ACTIVITIES
1 Introduction
2 Control Activities Standards
3 Planning Process of Control Activities
4 Classification of control activities
4.1 Preventive controls
4.2 Corrective Controls
4.3 Directive Controls
4.4 Detective Controls
5 Methods of control activities
5.1 Authorisation and approval
5.2 Segregation of duties
5.3 Double signature system
5.4 Reconciliation of data
5.5 Supervision procedures
5.6 Ex-ante financial controls
5.7 Procedures for accounting operations
5.8 Anti-corruption
5.9 Access to assets and information
5.10 Documentation, archiving and storing of information
5.11 Business continuity (or emergency plans)
5.12 Control activities related to Information Technology (IT)
5.13 Assessing costs and benefits of control activities
6 Practical Stages for Control Activities
7 Steps to identify and implement control activities

Control Activities Annexes
Annex 1 - Examples of some common risks and controls
Annex 2 List of common control activities
Annex 3 - Illustrations for cost benefit analysis

INFORMATION AND COMMUNICATION
1 INTRODUCTION
2 Information and Communication Standards
3 ROLES AND RESPONSIBILITIES IN INFORMATION AND COMMUNICATION
Minister
Head of Administration
Internal Auditor
Authorising Officer
Realisation Officer
Accounting Officer
Strategy Development Units
Central Harmonisation Unit
4 INFORMATION
4.1 Characteristics of Information
4.2 Information Management
4.3 Information Security
5 MANAGEMENT INFORMATION SYSTEMS (MIS)
5.1 Stages of Establishing MIS
6 COMMUNICATION
6.1 Internal and External Communication
6.2 Communication Methods
7 WHISTLEBLOWING OF FAILURES, IRREGULARITIES AND FRAUD
7.1 Concepts of Failure, Irregularity, Fraud and Whistleblowing
7.2 Scope of Notifications
7.3 The Responsibility for Detecting Faults, Irregularities and Fraud
7.4 Whistleblowing System
8 RELATIONS AMONG UNITS
8.1 Information and Communication between the CHU and SDUs
8.2 Information and Communication between SDUs and Spending Units

INFORMATION AND COMMUNICATION ANNEXES
Annex 1 - Legislation on Information and Communication
Annex 2 - Widely Used Methods of Communication
Annex 3 Reports Prepared under PFMC Law No 5018
Annex 4a Whistle-Blowing Process Related to Ethical Values
Annex 4b Whistleblowing and Evaluation Process for Crimes Committed by Civil Servants

MONITORING
1 Introduction
2 Monitoring Internal Control Standards
3 Roles And Responsibilities
3.1 Senior Manager
3.2 Internal Audit
3.3 Internal Control and Risk Steering Board (ICRSB)
3.4 Authorising Officers
3.5 Strategy Development Units (SDU)
3.6 Other Managers and Employees
3.7 External Audit
3.8 Central Harmonisation Unit (CHU)
4 Guidance by the CHU
5 Assessment and Reporting Role of SDUs
5.1 Assessment of Internal Control System by SDUs
5.2 Reporting of Internal Control System Evaluation Results
5.3 Monitoring of Internal Control System Evaluation Reports
5.4 Work to be carried out by SDUs concerning Internal Audit Reports
6 Internal and External Audits
6.1 Internal Audit
6.2 External Audit
7 Internal Control Assurance Declarations
7.1 How to complete Internal Control Assurance Declarations

MONITORING ANNEXES
Annex 1 Internal Control System Question Form
Annex 2 Internal Control System Evaluation Report
Annex 3a Internal Control Assurance Declarations Senior Manager
Annex 3B Internal Control Assurance Declaration Authorising Officer
Annex 3b Internal Control Assurance Declaration Head Of SDU
Annex 4 Example Of A Complete Declaration

GLOSSARY

LIST OF ABBREVIATIONS

ARC Administrative risk coordinator

BiMER Prime Ministry Communication Centre

CHU Central Harmonisation Unit

COBIT Control Objectives for Information and Related Technology

COSO Committee of Sponsoring Organisations of the Treadway Commission

DHSDU Declaration by Head of Strategy Development Unit

e-SAC Electronic System Audit and Control

FMC Financial Management and Control

HRM Human Resources Management

ICAD Internal control assurance declaration

ICRSB Internal Control and Risk Steering Board

INTOSAI International Organisation of Supreme Audit Institutions

ISO/IEC International Organisation for Standardization / International Electrotechnical Commission

IT Information Technology

MERNIS Central Civil Registration System

MIS Management Information System

PESTLE Political, Economic, Social, Technological, Legal and Environmental

RSPD Risk Strategy and Policy Document

SDU Strategy Development Unit

SMART Specific, Measurable, Achievable, Relevant, Time-related

SURC Sub-unit Risk Coordinator

SWOT Strengths, Weaknesses, Opportunities and Threats

TGNA Turkish Grand National Assembly

TSE Turkish Standards Institute

URC Unit Risk Coordinator

UYAP National Judicial Information System


INTRODUCTION

From the late 20th century onwards, the focal point of governments in the whole world has been to establish mechanisms to increase performance. "Good governance", put forward to serve this end, has recently come to be a guiding principle both for the private sector and the public sector. Within the framework of the principle of good governance, such factors as ensuring accountability for the provision of better quality public services, improvement of transparency, delegation of authorities and responsibilities by means of managerial flexibility, outcome-oriented management and budgeting, and understanding and meeting the expectations of citizens have come to the foreground.

On the other hand, provision of quality public services has brought along the need for the public resources to be used effectively, efficiently and economically, thus necessitating the usage of effective tools in public administrations in many areas, from organisational structure to information and monitoring, which are related to financial management and control. The most important tool for accountability adopted in this reform process is internal control.

Internal Control

Internal control, which is internationally used, is a system designed to give reasonable assurance to attain the objectives of a given administration. Within the framework of the Committee of Sponsoring Organisations (COSO), which is the most widely-known system among the others, internal control aims to ensure compliance of actions and works with the legislation as well as the reliability of financial and managerial reporting and effective and efficient asset protection. COSO, which is made up of control environment, risk management, control activities, information and communication, and monitoring components, is an internal control model which is also accepted as a reference point by such institutions as the International Organisation of Supreme Audit Institutions (INTOSAI) and the European Commission. The following figure shows the components of COSO.

Figure 1: The COSO Cube

Our country, on the other hand, which has been carrying on membership negotiations with the EU, has been going through a reform process since the early 2000's with a view to strengthening its public internal control system. The basic factors of the internal control system, which is recommended by the European Commission to all the candidate countries and is in compliance with COSO, can be summarized as a financial management and control (FMC) system based on managerial responsibility and accountability, a functionally independent internal audit activity, and a Central Harmonisation Unit (CHU) responsible for the harmonisation of these two areas in the whole public sector.

FMC refers, in the most general terms, to the management and control processes related to public revenues, expenditures, assets and obligations. In this context, public managers of every level are responsible for the establishment and sustainability of a sound FMC system to ensure resource-based planning, programming, budgeting, accounting, controlling, reporting, archiving and monitoring. Internal audit, on the other hand, which assists the manager in assuming this responsibility and attaining the objectives, gives objective assurance based on risk management and provides guidance regarding the compliance of the current FMC system with the identified rules and standards. Furthermore, a full capacity and quality central harmonisation activity is required in order to identify and develop methodologies, legislation and standards in the areas of FMC and internal audit in public administrations, as well as to coordinate and monitor them and provide the training needed.

In the light of the best practice examples, our country has taken important steps in strengthening transparency and accountability in public financial management and ensuring an effective internal control function. Public Financial Management and Control Law No. 5018, which is the most important step among the others and was adopted in 2003, defines the functioning of the internal control system and the roles and responsibilities of the actors involved in the system, and assigns the Ministry of Finance (MoF) the duty of identifying standards and methods as well as ensuring coordination and providing guidance in this area. As per this duty, the MoF published a Public Internal Control Standards Communiqué in 2007, which was in compliance with the international standards.

The Financial Management and Control Manual, which is an extension of all these works, has been prepared with a view to supporting decision-making and implementation processes for better management and thus contributing to the rational usage of public resources. The Manual, whose preparation started in 2010 and was completed in the first quarter of 2011, is the outcome of painstaking work carried out by experts both from the United Kingdom and our country within the framework of a twinning project financed by the European Union.

The FMC Manual has been designed, with a view to ensuring the implementation of internal control standards, as a guideline which explains all the basic factors of internal control by means of methods, tools and examples which can be used by all the stakeholders. In addition, it is also possible for administrations to use, according to their own needs, other tools than this Manual, which can be modified and revised in time in line with the changing circumstances and needs in public administrations; however, it is foreseen that tools adopted should not be in conflict with the basic requirements contained in the Manual.

This Manual is made up of five main parts based on Internal Control Standards. Following this introduction, there is a table showing the main responsibilities of the major actors in financial management and control.

In the first part, conceptual explanations regarding ethical values and integrity, mission, organisational structure and duties, competence and performance of personnel, and delegation of authority, which are the milestones of the control environment, as well as information on the legislation and implementing tools are given.

In the second part, information on the importance and aim of risk management, stages of the risk management process, roles and responsibilities of the actors involved in the process, the Risk Strategy and Policy Document, and communication and reporting tools that can be used is given.

In the third part, control strategies and methods, identifying and documenting procedure, principle of separation of authorities, hierarchical controls, sustainability of activities and information processing controls are explained within the framework of control activities, which is closely related to risk management, and a set of control activities (approval, authorisation, verification, reconciliation of accounts, etc.) are dealt with.

In the fourth part, the concept of information and its management, functioning of Management Information Systems, internal and external communication tools and reporting mechanisms are handled within the framework of the information and communication component.

In the fifth part, information on the roles and responsibilities of Financial Management and Control Central Harmonisation Unit (FMC CHU) in the overall public sector and of Strategy Development Units (SDU)/Financial Services Units in each public administration, as well as the tools used, internal control system quality assurance development program, roles of internal and external audit, content of Internal Control Assurance Declaration and guidance on how to fill the Declaration, is given within the framework of regular monitoring and assessment of internal control system.

In the last part of the manual, a glossary of the concepts used in the manual is given.

Users of the Manual

Besides the relevant stakeholders and users, it is believed that this Manual will be a reference document for the following:

Senior managers responsible for establishing an effective and adequate FMC system as well as observing and monitoring it.

Authorising officers who have responsibility, within the scope of their duties and authorities, to ensure the functionality of the internal control regarding administrative and financial decisions and proceedings.

Relevant managers and employees of the Ministry of Finance who carry out the central harmonisation duty in the area of FMC.

Managers of SDUs and financial services experts who have responsibility concerning the development of internal control system and implementation of the standards.

Realization officers and accounting officers who are involved in the financial processes and accountable to authorising officers.

The other public managers who have responsibilities arising from the activities conducted in the area of FMC in units.

All the employees working in public administration.

Internal auditors who have the responsibility to assess and report to the Head of Administration the effectiveness of FMC system.

External auditors who are responsible for examining the accounts, financial transactions and activities, and internal control systems of public administrations, as well as whether resources are used effectively, efficiently and economically as well as in compliance with laws, and reporting the results to the TGNA.

TABLE OF ROLES AND RESPONSIBILITIES

RISK MANAGEMENT | INFORMATION AND COMMUNICATION | MONITORING

MINISTER

Risk management: Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister should be aware of the potential risks to the administration's objectives.

Information and communication: He ensures coordination and cooperation with the other ministries and informs the public opinion and the TGNA about the annual performance programme and activity report of the administration.

Monitoring: Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister is responsible for ensuring effective monitoring of the internal control system.

HEAD OF ADMINISTRATION

Risk management: He defines strategies and policies for an effectively functioning risk management system in accordance with the aims and objectives of his administration.

Information and communication: He explicitly defines tasks, roles and responsibilities. He ensures the participation of the stakeholders and the public opinion. As the quality of the information exchange and communication between the head of administration and the other actors has a direct effect on the accountability of the head of administration, he must inform the relevant units about the frequency and methods of feedback he prefers. He ensures effective communication among spending units, SDUs and internal audit.

Monitoring: He is responsible for observing and monitoring the functioning of financial management and control system. He approves annual internal control system evaluation reports and signs the Internal Control Assurance Declaration.

INTERNAL CONTROL AND RISK STEERING BOARD

Risk management: The Board develops policies for improvement of risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the unit of the policies and procedures for coordination purposes. ICRSB determines a particular number of risks which it deems significant as the key risks among those risks that are submitted to itself and reports whether these key risks function well or not to the Head of Administration in regular periods or whenever it deems necessary.

Information and communication: It provides the Head of Administration with timely and accurate information about the effectiveness of internal control and risk management.

Monitoring: It assesses internal control system evaluation reports prepared by the strategy development unit as a result of annual evaluation of internal control system and, after defining shortcomings of the report, if any, submits it with the relevant opinions for the approval of Head of Administration.

AUTHORISING OFFICER

Risk management: He acts as the unit risk coordinator or assigns someone to act so. URC coordinates the management of the unit's risks that may have an impact on objectives of the administration and provides guidance to this end.

Information and communication: He ensures that tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff. He ensures that sub-units are informed about the activities of each other. He ensures that an effective communication and archiving system is established for the information related to the objectives and activities of the unit.

Monitoring: He has responsibility for continuously monitoring internal control system. He provides necessary information for strategy development units regarding the annual evaluation of internal control system, completes internal control questionnaire and annually signs internal control assurance declaration to be submitted to the Head of Administration.

HEAD OF DEPARTMENT/UNIT

Risk management: He is responsible for the coordination of risk management activities within sub-units (if having such units or their management at this level is deemed appropriate) of the spending units in administrations. He is directly accountable to URC regarding risk management.

Information and communication: He ensures that an effective communication and archiving system within the sub-unit is established for the information related to the objectives and activities. He ensures that tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff. He is accountable to the authorising officer.

Monitoring: He has responsibility for continuously monitoring internal control system. He supports the authorising officer in providing SDUs with information.

EMPLOYEES

Every employee is directly responsible for managing risks in their fields of duty (identifying, assessing, responding to, reviewing and reporting risks).

Every employee is responsible for delivering accurate and timely information to managers, colleagues and stakeholders by using right communication means.

They observe the functioning of internal control system and in case of a problem they inform senior management and contribute to the evaluation process of internal control system by providing information.

STRATEGY DEVELOPMENT UNIT

It organises trainings on risk management in the administration and provides guidance in this respect.

It is responsible for providing the Head of Administration and the units with accurate and timely information. In addition, it is responsible for providing the unit with guidance and trainings on the area of internal control.

It annually assesses internal control system on behalf of the Head of Administration. It signs the declaration on functioning of internal control system with a view to ensuring effective, efficient and economical execution of administration's activities. Staff of Strategy Development Units take active role in the evaluation process of internal control systems and guide the units in completing the reports regarding evaluation.

ACCOUNTING OFFICER

Within the scope of his duty, the Accounting Officer should identify and manage the financial risks.

The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way.

Accounting Officers must regularly report to the authorising officer on the accounting records.

CENTRAL HARMONISATION UNIT

It is responsible for such activities as making regulations and changes when necessary, carrying out developmental activities as well as ensuring guidance, harmonisation, inter-administrational coordination and reporting.

It is responsible for making arrangements, setting out standards, providing guidance and advice, ensuring harmonisation and coordination among administrations, monitoring and reviewing the implementation in the fields of financial management and control and internal audit.

It annually assesses the functioning of internal control systems in public administrations based on Internal Control Evaluation Reports approved and submitted by senior managers and submits the evaluation report it prepared to the Head of Administration and the Minister of Finance.

INTERNAL AUDIT

Internal auditor provides the Head of Administration with advice regarding risk management by making evaluations on whether risk management process is effective and risks are managed in the right way or not.

He examines the functioning of information and communication system in the administration and reports the results to the Head of Administration. There must be an effective communication system between Head of Administration and internal audit.

It has the function to provide the management with information about the sufficiency, effectiveness and functioning of internal control system as well as making evaluations and giving recommendations.

EXTERNAL AUDIT

Within the framework of performance management, it can audit the functioning of risk management processes in administrations.

Within the framework of performance management, it can audit the functioning of information and communication systems in administrations.

Court of Accounts can assess internal control systems in administrations during the audits it conducts and give recommendations.

CONTROL ENVIRONMENT

1 INTRODUCTION

According to the COSO model, control environment is creation of the basic infrastructure for the other components of internal control by providing internal control awareness for employees working in a particular administration. Control environment generally includes internal control awareness, values, working styles and procedures of the administration. Basic factors of control environment are summarized below.

CE Box 1 Basic Factors of Control Environment

[Diagram of internal control components: Risk Management, Control Environment, Control Activities, Info & Communication, Monitoring]

Principles of personal and professional integrity

Adoption of ethical values by management and personnel

Supportive attitude of senior management towards internal control

Organisational structure

Professional competence and performance of personnel

Human resources policies and practices

Management philosophy and working style

Creation and sustainability of a positive and supportive environment for internal control by the management is of great importance. As employees also have their relevant roles in carrying out internal control, all the individuals within the administration need to know his/her responsibilities and authorities very well. Employees need to uphold personal and professional integrity and ethical values and comply with the current behavioural norms. In a well-functioning control environment, the public administration should previously determine its mission, organisational structure and terms of reference and should regularly assess the performance of personnel.

2 Internal Control Standards

Four standards were determined regarding control environment among Public Internal Control Standards.

CE Box 2 Control Environment Standards

Standard 1 Ethical values and integrity

It should be ensured that rules which regulate how personnel behave are known by the personnel.

Standard 2 Mission, organisational structure and duties

Mission of the administration and job descriptions for units and personnel should be set out in writing and announced to the personnel and a suitable organisational structure should be established in the administration.

Standard 3 Competence and performance of personnel

Administrations should ensure the compatibility between the competence and duties of personnel and take actions about performance appraisal and improvement.

Standard 4 Delegation of authority

Administration should explicitly identify authorities and limits of delegation of authority and announce them in writing. Authority should be delegated by taking the importance and risk of authority to be delegated into consideration.

This part gives explanations regarding the relevant legislation and standards with a view to rendering Public Internal Control Standards more comprehensible and to guide the practices. It also stresses the methods to be applied for ethical values and integrity principles to be owned by senior management and adopted by personnel, which is very important for a well-functioning control environment. In addition, criteria are determined for the assessment of competence and performance of personnel, and explanations are given on determination of mission, organisational structure and duties. Moreover, the part explains how the delegation of authority, which is a priority for accountability, needs to be conducted.

3 LEGISLATION

3.1 Legal Basis

In utilising of public resources or in providing effective and efficient public services, the principles and procedures of a work, financial or non-financial, are determined by the regulations made by laws or the central administration.

Internal Control standards provide the minimum and overall framework for managers for giving an assurance on the provision and sustainability of services. In the following diagram, the international and national standards and legislation relating to Control Environment are given.

CE Figure 1 Legal Basis Framework regarding Control Environment

Part Five of Law No 5018 regulates 'internal control system'. Within this framework, in order to establish an effective and sufficient internal control system, the top manager and the other managers should take necessary action to ensure that the following factors are implemented:

• Having professional values and an integral management understanding

• Assignment of financial authorities and responsibilities to informed and competent managers and personnel

• Compliance with the standards set

• Prevention of actions that are opposed to the Legislation

• Provision of a proper working environment and transparency with a comprehensive management understanding

The main legislation related to control environment is given below.

CE Table 1 Main Legislation on the Control Environment Standards

CONTROL ENVIRONMENT STANDARD: 1 Ethical Values and Integrity

RELATED LEGISLATION:

Behaviour Principles and Application Principles Law No 5176 on the Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws

Legislation on Ethical and Procedures of Civil Servants

CONTROL ENVIRONMENT STANDARD: 2 Mission, organisational structure and Tasks

RELATED LEGISLATION:

Law No 3046

Decree of Law No 217 on the Establishment and Duty Principles of State Personnel Presidency

Strategic Planning Guideline for Public Administrations

CONTROL ENVIRONMENT STANDARD: 3 Competence and Performance of Personnel

RELATED LEGISLATION:

Turkish Constitution

Law No 657 on Civil Servants, Law No 2802 on Judges and Public Prosecutors, Law No 2914 on High Education Staff, Law No 926 on Turkish Armed Forces Personnel, Law No 3269 on Specialized Sergeants, Law No 3466 on Specialized Gendarmerie, Law No 4678 on Contracted Officers and Petty Officers to be Recruited into Turkish Armed Forces

Regulation on Examinations for Those to be Appointed for Public Duties for the First Time

Regulation on Appointment Conditions for Public Services of Disabled Persons and Competition Examinations to be Conducted

Special Regulations Prepared by Administrations (expert, coordinator, inspector etc.)

General Regulation on Training of Candidate Civil Servants

Registry Regulation for Civil Servants

Regulation on Civil Servants to be Sent Abroad for Training Purposes

General Regulation on the Principles of Promotion and Title Change in Public Administrations and Entities

Regulation on Promotion and Title Change in Supreme Institutions and Agencies of High Education

CONTROL ENVIRONMENT STANDARD: 4 Delegation of Authority

RELATED LEGISLATION:

Law No 3046

Law No 2547 on High Education

Law No 5393

Organisational Laws

Communiqué Serial No 1 on Authorising Officers

4 ETHICAL VALUES AND INTEGRITY

4.1 What is Ethics?

Ethics is a body of moral principles which forms the basis for the behaviours of a person. In other words, ethics is the guidelines, values, principles and standards which help people determine 'how to do works'. Ethics is at the same time a process. In this process, while making and implementing decisions, actions are carried out upholding particular values.

The aim of observing ethical behaviour principles is to prevent corruption and uphold integrity in a state and community.

4.2 Current Legislation on Ethics

Law No 5176

The Law determines the establishment, duty and working principles and procedures for Civil Servant Ethical Board to determine and monitor the implementation of such ethical values that civil servants must observe as transparency, impartiality, accountability and observing public interests. However, scope of the law is so narrow that it diverges from its original aim. (Provisions of the Law on President, Members of TGNA, Members of Council of Ministers, officials of Turkish Armed Forces and officials of jurisdiction are not enforced.)

Civil Servants Ethical Board is authorised and responsible for determination of ethical behaviour principles through the legislations it will prepare, conduction of the relevant ex-officio examinations and investigations as well as conduction of examinations and investigations upon applications on ethical behaviour violations and notification of the results to the relevant authorities, carrying out studies to settle ethical behaviours in a community and supporting studies to be carried out in this field.

Within the framework of laws, the Board can be applied to with allegations of violation of ethical behaviour principles about the civil servants of at least director general or equivalent positions in a public administration and institution.

Applications to be made with allegations of violation of ethical principles about the other civil servants are evaluated by the concerned boards of the relevant administrations to see whether there is a condition that is opposed to ethical value principles or not. Results of the evaluations are communicated to the applicant and to whom it may concern.

The Board conducts its examinations and investigations regarding the applications referred to itself to see whether ethical value principles are violated or not. The Board has to conclude the examinations and investigations to be conducted upon the whistle blowing or complaint applications in three months at most. Results of the examinations and investigations are communicated to the relevant authorities and to the Prime Ministry in writing. (For further information, please refer to the "Information and Communication" chapter.)

Legislation on Civil Servants Ethical Behaviour Principles and Application Procedures

Civil servants are liable to observe ethical behaviour principles while fulfilling their duties and sign the Ethical Contract document. Authorised appraisal managers in administrations and institutions assess the performance and employment records of personnel in terms of compliance to ethical values.

CE Figure 2 demonstrates ethical behaviour principles determined in the Legislation.

CE Figure 2 Ethical Behaviour Principles

Granting declaration of property

Relations with the previous civil servants

Accountability requirement for managers

Informing, transparency and participation

Binding explanations and unreal declarations

Being economic

Utilisation of public properties and resources

Prohibition of giving presents and drawing benefits

Not abusing duties and authorities to draw benefits

Avoiding conflict of interest

Notification of authorised bodies

Courtesy and respect

Esteem and trust

Integrity and Impartiality

Commitment to aims and mission

Compliance with service standards

Service awareness for public

Public service awareness in fulfilment of duties

4.3 Main Ethical Behaviours that are Expected from Civil Servants

Observing all the time high ethical standards and working to increase public belief in the state and civil servants for public benefit

Behaving in compliance with the ethical values and principles when fulfilling duties, obtaining and using public resources and purchasing goods and services from outside

Showing respect for colleagues and users of services, exhibiting impartial and fair behaviours

Having a participatory decision-making process by taking the views of colleagues and users of the services into consideration

Appreciation and announcement of good works colleagues do

Not abusing public authorities and resources for personal benefits and not favouring relatives or friends in using public services

Being careful about the possible and real conflict of interests

Assuming responsibility for decisions and behaviours

Filling in the property declaration forms in time, accurately and without any reserve

Not working in a second job that is prohibited by the Legislation other than his public service

Not establishing private relationships with the persons and firms that are in connection with the administration that civil servant works in

Warning other civil servants whose behaviours are not in compliance with the ethical principles and notifying authorities in case that warning turns out fruitless

4.4 Ethical Behaviours That are Expected from Public Managers

While fulfilling their duties, managers should:

Inform all the civil servants of the overall aims, main objectives and values of the administration

Create a positive working environment where behaviour expectations are clearly defined and violations are identified and corrected, if any

Assume all the responsibility for the activities of administration

Take into consideration the merits, current behaviours and developmental potential of personnel while appointing for a position

Behave in a fair, equal and impartial way towards all the personnel

Solve the problems and conflicts in a quick and fair manner

Be consistent, reliable, predictable, fair and objective in decisions and behaviours

Set a personal example in terms of ethical principles and values

Maintain the highest standards possible to be followed in the field of efficiency and effectiveness at work

4.5 Ethics Training

One of the most important prerequisites of establishing a culture in the administration that is based on ethical values and principles is ethics training. All the personnel of every level that are employed in public administrations and institutions need to be informed of the ethical behaviour principles and their responsibilities related to these principles.

Administration and institution managers are liable to include ethical behaviour principles in the basic, preparatory and in-house training programs that are implemented for civil servants.

5 MISSION ORGANISATIONAL STRUCTURE AND DUTIES

Mission of an administration is the cause of existence of the administration and its place within the state structure. Organisational structure ensures that duties that are carried out to attain the objectives and aims of the administration are controlled and monitored. Duties that are carried out by the administration are led by the mission and organisational structure. These factors in question, which complete each other, form an important basis for the other components of internal control system.

5.1 Mission

Public administrations set out their missions, visions, aims, objectives and strategies in strategic plans. As Strategic Planning Guideline for Public Administrations states, mission is the cause of existence of an administration. In this regard, mission covers all the services and activities an administration carries out. In other words, mission is the answer to such questions as what the public administration does and how and for whom it does what it does. Mission should be sound, realistic and participatory to lead the administration and should be developed according to the changing conditions and needs. It will also be proper to receive opinions from personnel and stakeholders in forming and updating the mission.

The following should be taken into consideration in mission declarations of administrations:

The mission should be up-to-date, precise and clear

The mission should be determined in line with the established aims of administration, not process of service provision

While determining the mission, tasks and authorities granted to the administration with legal regulations should be taken into consideration

In mission promotion, people and entities that the administration provides services for and the goods and services that the administration offers should be stated

CE Box 3 Mission Example

"Carrying out research, training and publishing activities, developing and supporting projects for strengthening and increasing the problem-solving capacity of families and for identification and solution of the problems in cooperation with the institutions and organisations in the light of scientific and ethical values" (General Directorate of Family and Social Research 2007-2011 Strategic Plan)

For the mission, which is very important for public administration, to be achieved, personnel should be informed enough about the mission of administration they are affiliated to. Being informed about the mission and adopting it will guide the decisions and activities of the administration and help the personnel understand their duties within the administration. To this effect, firstly, mission should be set down in writing and it should be announced to the personnel and a system should be developed for the mission to be adopted by the personnel. On the other hand, job descriptions of the sub-units should be determined in writing in compliance with the mission and compliance with the mission should be regularly reviewed.

5.2 Organisational Structure

Organisational structure of the administration is another important factor which influences the control environment. Organisational structure is the provision of a framework for the attainment of the aims and objectives of administration.

In order to establish a proper control environment, organisational structure should:

Indicate the division of authorities and responsibilities within the organisation

Include accountability mechanisms and relevant reporting line which will ensure the functionality of these mechanisms

Indicate the coordination and integration points

Organisational structures of administrations are generally determined by the organisational laws that are prepared in compliance with the framework that is set in Law No 3046, and duties of administrative units (main services, consultation/audit and support units) are shaped in these organisational laws. Duties of the sub-units of administrations, on the other hand, are determined in administrative regulations such as circulars and regulations, not in the organisational laws.

Furthermore, organisational structures of public administrations which fall under the scope of the local administration are determined by Law No 5393 on Municipalities, Law No 5216 on Metropolitan Municipalities, Law No 5302 on Special Provincial Administration and Law No 5355 on Local Administration Unions.

Mission of the administration is achieved by the activities carried out by the units of the administration and their sub-units and the units of the local administration. Within this framework, duties of both the units and sub-units should be in compliance with the mission of the administration.

Relevant changes regarding the organisational structure, units and sub-units of the administration and duties that are carried out by these units and sub-units can be made by amending organisational law or revising administrative regulations according to the circumstances within the framework of the reviewing activities in question.

5.3 Job Descriptions

As it is stated in Public Internal Control Standards, written definition of duties to be carried out by units and sub-units of administrations and formation of a task distribution chart covering duties of the personnel in the administrative units and their relevant authorities and responsibilities assume importance for the mission of the administration to be accomplished. Within this framework, preparation stage of job descriptions is demonstrated below.

Public administrations can prepare their job descriptions by following the below given process.

CE Figure 3 Preparation Process of Job Descriptions

MAKING JOB ANALYSIS

Job analysis is a process in which information regarding the quality of every job carried out in the administration and working environment the job will be carried out in, as well as working conditions, is collected and collected information is systematically examined and assessed. While making job analysis, the followings should be followed:

Determination of jobs to be analysed, taking into consideration the organisational structure of the administration

Determination of the objective

Formation of the team to make the analysis (it is essential that the team members to make the analysis should be selected from inside the administration. However, it is possible to receive counselling from outside when necessary)

KEY QUESTIONS IN JOB ANALYSIS

What are the requirements of the job? (In terms of knowledge, experience and competence)

How is the job done?

When is the job done?

Where is the job done?

Why is the job done?

What are the assistive tools for the job? (Equipment)

What kinds of outputs are obtained?

Job analysis does not have a value on its own. It is only valuable when it contributes to attaining the objectives of administration. Therefore, analysing should start by understanding the philosophy, mission and objectives of the administration and the role and importance of every unit within the administration and should continue in this direction.

The findings gathered from the job analysis should be submitted in a systematic and consistent way and the job descriptions that are formed according to these findings should be submitted to the top management for the job description whose final draft has been completed.

At minimum, job descriptions should include the following:

Unit & Sub Unit

Name of the job (Name of the position)

Title that the job has

Level of competence (areas of responsibility, information, problem solving)

Basic duties and responsibilities

Authorities

Required skills and abilities for the job

Its relation with the other jobs

Approval section and section regarding communiqué to personnel

ANNOUNCING JOB DESCRIPTIONS TO THE PERSONNEL

Job descriptions should be announced to the personnel for them to learn what they need to do, under which rules they work and what their objectives are.

UPDATING JOB DESCRIPTIONS

Job descriptions should be reviewed and updated annually.

State Personnel Presidency determined standard job descriptions for some titles (chief, programmer, warehouse official, statistician, personnel titled as inspector in the municipalities etc.). In this process, it is possible that public administrations receive guidance from State Personnel Presidency.

5.3.1 Sensitive Duties

Some of duties that are carried out in public administration assume more importance because of their nature than the other duties do in terms of esteem of administration, risk of corruption, disclosure of secret information etc. Therefore, integrity of the personnel who carry out the duty in question is attached more importance.

It would be convenient to assess at least the followings while deciding whether a duty is sensitive or not:

Capacity to make important decisions that can impact administration's objectives

Its relations with the third parties and administrations outside the administration which can impact decisions

Regular access to confidential information

Whether financial transactions of high value are involved

The duty requiring special expertise at high levels

Other criteria that can be introduced by administrations

According to the criteria in question, administration should determine sensitive duties, develop control mechanisms to mitigate the risks identified and review the changes to occur at the level of the risk.

The following table demonstrates the fields of activity which can be sensitive for administrations and gives examples regarding these fields.

CE Table 2 Examples of Sensitive Duties

Areas of Management: Examples for Sensitive Duties

Financial management: Accounting; Managing payments; Analysing the financial reports

Commitment process: Membership for the Tender Commission; Contracting process; Process of examining and accepting; Publishing tender documents

Human resources management: Definition of positions; Job description; Recruitment process; Assessment; Implementation of salary system

Information management systems: Accession to the system and controls; Security of the systems and key documents; Developing the system

Support Services: Controlling valuable stocks

5.3.2 Monitoring the Results of Duties

Administrations should continuously assess sensitive duties and decide what steps to take in accordance with the changes in the level of the risks (such as renewing controls, identifying new sensitive duties, re-evaluating sensitive duties' risk levels by taking into consideration the cost-effectiveness).

Managers carry out the activities of administrations through written or spoken instructions. However, it may be difficult for the management to monitor the results of duties due to such reasons as the structures of units, organisational complexity, scattered organisations, the number of the personnel being high and duties being varied. Managers should develop such methods as introducing reporting mechanisms and holding regular meetings to overcome this difficulty.

6 COMPETENCE AND PERFORMANCE OF PERSONNEL

Good management of human resources aims to ensure the efficiency, effectiveness and productivity of personnel.

CE Box 4 Humans first

With the principle 'good people make good organisations', we can say the quality of the employees of an administration is the quality of the outputs of that administration. First of all, it must be kept in mind that employees are humans and a balance must be established between the needs of administration and employees. It is important for personal motivation that assignments be conducted in line with merits and careers of employees in every stage from recruitment to retirement. The only capital an administration has which can not be materially measured is human.

The basic aim is the selection of proper personnel for the fulfilment of the mission of administration, appraisal of personnel, career planning for those who are successful and ensuring they have the basic skills and adequate knowledge with a high sense of responsibility and identity.

6.1 Transition to Human Resources Management from Personnel Management

As it assumes the responsibility for identifying policies, objectives and standards in human resources management (HRM), top management plays a significant role in HRM. Besides, top management should create a transparent and accountable environment complying with laws and legislation.

The expertise that human resources managers have in this area should lead the other unit managers to apply human resources standards at every level of the administration. Furthermore, HRM is a responsibility for all levels of management starting from top management. In line with the policies in question, the unit managers, when they carry out in an effective way the tasks given to them by the senior managers, should also assume such duties as orientation and training of the new personnel, improvement of their work performance, developing a proper work environment and relations in which they will work in cooperation, boosting the morale and motivation of personnel, safeguarding the health of personnel and improving the working conditions of the personnel.

6.2 Activity Areas in Human Resources Management

The basic functions of HRM can be listed as follows:

Conduction of job analyses

Job descriptions

Job requirements

Labour force assessment

Staff analysis

Cost-benefit analysis

Limitations of various legal regulations (Budget Law, Decree of Law on General Cadre Procedure etc.)

Recruitment process

SWOT analysis (of the recruitment process)

Announcements on newspapers, internet and administration's billboards

Developing easy application methods which meet the needs, are fair and do not lead to discrimination

Examination process being open which will give confidence

Merit and career evaluation system

Promotion/Achievement criteria

Personnel performance indicators

Appraisal system

Rewarding mechanisms

Training Activities

Training needs questionnaire

Training programs (theoretical and practical)

Abroad trainings and internships

Post-training assessments

Participation in such activities as conferences and workshops which support personal development

Poor performance management and disciplinary practices

Determining the data on which decisions about non-appropriateness for duty will be based and announcing this to all the personnel

Clearly determining the criteria to terminate duties and announcing these criteria to the personnel

7 DELEGATION of AUTHORITY

Authority refers to the power of administrative bodies to make administrative decisions and to conduct administrative transactions.

Responsibility can be defined as a body of rules and sanctions that those who assume roles in administrative activities are subject to.

Delegation of authority is the transfer of authority and responsibility to make decisions to another body within the framework of the applicable legislation. Delegation of authority does not remove the managerial responsibility of the delegator.

Rigid and traditional administrative structures in which all the authorities, as well as transferring and execution functions, gather in a single centre are not preferred. In such administrations, the motivation of employees and lower-level managers to own the administration and produce services in line with the objectives of the administration will decrease.

Administrations, on the other hand, in which managers delegate all their authorities to lower levels with insufficient capacity and do not monitor the results are not desirable either.

Delegation of authority forms a step in the transition from an authoritarian management understanding to a transparent and accountable management understanding. In modern administrative structures, a proper control environment is created, employees are assigned responsibilities and authorities at the level of their duties, and employees together with the lower-level managers are included in the decision-making mechanisms. In such administrations working motivation will increase; therefore effectiveness and efficiency indicators will go up with the attainment of the aims and objectives.

In relation to delegation of authority, the authorities to be delegated and their limits are defined by regulations in various laws. The main regulations in this regard are as follows:

Law No 3046 on Ministries

Law No 5442 on Provincial Administration

Law No 2547 on High Education

Law No 5393 on Municipalities

Law No 5018 on General Management

Organisational Laws of Administrations


71 Determination of Delegation of Authority

Delegation of authority should be carried out according to the hierarchical structure of the organisation. With a top-down approach, the authorities to be delegated from Minister to undersecretary (authorities to be delegated to Head of Administration), to his deputies and to heads of units, from head of unit to head of department, and from head of department to director of branch should be determined in writing and consulted with whom it may concern.

72 Delegation of Authority and Work Flow Process

Work flow processes of administrations should be determined, and the officials to take part in the processes and their authorities and responsibilities should be set out. The processes so determined should be analysed, and it should be determined who is to be assigned which authority in the processes.

What is expected in the delegation of authority is that the official who is to be delegated the authority should be well-informed of the process and have the quality and experience to manage the process. Employees that are delegated authority are expected to report the current situation of the process to the delegator, and the delegators are expected to seek this report.

73 Delegation of Authority and Responsibility

We can handle responsibilities in three different categories:

Managerial responsibility

It refers to the responsibility to the senior level in hierarchical terms. Besides, it is defined as performance responsibility.

Delegation of authority will not remove the managerial responsibility of the delegator.

Financial (Compensation) Responsibility

It is the financial responsibility for public and/or personal loss caused by using the authority delegated. Financial responsibility arising from the usage of this authority will belong to the user of the authority.

Legal (punitive) Responsibility

Legal responsibility covers managerial and financial responsibility. Legal responsibilities are defined in the Constitution, organisational laws, the Turkish Penal Code and special legislations. It is a must that all the employees and political authorities working in the public administration behave with legal responsibility while carrying out their duties.

74 Factors of Delegation of Authority

Those authorities that can be delegated and those that cannot be delegated should be determined, with their limits, at senior management level and announced. The basic factors to be taken into consideration in delegation of authority are as follows:

Delegation of authority must be in writing

Legally, there are authorities which cannot be delegated, and these are not at the administration's discretion (for example, the authority to give disciplinary punishment or the authority of administrative tutelage, etc.)

Limits of the authority to be delegated must be set out

As long as the delegation of authority continues, the delegator will not be able to use that authority

The official delegating/delegated authority leaving the job will terminate the authority


75 Delegation of Authority and Communication

Employees taking over the authority should periodically report the current situation of the process to the delegator, and the delegator should seek this report, which will provide feedback to the Head of Administration regarding the process. This forms an example of the monitoring function.

8 INTERNAL CONTROL AND RISK STEERING BOARD

81 Roles and Members of the Board

The Board has a consultation role which will provide additional value for the activities of administration in the development of methods and processes regarding the internal control system, such as monitoring internal control practices, preparation of action plans and implementation of the current plans.

The Board is formed by the approval of Head of Administration for commencement of studies on the internal control system within the framework of Action Plan Manual on Harmonisation with Public Internal Control Standards. The Board consists of authorising officers (or their deputies) under the chairmanship of the deputy Head of Administration, and when the deputy Head of Administration is not available, an authorising officer to be assigned by the Head of Administration will take over as chairman. All or some of the authorising officers are selected for the ICRSB, and how many to select should be determined with a view to providing efficiency in line with the organisational structure. When deemed necessary, the Head of Administration can invite those authorising officers who are not members of the Board to meetings of the Board to get their opinions, provided that they are not included in the decision-making. Secretarial services of the Board are provided by strategy development units.

The Board periodically convenes. Experts from inside and outside the administration can be invited to the Board if deemed necessary in order to contribute to the objectives and aims. The Board is free, within the framework of the duties and responsibilities given to it, in determination of the dates and content of meetings and notifies the relevant persons of the relevant arrangements in advance.

Decisions are made based on majority voting. Each member has only one voting right, including the Chairman of the Board. However, when the voting of both sides is equal, the majority is considered to be the side that the chairman takes. Those members who do not side with the decisions state their justifications for not siding with the decision in writing. Deputy senior manager, authorising officers or the deputies they assign should have a single equivalent voting right in the meetings; however, the other representatives and experts whose opinions are received should not have a voting right. The Head of Administration, on the other hand, should be able to participate in the Board meetings without having a voting right and should encourage the participation of authorising officers for strengthening the internal control system. For meetings in which the Head of Administration does not participate, briefing should be made through the reporting system.

Details about how the Board works should be specified in the relevant legislation.

The Board regularly monitors internal communication activities and processes, revises them when deemed necessary and determines new communication methods to fit the changing organisational structure.


CE Figure 4 Information Flow in Internal Control and Risk Steering Board

82 The Board's Scope of Duty

The Board works to support the accountability of senior management in the fields of management, internal control and especially risk, and is authorised to carry out the following with the approval of senior manager. Within this framework, its duties in the field of risk can be listed as follows:

It prepares the Risk Strategy and Policy Document (RSPD) or reviews the available RSPD and submits it for the approval of senior manager

It determines policies in establishment of the risk management culture in the administration

It determines the risks of spending units to be managed in partnership and the related policies and procedures, and communicates them to the unit's risk coordinator for coordination purposes

It determines the risks to be managed in partnership with the other administrations and communicates them to the relevant administrative risk coordinator to ensure that necessary precautions are taken for management in partnership with the relevant administrations

The Board periodically assembles to assess whether the risk management process functions well or not and the level achieved regarding risks, and reports the level achieved to the senior manager

The Board fulfils the following duties other than risk management:

Assessing internal audit reports and providing guidance for implementation of recommendations and ideas regarding internal control environment and the other components in line with the requirements of the administration

Monitoring the activities of the administration carried out within the framework of strategic plans and policies of the administration by means of periodical meetings

Making decisions on dissemination of good practice examples both inside and outside the administration as a result of monitoring activities that are carried out

[Labels from CE Figure 4: Deputy Head of Administration; Internal Control and Risk Steering Board; Strategy Development Unit; Authorising Officer (three boxes); (A) Spending Unit; (B) Spending Unit; (C) Spending Unit]


RISK MANAGEMENT

1 Introduction

Administrations utilise the resources allocated for them in order to reach the set out objectives. Activities, processes and projects which are carried out for utilisation of these resources bring along risks. Risk management is a good tool for administrations to achieve the aims they set out in accordance with their missions and visions. Box RM1 describes Risk.

RM Box 1 Definition of Risk

Risk is the uncertainty of events that may emerge in the future (if positive it is an opportunity; if negative then it is a threat). For the administrations, this means that aims and the objectives they set out to achieve these aims can be affected positively or negatively by internal or external factors.

Risk management covers risk assessment, determination of effective control activities, monitoring and continuous improvement of these processes. Risk management must be practised corporately for consistency purposes, which brings us to the concept of Corporate Risk Management. Corporate risk management covers the entire administration and ensures that risk management processes are considered and handled as a whole.

2 Risk Management standards

Administrations, while implementing risk management, take into account the following standards:

RM Box 2 Risk Management Standards

3 Benefits of Risk Management for Administrations

The following are the important benefits of properly applied risk management in corporate terms:

Helps improve performance of administrations and assists administrations in attaining their aims and objectives

Helps provide the continuity of services the administration provides and improve the quality of activities the administration carries out

[RM Box 2 diagram labels: Info & Communication; Monitoring; Control Activities; Risk Management; Control Environment]

Standard 5: Planning and Programming

The administrations shall establish and announce their activities, goals, objectives and indicators as well as the plans and programs, including the resources which are required for the realization of above listed elements. They shall also ensure that the activities are in compliance with plans and programs.

Standard 6: Determination and assessment of risks

The administrations shall define and assess the internal and external risks that could prevent the achievement of goals and objectives by performing a systematic analysis and determine the measures to be taken.


Ensures cost-benefit balance between the risks identified and the controls applied, and therefore increases the efficiency in resource allocation

Helps control the impacts of potential losses and decrease the costs of such losses

Ensures compliance with the legislation and regulations

Helps strengthen decision making mechanisms by supporting evidence and risk-based decision making

Enhances accountability by supporting the clear definition of tasks, roles and responsibilities within the administration

Helps the administration have a more positive image in the eyes of public opinion

4 Critical Achievement Factors for an Effective Risk Management

For administrations to obtain the expected benefits from risk management, the following are required:

Ownership of the risk management process and determination of a risk strategy encouraging its implementation in accordance with the mission and vision

Establishment of necessary mechanisms to have a single risk management language

Provision of sufficient information, guidance and advice regarding risk management

Simplicity, flexibility and practicality of risk management processes and integrated planning and implementation with the other basic processes (strategic planning, performance management, human resources management, etc.)

Supporting the assessments regarding risks with reliable evidence at all times

Systematic monitoring, reporting and evaluation of risk management processes

Increasing, within the administration, awareness that everyone has an important role to play in risk management and that risk management should be fulfilled as an integral part of the existing processes

Having an organisational communication strategy and proper and functional communication channels inside and outside the administration

5 Risk Strategy and Policy Paper

Risk Strategy is the organisational approach defined for risk management and top level policies, whereas the Risk Strategy and Policy Paper (RSPP) is the document in which this approach and policies are set down in writing. Risk strategy sets out the administration's attitudes towards risks and forms a framework for the risk management process. The RSPP of an administration is prepared by the Internal Control and Risk Steering Board (ICRSB) for the endorsement of the head of administration and should be available to and known by all staff.

The organisational risk strategy should clearly set out the structures regarding the management and ownership of risks; how to address risks at strategic level and at program and activity levels; the structures regarding communication, monitoring, assessment and getting assurance; the criteria for key risks; the risk register format; and risk measurement criteria. Attention must be paid that the risk policies of the organisation comply with national level policy papers.

The risk strategy must be set out to reflect the risk appetite of the administration at strategic level. As risk appetite can change in time based on various conditions (for example, risk appetite may be low in periods of financial crisis), the risk strategy of the administration should be reviewed at least once a year and updated when deemed necessary. Box RM3 gives a basic explanation about Risk Appetite.

RM Box 3 Risk Appetite

Risk appetite is the amount of risk an administration is ready to take at any time (tolerate/be exposed to) in accordance with its mission, vision and objectives. Risk appetite should be taken into consideration while preparing strategic plans.

Risk appetite is affected by internal and external environment, people, business systems and policies. Within this framework, risk appetite should be set out with a top down guidance.

It is possible for the administration to set different appetite levels as long as the administration does not exceed its overall risk appetite limits.

Both taking too many risks and taking too few risks may lead to failure. Although low risk appetite is considered to be a reliable management method, it may constrain the administration in terms of creativity, innovation and taking advantage of opportunities.

Another prerequisite in risk management is the existence of a common risk language. While producing this common language, what is needed is a joint terminology and mechanisms to disseminate it. Otherwise it is not possible to build a strong common understanding to manage risks.

Corporate risk management requires a contribution from all employees. Ownership of the risk management process by the staff (identifying, addressing, responding, reviewing and monitoring the risks) and considering it as a part of their jobs can increase the effectiveness of corporate risk management.

In order for risk management to contribute to the achievement of objectives, to improve management quality and also to reduce costs, it should be embedded in the activities. Embedding risk management in the processes means that activities are carried out as a whole, including risk management.

Box RM4 gives details of the content of the Risk Strategy and Policy Paper.

RM Box 4 Risk Strategy and Policy Paper

6 TASKS AUTHORITIES AND RESPONSIBILITIES

Good risk management is only possible if the administration is well organised. Clear definition of tasks, roles and responsibilities; awareness of staff of what is expected of them within the framework of policies and practices of the administration; existence of horizontal and vertical communication mechanisms; and mechanisms for communication outside the administration are the requirements for a good control environment. The assignment of tasks, roles and responsibilities to appropriate, competent and authorised people in risk management will provide a strong infrastructure for risk management in the administration. While it is necessary to define roles and responsibilities, all staff are responsible for risk management. Diagram RM1 explains the structure of roles and responsibilities in risk management.

RM Figure 1 Tasks and Responsibilities in Risk Management

RSPP should include at least the following:

Aim of risk management

Risk appetite

Compliance with the legislation and binding policy papers

Risk methodology to be adopted

How to determine key risks (criteria)

Organisational structure and duties

Roles and contributions of the employees

Communication Plan


61 Head of Administration

This person is defined within the framework of Law no 5018 on Public Financial Management and Control and is authorised and responsible for risk management at the highest level.

Regarding risk management, the Head of Administration:

Ensures the establishment of the strategy regarding the management of risks in accordance with the aims and objectives of his administration at the outset of each year, approves the Risk Strategy Policy Paper (RSPP), which demonstrates how the strategy will be implemented, and notifies all staff of this in writing

In the RSPP, he clearly defines all the tasks, roles and responsibilities and the necessary structures (for example the ICRSB) within the scope of this manual for risk management

Provides the Administrative Risk Co-ordinator (ARC) with necessary support regarding the risks to be jointly managed with other administrations

Ensures that the proper mechanisms are established to provide for the necessary sensitivity and participation regarding the management of risks for the public opinion and the stakeholders

Sets out the strategic actions for the future in accordance with the considerations and recommendations by the ICRSB and the ARC

Receives assurance on risk management from the ICRSB and presents an assurance declaration to the Minister on whether the risks are managed effectively

He encourages the consistency of risk management processes

He reviews monitoring of reports and encourages the effectiveness of risk management

He sets an example in terms of his behaviours, particularly in strategic risk management

He encourages the employees for identification of risks

He should show leadership in risk management


62 Internal Control and Risk Steering Board (ICRSB)

The Board develops policies for the improvement of risk management in the administration and submits them for the approval of Head of Administration. The Board notifies the units of the policies and procedures. On the advice of the ARC, the ICRSB determines a particular number of risks which it deems significant as the key risks among the risks that are submitted to it and reports whether these key risks are managed well or not to the Head of Administration in regular periods or whenever it deems necessary.

Secretarial services of the board are carried out by the Administrative Risk Coordinator (Head of SDU). Whenever necessary, people with the relevant expertise from within or outside the administration can be invited to the meetings. ICRSB has the authority to enforce the elements it determined regarding the following duties with the approval of the Head of Administration.

Regarding risk management, the ICRSB carries out the following:

Preparing Risk Strategy and Policy Paper (RSPP) of the administration, or annually reviewing the already available RSPP, and submitting it to the Head of Administration for approval

Defining policies for establishment of a risk management culture

Ensuring that risks are consistently managed in the administration

Determining critically strategic risks of the administration

Determining the risks of spending units which require a joint management and related procedures and policies, and submitting them to URC for coordination purposes

Setting out the risks that require joint management with other administrations and ensuring that necessary measures are taken for the joint management by notifying the ARC

Meeting at least quarterly in order to consider whether the risk management processes in the administration work effectively and assess the current status of risks, and reporting it to the Head of Administration

Ensuring that good practice cases are determined and disseminated more widely

63 Administrative Risk Coordinator

It is advisable that the Head of the SDU takes the role of Administrative Risk Co-ordinator. The ARC is a member of the ICRSB and is responsible to the Head of Administration for consistency of risk management processes of the administration and their compliance with the standards.

Regarding risk management, the ARC:

Is responsible for the efficient operation and coordination of all risk processes in all units

Calls the relevant Unit Risk Coordinators (URC) for a meeting at least once in three months

Prepares the Consolidated Risk Report (using the report form in this manual) on the basis of the reports submitted by the URCs and submits this Consolidated Risk Report to the top management and the ICRSB on a quarterly basis. The report should include the ARC's personal considerations on the key risks

Carries out secretarial services of ICRSB and such tasks as setting out meeting agendas for the Board, keeping minutes of meetings and submitting decisions of the Board to Head of Administration for approval

Discusses the issues on common risk fields with the ARCs of other administrations and coordinates these within the administration

Provides technical support to the units on risk management of the administration

Identifies the needs of units regarding risk management and reports them to the ICRSB and the Head of Administration before each meeting

Sends feedback to URCs regarding opinions, advice and decisions of ICRSB and takes necessary precautions for the consistency of risk management processes of the administration


64 Unit Risk Coordinator

The Unit Risk Coordinator (URC) is the authorising officer or the person who is determined by the authorising officer. Regarding risk management, the URC:

Coordinates the identification of the unit's risks that may have an impact on the objectives of the administration and provides relevant guidance at the beginning of the year. The URC associates risks that are determined with the activities of the sub-units using their knowledge and expertise and pays attention to ensure that all important issues are addressed. Important risks included in the risk register are submitted to the ARC to be presented to the ICRSB for consideration

Reviews the risk registers and relevant reports that are annually prepared on periods (such as monthly, quarterly, semi-annually) to be set out by the administration and reports them to the ARC

Monitors the risks managed and reported by the Sub-Unit Risk Coordinators (SURCs) at unit level. Evaluates the changes on the risks or the arising risks, if any, and reports them to the ARC upon the approval from the unit director

Submits an assurance declaration to the ICRSB on whether the risks are managed effectively

Provides feedback to SURCs regarding opinions, advice and decisions of ARC and ICRSB

Determines training needs regarding risk management

65 Sub-Unit Risk Coordinator

The SURC is responsible for the coordination of risk management activities within sub-units of the units in administrations (if such units exist or it is seen to be appropriate to manage the risks at this level) and is the person to be determined by the authorising officer. He/she is directly accountable to URC regarding risk management. Sub-unit risk coordinators must be selected from among those who have the sufficient competence and experience.

Regarding risk management, the SURC:

Coordinates the conduction of tasks of identifying, assessing, addressing, reviewing and reporting of the sub-unit's risks that are associated with the objectives of the administration

Reports, in line with the risk strategy of administration, the recently identified risks that are related to the activities of the sub-unit, those risks with changing scores and the effectiveness of controls carried out to decrease these risks to the Unit Risk Coordinator (URC) on periods determined by URC

Is accountable to the URC and furthermore responsible for providing the Administrative Risk Coordinator (ARC) with requested information and documents

66 Employees

The most important factor for risk management to be successful is the ownership of risk management by employees. Therefore every employee is responsible for managing risks in their field of duty (identifying, assessing, responding to, reviewing and reporting risks).

Regarding risk management, employees:

Contribute to the risk management processes in their respective units by defining, communicating and responding to the expected, emerging and changing risks

Manage the risks within their own fields of responsibility through the power and responsibility assigned to them by the administration

Provide evidence to the SURC/URC regarding the effectiveness of the management of risks in their respective fields

Employees should not hesitate to identify risks and submit them to the relevant risk coordinator. It is important to bear in mind that just one loose screw could cause a plane crash.


67 Internal Auditor

The Internal Auditor provides the Head of Administration with advice regarding risk management by making evaluations on whether the risk management process is effective and risks are managed in the right way or not. Internal Audit can also provide advice on whether any key risks have been overlooked or inappropriately controlled.

68 Strategy Development Unit

The Strategy Development Unit (SDU) is responsible for providing training, identifying training needs and facilitating delivery of necessary training. They are also responsible for identifying best practice in risk management, encouraging such practice to be shared and providing guidance where necessary.

69 Central Harmonisation Unit

The Central Harmonisation Unit (CHU) carries out such activities as making regulations on internal control, including risk management, and activities for the development of risk management. The CHU also provides guidance, ensures harmonisation and inter-administrational coordination, and reports on the effectiveness of risk management.

7 RISK MANAGEMENT PROCESS

Basically, the risk management process should start simultaneously [1] with strategic planning studies. In cases when strategic plans should be renewed or amended, studies concerning risks should be carried out with current amendments in mind. Within the framework of risks identified in light of strategic objectives, the attitude of an administration towards risk management is set out in the Risk Strategy and Policy Paper, with information on risk appetite involved. Within this framework, administrations identify risks at strategic, program/project and operational (activity) level. In identifying risks, an administration can start with strategic level (top-down) or activity level (bottom-up), or it can start the risk management process by implementing both methods together.

Figure RM2 shows the Risk Management process.

[1] If strategic plans are already prepared, the risk management process should then begin as soon as possible.


RM Figure 2 Risk Management process

[Figure labels: Risk Management Process; Risk Management strategy; Identification of risks; Assessment of risks; Monitoring and reviewing risks; Responding to risks]

The administration should manage the risks at strategic, programme and operational level as shown in figure RM3.

RM Figure 3 Hierarchy of Risk

Administration level: This is the area which covers the whole administration, where decisions related to strategic objectives are made and for which senior management of administration is responsible. Strategic objectives are medium and long term objectives and are associated with senior level policy documents. Therefore, while making decisions for the future, decision-makers (top management) have to take into consideration a lot of uncertainties. This is the area where risks have the highest impact. Besides, this is the area which is affected most by external risks such as governmental policies, general economy and technological developments. This area assumes specific importance as those risks which are not managed well at strategic level affect the other levels as well.

Unit level: This refers to units where policies of senior management are implemented and which are responsible at the highest level for the usage of public resources within the administration. Impacts of such risks last for a shorter period of time compared to those of the strategic risks. This is the area where units should identify their objectives and manage related risks for the administration to achieve its strategic objectives. This is the area which is affected by risks both from inside and outside the administration. For risks from upper and lower levels to be assessed and coordinated, it is vital that this level be managed well. Besides, there should be strong communication in this area.

Sub-Unit level: In this area there are only those works which are carried out at operational level with a view to achieving the unit's objectives. Daily activities of all employees fall within the scope of this area. This is the area where short-term decisions are made, products and services are produced and fewer uncertainties are experienced. This area is affected more by internal risks than external risks. Risks not being managed well at this level may affect the achievement of strategic objectives.

7.1 Identifying Risks

The risk identification process, which is the first stage of risk management, is the process of identifying, categorising and updating the risks that prevent or limit the achievement of the administration's strategic objectives, using previously defined methods. The following box suggests some questions to be considered when starting to identify risks.

RM Box 5 Questions to be considered when starting to identify risks

• What are the main objectives?
• What are the key activities?
• Who are the stakeholders?

The following should be considered while identifying risks:

• As a generally accepted rule, strategic risks that can affect the administration are determined at the stage of strategic plan preparation, and risks identified are included in the strategic plan.

• Risks should also be identified at programme and operational level. Programme and operational risks should include all the strategic risks. However, when identifying the programme and operational risks, we should not limit our scope to strategic risks but have a wider spectrum.

• When identifying risks, the administration can determine a top-down or bottom-up method, preferably used at the same time.

• Risks identified should be associated with objectives of the administration. It must be taken into consideration that some risks can indirectly affect the objectives, such as those which damage the reputation of the administration.

• Risks should be identified systematically with previously determined methods. These methods can vary according to the characteristics of administrations and their activities. In this process the administration can either use one or more of the methods defined below or develop a new method in line with its own needs.

• Risks identified should be expressed as 'x' risk or risk that 'x may emerge'. It will be convenient to register them this way in the risk register (see Annex 3 for the risk register form).

• Assess whether risks identified are internal or external risks.

o Internal risks are the risks stemming from the events directly controlled by the administration itself. Internal risks can be grouped into three: strategic risks, program risks and activity risks.

o External risks, on the other hand, are the uncertainties arising due to events that are out of the control of the administration, which hamper or prevent the achievement of objectives. While identifying external risks, it will be useful to classify them by their subjects (generally PESTLE analysis is used; see Box RM7).

• After risks are identified, their owner or the person to be responsible for them must be defined, and this information must be included in the risk register.

• Since risk identification is a dynamic process, emerging risks should be identified and changes to the existing risks should be consistently followed up.

RM Box 6 Factors and methods to be taken into consideration during the process of identifying risk

How do I identify risks?

• Firstly, decide how to identify the risks, namely at strategic level, operational level or both.
• Identify and categorise the risks (social, cultural, political, scientific etc.), taking into consideration the threats, opportunities and the scope.
• Decide on the required human resource, tools and methods.
• Mostly the following methods are used to identify risks. However, administrations can determine different methods other than these in light of their needs.
o PESTLE analysis (see Box RM7)
o SWOT analysis (see Box RM7)
o Brainstorming (this method can be used both for identification and assessment; see Annex 1)
• Group risks as internal and external ones.
• Make a stakeholder analysis (identify the risk tolerance, position and attitude of the stakeholders).
• Repeat the identification regularly and in periods of change.

The following box explains the PESTLE and SWOT analysis.

RM Box 7 PESTLE and SWOT analysis

PESTLE Analysis

PESTLE analysis is the identification of risks by making assessments based on the following categories:

• Political
• Economic
• Social
• Technological
• Legal
• Environmental

Example:

o Political: change of governmental priorities
o Economic: inflation rate going above the expected levels
o Social: population growth rate going much above the expected levels
o Technological: information process infrastructure not being set up
o Legal: cases in courts turning against the administration
o Environmental: an earthquake strike

SWOT Analysis (In-house analysis)

• Strengths
• Weaknesses
• Opportunities
• Threats

Example:

o Strengths: Specialised personnel
o Weaknesses: Old technology
o Opportunities: Economic growth
o Threats: Sudden policy change

For detailed information, refer to the Strategic Planning Guideline for Public Administrations, SPO, June 2009.

The following two boxes give some tips for the process of risk identification and some questions to ask.

RM Box 8 Tips for Risk Identification

What are the Tips?

• Whether there is available information regarding the risks, and how accurate it is if any, should be taken into consideration.
• A working group including different fields of expertise would increase the likelihood of identifying new risks.
• Using the brainstorming method yields effective results (see Annex 1).
• Having open communication lines and acting farsighted are the key points.

RM Box 9 Questions to ask in the process of risk identification

• What could go wrong in the achievement of objectives?
• What are the critical achievement factors?
• Who are our stakeholders and what can their negative or positive impact be on our activities?
• What are our risk categories? Tables, diagrams etc.
• What are our weaknesses?
• Which assets assume more critical importance?
• What areas are open to irregularities and fraud?
• Which events or situations can hamper our activities?
• What are our most critical sources of information?
• In which areas do we spend most?
• Which activities or processes are more complicated?
• In which areas are we subject to penal sanctions?
• What are the legal requirements?
• What are the resource limitations?

7.2 Risk Assessment

Risk assessment refers to analysing the factors that may have an impact on the achievement of the administration's objectives and evaluating the seriousness of the risk in terms of impact and probability. While assessing risks, in addition to the potential events the administration can face, aspects which are specific to the administration (for example size of the administration, complexity of activities, legislation it is subject to in relation to its activities, its political priorities, public interest) should be considered.

After risks are identified comes the stage where the risks are measured and prioritised. Prioritisation is listing the risks in accordance with their priority, in line with the scores they are given. Risk assessment helps decide whether to respond to identified risks and, if so, select the best response with regard to the cost/benefit balance.

The following box gives some questions to be considered before starting the risk assessment process.

RM Box 10 Questions to be considered before starting the risk assessment process

• What are the objectives?
• What are the present controls?
• What are the possible results if the risk occurs?
• Do activities of some other administrations/units affect my risk?
• Who are the stakeholders and what is their level of experience and expertise?

Three important principles in risk assessment are:

1 Identifying the impact and probability of each risk

In assessment, probability and impact are analysed. Probability refers to the chance of an event occurring in a particular period. Impact, on the other hand, is the outcome or the effect produced.

Three categories are used while assessing risks: low risk level (shown in green), medium risk level (shown in yellow) and high risk level (shown in red). These colours, as in traffic lights, facilitate understanding the degree of importance of the risks. These are shown in the following diagram.

Probability and impact of the risks can also be shown using numbers. In the following diagram, point 1 indicates that there is almost no probability for that risk to occur, while point 10 means that it is almost certain that it is going to occur. In terms of impact, point 1 is used where the outcome of the realisation of a risk has little importance, whereas point 10 means that this outcome is highly important. Risks are scored between 1 and 10 for their probability and impact (see Annex 5). In assessing impacts and probabilities of risks, one of the methods to be used is the voting method (see Annex 2).

Risk maps are used to see the severity of the risks better. A basic demonstration of risks on the risk map is given in the following diagram.

RM Figure 3 Risk map

2 Assessing the risks on the basis of inherent risks and residual risks

Inherent risk refers to the amount of risk before it is managed or any action is taken. These inherent risks are transferred to the risk register (see Annex 3 for the Risk Register form) after assessing their probability and impact. In assessment, as has been suggested above, the probability and the impact of the risk are scored between 1 and 10. Multiplication of the scores of probability and impact gives the risk score. The administration at this stage must decide on the risk appetite. It must also be set out which risks, placed between which numbers, are low, medium or high risks in accordance with the designated risk strategy of the administration, and the risk map of the administration must be produced in this framework (see Box RM3 Risk Map).

After the risk score has been set, risks are prioritised starting from the one with the highest score. Responses to be given to risks are determined. Controls are identified and applied considering the methods of responding to risks.

The management must identify the level of the remaining risk after the control activities it carries out to manage the risk. Residual risk refers to the remaining risk after an action has been taken to mitigate the probability and impact of a risk. If the level of the residual risk is still higher than the risk appetite, the efficiency and competence of the present control activities must be questioned and, if deemed necessary, responses to be given to the risks must be reviewed. The following box gives an example of inherent and residual risk.

RM Box 11 Example of inherent and residual risk

Activity: using a car
Inherent risk: having an accident because you are inexperienced
Control action: getting a licence, taking driving courses
Residual risk: another inexperienced driver crashing into your car

3 Recording the risks

Recording the risks contributes to the prioritisation of the risks and therefore to the efficiency of the allocation of resources and to the production of evidence for the decisions taken, helps people to understand their responsibility within risk management, facilitates the acquisition and communication of information to the right people at the right time via the reporting mechanism, and enables the reviewing and monitoring processes of the risk.

Risk records are reported in two stages: the Risk Register (see Annex 3), used in the identification and registry of risks, and the Consolidated Risk Report (see Annex 4), used for the reporting of risks to the senior managers (see Annex 7 for an example of a completed Risk Register).

The following box gives some tips for the risk assessment process.

RM Box 12 Tips for risk assessment

• Measure the impacts and probabilities of the risks identified for a particular period of time.
• While determining the impact score, assess the impact the risk will have on the objective that is foreseen to be hampered.
• Utilise proper methods in the assessment.
• Bear in mind that risk assessment of a job can best be made by the person who does this job.
• Note that activities of other administrations/units can have impacts on your risks, and risks are not independent of each other.
• Utilise tables such as risk maps to be able to see all the risks together.
• Prioritise risks in line with the risk scores (Impact x Probability).

RM Box 13 Example of the Risk Assessment process

You are going to deliver training on your subject of expertise.

Your Objective: Audience understands the subject you explain.

You identify your risks:

Risk 1: As you arrive late, you may not have sufficient time to deliver the training.

Risk 2: You may deliver your presentation using an inappropriate approach, as you do not know who the audience is.

Risk 3: You may have difficulty in supporting what you explain, as you don't have the softcopy of the presentation.

Let's see the likelihood of Risks 1, 2 and 3 and how they would affect your objectives if they occur.

Risk 1

Likelihood: The traffic would be bad at that hour. In addition, you have a lot of other things to do that day. Likelihood: 7

Impact: You can arrive late, but you know the subject very well. Even if you deliver it in a very short time, it would still be understandable for the audience. The impact of arriving late on your objective is 3.

Risk Score: 7 x 3 = 21

Risk 2

Likelihood: In the letter you have been told what the subject is but not who the audience is, and you don't have the chance to ring someone and learn. Likelihood: 5

Impact: If you are to deliver the training to experts who already know the issue, you get into details, but if your audience is made up of people who don't know anything about it, you only draw the general framework. If you cannot learn who the audience is and you deliver the training in detail while the audience is unaware of the subject, they would not understand; or if you give little information to people who already know about it, they would not learn anything new. The impact of using the wrong approach in the delivery is 9.

Risk Score: 5 x 9 = 45

Risk 3

Likelihood: You generally carry your computer around. You also have the habit of carrying your pen drive in your bag after saving your studies on it. Likelihood: 2

Impact: Even if you don't project the presentation on the screen, you know the subject very well. You could still effectively deliver it to the audience. The impact of not having the soft copy with you on your objective is 3.

Risk Score: 2 x 3 = 6

As shown in the risk map:

Impact
 10 |  10  20  30  40  50  60  70  80  90 100
  9 |   9  18  27  36  45  54  63  72  81  90
  8 |   8  16  24  32  40  48  56  64  72  80
  7 |   7  14  21  28  35  42  49  56  63  70
  6 |   6  12  18  24  30  36  42  48  54  60
  5 |   5  10  15  20  25  30  35  40  45  50
  4 |   4   8  12  16  20  24  28  32  36  40
  3 |   3   6   9  12  15  18  21  24  27  30
  2 |   2   4   6   8  10  12  14  16  18  20
  1 |   1   2   3   4   5   6   7   8   9  10
    +----------------------------------------
        1   2   3   4   5   6   7   8   9  10   Likelihood

Prioritisation

1 Risk 2 (Risk Score 45)

2 Risk 1 (Risk Score 21)

3 Risk 3 (Risk Score 6)

(Note that risks are not always assessed according to the scores. Some strategic risks should be taken into consideration even if they have a low score. Emergency precautions/plans should be available. You may not always foresee what will happen. Your plans should be flexible. Therefore, you will be able to handle the situation when something unexpected emerges.)

7.3 Responding to Risks

Responding to risks refers to setting out the responses to the risks identified and assessed, within the risk appetites, by the public administration, and mitigating the potential threats or taking the arising opportunities. Before deciding on the method to respond to risks, a cost/benefit analysis must essentially be carried out. The objective desired to be reached by responding to risks is to mitigate the likelihood of the risk and its impact, and to achieve the foreseen objective in the most efficient manner.

Box RM 14 Questions to consider in responding to risks

• What is the level of risk?
• What happens if no response is given to the risk?
• Which risks must be controlled?
• Which risks can be transferred?
• What are the consequences of resorting to risk aversion as a public administration?
• Is the opportunity good enough to take the risk?

The following figure shows, within the framework of risk appetite, how inherent risk turns into residual risk as a result of responses, controls, actions (also see Box RM3 Risk Appetite).

RM Figure 4 Risk Indication Table

(OGC's Risk Dashboard, from HM Treasury's publication named Thinking about Risk)

Figure RM4 demonstrates the following:

• Columns 1 and 5: Control activities successfully decrease the inherent risk, so that the remaining risk, called the "residual risk", is reduced to the same level as the risk appetite. Such points, where the risk appetite and residual risk of an administration overlap, are ideal situations in terms of risk management (cost-effect).

• Columns 2, 3 and 4: Control activities decreased the risk. However, residual risk is still higher than the risk appetite (tolerable level). This shows that the effectiveness and adequacy of the controls implemented should be questioned and more control activities should be implemented.

• In column 6, as the inherent risk is equal to the risk appetite, the risk is tolerable. However, these risks should be monitored just as the other risks, because of the possibility of changing.

• In column 7, on the other hand, control activities decreased residual risk below the risk appetite. This shows that more controls than necessary are implemented and resources are not used efficiently. In these over-control cases, control activities should be decreased to a level at which residual risk is equal to risk appetite.
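The scoring and prioritisation of section 7.2 and the appetite comparison that Figure RM4 describes can be combined in a small risk register. This is an added example, not part of the manual: the band limits, the appetite value, the `margin` parameter and the status labels are assumptions (the manual leaves them to each administration's risk strategy), and the three sample risks reuse the scores from Box 13.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed band limits on the 1-100 score; the manual leaves the low/medium/high
# boundaries to each administration's risk strategy.
LOW_MAX = 15
MEDIUM_MAX = 40


def _check(value: int, label: str) -> None:
    """Reject scores outside the manual's 1-10 scale."""
    if not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{label} must be an integer from 1 to 10, got {value!r}")


@dataclass
class Risk:
    name: str
    likelihood: int                            # inherent probability, 1-10
    impact: int                                # inherent impact, 1-10
    residual_likelihood: Optional[int] = None  # after controls, if any
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        _check(self.likelihood, "likelihood")
        _check(self.impact, "impact")
        if (self.residual_likelihood is None) != (self.residual_impact is None):
            raise ValueError("give both residual scores or neither")
        if self.residual_likelihood is not None:
            _check(self.residual_likelihood, "residual_likelihood")
            _check(self.residual_impact, "residual_impact")

    @property
    def inherent_score(self) -> int:
        # Risk score = probability x impact (section 7.2)
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> Optional[int]:
        if self.residual_likelihood is None:
            return None
        return self.residual_likelihood * self.residual_impact


def band(score: int) -> str:
    """Map a 1-100 score to the traffic-light band (assumed limits)."""
    if score <= LOW_MAX:
        return "low"
    return "medium" if score <= MEDIUM_MAX else "high"


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Order risks from the highest inherent score to the lowest."""
    return sorted(risks, key=lambda r: r.inherent_score, reverse=True)


def control_status(risk: Risk, appetite: int, margin: int = 0) -> str:
    """Compare a risk with the risk appetite, following Figure RM4.

    margin (an assumption) widens the 'equal to appetite' zone, since products
    of two 1-10 scores rarely hit the appetite value exactly.
    """
    residual = risk.residual_score
    if residual is None:
        # No controls recorded: tolerable only if inherent risk is within appetite.
        return "tolerate" if risk.inherent_score <= appetite else "response needed"
    if residual > appetite + margin:
        return "under-controlled"  # columns 2, 3 and 4
    if residual < appetite - margin:
        return "over-controlled"   # column 7
    return "balanced"              # columns 1 and 5


# Constructed sample: the three training risks scored in Box 13.
TRAINING_RISKS = [
    Risk("Risk 1", likelihood=7, impact=3),
    Risk("Risk 2", likelihood=5, impact=9),
    Risk("Risk 3", likelihood=2, impact=3),
]

if __name__ == "__main__":
    APPETITE = 20  # assumed appetite on the 1-100 scale
    for r in prioritise(TRAINING_RISKS):
        print(r.name, r.inherent_score, band(r.inherent_score),
              control_status(r, APPETITE))
```

Scores alone do not settle the response: the note in Box 13 still applies, so a low-scoring strategic risk may need attention regardless of its position in the sorted list.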

There are four methods of responding to risk, and these are shown in the following diagram, Figure RM5.

RM Figure 5 Methods of responding to risk

[Figure labels: Methods of responding to risk: Tolerating, Treating, Transferring, Avoiding]

Tolerating: This is a passive method of response given to the risks which public administrations are comfortable to undertake. In the following cases risks can be accepted:

• If the inherent risk is within the limits of risk appetite, then it is accepted.
• When it is understood that the cost of the actions to be taken (controlling, transferring or avoiding) for an intolerable risk would exceed the potential impact of the risk, then the risk is accepted.
• Some risks are out of the control of the management. Certain risks do not disappear unless the activity is terminated, whereas terminating an activity is not always possible or desirable.

Treating: This is a method of response given to a risk by means of control activities carried out with a view to keeping risks at a tolerable level (risk appetite) in public administrations. This method can be applied using the five following controls:

• Preventive Controls
• Corrective Controls
• Directive Controls
• Detective Controls
• Emergency Plans

For detailed information, refer to the Control Activities chapter.

Transferring: This is the response given to the risks by taking some of them away from the responsibility of the administration and transferring them to others. (Even if the risks are transferred, the responsibility cannot be transferred, and they need to be managed under the control of the administration, because it is the administration that will be affected when the risks are realised.)

Risk transfer is carried out using the following methods:

• Completely or partly transferring the activity to another administration
• Transferring its operation to third parties using a procurement method
• Transferring it by means of insurance (when appropriate)

Avoiding: If the risk we have to take is too big to manage and there are alternatives to the activity performed, it is possible to terminate this activity. For example, deciding not to build a factory which is expected to cause too much air pollution, or deciding not to purchase the computers that are planned to be purchased because of a budgetary cut.

The following box summarises the process of responding to risk.

Box RM 15 Process of responding to risk

• List the Threats and Opportunities according to the analysis results.
• Define your attitude considering the content of the risk:
o Tolerate
o Control
o Transfer
o Avoid
• Ensure that the benefit that the response will provide is higher than the cost it will bring.

While managing risks, the opportunities they bring along should also be taken into consideration. Alongside negative impacts, risks can also lead to opportunities. In order to be able to take these opportunities, which would make an additional contribution to the achievement of the administration's objectives, the administration must have designated strategies. Taking the opportunity is not an alternative method of responding to risks; rather, it is a method to be applied additionally. Opportunities are taken in the following cases:

• When the cases of taking the opportunity and reducing the threats coexist. For example, carrying out health and scientific research to find a cure for a disease. (The disease threat will decrease and, at the same time, there will emerge the opportunity that cost will decrease with fewer people going to hospitals.)
• When opportunities emerge before the negative event occurs. For example, using a new technology to be able to work better, or reaching a greater number of people via e-state.

The following box gives some tips for use when responding to risk.

RM Box 16 Tips for responding to risk

• Prioritising risks helps decide which risk to respond to first.
• As a public administration, while determining the responses to be given to risks, recipients of the services and the impacts on them must be considered.
• Stay away from over-control measures while responding to risks. Over-control harms the efficiency of the administration as much as insufficient controls do.
• The possibility that acting in coordination with other administrations in responding to risks may be more efficient must be considered.

The following box gives an example of the process of responding to risk.

RM Box 17 Example of the process of responding to risk

Your organisation has decided to buy a new IT system.

You identify your risks:

Risk 1: The new system has inadequate response times.

Risk 2: Data is not transferred accurately from the old IT system to the new system.

Risk 3: You do not have the capability to operate the new IT system.

Risk 4: The new IT system does not work.

What responses can you give to these risks?

Risk 1

Tolerate: You have been assured that the new system has a five second response time, which is similar to the current system, so you decide that it does not need to be quicker.

Risk 2

Treat: You need to introduce controls to make sure that data is transferred accurately.

• Preventive controls: Testing is done on the new IT system before it is introduced to ensure that data is not corrupted on transfer.
• Corrective controls: Testing is done comparing data transferred from the old system to the data on the new system. This control activity corrects the errors.
• Directive controls: Requirement that IT staff working on developing the new system have adequate skills and experience.
• Detective controls: Testing is done after one year of operating the new system to see if standing data transferred from the old system is accurate.
• Emergency plan: You should make sure that you can revert to using the old system in the event that the new system does not have properly transferred data.

Risk 3

Transfer: You outsource the running of the new system to another organisation which has the relevant expertise.

Risk 4

Avoid: If it is detected during testing that the new IT system is not working, you quit buying this system and search for an alternative IT system.

Take the opportunity

Your new IT system allows you to operate more efficiently, freeing up staff time to do other activities.

7.4 Reviewing Risks

Risks can change in terms of their impact and likelihood due to various changing conditions or measures taken. Furthermore, it is also possible that new risk areas are formed due to changing conditions. Therefore, all the aspects of the risks identified and the risk management process should at least be reviewed on a regular basis. Reviews can be carried out at frequencies to be set by the administration according to the level of importance of the risks.

In the event that extraordinary developments take place and this has a serious impact on the risks, the Administrative Risk Coordinator (ARC), upon the spoken or written instruction of the head of administration, organises an emergency meeting of the Internal Control and Risk Steering Board to assess the risks. For example, natural disasters, economic crises and early election resolutions are extraordinary developments.

Reviewing the risks and reviewing the risk management process are two different processes, and the fact that one of them is carried out does not necessarily mean that the other is carried out as well. Whereas each risk is reviewed by its respective owner, the risk management process is reviewed by the Head of Administration and/or ARC. Reviewing risks regularly would provide flexibility in adapting to the changing conditions.

Risks are reviewed as follows:

• Whether risks still exist, whether new risks have arisen, and whether the likelihood or impact of a risk has changed or not is reviewed.

• Priority should be given to key risks (those with the highest probability and impact) during a review. Other risks should be reviewed later.

• While reviewing strategic risks, first and foremost amended policy papers if any, developments in other countries, expectations of the public for that period, Internal Audit Reports, Inspection Reports, External Audit Reports and other relevant reports and documents should be considered.

• In the light of the developments, if there have been any changes to the risk profile, the risk register of the administration/unit/sub-unit must be reviewed.

• The change must be communicated to the risk coordinator at the next senior level within five working days.

• By reviewing the prioritisation of the key/main risks, the assessment results should be submitted within five working days by the ARC to the ICRSB in a revised Risk Report.

• The results of the assessment will be discussed by the ICRSB, and the report is then submitted to the Head of Administration by the ARC.

• The conclusion and evaluation part of the report must definitely include remarks on whether the risk management process provides the necessary assurance and whether new measures are needed or not.

o Do we give reasonable assurance on the successful management of risks?

o Do we give reasonable assurance on the effective implementation of the control activities?

The process of reviewing risks is summarised in Box RM18, and questions to consider are listed in Box RM19.

RM Box 18 Process for reviewing risk

• Set out a review period depending on the characteristic of the activity.
• Frequently review the first critical risks.
• During the review, assess the probability and impact of the risks for that period.
• Decide whether the risk is still a threat.
• Identify whether new risks have arisen for that period.
• The condition of the control activities must be reviewed according to the change in the risk. It would be appropriate to eliminate an activity which became pointless as the risk has disappeared.
• Record the identified findings on the risk register.
• Report the risks of every level.
• Changes regarding the risks are reflected on the risk register; however, in emergencies the managers must be informed as soon as possible.

RM Box 19 Questions to consider in the risk review process

• What are the changes in the environmental conditions?
• What are the changes that impact on the operation of the activity?
• How do the changes affect the administration?
• Are present controls sufficient to address the changing situation?
• Is there sufficient evidence that the controls are effective?
• It would be useful to take into consideration the policy papers of the government and the administration while assessing risks.

7.5 Communication and Reporting

Communication within the context of risk management refers to accurate and timely conveyance of the right information to the relevant people through various mechanisms at the right time. Communication is a vital process which needs to be effectively applied in all phases of risk management.

The following are important to communicate:

• The administration's objectives, policies and procedures
• The risk management strategy
• The numbering system in the risk assessment stage and measurement mechanisms
• Which controls are convenient in responding to risks
• How well risks are managed, in reviewing risks

It is important to bear in mind that this vertical and horizontal communication is mutual (communication-feedback).

To ensure effective communication, the issues in Box RM20 should be considered.

RM Box 20 Issues for effective communication

• Who will communicate with whom, in which format
• Who is responsible to whom, about what
• How the communication should be with high levels
• How the communication with the Minister works
• Who will communicate what information to which levels
• How to ensure the accuracy of information
• The expectation of top management from the employees regarding risk management should be clearly defined and conveyed to all employees

In addition to internal communication, efficient communication lines are needed with the partners where the services provided require partnerships, and with the citizens or NGOs who are affected directly or indirectly by the services provided by the administration. Therefore, while the administration is producing its Risk Strategy and Policy Paper, it should prepare an efficient communication plan which regulates the internal and external communication, and share it with all stakeholders.

Reporting has a direct impact on the decision making processes in risk management. The reports should be as short and accurate as possible and demonstrate the evidence regarding the evaluations; they should be relevant and submitted to the relevant people where necessary.

Reporting must be carried out within the administration both vertically and horizontally. It should be explicitly set out who will report to whom and with what frequency in the risk management process. Reporting will be done in the forms to be determined by administrations and in pre-determined periods, by at least using the information contained in the forms shown in the Annex to this Manual. When deemed necessary, administrations can develop different forms other than the forms contained in the Manual.

Within the scope of this chapter of the manual, Risk Management can be demonstrated via the following diagram.

RM Figure 6 Risk Management Process

[Figure labels: Administration's Mission; Strategic Plan and Performance Programme Budget; Annual Management Plan, Activities, Processes, Projects; Administration Level, Unit Level, Operational Level; Risk Assessment: Identify, Measure (impact x probability), Prioritise; Tolerate, Control, Transfer, Avoid; Take the opportunities; Assess, Manage, Monitor; Risk Register; Control Activities; Monitoring and Evaluation]

7.6 Learning

Learning needs to be enriched through systematic training tools and disseminated to the target groups using the most effective method. Depending on the target group, such methods as conferences, seminars, workshops, trainings, hands-on trainings, internships, exchanging information via various communication channels, and sharing best practices, failures or mistakes would facilitate learning the risk management processes and establish a basis for the risk management practices in a corporate sense.

Addressing risks largely depends on experiences. Previous experiences, and making everyone aware of the successful and unsuccessful practices via a strong communication network, would facilitate more effective and faster addressing of risks. In particular, conveying the positive and negative experiences about the emerging risks and the methods to handle these to the stakeholders, and learning what could go wrong, can only be ensured if a method that focuses on learning from mistakes is adopted and learning experiences are shared. Therefore, it will be useful to use the peer review method within the administration. In this method, units learn how the others at the same hierarchical levels manage risks, and they can adopt good practice examples in their own units.

Sharing risk management experiences with external stakeholders, especially organisations experienced in this field, could not only help the administrations develop new methods but also ensure a more efficient use of risk management resources.

RISK MANAGEMENT ANNEXES

ANNEX 1: Using the brainstorming method to identify, assess and record risks

Step 1

Collect together in the same room all members of the Unit or Sub Unit, or all staff who work on a project or on a business process. Identify an appropriate facilitator (see box RM 21) to guide the brainstorming workshop. The brainstorming would be most effective if it is facilitated by an independent person who has experience at facilitating brainstorming.

(Note: this can also be done by collecting all senior managers in an Administration to brainstorm strategic risks.)

Requirement for step 1: all attendees of the brainstorming should be fully familiar with the Sub Unit/Unit/project/business process/Administration respectively.

RM Box 21 Role of the facilitator

• Encourage the workshop attendees to all participate in identifying risks.
• Watch out for duplication of similar risks (if 2 risks are very similar, consider amalgamating them).
• Ensure that all attendees vote on impact and likelihood of the identified risks.
• Encourage attendees to challenge each other's scores, defend their own or change them if they think appropriate.
• Ensure that the risk scores are accurately entered in the spreadsheet and prioritised.
• Action plan the response to risks, starting with the highest priority.
• For each response, ensure responsibility is allocated to a named individual.
• Ensure for each response that a review and reporting date is identified (exact date).

Step 2

Once all brainstorming attendees are assembled as per step 1, firstly clarify what the objectives of the Sub Unit/Unit/project/business process/Administration respectively are. These may be included in the strategic plan or, for sub units, may not previously have been identified. Think widely – are there other objectives that are not included? All attendees should agree that these are the objectives before proceeding to Step 3.

Step 3

All attendees at the brainstorming should brainstorm – what are the risks to the achievement of each of the objectives identified in step 2? This can be done as one group or, for larger brainstorming sessions, in pairs or sub-groups. Risks identified by the brainstorming should be recorded in the risk voting form in Annex 2 (columns 3, 4 and 5), clarifying which objective(s) might not be achieved if the risk happens.

Step 4

Once all risks are identified, all brainstorming participants should vote on what they think the likelihood and impact of the risk are, using the guidance for scoring in the risk management chapter of this manual. These votes should be recorded on the risk voting form. In line with the number of participants, the number of the related columns can be increased (Columns 6, 7, 8 and 10, 11, 12). (For scoring impacts and probabilities see Annex 5, Risk Assessment Criteria Table.)

Step 5

Once initial votes are recorded on the risk voting form, where there are large variations between the highest and lowest score for likelihood and/or impact for a particular risk, the individual(s) who gave the highest score should first of all justify why they gave the high score and try to convince the others why they should increase their score. The individual(s) who gave the lowest score should then justify why they gave the low score and try to convince the others why they should decrease their score. After these justifications have been given, an opportunity should be given to all who were convinced by any of the justifications to change their score.

Step 6

The risks identified should be listed in decreasing order of the product (Column 14) of the average impact (Column 9) and the average probability score (Column 13) from the brainstorming. The participants should be asked if the result is what they expected. Does what they considered to be their most significant risk have the highest score? If not, look at the voting again and consider if it needs to be changed.

Step 7

Once brainstorming participants are satisfied with the prioritisation of the risks, complete the other columns of the risk register (Annex 3), starting with the highest priority risk.

Step 8

If the risk which is written in column 5 in the Risk Register arises from an event which will occur at a particular date (e.g. elections), column 6 in the Risk Register, namely the time frame column, can be completed by writing how much time before the date the risk is expected to materialize (e.g. a month, three months, etc.). The column can be left blank if timing is not important.

Step 9

When identifying control activities, consider whether the risk level is within the risk appetite for that particular risk or not, and what control(s) would be most cost-effective and would mitigate the risk best by reducing the impact and/or the likelihood of the risk materialising. Also consider what the existing controls are, whether these are currently effective, and whether they can be improved or it would be more cost-effective to introduce new additional control(s) in addition to or instead of the existing control(s). Complete the related columns in line with explanations in the table (Columns 11, 12 in the Risk Register).

Step 10

The form will have been fully completed when the other columns are completed, taking into consideration the instructions in the Risk Register Form.
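The voting arithmetic of Steps 4 to 6 can be checked with a short script; the following is an added example, not part of the manual. The score bands 45-100, 9-44 and 1-8 are the ones printed on the Annex 3 form, while the reference codes, the sample votes, the treatment of averaged scores that fall between two bands and the 4-point spread that triggers the Step 5 discussion are assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean

# Score bands printed on the Risk Register form (Annex 3, column 9).
HIGH_MIN = 45      # 45-100 is high
MEDIUM_MIN = 9     # 9-44 is medium, 1-8 is low
# Assumption: the manual does not say how big a "large variation" is (Step 5).
SPREAD_LIMIT = 4


@dataclass
class VotedRisk:
    reference: str                                   # constructed reference code
    description: str
    impact_votes: list = field(default_factory=list)       # one 1-10 vote per participant
    probability_votes: list = field(default_factory=list)

    def _validated(self, votes):
        for vote in votes:
            if not isinstance(vote, int) or not 1 <= vote <= 10:
                raise ValueError(f"{self.reference}: vote {vote!r} is not in 1-10")
        return votes

    def score(self):
        """Average impact x average probability; None if nobody could vote."""
        if not self.impact_votes or not self.probability_votes:
            return None
        impact = mean(self._validated(self.impact_votes))
        probability = mean(self._validated(self.probability_votes))
        return round(impact * probability, 1)

    def band(self):
        score = self.score()
        if score is None:
            return "Unknown"      # kept in the register until data is collected
        # Assumption: an averaged score between two printed bands (e.g. 8.8)
        # stays in the lower band.
        if score >= HIGH_MIN:
            return "High"
        return "Medium" if score >= MEDIUM_MIN else "Low"

    def needs_discussion(self):
        """Step 5: name the scales on which highest and lowest vote differ widely."""
        scales = (("impact", self.impact_votes), ("probability", self.probability_votes))
        return [name for name, votes in scales
                if votes and max(votes) - min(votes) >= SPREAD_LIMIT]


def prioritise(risks):
    """Step 6: decreasing score order, with unscored risks listed last."""
    return sorted(risks, key=lambda r: (r.score() is not None, r.score() or 0),
                  reverse=True)


# Constructed sample votes from three participants (not taken from the manual).
SAMPLE_RISKS = [
    VotedRisk("WH-03", "Stocktake report arrives after month end", [2, 1, 3], [3, 4, 2]),
    VotedRisk("WH-04", "Effect of a regulation still in draft"),
    VotedRisk("WH-01", "Gold bars are stolen from the warehouse", [9, 8, 10], [7, 3, 8]),
    VotedRisk("WH-02", "Daily IT stock printout is inaccurate", [3, 4, 2], [5, 6, 4]),
]

if __name__ == "__main__":
    for risk in prioritise(SAMPLE_RISKS):
        print(risk.reference, risk.score(), risk.band(), risk.needs_discussion())
```

A risk listed by `needs_discussion()` goes back to the group for the justification round before its score is entered in the register.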

The following Box gives some suggestions for ground rules for brainstorming.

RM Box 22 Suggested ground rules for brainstorming

• There is no such thing as a bad idea
• One person speaking at a time
• Active participation
• Keep to the timetable
• The facilitator is in charge (if there is one)
• Open discussion but no personal criticism

ANNEX 2: Risk Voting Form

This form is used to calculate the risk score after risks are identified.

ANNEX 3: Risk Register

This is a form used to report the status after risks identified at administration/unit/sub-unit level are recorded.

RISK REGISTER

Administration/Unit/Sub-unit:
Date: 20..

| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Serial no | Reference No | Strategic Objective | Unit's Objective | Risk Identified (Risk / Reason) | Time frame | Probability | Impact | Risk score (R) | Change (Direction of risk) | Current/New/Additional control activities | Starting date | Risk owner | Monitoring and Reporting |

Risk score bands shown on the form: 45-100, 9-44, 1-8.

Columns

1. Serial no: shows the sequencing in the risk register.
2. Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist. The same code is not given to another risk.
3. Strategic Objective: This is the column in which the code of the strategic objective related to the risk, as shown in the strategic plan, is written.
4. Unit's objective: If the risk register is completed at unit/sub-unit level, the objective of the unit which is directly or indirectly related to the strategic objectives of the administration and can be affected by the risk is written in this column; if the risk register is completed at administration level, then this column is left blank.
5. Risk Identified: Description of the risk. Reason: Reasons which cause the risk to occur.
6. Time frame: If the risk arises from an event which will occur at a particular date (e.g. elections), this column can be completed by writing how much time before the date the risk is expected to materialize (e.g. a month, three months, etc.). The column can be left blank if timing is not important.
7. Probability: Probability value determined by using the Risk Voting Form (Annex 2) (between 1-10). While determining this score, it may be useful to list related control activities, actions taken and related regulations. In this way, the probability that the risk will materialize notwithstanding the actions taken can be determined.
8. Impact: Impact value determined by using the Risk Voting Form (Annex 2) (between 1-10). While determining this score, it may be useful to list related control activities, actions taken and related regulations. In this way, what the impact of the risk will be if it happens notwithstanding the actions taken can be determined.
9. Risk Score (R=IxP): risk score determined by multiplying probability and impact scores in the Risk Voting Form (Annex 2) (between 1-100). See below for an explanation of the colours to use.
10. Change (Direction of risk): This is the column in which the change in the status of the risk is shown in light of the previous risk register. It can be shown, according to the administration's preference, in writing such as up/down/stable or by means of direction signs. If there is no previous risk register, then it is stated as New.
11. Current/New/Additional control activities: Current control activities are written in this column. It is assessed whether these activities are still needed or not. If not, they are removed. It is also assessed whether current control activities are appropriate or sufficient. If the calculated risk score is above the desired level taking into consideration the current control activities, then new or additional control activities which are planned are written in this column.
12. Starting date: The exact date that new/additional control activities will start to be implemented.
13. Risk owner: is the person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, does monitoring, keeps records of achievements and failures about control activities and ensures that evidence which shows that the risk is managed is kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.
14. Monitoring and Reporting: When to review and to whom to report risks are written in this column.

Colours

• High risk
• Medium risk
• Low risk
• No sufficient information to assess the risk. It is included in the risk register and a risk owner is identified for collecting sufficient information.

Note: In the event that a new risk is identified during the year, the employee identifying this risk reports it to the senior manager. If the manager decides this is a risk which needs to be managed, then this risk is registered in the risk register form and approved by the relevant manager.

ANNEX 4: Consolidated Risk Report

This is the form which enables corporate risks of an administration to be submitted to the senior manager as a report composed of a few pages.

CONSOLIDATED REPORT
(Corporate Risks)

Administration/Unit/Sub-unit:
Date: 20..

| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|
| Serial No | Reference No | Strategic Objective | Risk Identified | Status: Previous risk score and colour | Status: Current risk score and colour | Risk Owner | Explanation |

Risk score bands shown in columns 5 and 6: 45-100, 9-44, 1-8.

Columns

1. Serial no: shows the sequencing in the risk register.
2. Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist. The same code is not given to another risk.
3. Strategic Objective: This is the column in which the code of the strategic objective related to the risk, as shown in the strategic plan, is written.
4. Risk Identified: Description of risk.
5. Previous risk score and colour: shows the status of the risk in the previous Consolidated Risk Report.
6. Current risk score and colour: shows the status at the date of the report.
7. Risk owner: is the person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, does monitoring, keeps records of achievements and failures about control activities and ensures that evidence which shows that the risk is managed is kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.
8. Explanation: Information about the effectiveness of control activities and foresight for the future are given in the explanation section.

Colours

• High risk
• Medium risk
• Low risk
• No sufficient information to assess the risk. It is included in the risk register and a risk owner is identified for collecting sufficient information.

ANNEX 5: Risk Assessment Criteria Table

Table columns: Value; Range; Probability; Impact (Strategy, Activities, Financial, Compliance with Legislation).

Value 10, 9, 8, 7 / Range: High
• Probability: Risks which are almost certain to occur within 5 years. Taking into consideration the structure of the administration, they generally arise from policies and procedures. The wider the activity area of the administration, the more likely it is that the risky event occurs.
• Impact, Strategy: Risks which can have a major impact on attaining strategic objectives. These are risks which are generally faced in the long term but can cause the administration to divert from its objectives in case of occurrence.
• Impact, Activities: Risks which cause the administration/unit/sub-unit not to provide the service it has to provide in an effective and efficient way belong in this category.
• Impact, Financial: Risks which will cause heavy financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are above the acceptable level should be accepted as a high risk.
• Impact, Compliance with Legislation: Risks which will cause a big obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation. Such risks can be seen in areas where the legislation is too complicated and unclear.

Value 6, 5, 4 / Range: Medium
• Probability: Risks which are likely to occur within 5 years. These are generally such risks that the administration/unit/sub-unit or administrations with similar structures have faced formerly.
• Impact, Strategy: Risks which can have a certain level of impact on attaining strategic objectives.
• Impact, Activities: Risks with a certain level of impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.
• Impact, Financial: Risks which will cause a certain level of financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are within the acceptable level should be accepted as a medium risk.
• Impact, Compliance with Legislation: Risks which will create a certain level of obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Value 3, 2, 1 / Range: Low
• Probability: Risks with low probability of occurrence within 5 years. These are generally such risks that the administration/unit/department faces very rarely. These are risks with almost no likelihood of occurrence.
• Impact, Strategy: Risks which can have the least impact on attaining strategic objectives. Their impacts are generally little and cover a limited area.
• Impact, Activities: Risks with little impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.
• Impact, Financial: Risks which will cause little financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are below the acceptable level should be accepted as a low risk.
• Impact, Compliance with Legislation: Risks which will cause a little obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Range: Unknown
• Probability: In case there is no idea about the likelihood of the risk occurring within 5 years, the risk is shown in blue until it can be clearly identified with larger data.
• Impact, Strategy: The impact of a risk likely to occur on strategic objectives of the administration could not be determined.
• Impact, Activities: The impact of a risk likely to occur on the activities could not be determined.
• Impact, Financial: The financial impact of a risk likely to occur could not be determined.
• Impact, Compliance with Legislation: The impact of a risk likely to occur in case of non-compliance with the legislation could not be determined.

Risk has recently emerged, no data was obtained regarding its status and there is no sufficient data for analysing the new risk; or it is a risk which previously occurred but there is no sufficient data for the analysis. Information should be gained as soon as possible so that an analysis can be made and an opinion formed.

ANNEX 6: Case Study Example of Inherent and Residual Risk

Case study example to illustrate the concepts of inherent and residual risk, and also to illustrate how a risk owner can obtain information from several different control owners to monitor the extent to which the risk they are responsible for is successfully mitigated by the existing controls.

The scenario concerns a storage warehouse for gold bars, a risk owner who was the Store manager, a risk that gold bars are stolen, and 4 controls:

a) An IT system control giving bars in and out and a balance held for each working day – daily printouts sent by the IT manager to the risk owner;

b) An independent company comes in once a month to perform a stocktake count of gold bars in the warehouse, which they reconcile with the relevant printout of stock from the IT manager – any variances in stock held were investigated and explanations provided where possible – the independent company provides a monthly report to the risk owner on results of the work they have done, detailing any unexplained variances (which could potentially be incidences of theft);

c) Security guards – professionals guarding access to the warehouse 24 hours a day and 7 days a week, ensuring that only authorised staff have access to the warehouse and that all bags are put through a metal detector on leaving to ensure gold bars are not being smuggled out (gold bars are too heavy to be easily hidden on the person). On recruitment, a criminal record check is made on the security guards to ensure that they do not have prior convictions for theft. Security guards report weekly to the risk owner on their work; and

d) An alarm system – any incidences of it being set off are sent in a report by the security guards to the risk owner. Regular (weekly) checks on the alarm system's functioning are carried out by the security guards, with success of the check included in their reports to the risk owner.

The inherent risk in the absence of the above 4 controls would be considered high (a high probability that bars would be stolen and a high impact, as gold bars are expensive). This would be above the risk appetite, and consequently the above 4 controls would be designed to mitigate the risk of the gold bars being stolen, with the foreseen effect of the four controls being that the residual risk would be reduced. (Note: all four control measures combined would mitigate only the probability of the gold bars being stolen, not the impact.)

The risk owner would gather evidence as to the effectiveness of the four controls. If they were found to be effective, he would consider whether the risk had been successfully mitigated to within the risk appetite (likely answer: Yes, unless a further new control or a strengthening of the existing controls was considered necessary if the risk appetite was very low due to the high impact/the organisation is very risk averse).

If one or more of the 4 controls is found by the risk owner to be ineffective, it is likely that the risk would still be at a level above the risk appetite, and so the risk owner would need to escalate the issue to his line manager, suggesting methods for further mitigating the risk (either by introducing an additional control or by strengthening the control(s) that had been found to be ineffective).

ANNEX 7: Case Study Example of completed Risk Voting Form, Risk Register and Consolidated Risk Report

CONTROL ACTIVITIES

1 Introduction

Control activities (also referred to as controls) are actions aimed at reducing the impact and/or the likelihood of a risk occurring, and thus increase the probability of attaining the goals and objectives of the organisation or part of the organisation. For an effective control, the introduction of the control activities depends on the completed risk assessment. The management must plan, organise and direct sufficient control activities to obtain reasonable assurance that the tasks and goals will be achieved. Control activities cover both financial and non-financial controls, and they should be designed and implemented as a whole for all the activities of the administration.

This section of the manual, within the framework of internal control standards, looks at how procedures should be developed as control activities to ensure that risks to achieving administrative objectives are managed effectively.

2 Control Activities Standards

Administrations, while identifying and implementing their control activities, take into account the following standards.

CA Box 1 Internal Control Standards

Standard 7: Control strategies and methods
The administrations shall determine and implement control strategies and methods which aim to achieve the objectives and are suitable for risk response.

Standard 8: Determination and documentation of procedure
The administrations shall prepare and update written procedures which are required for administration activities as well as financial decisions and transactions and arrangements relevant to these areas, and also give the relevant personnel access to these documents.

Standard 9: Segregation of duties
With a view to reducing fault, flaw, error, irregularity and corruption risks, the duties of approval, implementation, recording and control of financial decisions and transactions shall be allocated among personnel.

Standard 10: Hierarchical controls
The administrators shall systematically control the compliance of the works and transactions with the procedures.

Standard 11: Continuity of activities
The administrations shall take necessary measures for continuity of the activities.

Standard 12: Information system controls
The administrations shall develop control mechanisms in order to ensure the continuity and security of information systems.

[Diagram not reproduced. Labels: Control Environment; Risk Management; Control Activities; Info & Communication; Monitoring]

3 Planning Process of Control Activities

Control activities can be regarded as the ability of administrations to get through the challenges they experience in carrying out their activities. Control activities should be designed within the framework of cost-effectiveness analysis, in a way to directly facilitate attainment of objectives. Ideally, when introducing control activities, the heads of organisations must take into account the expected benefit from them as well as the costs of their introduction and implementation. Control activities should ideally be introduced in the processes and systems at the time of setting up these processes and systems, because the introduction of control activities at a later stage is more expensive and less efficient.

It is important for effectiveness of controls that control activities be understandable, applicable and consistent. A good control strategy should take into account how to implement the controls as well as identifying them. At this juncture, the administrative, financial and physical capacity of an administration should be taken into consideration.

Another important point to pay attention to in planning control activities is the evaluation of effectiveness of controls implemented. Such issues as whether the aim of implementing the control is commensurate with the targeted results, and whether the expected cost is in parallel with the actual cost, should be evaluated. Furthermore, regular review of control activities in the light of changing circumstances is also an important factor in terms of effectiveness-evaluation.

Administrations should take into consideration the following basic requirements in identifying control activities.

CA Box 2 Basic Requirements: Planning of control activities

In order to be effective, control activities must be:

• adequate (the right control in the right place at the right level and commensurate to the risk involved)
• cost-effective (the costs of implementing a control should not exceed its benefits)
• comprehensive, understandable and directly related to the control objectives
• documented clearly
• evaluated as a whole so that they are consistent in their operation
• carried on until effectiveness is evaluated

4 Classification of control activities

The control activities are generally classified as follows. Administrations should implement the following basic requirements as minimum standard; however, they can implement additional control activities depending on the nature of the risk.

4.1 Preventive controls

These are the controls to be carried out to mitigate the likelihood and prevent, as much as possible, the undesirable outcomes that may emerge when risks occur. For example, ex-ante financial control operations, applying the principle of segregation of duties to prevent fraud or irregularities.

CA Box 3 Basic requirements: Preventive Controls

The security of physical and intangible rights (intellectual assets etc.) and records:

• physical safeguarding of assets
• recording financial/management information
• access controls such as passwords, identity cards, guards; and
• segregation of duties in order to avoid conflicts of interest

4.2 Corrective Controls

These are the controls aiming at reducing the impact of the undesirable outcomes that stem from the threats the risks pose. For example, placing provisions regarding the reimbursement of undue payments in the agreements, setting the period of guarantee in advance.

CA Box 4 Basic requirements: Corrective Controls

• identifying methods for the purpose of recovery from loss or damage which would affect the activities negatively
• appropriate actions are taken for the correction or elimination of the identified differences

4.3 Directive Controls

These are the controls applied to reach a certain end. For example, provision of trainings on protection against possible threats, using protective materials (masks, special clothes, etc.), preventive medical practices (giving messages for washing hands in periods of epidemics, publishing private leaflets).

CA Box 5 Basic requirements: Directive Controls

• an approved organisation chart that is constantly up-dated to reflect organisational changes
• manuals or written procedures, brochures, booklets, posters and other similar documents on implementation
• established clear and documented definitions of the responsibilities and tasks for resources, activities, program, projects, objectives and targets
• assigning tasks and responsibilities by taking into account their relevant skills and experiences
• delegating authority based on the organisational structure and responsibilities to do the jobs effectively, and it should be documented
• establishing effective means of communication throughout the organisation; and
• establishing clear reporting methods

4.4 Detective Controls

These are the controls applied to identify the damages and losses experienced once the risks are realised. For example, conformity controls carried out after spending has been made to identify the responsibility, controls performed to detect negligence by experts or authorities.

CA Box 6 Basic requirements: Detective Controls

• periodic counts/physical inventories
• comparison of the count/inventories with the records
• methods for the identification and analysis of differences

5 Methods of control activities

The main methods of controls are mentioned below. Administrations may also implement different ex-ante and ex-post control methods based on the requirements of their organisational structure and field of activity.

Ex-ante controls are the controls put into practice in the light of the appropriate procedures before the activity takes place, whereas ex-post controls refer to the controls performed by the management through the use of pre-identified methods after the activities take place.

CA Box 7 Tips for control activities

The following box gives some issues to be considered when control activities are identified.

• While determining the control activities and allocating resources for them, it may be necessary to give priority also to those risks with high probability and low impact and rating low in the prioritization list which is formulated according to the risk scores.
• Preparing emergency plans as well as control activities for those risks with a very high probability and impact assumes great importance.
• Reducing both the realization probability and impact of internal risks is possible with control activities.
• Reducing the realization probability of external risks, on the other hand, may not be under the control of the administration. However, mitigating the impacts of risks is possible with a proper risk management.
• While responding to risks, over-controlling should be avoided. Both over-control and under-control can undermine the effectiveness of the controls.
• According to the content of the risk, several control methods can be used at once if deemed necessary.
• Have the costs and benefits of implementing the control activities been analysed?
• Have the new control activities been piloted to see if they are having the desired effects?
• Are the control activities effectively operating as planned? Is the required evidence on controls collected and analysed periodically?
• After a reasonable period of time, are the new control activities and existing controls that are being continued functioning as expected? And do you report this to the manager/risk coordinator?

CA Box 8: Factors to be determined when identifying control activities

- Which unit/who will conduct the activities
- Deadlines of the activities
- Necessary resources for the activities to be conducted
- Critical achievement factors
- How to document the activities
- Monitoring processes for the activities

5.1 Authorisation and approval

Managers should introduce appropriate rules and procedures for decision-making, authorisation and approval, taking into account the following. Decision-making and approval shall be carried out only by authorised persons. Authority means that the operations are initiated only by persons acting within their powers. Observance of the order of authorisation requires employees to act in accordance with directions and within the limits set by the manager of the organisation or the legislation. The procedures for authorisation should include specific conditions and delegation of powers by managers to employees for performance of particular activities. The approval is endorsement (certification) of transactions, data or documents whereby processes, actions, proposals and/or consequences thereof are completed or validated.

5.2 Segregation of duties

To minimise the risk of errors, irregularities and violations and their non-detection, managers should introduce rules stipulating that different employees be responsible for the implementation of two or more key stages of an operation, process or activity. To ensure effective checks and to strike a balance in the implementation of an operation, the responsibilities shall be segregated in a manner which precludes an employee from being responsible simultaneously for the approval (decision-making), implementation, accounting and control.

In organisations with fewer staff, this segregation is more difficult to implement. In such cases the manager may consider the possibility of combining two of the specified activities and compensate the non-application of this control mechanism by another, e.g. rotation of employees, rotation of duties or additional management checks. Thus the risk of a single person dealing with more than one key aspect of an operation, process or activity for an unjustifiably long period of time could be reduced.

5.3 Double signature system

The double signature system is a procedure to ensure the accuracy of the data included in the document. The method is applied in non-financial processes such as provision of information to the top management (reports, information notes, statistics, etc.) and appointment orders, and before financial obligations such as signing of contracts and making payments (payment order, etc.). This makes it possible that, especially in financial transactions, the person responsible for the accounting entries knows about pending obligations or payments and performs due accounting procedures. The double signature system gives assurance that the procedures are carried out by authorised staff.

5.4 Reconciliation of data

Procedures should also guarantee that data from different documents and sources are matched for ascertainment of consistency. For example, accounting entries relating to bank accounts are reconciled with corresponding bank statements, invoice data are matched with those in the warehouse receipt, etc.

5.5 Supervision procedures

Supervision procedures should be carried out on a daily basis by line managers on assignment of work and its performance. Assignment of work by the line managers does not reduce their own responsibility for the performance of the work. Line managers should give staff the necessary directions and instructions in order to ensure understanding and avoid errors and frauds in the discharge of their duties. Line managers should also apply these procedures to assure themselves that the tasks assigned are carried out correctly.

5.6 Ex-ante financial controls

Ex-ante financial control is a control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out against the available appropriation amount, the expenditures programme, the financing programme, and the provisions of the central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently. The purpose of ex-ante control is for the managers to obtain reasonable assurance of the compliance of such decisions/actions with the legislation and the performance programme.²

5.7 Procedures for accounting operations

Procedures should ensure that accounting for all financial transactions on a given date is complete, true, accurate and timely. Their purpose is to support the taking of correct decisions from which financial consequences arise. These procedures should be developed in accordance with the relevant legislation and public accounting standards.

² Please see the regulation on procedures and principles on internal control and ex-ante financial control for further details.

5.8 Anti-corruption

There should be rules and procedures for warning, examination, detection and reporting of administrative weakness, discrepancies and violations which create conditions for corruption, frauds and irregularities.

Anti-corruption procedures include:

- preventive controls;
- a system for checking, detecting and reporting early indications of corruption, frauds and irregularities;
- whistleblowing procedures (for more information please refer to the Information and communication section); and
- a set of procedures for reporting irregular activities to the external competent authorities, such as the Prosecutor's Office.

5.9 Access to assets and information

Managers must ensure that only authorised persons responsible for the safeguarding and/or use of assets and information have access to them. The restriction of the access to assets reduces the risk of their misuse or their wrongful utilisation and protects the organisation from losses. The degree of the restriction depends on the vulnerability of the assets and information and the risks of loss or misuse. When determining the vulnerability of assets, the manager shall consider their value, transportability and the possibility for them to be exchanged for cash.

5.10 Documentation, archiving and storing of information

Procedures for documentation, archiving and storing of information shall be introduced to support the performance of operations, taking of correct managerial decisions and control of the processes in an organisation. Documentation involves developing written evidence of decisions made, events occurred, actions and transactions performed, etc. The documentation must be complete, accurate and timely.

The documentation procedures include those for document circulation, describing the order for circulation and use of documents produced and received. The documentation procedures must allow tracing of every document, action and process in the organisation, stating precisely who performed what, how and when, and the purpose and type of act/document issued as a result thereof.

According to the terminology adopted by the European Commission, this comprises an audit trail. Its establishment helps achieve:

- transparency;
- tracing of the processes in the organisation from their initiation till completion; and
- tracing the segregation of functions by decision-making, performance, accounting and control.

The audit trail shall state what procedures and transactions exist, who the responsible persons are, what documents are drawn up, what systems for management and control of data flows exist, and what the form of presentation of the results is.

Archiving procedures must ensure chronological and systematic filing of documents about past events, decisions and actions concerning the organisation. There should be specific guidelines describing in detail the procedures for archive establishment, completion, use and destruction.

The procedures for storage of information shall ensure physical preservation of the information media (paper and/or electronic) as well as preservation of the content without change, so that the information provides a true and fair view of the facts, decisions and actions relating to the organisation.

5.11 Business continuity (or emergency plans)

Adequate measures are in place to ensure continuity of service in case of business-as-usual interruption. Business Continuity Plans are in place to ensure that the entity is able to continue operating to the extent possible, whatever the nature of a major disruption.

5.12 Control activities related to Information Technology (IT)

IT systems entail specific types of control activities which should be introduced in organisations by their managers. These mechanisms for information systems control consist of two major groups: general control mechanisms and applications control mechanisms (applications controls).

General control mechanisms are applicable to all operations and contribute to their proper implementation. The applications control mechanisms include both procedures programmed in the software product itself and procedures that must be carried out manually in order to exercise control over the processing of different operations. The general control mechanisms are needed for the functioning of the applications control mechanisms. Absence of sufficient general controls cannot be offset by applications controls.

Usually, general control mechanisms are used in information analysis and processing centres, for installation and maintenance of software products, and for definition of access to information:

- controls for information analysis and processing centres – they include the organisation and planning of work, the intervention of the respective administrators/operators, procedures for saving and subsequent use of information, back-up and contingency plans;
- software controls – these refer to the acquisition, installation and maintenance of software products necessary for the maintenance of the entire system and for processing of software applications;
- access definition controls – these ensure protection against unauthorised access. Access definition restricts users by allowing them to use and perform operations only with particular software products, thus ensuring segregation of responsibilities.

General software controls built during the development of the system entail detailed application tests and allow checking of the appropriateness of the rationale of the program and whether all errors will be detected. After the system is built, the controls for access and maintenance of the system give assurance that nobody can use or make changes in the applications without the appropriate authorisation and that all the necessary changes are made in accordance with the established procedure for authorisation and approval.

The applications control mechanisms support internal control, preventing entry of wrong data in the system and detecting and correcting errors, based on automated procedures for control over data form and content. The prevention and detection of these errors is programmed in the respective application. The applications control mechanisms analyse the data on-line (simultaneously with their entry in the system), provide ongoing information in case of detected error and ensure immediate correction.

The use of both types of controls provides assurance that the information is analysed and processed completely, correctly and accurately.

5.13 Assessing costs and benefits of control activities

After initial selection of control activities to reduce the impact of risks, risk owners should evaluate the costs and expected benefits of the control activity. If the costs of the control activity exceed the expected benefits, the control activity should not be selected.

6 Practical Stages For Control Activities

Practical steps for control activities are briefly indicated in the following table. Since control activities are linked to risks, points on risk management are provided in stages 1, 2 and 3, whereas points on control activities are provided in stages 4 and 5. For further details on stages 1, 2 and 3, please refer to the risk management chapter.

CA Table 1 – Stages for control activities

Stage 1: Identify objectives

Stage 2: Identify risks to achieving objectives

Stage 3: Select method of responding to risks
- Accepting
- Controlling
- Transferring
- Avoiding
- Taking the opportunity

Stage 4: Select control method(s)
- Preventative
- Detective
- Corrective
- Directive

Stage 5: Select type of control activities
- authorisation and approval
- segregation of duties
- double signature system
- reconciliation of data
- supervision
- ex-ante controls: checking compliance with the law
- accounting covering all financial processes
- anti-corruption
- access to assets and information
- documentation, archiving and information storage
- business continuity; and
- information technology

Or refer to CA Annex 2: List of common control activities


7 Steps to identify and implement control activities

Step 1: Administrations, when assessing their risks, review their systems and processes to determine whether they have existing controls to mitigate their risks.

(Administrations where risk management will be implemented in the framework of the principles mentioned in this manual for the first time should list and evaluate all the existing control activities. Those control activities that don't match the objectives and the risks of the administration should be terminated.)

Step 2: Administrations assess whether these existing controls are effective/sufficient in terms of mitigating risks.

Step 3: If there are no existing controls, or the existing controls are not effective/sufficient, new and/or additional control activities are determined. (To help you decide which control activities to select, you may refer to the list of control activities at Annex 2.) In this step it will be useful to consider the following:

- It may be appropriate to select more than one control activity;
- Any new control activities you select must be evaluated for cost-effectiveness; and
- Appropriate control activities should be tested beforehand.

Step 4: New control activities are not foreseen for those high risks that are managed effectively/sufficiently with the existing controls, and the existing control activities should continue.

Step 5: Risk owners, once the risk register has been approved, have to put in place the new control activities and also ensure that monitoring of both new controls and existing controls that are being continued starts at the predetermined starting date.

Step 6: Stakeholders are notified in writing about the control activities and whether they are working effectively.

Step 7: Risk owner, while reporting the risks in the of the Consolidated Risk Report (Risk Management Annex 4), will notify the manager/risk coordinator how well the new control activities and existing controls that are being continued are working. This reporting involves writing a summary of what has happened, identifying the impact of the new control activities and existing controls that are being continued, and attaching any evidence to the report as an annex.


Control Activities Annexes

Annex 1 – Examples of some common risks and controls

Risk management

Common risk: Risks are not being managed effectively and so the organisation's objectives may not be achieved.
Possible control activities:
- Risk workshops are organised to determine risks, allocate owners, determine controls and how their operation is monitored - corrective

Cash management

Common risk: Cash holdings could be stolen.
Possible control activities:
- Cash is kept locked away and access to it is strictly controlled - preventive
- There is segregation of duties for staff who have access to cash - preventive
- Cheques and other payment forms are serially numbered – preventive

Asset management

Common risk: Assets could be stolen.
Possible control activities:
- Physical controls - for example using a safe - preventive
- separation of duties, authorisation levels, passwords - preventive; and
- tagging of goods, reconciliations, stock counts - detective

Document control

Common risk: Documents received could be lost.
Possible control activities:
- Keeping a register that shows where all the received documents are filed - preventive

Common risk: Due to document control procedures not being clear and specific, decisions not being taken on time.
Possible control activities:
The document control procedure defines the controls needed to:
- approve documents for adequacy prior to issue;
- ensure that changes and the current revision status of key documents (strategic plan, performance programmes, etc.) are identified;
- ensure that previous versions of applicable documents are available at points of use;
- ensure that distribution of sensitive and classified documents is controlled; and
- identify documents that should be archived
- All preventive

Planning and budgeting

Common risk: Budget resources may be spent inappropriately.
Possible control activities:
- Effective planning/budgeting process – preventive
- Staff have received training in budget preparation – preventive
- Comparison of interim and final accounts and activity reports with the strategic plan, performance programme and the budget – detective

Common risk: Financial information may not be accurate and complete.
Possible control activities:
- Financial information being stored or reported on the computer - preventive

Procurement

Common risk: Error and fraud could occur in the procurement process.
Possible control activities:
- Separation of duties between staff making decisions, staff selected for the tender commission and staff involved in payments - preventive
- Applying ex-ante controls to the award decision before the signing of the contract – preventive
- Random checks on transactions by authorised staff – detective
- Identifying purchasing thresholds - preventive
- Requirement to seek the ex-ante approval of a senior manager or the Minister for some high-value procurements (Double signature system) - preventive; and
- Regular rotation of staff who have critical responsibilities in the procurement process - preventive

Stores

Common risk: Unauthorised removal of goods from store.
Possible control activities:
- Physical stock checks to inventory records – detective

Common risk: Goods ordered but not delivered on time or partially delivered.
Possible control activities:
- Including penal provisions in the contract regarding any failure to deliver goods on time – corrective
- Comparison between invoices, goods delivery notes and the contract – detective

Revenue management

Common risk: Delays in submitting tax statements on time and the failure to collect revenues on a timely basis.
Possible control activities:
- Incentives for timely submission of tax statements (advance warning, posters, etc.) - directive
- Incentives for on-line submission of tax statements - preventative
- Penalties for late submission – preventative

Contingency planning

Common risk: Major 'incident' destroys important data.
Possible control activities:
- A Business Contingency Plan exists, has been tested and kept up to date - preventive

IT security

Common risk: Unauthorised staff may obtain access to computerised data.
Possible control activities:
- Personal identifiers and passwords – preventative
- Review of on-line access and transaction logs – detective

Common risk: Master files may be changed inappropriately.
Possible control activities:
- Supervisor authorisation required on forms indicating data to be changed - preventive
- Supervisor does not have change access rights - preventive; and
- Supervisor verifies changes against a printout of changes - detective


Annex 2: List of common control activities

Risk management

Category: Appropriate risk management policies, procedures, techniques and mechanisms exist for each of the organisation's activities.
Control activities:
- Management has ensured that all relevant objectives and associated risks for each significant activity have been identified in conjunction with conducting the risk assessment and analysis function.
- Management has identified the actions and control activities needed to address the risks and directed their implementation.

Implementing control activities

Category: The control activities identified as necessary are in place and being applied.
Control activities:
Management has ensured that:
- Control activities described in policy and procedures manuals are actually applied and applied properly.
- Managers and employees understand the purpose of internal control activities.
- Nominated staff review the functioning of established control activities and remain alert for instances in which excessive control activities should be minimised.
For existing control activities, look out for:
- Guidance – it is likely that there will be official guidance about how to carry out your work.
- Documentation – there may be standard document control procedures to ensure that new documents are registered and filed, changes to documents are recorded and documents no longer in use are archived.
- Checking the work of others – this is a basic control activity that can involve a supervisor or manager checking the work of staff, staff in one section checking the work of staff in another section, or computer checks. There may also be a requirement for transactions to be checked by the SDU under the ex ante control regulation.
- Security – protecting documents, cash and assets; and
- Contingency arrangements - ensuring the continuation of essential services in the event of a service failure.

Performance monitoring

Category: Senior management track outturn in relation to its operational and performance plans.
Control activities:
- Top management are involved in developing annual performance plans and targets and measuring and reporting results against those plans and targets.
- Top management regularly review actual performance against budgets, forecasts and prior period results.
- Top management take appropriate corrective action when progress reports indicate that performance is significantly out of line with plans.

Category: Operational managers review actual performance against targets.
Control activities:
- Managers at all activity levels review performance reports, analyse trends and measure results against targets.
- Managers review and compare financial, budgetary and operational performance to planned or expected results.
- Appropriate control activities are employed, such as reconciliations of summary information to supporting detail, checking the accuracy of summarisations of operations, and checking the reliability of data sources and data systems.
- Comparisons are made relating different sets of data to one another so that analyses of the relationships can be made and corrective actions can be taken if necessary.
- Investigation of unexpected results or unusual trends leads to identification of circumstances in which the achievement of goals and objectives may be threatened, and corrective action is taken.
- Analysis and review of performance indicators and results are used for both operational and financial reporting control purposes.

Quality of performance measures and indicators

Category: The organisation monitors the quality of performance measures and indicators.
Control activities:
- The organisation periodically reviews and validates the propriety and integrity of performance measures and indicators.
- Performance measurement assessment factors are evaluated to ensure they are linked to mission, goals and objectives, and are balanced and set appropriate incentives for achieving goals while complying with law, regulations and ethical standards.
- Actual performance data is continually compared against planned goals and differences are analysed to establish whether the right things are being measured in the right way.

Human resource management

Category: The organisation effectively manages its workforce to achieve results.
Control activities:
- A clear and coherent shared vision of the organisation's mission, goals, values and strategies is explicitly identified in the strategic plan, annual performance plan and other guiding documents, and that view has been clearly and consistently communicated to all employees.
- The organisation has a coherent overall manpower planning strategy, as evidenced in its strategic plan, performance plan or separate manpower planning document, and that strategy encompasses manpower planning policies, programs and practices to guide the organisation.
- The organisation has a specific and explicit workforce planning strategy linked to the overall strategic plan and that allows for identification of current and future manpower planning needs.
- Senior leaders and managers support teamwork, reinforce the shared vision of the organisation and encourage feedback from employees, as evidenced by actions taken to communicate this to all employees and the existence of opportunities for management to obtain feedback.
- The organisation's performance management system is given a high priority by top-level officials and it is designed to guide the workforce to achieve the organisation's shared vision/mission.
- Procedures are in place to ensure that staff with appropriate competencies are recruited and retained for the work of the organisation, including a formal recruiting and hiring plan with explicit links to skill needs the organisation has identified.
- Employees are provided with information, training and tools to perform their duties and responsibilities, improve performance, enhance their capabilities and meet the demands of changing organisational needs.
- Qualified and continuous training is provided to ensure that internal control objectives are being met.
- Meaningful, honest, constructive performance evaluation and feedback are provided to help employees understand the connection between their performance and the achievement of the organisation's goals.

Information processing

Category: The organisation uses a variety of control activities suited to information processing systems to ensure accuracy and completeness.
Control activities:
- Edit checks are used in controlling data entry.
- Accounting for transactions is performed in numerical sequences.
- File totals are compared with control accounts.
- Exceptions or violations indicated by other control activities are examined and acted upon.
- Access to data, files and programs is appropriately controlled.

Physical Control Over Vulnerable Assets

Category: The organisation uses physical controls to secure and safeguard vulnerable assets.
Control activities:
- Physical safeguarding policies and procedures have been developed, implemented and communicated to all staff.
- The organisation has developed a disaster recovery plan which is regularly tested, updated and communicated to staff.
- The organisation has developed a plan for the identification and protection of any critical infrastructure assets.
- Assets that are particularly vulnerable to loss, theft, damage or unauthorised use, such as cash, securities, supplies, inventories and equipment, are physically secured and access to them controlled.
- Assets such as cash, securities, supplies, inventories and equipment are periodically counted and compared to control records, and exceptions examined.
- Cash and negotiable securities are maintained under lock and key and access to them strictly controlled.
- Forms such as blank checks and purchase orders are sequentially pre-numbered and physically secured, and access to them strictly controlled.
- Mechanical check signers and signature plates are physically protected and access to them strictly controlled.
- Equipment vulnerable to theft is securely fastened or protected in some other manner.
- Identification plates and numbers are attached to office furniture and fixtures, equipment and other portable assets.
- Inventories, supplies and finished items/goods are stored in physically secured areas and protected from damage.
- Facilities are protected from fire by fire alarms and sprinkler systems.
- Access to premises and facilities is controlled by fences, guards and/or other physical controls.
- Access to facilities is restricted and controlled during nonworking hours (alarms, CCTV, etc.).

Separation of duties

Category: Key high risk and sensitive duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud.
Control activities:
- No one individual is allowed to control all key aspects of a transaction or event.
- Responsibilities and duties involving transactions and events are separated among different employees with respect to authorisation, approval, processing and recording, making payments or collection of income, review and auditing, and the custodial functions and handling of related assets.
- Duties are assigned systematically to a number of individuals to ensure that effective checks and balances exist.
- Where feasible, no one individual is allowed to work alone with cash, securities or other assets.
- The responsibility for opening mail which contains cash is assigned to individuals who have no responsibilities for, or access to, files or documents pertaining to accounts receivable or cash accounts.
- Bank accounts are reconciled by staff who have no responsibilities for cash receipts, disbursements or custody.


Authorisation for transactions or events

Category: Appropriate staff is authorised for transactions and other significant events.
Control activities:
- Controls ensure that only valid transactions and other events are initiated or entered into, in accordance with management decisions and directives.
- Controls exist to ensure that all transactions and other significant events are authorised and executed only by employees acting within the scope of their authority.
- Authorisations are clearly communicated to managers and employees and include the specific conditions and terms under which authorisations are to be made.
- The terms of authorisations are in accordance with directives and within limitations established by law, regulation and management.

Recording transactions and events

Category: Transactions and other significant events are properly classified and promptly recorded.
Control activities:
- Transactions and events are appropriately classified and promptly recorded so that they maintain their relevance, value and usefulness to management in controlling operations and making decisions.
- Proper classification and recording take place for each transaction or event.

Accountability for and access restrictions to resources and records

Category: Access to resources and records is limited and accountability for their custody is clearly allocated.
Control activities:
- The risk of unauthorised use or loss is controlled by restricting access to resources and records only to authorised staff.
- Accountability for resources and records custody and use is assigned to specific individuals.
- Access restrictions and accountability assignments for custody are recorded and periodically reviewed.
- Periodic comparison of resources with the recorded accountability is made to determine if the two agree, and differences are examined.
- How frequently actual resources are compared to records, and the degree of access restrictions, are functions of the vulnerability of the resource to the risk of errors, fraud, waste, misuse, theft or unauthorised alteration.
- Management considers such factors as asset value, portability and exchangeability when determining the appropriate degree of access restrictions.
- As a part of assigning and maintaining accountability for resources and records, management inform and communicate those responsibilities to specific individuals within the organisation and ensure that those people are aware of their duties for appropriate custody and use of those resources.

Documentation

Category: Internal control, transactions and other significant events are clearly documented.
Control activities:
- Written documentation exists covering the organisation's internal control structure and for all significant transactions and events.
- The documentation is readily available for examination.
- The documentation for internal control includes identification of the organisation's activity-level functions and related objectives and control activities, and appears in management directives, administrative policies, manuals and other guidance.
- Documentation for internal control includes documentation describing and covering management information systems, data collection and handling, and the specifics of general and application control related to such systems.
- Documentation of transactions and other significant events is complete and accurate and facilitates tracing the transaction or event and related information from authorisation and initiation, through its processing, to after it is completed.
- Documentation, whether in paper or electronic form, is useful to those involved in controlling, evaluating or analysing operations.
- All documentation and records are properly managed, maintained and periodically updated.

General computer controls

Category: The organisation periodically performs a comprehensive high-level assessment of risks to its information systems
- Risk assessments are performed and documented regularly and whenever systems, facilities or other conditions change.
- Risk assessments consider data sensitivity and consistency.

Category: Effective computer security controls are in operation and are monitored
- The organisation has developed a plan that clearly describes the organisation-wide security plan and policies and procedures that support it.
- Senior management have established a structure to implement and manage the IT security program throughout the agency, and security responsibilities are clearly defined.
- The organisation monitors the security plan's effectiveness and makes changes as needed.
- Corrective actions are promptly and effectively implemented and tested, and they are continually monitored.

Category: Effective computer access controls are in place and are monitored
- Information resources are classified according to their criticality and sensitivity.
- Resource classifications and related criteria have been established and communicated to resource owners.
- Resource owners have classified their information resources based on approved criteria and with regard to risk determinations and assessments, and have documented those classifications.
- Resource owners have identified authorised users, and their access to the information has been formally authorised.
- The organisation monitors information systems access, investigates apparent violations and takes appropriate remedial action.
- The organisation has established physical and logical controls to prevent or detect unauthorised access.

Category: Application software development and change controls are in place and are monitored
- Application software modifications are properly authorised.
- All new or revised software is thoroughly tested and approved.
- The organisation has established procedures to ensure control of its software libraries, including labelling, access restrictions, and use of inventories and separate libraries.
- All key activities are monitored.

Category: Effective system software controls are in place and are monitored
- The organisation limits access to system software based on job responsibilities, and access authorisation is documented.
- Access to and use of system software are controlled and monitored.
- The organisation controls changes made to system software.

Category: There is effective separation of duties for IT operations
- Incompatible duties have been identified and policies implemented to segregate those duties.
- Access controls have been established to enforce segregation of duties.

Category: Controls ensure the continuity of IT services
- The criticality and sensitivity of computerised operations have been assessed and prioritised, and supporting resources have been identified.
- The organisation has taken steps to prevent and minimise potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
- Management have developed and documented a comprehensive IT service contingency plan.
- The organisation periodically tests the contingency plan and adjusts it as appropriate.

Computer application controls

Category: Source documents are controlled and require authorisation
- Access to blank source documents is restricted.
- Source documents are pre-numbered sequentially.
- Key source documents require authorising signatures.
- For batch application systems, batch control sheets are used, providing information such as date, control number, number of documents and control totals for key fields.
- Senior management or independent review of data occurs before it is entered into the application system.
- Data entry terminals have restricted access.
- Master files and exception reporting are used to ensure that all data processed are authorised.

Category: Completeness controls
- All authorised transactions are entered into and processed by the computer.
- Reconciliations are performed to verify data completeness.

Category: Accuracy controls
- The organisation's data entry design features contribute to data accuracy.
- Data validation and editing are performed to identify erroneous data.
- Erroneous data is captured, reported, investigated and promptly corrected.
- Output reports are reviewed to help maintain data accuracy and validity.

Category: Control Over Integrity of Processing and Data Files
- Procedures ensure that the current version of programs and data files are used during processing.
- Programs include routines to verify that the proper version of the computer file is used during processing.
- Programs include routines for checking internal file header labels before processing.
- The application protects against concurrent file updates.
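The source-document, completeness and accuracy controls listed above can be enforced automatically when a batch is taken in. The following is an added example, not part of the manual; the record layout, field names and sample data are constructed assumptions. It checks a batch against its batch control sheet: document count, pre-numbered sequence, control total for a key field, and authorising signature.

```python
"""Batch intake check against a batch control sheet (added illustration).
Record layout, names and sample data are hypothetical, not from the manual."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class SourceDocument:
    serial: int          # pre-printed sequential number
    amount: Decimal      # key field covered by the control total
    authorised_by: str   # authorising signature, "" when missing


@dataclass(frozen=True)
class BatchControlSheet:
    control_number: str
    date: str
    first_serial: int        # first pre-numbered document in the batch
    document_count: int
    amount_total: Decimal    # control total for the key field


def verify_batch(sheet, documents, authorised_signers):
    """Return exception strings for the exception report; [] means the batch is clean."""
    exceptions = []

    # Completeness: number of documents received vs. the control sheet.
    if len(documents) != sheet.document_count:
        exceptions.append(
            f"count mismatch: sheet={sheet.document_count} received={len(documents)}")

    # Completeness: every pre-numbered document present exactly once.
    expected = set(range(sheet.first_serial, sheet.first_serial + sheet.document_count))
    seen = set()
    for doc in documents:
        if doc.serial in seen:
            exceptions.append(f"duplicate serial {doc.serial}")
        seen.add(doc.serial)
    exceptions += [f"missing serial {s}" for s in sorted(expected - seen)]
    exceptions += [f"unexpected serial {s}" for s in sorted(seen - expected)]

    # Accuracy: recomputed control total vs. the control sheet (Decimal, not float).
    computed = sum((doc.amount for doc in documents), Decimal("0"))
    if computed != sheet.amount_total:
        exceptions.append(
            f"control total mismatch: sheet={sheet.amount_total} computed={computed}")

    # Authorisation: each document carries a signature from the approved list.
    for doc in documents:
        if doc.authorised_by not in authorised_signers:
            exceptions.append(f"serial {doc.serial}: no valid authorising signature")
    return exceptions


# Constructed sample data.
SIGNERS = {"officer_a", "officer_b"}
SHEET = BatchControlSheet("B-0001", "2010-01-15", 1001, 4, Decimal("5400.00"))
CLEAN_BATCH = [
    SourceDocument(1001, Decimal("1200.00"), "officer_a"),
    SourceDocument(1002, Decimal("1500.00"), "officer_b"),
    SourceDocument(1003, Decimal("1600.00"), "officer_a"),
    SourceDocument(1004, Decimal("1100.00"), "officer_b"),
]
# Document 1003 replaced by a second copy of 1002; 1004 lacks a signature.
TAMPERED_BATCH = [
    SourceDocument(1001, Decimal("1200.00"), "officer_a"),
    SourceDocument(1002, Decimal("1500.00"), "officer_b"),
    SourceDocument(1002, Decimal("1500.00"), "officer_b"),
    SourceDocument(1004, Decimal("1100.00"), ""),
]

if __name__ == "__main__":
    for line in verify_batch(SHEET, TAMPERED_BATCH, SIGNERS):
        print(line)
```

The document count alone would pass the tampered batch (four documents received, four expected); the sequence check and the control total are what expose the substitution.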


Annex 3 - Illustrations for cost benefit analysis

Example 1

You are considering hiring a junior clerk to carry out a 100 per cent check on all payments your spending unit makes (checking each agrees to the supporting documents) to ensure the correct amount is paid. This is an ex-ante control, as the check is made prior to the payment. You estimate that this task will occupy the junior clerk for 100 per cent of their working time.

Cost of the junior clerk: 2500 YTL a month (1200 salary plus 1300 contribution to overheads, e.g. heating the building).

Scenario A

Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 3000 YTL a month.

Decision – this control activity is cost effective and the junior clerk should be employed to do this checking.

Scenario B

Cost: same as above.

Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 2000 YTL a month.

Decision – this control activity is not cost effective and the junior clerk should not be employed on a full time basis to do this checking. You can rely on other controls instead.

Possibilities:

- Focus checking on only the highest value or riskiest payments – this will only employ the clerk for 50 per cent of their time. If you estimate that it will find, on average, errors of overpayment of 1600 YTL a month (i.e. over 50 per cent of the clerk's cost), this is a better alternative control; or
- Don't do any checking – rely on separation of duties control (different clerk raises payment to the one that enacts the payment) to prevent fraudulent overpayments.

Example 2

You do not currently employ any public relations expert.

In the absence of any control on dealings with the press, you assess the risk of reputational damage as being high likelihood and high impact.

Cost of the expert in public relations: 4500 YTL a month (2500 salary plus 2000 contribution to overheads, e.g. heating the building).

Scenario 1

You have a low risk appetite in terms of reputational damage and consider that the benefit of all dealings with the press going through the expert in public relations will successfully mitigate the risk to within your risk appetite (by considerably reducing the likelihood of reputational damage through ill-advised comments being given to the press). You consider that this risk mitigation is so important to your administration that it justifies the employment of the expert in public relations.

Decision: you employ the expert in public relations.

Scenario 2

You have a high risk appetite in terms of reputational damage and consider that the risk of reputational damage through ill-advised comments being given to the press, without employing the expert in public relations, is equal to or less than your risk appetite for this risk. You thus consider that the benefit of employing the expert is outweighed by the cost. You therefore consider that it is not cost-effective to employ the expert in public relations.

Decision: you do not employ the expert in public relations.

Action: as you are equal to or less than your risk appetite for the reputational risk, you need not select an alternative control activity, but you should continue to review in the future, as the decision may be changed if your risk appetite reduces or your assessment of the likelihood and/or impact of the risk increases.


INFORMATION AND COMMUNICATION

1 INTRODUCTION

Information and communication, as the fourth of the five components of the COSO internal control model, ensures the relation between control environment, risk assessment and control activities through sharing information and communication. It has an important role in increasing the functionality and operational competence of the internal control system, which is regarded as a tool for attaining organisational objectives and aims, as it regulates information flow within the administration.

The aim of this chapter of the manual is to give information, within the framework of internal control standards, about structures and practices related to the use of information and communication mechanisms, and to provide guidance for users about reporting, registry and filing systems and methods to be used in notifying faults, irregularities and corruptions, with a view to ensuring that administrations carry out their activities in line with their objectives as well as accounting for their activities.

Communication refers to transformation and conveyance of information within the organisation, vertically and horizontally, and externally, via proper mechanisms, to relevant people, administrations and bodies. Administrations must aim to establish an effectively managed and well coordinated communication system for the information that meets the information needs of managers, staff and the public.

In the event that information and communication systems do not function as expected, managers and staff may come up against the risk of not being able to make timely and right decisions, not being able to implement those decisions and, ultimately, not being able to achieve the objectives. In this regard, information should be accessible, useful, timely, accurate, complete and up-to-date.

2 Information and Communication Standards

Information and communication includes the information, communication and record system which will ensure transfer of required information to the person, personnel and the administrator who need the information, in a determined format and in a time period which enables those concerned to fulfil internal control and their other responsibilities.

IC Box 1 Information and Communication Standards

[Figure: internal control components: Control Environment, Risk Management, Control Activities, Info & Communication, Monitoring]

Standard 13 Information and communication

The administrations shall have a suitable information and communication system with a view to ensuring that the performance of the units and the personnel is monitored, decision making processes operate soundly and efficiency and satisfaction in providing service

Standard 14 Reporting

Goals, objectives, indicators and activities of the administration, and the results of them, shall be reported in accordance with the principles of transparency and accountability.

Standard 15 Record and filing system

The administrations shall have a comprehensive and up-to-date system where the works and transactions, including incoming and outgoing documents, are recorded, classified and filed.

Standard 16 Notification of faults, irregularities and corruptions

The administrations shall develop methods which will ensure that the faults, irregularities and corruptions are notified in a specific order.

3 ROLES AND RESPONSIBILITIES IN INFORMATION AND COMMUNICATION

Minister

Ensures coordination and cooperation with other ministries, and informs the public and the TGNA about the annual performance programme and activity report submitted to him by the administration.

Head of Administration

The Head of Administration must publish an announcement, via the internal communication network or an official letter, on what to do before the preparation of such documents as the strategic plan, performance program, activity report, and Risk Strategy and Policy Paper, which need to be prepared in a way which will ensure attainment of pre-identified objectives in the fields the administration is responsible for.

Another duty of the Head of Administration is to sign the internal control assurance declaration and inform the public and the Minister.

As the quality of the information exchange and communication between the Head of Administration and the other actors has a direct effect on the accountability of the Head of Administration, the Head of Administration must guide the relevant units about the frequency and methods of feedback he prefers.

The Head of Administration must take notice of whether the current information system meets the needs during the set up and integration of new information systems. If a new system is to be set up, it must be designed by taking integration with the other information systems into consideration.

Internal Auditor

As prescribed by the Law no. 5018, the internal auditors work to assess the internal control system under the Head of Administration. In this regard, internal auditors report to the Head of Administration whether the internal control system functions properly or not. Therefore, to be able to carry out their duties, internal auditors should be given unlimited access to every kind of information they need. Setting up such a mechanism depends on robust communication and flow of information between the internal auditors and Heads of Administration.

The Head of Administration is entitled to take preventive or corrective actions and develop new control activities based on the report submitted by the internal auditor, or request additional reports.

Authorising Officer

Authorising Officers must ensure that tasks, powers and responsibilities of staff are defined clearly and in writing and communicated to all staff. In this framework, a chart of duties which demonstrates the functional reporting network must be produced and communicated to the staff. A communication network that ensures quick and timely access by the staff and managers to the activities and the results must be used. In this regard, the organisational chart of the administration can also include a diagram which shows the tasks of the sub-units and the responsible and authorised staff on the intranet and internet. The Authorising Officer must ensure that sub-units are informed about the activities of each other.

Authorising officers:

- must ensure that an electronic communication and archiving system is used effectively for the accurate and reliable acquisition, storage and communication of the information needed regarding the objectives, activities and indicators that are relevant to their respective units from among those included in the strategic plan and performance program of the administration;
- must provide for the regular announcement of the status of realisation regarding the performance objectives and indicators related to their respective units, and the grounds for the data, on the webpage of the unit;
- must provide information for periodical reporting to the SDUs that will be carried out by authorising officers (information about objectives and risks of the unit, status of realisation, etc.);
- should transfer timely, complete and accurate information and documents regarding financial transaction processes to the Accounting Officer and set up mechanisms to store records and statistics.

Realisation Officer

Realisation officers, who are responsible for issuing spending orders, must periodically brief the authorising officer on the spending process. In this regard, information on the spending order being complete, accurate, understandable and reliable plays a significant role in realisation officers fulfilling their tasks as requested from them.

Accounting Officer

The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way. Accounting Officers must regularly report to the authorising officer on the accounting records.

Strategy Development Units

SDU managers must review the information included in the activity reports, performance programmes and strategic plans by holding periodic meetings with the authorising officers of other units. Personnel of SDUs must obtain the information that is needed in the field of financial management and control through these persons.

Necessary coordination for the formation of the team to carry out the studies on the establishment and development of Information Management Systems within the administration is provided by the SDU.

In fulfilment of the coordination duties of SDUs, which are defined by laws, the Principles and Procedures of Internal Control and Ex-ante Financial Control, the Strategy Planning Guideline, the Legislation and Manual on Performance Programs to be Prepared in Public Administrations, and secondary and tertiary regulations such as the Budget Preparation Manual must be taken into consideration.

SDUs must have a webpage where they have forums, good practice examples and frequently asked questions to ensure communication with internal and external stakeholders, in order to carry out their tasks more effectively.

Central Harmonisation Unit

While carrying out its tasks in the field of information and communication:

- CHU sets up a common (web-based) network where information can be shared.
- They organise trainings, panels and conferences for the actors that take part in the field of internal control.
- CHU members are assigned to be responsible for particular administrations to enhance information and communication with SDUs of administrations. They communicate with SDUs and provide them with information and guidance via official letters, call centres, telephone, forums, etc.

Please refer to the CHU Handbook for further details on the roles and responsibilities of CHU.

Besides practices and methods in the area of information and communication given in this manual, public administrations must also take into consideration those regulations in the legislation which are directly related to the area of information and communication. These basic regulations are contained in IC Annex I.

4 INFORMATION

The prerequisite for reliable and proper information is immediate recording and suitable classification of all operations and transactions. Internal control includes obtaining, classifying, recording, utilising and reporting both financial and non-financial information.

4.1 Characteristics of Information

Characteristics that the information which is used in public administrations must have are given below.

- Timely: Information should be obtained and transferred at the right time by the right personnel.
- Related: Information should be related to every activity, work or action.
- Available: Information holdings should be available to those who require them the moment they need it and also later. Technology should be available to users in order to facilitate obtaining, storing, transferring and using information.
- Comprehensible: The description of information holdings must have the same meaning for users at all levels of the administration. In addition, information that is shared with external stakeholders must be clear and meaningful for the users.
- Usable: Information must meet the needs of its users in relation to the purposes for which it was received.
- Complete: Both the content and form of information should be complete in order to provide for efficient and effective use of information holdings.
- Accurate: Information must be able to reflect the points regarding the aims, objectives and activities it is related to accurately and correctly.
- Up-to-date: Information must be updated and related to the needs. A lack of up-to-date information can impair decision making and program delivery. Managers and personnel should take necessary actions to keep information up-to-date.

4.2 Information Management

Information management is a process where information is planned and obtained from any kind of source, internally or externally, classified, stored, communicated to relevant bodies in a timely manner for interpretation, reviewed for updating and destroyed. The stages of this process are complementary to each other. In any stage, there may occur a need to take into consideration the phases of the previous or next stage.

[IC Figure: Information Management Process. Stages shown: Planning information need; Organising information; Creating and collecting information; Reviewing and keeping information; Utilising and sharing information]

4.2.1 Planning Information Need

The planning stage starts with identifying strategic aims and objectives and performance objectives, as well as identifying information needs to achieve these objectives. This stage includes the assessment of who needs what information, when and why, and how they can acquire it, at all levels from the operational to the strategic activity level, in order for the administration to maintain its operations effectively.

In the planning stage, the following factors must be taken into consideration:

- Internal and external information users must be defined and classified. Information needs of users must be determined. Information holdings must be examined to see whether the current information need of the users can be met using them.
- While novel databases and information systems are designed, the risk for the information to be disseminated to the public must be considered.
- The benefit and cost of information in terms of the users must be analysed.
- The information need for new legislative, strategic and operational aims must be defined along with the relevant information system requirements; furthermore, the person and the time to do this work must be set out.
- Emerging information needs must be compared to the present information and information systems within and outside the administration.
- For increasing the value or productivity, or decreasing the cost, of the systems in use, such methods as combining information systems, using novel technologies and standard practices can be referred to.

Value of information is not only about how it is used and kept, but also about how and when it is going to be destroyed. Many factors, such as legislation, information policies and needs, may have an impact on how long to keep that information. Information which is being kept should be destroyed in accordance with the relevant legislation after necessary approvals have been received.

4.2.2 Creating and Collecting Information

While producing and collecting information, first of all the value of the information for the administration must be set out, and it should be made sure that the people in need of information do have access to it on time.

The information collection and creation process should focus on the following, and information collected or created must have the capacity to meet the needs of the administration. To this end:

- The holdings must be periodically reviewed in order to determine if the information that is created or collected continues to meet the identified needs, and it must be followed up whether users really use the information. A great deal of information can still be unnecessarily collected for a reason that was identified in previous periods. If the administration decides to stop collecting that information, firstly it must set out whether any individual or program would be affected.
- Quality and scope of information, as well as its relation to the defined needs and whether it meets the needs or not, should be understood in regular reviews. In addition, implicit information of the staff must be turned into explicit information and incorporated into the information inventory. The information produced as a result of the process studies must be classified starting from the most frequently used to the least.
- Information must be compiled in information pools to be created. This information must be clear and understandable. The information in the pool must be open to access upon being classified in accordance with the information hierarchy, such as strategic and operational. Management of the information pool must be carried out by a team who are competent in the processes to be formed within the administration.
- Legislation or policies may demand that certain information be collected by an administration. Therefore, information that is collected must meet legislative and institution-specific policy requirements.

Information collection must be coordinated. To this end:

- all information collection activities must be accounted for, including all regions and organisational units, and information collected must be accessible;
- the administration must ensure that information collection conforms to the applicable standards;
- information must be periodically reviewed in order to ensure that the requirements of the relevant legislation are respected. This might be done during the annual update of personal information; and
- before information is created or collected, existing information holdings must be reviewed to determine if the information needs can be satisfied by existing holdings or readily accessible external information sources.

The following are the leading sources of information:

- instructions, approvals, invoices, transaction orders, petitions;
- interactions between clients, vendors or other ministries and agencies;
- planning documents: budgets, forecasts, work plans, blueprints (technical or engineering designs);
- drafts, schemes of information architecture;
- reports, policy briefing notes, other documents supporting the activities and justifications;
- meeting documents: agendas, records of decision;
- commission documents, job descriptions, member lists;
- requests for information and the responses, emails, forms used to collect responses, templates, related instructions, responses in every format;
- client records, applications, evaluations, emails, phone calls;
- every kind of data in electronic medium; and
- information resources which could provide additional information.

Collecting Information from Public/Private Sector

The response burden should be minimised to the lowest level possible in this process. To this end:

- the administration should determine from whom it will receive information, at what frequency and in what detail, as well as what burden this process will create upon respondents; and
- there should be cooperation with other administrations in such issues as undertaking joint collection or information sharing.

The forms should meet all statutory and policy requirements. To this end:

- all the forms in both paper and electronic media must be reviewed before they are put into use to ensure that applicable requirements are met. Furthermore, the responsible person must be assigned.

4.2.3 Organising Information

The aim of organising information is to establish a link between the operations of the administration and usage, sharing, retrieving, archiving and destroying of information, and to facilitate the process for administrations and the other stakeholders.

The following steps must be taken for an efficient information organisation:

- it must be ensured that users, both internal and external to the administration, are satisfied with their access to information. Methods should be established to measure user satisfaction (such as user surveys and questionnaires applied after completion of certain services, as well as periodically applied questionnaires);
- the custodians of information holdings (e.g. Data Processing Departments, Library Services, etc.) must identify the information needs of users and improve their services to better meet the needs of users for quick and easy access, e.g. shortening response time, using efficient and effective technology for transmission, designing a user-friendly system;
- information must be available for public dissemination and communicated to the public where and when appropriate, for instance by establishing such structures as e-libraries to facilitate public access;
- information available for use by the other administrations must be checked to see whether it is subject to any legal or policy constraints;
- administrations must have an up-to-date publications catalogue, which must be deposited in the administration's library. Published material must be catalogued according to established standards; and
- all the documents published by the administration must be accessible on the webpage of the administration.

Registering, Filing and Archiving of Information

Registry and Filing

To ensure effective management, any kind of document, including electronic ones, internal communications, operations and transactions, must be recorded, classified, filed and archived; there must be a comprehensive and up-to-date system for this.

If meaningful and valuable information for the control of activities and decision making is desired, all the operations and transactions must be instantly recorded.

In order to ensure the quality of information and reporting, fulfilment of internal control activities and responsibilities, and effective and efficient monitoring activities, all transactions need to be completely and clearly documented.

These documents should be easily accessible where needed.

The documents of the internal control system should include the structure and policies of the administration, types of activities, related objectives and control procedures.

The process of registry should be applied in a way that it will cover all the stages of a transaction, including the start and approval stages, until their final classification. This is also the case for the regular updating of documents.

Regardless of the media they are received in (such as paper, fax, e-mail or electronic), documents should be recorded and kept within the framework of a registry plan which is suitable at least to one official file.

Registry procedures must be communicated to staff in writing.

In this context, Standard Filing Plan no. 2005/7, issued in the Official Gazette no. 25766 dated 24 March 2005 and prepared under the coordination of the Prime Ministry General Directorate of State Archives, must be taken as the basis to establish a common method for all public administrations to file all the documents, including electronic ones, and ensure fast and easy access to them where necessary.

Ensuring standardisation in the filing system would help achieve harmony within the institution and, if it can be disseminated among all organisations, it would form a basis for an efficient and effective communication system across the country.

Standardisation of Filing services would

ensure that documents about same issues are codified using same numbers in all

organisations

facilitate easy and fast access to the right information and documents requested and

make sorting classifying keeping the documents and putting them into service easier as

standard file numbers will refer to the same issues in all organisations

ensure integrity and easiness in the establishment of a tidy fast effective and efficient

system of document and file and communication

provide infrastructure for the automation of documents and correspondences and

establishment of information networks among organisations and

facilitate internal and inter-organisational file and operation tracking The document or

information looked for would be easily found in a short period of time

The task of carrying out studies on the registry, usage and archiving of electronic documents has been assigned to the General Directorate of State Archives upon Decision no. 7 dated 9 September 2004 of the e-Transformation Executive Board, in accordance with the Prime Ministry Circular number 2008/16 on Electronic Document Standards published in the Official Gazette number 26938 and dated 16 July 2008, and TSE Standard number 13298 has been published. This Standard is a main source for electronic document management systems to be used by all public organisations.

Electronic document management systems to be established by the administrations will comply with TSE Standard no. 13298 and, furthermore, inter-organisational sharing of electronic documents produced will be carried out by the criteria on electronic document sharing services as set out on the web address www.devletarsivleri.gov.tr.

Archiving Services

Archiving services include identification of the materials the administrations and the staff have that will become archive materials in the future, their protection against any losses, preservation under proper conditions, utilisation in accordance with national interests, cropping, and disposal if not deemed necessary to maintain. Principles and procedures on archiving services have been set out in the Regulation on State Archiving Services published in the Official Gazette number 19816 and dated 16 May 1988, and amended by the Official Gazette number 25735 and dated 22 February 2005.

As per this regulation, administrations have to take necessary precautions to protect information and documents against disasters, theft, fire etc., set out the procedures for the preservation of confidential documents, take the measures to ensure that the documents remain legible in the future, and inform the managers and the staff about the proper periods of preservation for the documents.

4.2.4 Using and Sharing Information

Using and sharing information is crucial in terms of accountability and transparency for those who take part in the activities of the administration and other stakeholders.

Information is an asset which renews itself, turns into a new form and becomes more valuable as it is communicated and shared. Therefore, regular communication and circulation of information within an administration is a principle of information management. Sharing administrative information reflects a cycle in which the information is communicated to the relevant persons, administrative works are notified, reactions of the personnel are received, and reactions are assessed, evaluated and communicated back to the relevant persons.

The following must be considered while using and sharing information:

• Comply with privacy, security and legal restrictions.
• Whenever possible, use electronic media to share information resources (email, repositories, websites and so on).
• Ensure that information remains complete, accurate, up-to-date, relevant and understandable.
• Verify the accuracy and reliability of information (especially when conducting web-related research).
• Take advantage of administrative investments in information resources (magazine and journal subscriptions, databases, online library services and so on) while respecting copyright, licensing and intellectual property rights.
• When retaining information that has been 'copied', indicate the source, whether it is from an information resource already saved in the organisation repository, from a publication or from a website.

Furthermore, transferring information from those who leave their jobs to those starting a new job is crucial to the continuity of the activity in an administration. In this context, the following should be taken into consideration.

IC Table 1: What to do when leaving and starting a job

When leaving a job:

• Discussing your responsibilities with your manager when leaving the job, and determining and monitoring the internal policies for the administrative closure of your business processes
• Providing pertinent information about everything you leave for your successor, explaining why it will be needed
• Backing up all the information in the electronic medium related to the job and transferring it to the information pool
• Transferring the documents under your responsibility to the relevant successor
• Creating a list of job-related website addresses, a summary of ongoing projects and related contact information, and an inventory of information resources (including file numbers) that will help your successor get used to his or her new job
• Returning or extending the deadline of the material that was borrowed from the library
• Removing the former employee's name from distribution lists

When starting a new job:

• See if any electronic and paper information resources of business value have been transferred to your custody
• Take note of any instructions or messages you receive regarding access to electronic tools such as a shared drive, business system or repositories
• Familiarise yourself with your information management responsibilities and practices
• Take part in training sessions on information management and recording
• Add the new employee's name to the distribution list

4.2.5 Reviewing and Protecting Information

Organisations must periodically review such main processes of information management as planning, producing, collecting, defining, accessing and using information, and share the results with managers.

Therefore, attention must be paid to the following:

• Store the information in a manner that preserves its form and status, keeping its structure, context and content intact.
• Mark each information resource according to its proper security classification, either on the paper or electronic document.
• Protect classified and protected information by ensuring it isn't left in waste or recycle containers and by storing it in locked desks or cabinets after work hours and during extended periods of absence.
• Implement effective access control procedures, ensuring that classified and protected information is only made available on a need-to-know basis to those who are authorised to access it.
• The level of protection must be consistent with the level of risk.
• Take the requests for access and usage from other users into consideration and assess their compliance with the legislation.
• Periodically back up the information for protection purposes.

4.3 Information Security

Information can be stored on paper, it can be kept in the electronic format, or transferred verbally as well. Regardless of its form, information must be properly recorded and protected. Information security means safeguarding valuable assets in an administration against loss, misuse or damage.

The aim of information security is to ensure the following:

• Safeguarding data integrity
• Preventing unauthorised access
• Respecting privacy and secrecy
• Continuity of the system

4.3.1 Information Security Management System

An information security management system is a systematic approach adopted so that the organisation's sensitive information that needs protection is managed properly. The main objective of this system is safeguarding, storing and making the sensitive and critical information available where necessary.

Setting Up an Information Security Management System

In order to establish an information security management system:

• Primarily, the decision must be taken on whether the system will cover the entire organisation or a part of it.
• Secondly, a policy that sets out the objectives must be introduced.
• Finally, a systematic risk assessment approach must be adopted and potential risks must be identified and mitigated as appropriate.

Requirements of an Information Security Management System

The following are the requirements for an efficiently operating Information Security Management System:

• Support and ownership by top management and managers of the administration must be ensured.
• Information management should not be regarded as merely a technical issue and a job only for the Data Processing Department. The system must have the potential to reach its objectives with active participation by all staff of the administration.
• Establishment of an information security management system must not be regarded as an extra burden and waste of time.

Elements/Principles of Security

The risks of compromise to information security, for example hacking, need to be defined and controls to mitigate those risks should be introduced. If these controls are absent or ineffective, that will considerably decrease the efficiency of the information security system.

The main principles of security are confidentiality, integrity, availability, authentication, non-repudiation, responsibility and access control. For more detailed information, see the Turkish Standards Institute TSE-17799 "Information Security Management Standard" document. Furthermore, there are other international models aiming to ensure the security of electronically produced information, such as COBIT, e-SAC (Electronic System Audit and Control) and System Trust, while you can also explore the standards ISO/IEC 27001 and ISO/IEC 27002 (International Organisation for Standardisation).

Also, please refer to the "Regulation on the Principles and Procedures Regarding the Implementation of the Law on Electronic Signature", based on the Law on Electronic Signature number 5070, and the e-Transformation Turkey 2005 Action Plan (Action 5: Current systems at public institutions, particularly central institutions using critical information, will be analysed and information security policies and measures will be developed accordingly; and Action 33: The needs of disaster management of public information system will be identified and recommendations will be developed).

For preserving and storing documents that are kept in written environment, please refer to section 4.2.3 on organisation of the Information Registry, Filing and Archiving System.

4.3.2 Information Security Control Activities

In order to set the level of importance of an item of information, the degree of the effect on the administration that stems from the risk of harm to the "confidentiality, integrity and availability" of the item of information must be defined in the first place. The harm that can be done to these three security features of information systems may have different degrees of effect. For instance, disclosure of top secret information can cause serious harm to an administration, while it may not be that harmful if that information becomes unavailable.

The risks to information security identified must be analysed and ranked, and the cost of the control activities to be established and operated to mitigate those risks must be in proportion to the value of the information protected and the risk identified after examining potential threats. For some ideas of suitable control activities, see the Control Activities chapter.

IC Figure 1: Process of Control Activities for Information Security

The image above is an example of security-related control activities. It demonstrates 4 different attacks. As can be told from the image, attack [1] is immediately prevented at the stage of prevention, while attacks [2], [3] and [4] are not. Of the attacks that manage to survive the prevention process, attack [2] is identified at the stage of detection and eliminated. Attacks [3] and [4] manage to pass the detection stage. At the stage of response, which is the final stage and has been designed in accordance with the level of tolerance decided, attack [3] is eliminated, while attack [4], which survives all stages, damages the system, passing through all security processes.

5 MANAGEMENT INFORMATION SYSTEMS (MIS)

Management information systems are computer-assisted systems (consisting of computer hardware and software) which should ideally provide timely strategic information needed by managers in the form they demand it, so they can make the right decisions on an informed basis.

The aim is the transmission of the right and complete information to the right people in the proper format (form, report, table, graphics etc.). A labour force is needed to run, update and maintain the systems. MIS give information on how the administration is performing in terms of financial information, information regarding the staff, information on the movable/immovable assets, performance information, information from the organisation's document archive etc. against key performance indicators. MIS may also give information on risk management.

Information should be registered, classified, calculated, summarised, reported and stored. Back-up copies of the system should be kept in case the system crashes. If these processes are not done systematically, managers may have incorrect information and thus make the wrong decisions.

While designing MIS, first the civil servants must understand the importance of acquiring and recording reliable and accurate information and be aware of their responsibilities in this regard; then business processes related to the production of information must be defined completely and clearly; and finally support from IT must be obtained.

Some organisations have dispersed information systems; however, the existence of such a structure does not necessarily mean they have MIS. In some cases, information is not related and integrated with all the actions and units of an administration. Data recorded by different units in different systems is stored independently of the other units. Duplication of information in different units of the administration is an inefficient use of resources. Data being entered into a central computerised system ensures that managers have access to information which covers all the administration.

The resistance to information sharing in administrations is a significant problem. In administrations where information is not shared, it is not possible to transmit the accurate and timely information which management needs, and this is an obstacle for MIS. Hence, a culture of information sharing should be encouraged.

5.1 Stages of Establishing MIS

In the development of management information systems, SDUs undertake the task of coordination and provide technical assistance to the spending units. The following process can be followed by the SDUs and the spending units in establishing MIS.

5.1.1 Establishment of the MIS Working Group

A participative method should be adopted in the establishment of MIS in administrations, and the work programme should be produced for a working group to be formed with the participation of representatives from all the spending units under the coordination of the SDU, and tasks should be distributed.

5.1.2 Preparation of the MIS Working Plan

In the working plan:

• To begin with, a comprehensive need analysis should be carried out to identify which type of information the management may need.
• Upon the completion of the need analysis, data provider units for the MIS should be identified. This will provide a significant infrastructure for the information map to be produced.
• The properties of the current information system of the administration and related problems and solution recommendations should be disclosed; what needs to be done to solve the problems and what is aimed should be determined; and structures should be set up in the administrations to support production and sharing of information.
• Cost and benefit aspects of the system planned to be established should be considered.
• The potential risks relating to MIS should be identified and a risk management process should be carried out. The control activities to be applied for the risks with high significance and likelihood should be determined.
• A good MIS must be flexible enough to keep up with the changes occurring inside and outside the administration. Besides, success criteria of the system, such as inclusion of early warning mechanisms, should be determined.
• In the medium term, a corporate information map must be prepared that will cover the entire organisation. Preparation of a corporate information map would ensure quick access to the information and expertise needed. The information map must be produced primarily at unit level and then at individual level, considering their level of expertise and experience. While forming such a structure, organisational charts or documents for distribution of tasks within the units at a more special level can be made use of. Production of the corporate information map and its proper operation would ensure that the following question is answered easily: "Who knows what?" For instance, quick identification of who (which department, which employee etc.) has information about staff, budget or archives, and of the relation among this information, will be ensured.
• Establishment of MIS can be initiated by pilot implementations in the units. Using pilot implementations as a starting point and ascertaining how the system works will ensure economy in terms of time, cost and labour force. Potential mistakes to be made in the further stages of the process can be prevented by eliminating the shortcomings and correcting the mistakes observed during the pilot implementations.

5.1.3 Monitoring/Assessment

Periodic reports must be produced and presented to the top management during the establishment of MIS to show the progress in the development of the system. Action must be taken against the problems identified at this stage to ensure performance of the activities as planned.

Studies about the fulfilment of MIS services in administrations must be carried out upon the approval and under the supervision of the head of administration. Furthermore, the head of administration must inform the related units on the working method adopted.

An MIS needs to be dynamic to keep pace with changes in technology or in the demands for information by management.

5.1.4 Related Legislation

Law no. 5436, which amends Law no. 5018, prescribes the establishment of SDUs and assigns them with the task of providing the services related to MIS.

In the Regulation on the Working Principles and Procedures of SDUs, providing the services regarding MIS and carrying out studies for the establishment of the system are listed among the tasks of the SDUs.

6 COMMUNICATION

Communication is the exchange of information among individuals and/or organisations to support service delivery, decision making, and sharing, carrying out and coordinating activities. It plays a central role in the development of a robust internal control system and helps management to make decisions by providing feedback on how all the components of internal control are working.

An administration needs information at all levels to achieve its objectives and manage risks. In this context, information flows can take place both horizontally and vertically, as well as from outside the organisation.

Information must be properly communicated within an administration to the managers and/or staff in need of it on a timely basis in order for them to fulfil their responsibilities and ensure coordination with other units. External communication with the beneficiaries, suppliers and stakeholders such as other public administrations is also essential for effective internal control.

Communication can be verbal, written or electronic, or a combination of the three. Where verbal communication is deemed sufficient, documenting only the important verbally communicated information would be useful, so records of key information are kept and can be subsequently referred to by those who are given access to it.

IC Box 2: Communication Channels

Management should establish communication channels that:

• provide accurate information at the right time;
• meet individual demands;
• inform employees of their roles and responsibilities;
• support reporting;
• allow employees to make recommendations for improvement;
• give messages that top management can understand, enabling them to make decisions;
• inform employees of the importance of internal control and of decisions taken;
• are both internal and external; and
• have the right target group.

6.1 Internal and External Communication

Administrations should consider the following general issues regarding their internal and external communication:

• The public should be provided with timely, accurate, clear, objective and complete information about policies, programmes, services and activities.
• The language used should be comprehensible and plain Turkish.
• Administrations should be visible, accessible and accountable to the public for the services they provide.
• Various means and methods should be utilised in communication, and information from a variety of sources should be engaged to meet different needs.
• Communication needs should be regularly identified.
• Administrations should receive opinions from internal and external stakeholders while setting out objectives and aims and formulating processes, and should establish mechanisms to assess these.
• Public administrations should work cooperatively with stakeholders when necessary in order to ensure efficient communication.
• Services should be provided in a fair, quick and responsive manner.
• Administrations should have the capacity and equipment to follow up innovations in technology in the field of communication and allocate necessary resources to do so. In this context, activities carried out should be proportionate to resources allocated and results expected.

IC Table 2: Communication Principles and Procedures

(Table columns: Communication Principles; Method)

Internal

• Top management and employees should understand the internal communication system and be well aware of their responsibilities.
• Internal communication activities and processes should be reviewed regularly and revised where necessary. New communication methods should be adopted to stay in line with the changing administrative structure.
• It must be ensured that staff communicate their considerations, recommendations and questions to top management.
• Staff should be regularly informed about the operation of the internal communication system, what to do and the responsibilities, in writing or electronically (including information and communication system for risks).
• Necessary mechanisms (intranet, internet, announcement boards, complaint and suggestion boxes, top manager briefings etc.) should be established to inform the employees about the mission, vision and the objectives of the administration.
• Communication between managers and employees should be clear and cooperative in order to achieve the goals and mission of the administration.
• Staff objectives should be made consistent with those of the administration.
• A more effective communication should be ensured between senior management and personnel.
• Regular meetings and an electronic mechanism that enables the SDUs to coordinate spending units and produce statistical data via necessary analysis.
• Recommendations and ideas of personnel should be heard and action taken to address them when appropriate.
• To this effect, in-house communication seminars and training programs should be organised.

Vertical communication

• Personnel should convey the necessary timely, complete and accurate information to their managers in time for the managers to make decisions and achieve objectives.
• Personnel should be notified by their managers when, in which scope, in what way and from which unit the information is demanded.
• Managers should inform the staff about the policies, goal and objectives of the administration.
• A reporting system should be established within the administration which flows from staff to managers (minutes of meetings, unit activity reports, exchange of information on a weekly or daily basis in person or electronically, a reporting system that enables the managers to monitor daily activities etc.).
• Regular meetings between management and internal auditors; timely submission of internal audit reports to top management.

Horizontal communication

• Refers to the effective sharing of information among employees of the same hierarchical level in order to carry out the tasks and activities in the administrations.
• Personnel and units to share information should be announced to staff, and the duty to share information should be included in the job descriptions of the relevant personnel and units.
• Managers should hold regular meetings to exchange ideas on their respective fields of competence and the problems and suggestions regarding management.
• Establishment of a system to monitor meetings and activities of people of the same level.
• Creation of an e-mail group for the people from the same hierarchical level.
• Strengthening data processing infrastructure and ensuring active operation of units.
• Ensuring that top management have more effective communication with employees.
• Internal communication seminars and training programmes should be organised.

External

• The accessibility of the citizens to the information and services of the administrations should be enhanced.
• Services delivered by administrations within the framework of "e-state" should be shared with the other relevant administrations and citizens (MERNIS, UYAP etc.).
• The administration's website, which provides the necessary documents, should be established and some services should be provided via this website 24/7.
• Documents and services provided online should be updated regularly, and the administration should assign certain people to manage the design and content of the website.
• Furthermore, English broadcast for the access of foreign users to information will be useful.
• Mechanisms should be set up to enable citizens to express their complaints and suggestions (forum, frequently asked questions, activation of use of Information Acquisition System and BIMER etc.).
• Administrations should inform the press about issues deemed important for decision makers and the public.
• The press should be invited to important conferences and seminars.
• Services provided by the administration should be advertised on TV or the internet.
• The head of administration should inform the public annually about the performance programme and activity report of the administration, and these should be published on the administration's website.
• Active operation of the press and public relations units should be ensured.

6.2 Communication Methods

A communication system is made up of methods and records produced to determine, acquire, change and transfer useful information. Staff must be able to communicate with all the units in the organisation, including sharing risky information.

With the advancements in technology, numerous and various communication means are now available in public administrations. The most widely used means of communication are detailed in IC Annex 2.

6.2.1 Reporting

Reports are crucial tools for the establishment of an effective internal control system as they facilitate the monitoring of control effectiveness.

Managers should take reports submitted to them into consideration when making decisions. In this context, accurate and succinct reports that have been prepared on time would help the managers. Furthermore, communication and reporting is an important element of risk management (see Risk Management Chapter).

Administrations should communicate financial and non-financial information and results regarding their policies, programs, activities and projects to the relevant persons and bodies in writing or verbally at particular times. Within this framework, vertical and horizontal reporting lines within the administration should be determined in writing. Furthermore, each administration should also take into consideration external reporting mechanisms.

IC Figure 3 shows the mechanism of vertical reporting among the hierarchical stages regarding the decisions and works at the strategic, programming and operational levels, and the mechanism of horizontal reporting among the personnel of the same level. Vertical reporting is the reporting of personnel to managers. Horizontal reporting, on the other hand, is the necessary flow of information among the people and units that are on the same level.

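IC Figure 3: Reporting Lines

[Diagram: vertical reporting between Top Management, Medium-level managers and Other staff, across the Strategic and Operational levels of an Objective/Activity, with horizontal reporting among personnel of the same level.]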

Examples of horizontal reporting within an administration:

• Staff attending a training program sharing with colleagues the report they prepare about training results; and
• Minutes of Meeting shared with other units.

Examples of vertical reporting within an administration:

• Consolidated Risk Report submitted to senior management;
• Minutes of Meeting copied to a senior manager for their information;
• Internal Audit Reports submitted to senior management; and
• Quarterly Reports and Semi-Annual Reports submitted to senior management.

Examples of reporting outside the administration:

• Internal Control System Evaluation Report prepared by the SDU and submitted to the CHU; and
• Annual activity report for an administration, prepared by the Head of Administration, published to the public and copied to the Turkish Court of Accounts and Ministry of Finance.

IC Box 3: Basic Principles for Effective Reporting

• It should be explicitly determined and announced to staff which reports will be prepared by whom, at what frequency and when they will be prepared, who they will be submitted to and who will control them. Reports must be in compliance with tasks, responsibilities and the principles of financial transparency and accountability.
• The information included in the reports must be accurate, up-to-date, succinct, objective, complete, relevant and sufficient.
• Reports should use a common and clear language that everyone can understand.
• Reports must be produced at certain periods and on a consistent basis so that comparisons can be made between years.
• Reports should attract the attention of readers, be easy to read and understand, and include sufficient and appropriate visual material.
• All reports should have a conclusion and evaluation section.
• The desired format for the report should be determined in advance by the administration/unit requesting the report and notified to the relevant administration/unit.

IC Annex 3 details the reports prescribed to be prepared as per the Public Financial Management and Control Law No. 5018 and the applicable regulations in the framework of the principles of financial transparency and accountability.

7 WHISTLEBLOWING OF FAILURES, IRREGULARITIES AND FRAUD

One of the most important elements of accountability and transparency is the existence of a mechanism that ensures that staff and stakeholders are able to effectively express their concerns.

Article 279 of the Turkish Penal Code states that if a civil servant learns, by means of the position he holds, that a crime which necessitates investigation and prosecution was committed and neglects or delays notifying the competent authorities of this crime, he will have committed a crime himself.

7.1 Concepts of Failure, Irregularity, Fraud and Whistleblowing

Failure refers to an unintentional action against the legislation.

Irregularity and fraud, on the other hand, refer to deliberate behaviours of the administration's staff or third parties against the present rules in order to achieve unfair or unlawful gain.

Whistleblowing is the notification of illegal and unethical behaviours and actions to top management, third parties outside the management, or authorised bodies or persons (who can be inside or outside the administration) by the persons with information (employees or stakeholders). Failure to blow the whistle can cause damage to the administration.

In line with the above given information, administrations must determine distinct methods for evaluating irregularities, fraud and failures they have been notified about.

It should be borne in mind that the person who makes the notification may be left alone or isolated, his or her career may be undermined, or he or she may not be taken seriously. Therefore, any kind of biased or discriminative conduct against the personnel or third parties that blow the whistle should be prevented.

7.2 Scope of Notifications

There are three basic types of whistleblowing and complaints in public administrations:

• Those regarding the violation of ethical values
• Those regarding faults, irregularities and fraud
• Complaints by civil servants regarding administrative actions and processes implemented against them by managers or administrations

7.2.1 Whistleblowing and complaint in cases of violation of ethical values

Whistleblowing mechanisms are defined in Law No 5176 on Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws, and in the Legislation on Ethical Behaviour Principles and Procedures for Civil Servants.

Under this legislation, cases of ethical behaviour violation by the director general and by those who have a title at this level are notified to the Ethical Board, while cases of violation by the other employees are notified to the relevant administrative manager to be directed to the administration's disciplinary board. Within this framework, administrations carry out the process to ensure compliance with the law.

A flowchart showing the detailed process for whistleblowing and complaint in cases of violation of ethical values is at Annex 4a.

7.2.2 Whistleblowing and complaint regarding irregularities and fraud

Law no 4483 defines the procedures to be followed in cases of crimes committed by civil servants in relation to their duties. Accordingly, cases of whistleblowing or complaint about civil servants are filed, processed and concluded under this Law.

When a complaint by a person is not processed, he can appeal to the administrative court if he wishes. The administration has to record all cases of whistleblowing or complaint, whether processed or not.

A flowchart showing the detailed process for whistleblowing and complaint regarding irregularities and fraud is at Annex 4b.

7.2.3 Complaints by civil servants

Proceedings relating to complaints by civil servants regarding administrative actions and processes implemented against them by their managers or administrations are carried out within the framework of Article 21 of Law No 657 and the Legislation on Complaint and Application Rights of Civil Servants.


7.3 The Responsibility for Detecting Faults, Irregularities and Fraud

The responsibility for identifying and preventing failures, irregularities and fraud rests with management and all employees. Under the ethical behaviour culture of the administration, the necessary actions should be taken to prevent failures, irregularities and fraud under the supervision of the responsible managers.

7.4 Whistleblowing System

For employees to communicate their concerns and for these concerns to be taken seriously, administrations should have related regulations that comply with their structures, as well as reporting mechanisms. These regulations should include the following:

- the subject matter of whistleblowing

- how to protect the confidentiality of and provide security for a whistleblower who acts in good faith

- the stages of the whistleblowing procedure (first to manager, then head of unit, head of internal audit, head of human resources unit or head of financial services unit, head of administration)

- how cases of whistleblowing are evaluated by the administration and what actions are taken (examination inside the administration or official investigation, etc.)

- the information given to the whistleblower about who the subject matter concerns, whether he can contact that person, and the evaluation progress and/or results

Within this framework, administrations should announce to the personnel all the ways of whistleblowing and complaint.

In cases of whistleblowing and complaint, the identity of the whistleblower should be kept confidential so that they are not exposed to discrimination.

Administrations should receive cases of whistleblowing and complaint in electronic format via their websites as well as in writing. In addition, administrations should set up mechanisms that make it easier for external stakeholders to whistleblow or complain, and announce them on their billboards and websites.

Administrations should not set up mechanisms other than the preliminary examination procedures determined in Law no 4483 for cases of whistleblowing and complaint regarding corruption and irregularities. As a result of the preliminary examination, whether the investigation permit is given or not should be notified both to the Chief Public Prosecutor's Office and to the whistleblower with a detailed justification, and the letters regarding these notifications should be kept in the whistleblowing files.

For an effective whistleblowing system, the following basic requirements are taken into consideration:


IC Box 4 Basic requirements for Whistleblowing

- Top management should announce the procedures for dealing with whistleblowing and complaint from inside and outside the administration.

- Administrations should determine, for central and local units, who notifications will be referred to.

- Methods must be developed for anonymous notifications from staff and third persons (telephone in a way that ensures evidenced delivery, internet application provided that the forms given are completed, anonymous letter, suggestion boxes, etc.).

- Written, spoken or electronic cases of whistleblowing should be recorded in a separate folder by the authorised unit or person, regardless of whether they are based on enough evidence or not.

- Discriminatory treatment towards the whistleblower should be prevented.

- Periodical meetings should be held with staff in which their views are heard and their trust is won in regard to reporting malpractices within the administration.

- All the communication channels should be left open to ensure that personnel can blow the whistle.

- Where personnel are proved right after the examination and evaluation of the whistleblowing, they should be rewarded by means of secret methods to be determined by the administration.

IC Box 5 Issues to consider while evaluating whistleblowing notifications

- Are the behaviours or actions in the administration unlawful?

- Are the behaviours or events taking place in the administration against the ethical values (morals, professional ethics, etc.)?

- When the whistleblowing is not in compliance with the procedure, it must still be evaluated as long as it is based on concrete evidence.

- Seriousness and importance of the issues put forward should be taken into consideration.

- There should be good will and public benefit.

- There should be a reasonable belief that the information and the allegations it includes are completely true and may uncover malpractice.


IC Figure 4 Whistleblowing Process

Whistle blower: Is it illegal? Is it unethical and immoral? Is it based on concrete evidence? Do I have good will? Do I draw benefit from this?

Secure communication channels (e-mail addresses, telephone numbers)

Unit/person to evaluate the case of whistle blowing

Evaluation Criteria

Disciplinary Board

Inspection Board/Audit Unit

Chief Public Prosecutor (investigation request is from outside the administration)

Authorising officer


IC Box 6 Current Legislation relating to whistleblowing and complaint

- Law No 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication

- Law No 4982 on the Right to Information

- Law No 3628 on Declaration of properties, bribes and combating fraud

- Law No 3071 on Official Letters

- Ethics Law, Regulation and Prime Ministry Circular

- Principles and Procedures on the Complaint and application rights of Civil Servants

- Complaint regulation under Public Procurement Law No 4734

8 RELATIONS AMONG UNITS

8.1 Information and Communication between the CHU and SDUs

The extent to which the tasks the CHU carries out are effective and efficient depends on the level of communication it achieves with SDUs.

The CHU must develop organisational communication mechanisms to ensure transfer of information to the SDUs. This could be done either via a call centre to be established within the CHU, or by matching particular CHU staff (client representatives) with particular SDUs. This would enable CHU staff to better know the unit they are responsible for and therefore make evaluations and problem solving easier. This would also improve the influence of the CHU on other units. Furthermore, ensuring face-to-face communication between CHU and SDU staff and organising periodic meetings and/or conference calls to review the internal control system can be another method of information transfer.

The CHU must set out the critical arrangements that are relevant to the SDUs using participative methods in which the participation of SDUs is ensured. Furthermore, the level of participation by the SDUs will enhance the level of communication.

8.2 Information and Communication between SDUs and Spending Units

Ensuring coordination with spending units for the adoption of various elements, such as preparation of activity reports and performance programmes and implementation of internal control, which are important elements of Public Financial Management, is the responsibility of SDUs. Effective and efficient organisational communication with spending units would also contribute to the smooth progress of the coordination process.

SDU staff and spending units must be matched. Each member of the SDU must be in constant communication with the spending unit they are responsible for and transfer the necessary information to the spending units periodically. Spending units must also assign department/branch/unit staff to be in continuous communication with the SDU. Such matching plays a crucial role in the transfer of consistent and accurate information both from the SDUs to the spending units and from the spending units to the SDUs.

Furthermore, these information flows must also be reviewed in meetings held regularly (advised frequency: minimum monthly, maximum quarterly) by the spending unit officials and SDU managers, and the actions to be taken and the required development must be discussed in these meetings.

In the event that it is necessary for the SDUs to make decisions which would affect the spending units, officials from spending units must be able to get involved in this process, depending on the level of the decision.


INFORMATION AND COMMUNICATION ANNEXES

Annex 1 - Legislation on Information and Communication

- Regulation on the Principles and Procedures to be applied in Official Correspondences by the Prime Ministry

- Regulation on the Prime Ministry State Archiving Services, published in the Official Gazette number 19816 dated 16 May 1988

- Regulation on Public Servants Ethical Behaviour Principles and Principles and Procedures for Application

- Regulation on Declaration of Assets, published in the Official Gazette no 20696 dated 15 November 1990

- Regulation on the Complaints and Application by Public Servants Assets, published in the Official Gazette no 17926 dated 12 January 1983

- Prime Ministry circular on Standard Folder Plan no 20057 dated 24 March 2005

- (Manual to be prepared by the Central Harmonisation Unit can be included, including the FMC Manual)

- Prime Ministry circular dated 19 March 2007 on Civil Servants Ethical Board

- Regulation on Complaints under the Scope of the Law no 4734 on Public Procurement (The arrangements to be made by the CHU, including the FMC Manual, can be covered in this part)

- Law no 406 Telegraph and Telephone

- Radio Law no 2813

- Law no 3071 on Official Letters

- Law no 4982 on the Right to Information

- Law no 5070 Electronic Signature

- Law no 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication

- Law no 5369 on Provision of Universal Service and Amendments to Certain Laws

- Law No 5176 on Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws

- Law No 4483 on Trying cases against Civil Servants

- Law No 3628 on Making Declaration of Property and Fight against Bribery and Corruption

- Law no 5809 on Electronic Communication


Annex 2 - Widely Used Methods of Communication

Means: Meetings
Objective: Informing; Receiving opinion; Making joint decisions
Advantages: Relatively cheap; A method that people are accustomed to; Contribute to the culture of participation; Open to discussion and dialogue; Opportunity to come up with solutions to problems in the administration
Disadvantages: Difficulty to measure the success and value of the method; Possibility that results may not be useful; Possibility that a minor group may dominate the meeting in case of bad management

Means: Reports
Objective: Informing; Receiving opinion; Making decisions; Evaluation
Advantages: Informs the target group about the subject in a sound manner; Facilitates decision-making process of the manager; Possibility to access accurate, up to date, relevant and adequately detailed information
Disadvantages: Requirement for qualified staff; Its production is time consuming

Means: Brochures, Periodicals
Objective: Informing; Promotion
Advantages: Opportunity for creative design; Comprehensible; Particular and wide target groups; Opportunity to establish long term relation with target group; Opportunity to make regular up-dates regarding the subject
Disadvantages: Limited feedback; Difficulty to measure the impact on target group

Means: Questionnaire, Interview (letter, e-mail, telephone, face to face)
Objective: Receiving opinion; Evaluation
Advantages: A method that people are accustomed to; Opportunity to reach a wide group; Opportunity to select particular target groups; Scientific methods can be used
Disadvantages: Expensive, time consuming; Requirement of in-detail information to use the method accurately; Possibility that responding rate may be low; Possibility that the subject may not be examined enough

Means: Press releases and conferences
Objective: Informing; Receiving opinion
Advantages: Cheap; Easy to organise; Opportunity to communicate to many people
Disadvantages: Difficulty to understand whether the subject reached the target group or not; Difficulty to measure the success and value of the method; Difficulty to examine the subject thoroughly; No feedback or limited feedback

Means: Brainstorming
Objective: Exchanging ideas; Making joint decisions
Advantages: Obtaining many ideas regarding a subject; Contribution to the culture of participation; Cheap, flexible, easy to organise
Disadvantages: Possibility that results may not be useful; Possibility that the subject may not be examined enough

Means: Workshop
Objective: Informing; Receiving opinion; Making joint decisions
Advantages: Opportunity to set up new networks; Fun for participants; Chance of finding solutions to problems; Cheap, flexible, easy to organise; Chance of examining the subject thoroughly; Opportunity to select particular target groups; Easier participation because of unofficial atmosphere
Disadvantages: Non-scientific; Possibility that results may not be useful; Possibility that a minor group may dominate the meeting; Possible to receive wrong results with a small and randomly selected group

Means: Conference
Objective: Informing; Receiving opinion; Making joint decisions
Advantages: Opportunity to become creative and flexible; Opportunity to work together with different groups; Opportunity to set up new networks; Opportunity to select particular target groups; Opportunity to examine the subject thoroughly; Opportunity to discuss different opinions and ideas
Disadvantages: Expensive, time consuming; Possible to receive wrong results with a small and randomly selected group; Raising different expectations; Possibility that result may not be useful; Possibility that a minor group may dominate the meeting in case of bad management

Means: Focus Group
Objective: Receiving group's opinion with the leadership of a moderator
Advantages: Faster and cheaper compared to one-to-one interview; Opportunity to discuss different opinions and ideas; Spoken discussion accelerates the process that outputs are reflected in writing
Disadvantages: Possibility that useless information may emerge in case of bad moderation; Quality of participators affect the quality of data

Means: Conference Call
Objective: Making joint decisions; Finding common solutions to problems
Advantages: Opportunity to discuss different opinions and ideas; Opportunity to examine the subject thoroughly; Experienced decision-makers and persons with deep information accumulation coming together
Disadvantages: Possibility that results may not be useful in case of bad management; Expensive, time consuming; Possibility that a minor group may dominate the meeting in case of bad management

Means: Websites and intranet, e-mail
Objective: Informing; Receiving opinion
Advantages: Cheap; Easy to organise; Opportunity to reach many people; Effective information sharing
Disadvantages: Need for updating; Problem that unfavourable people may get access


Annex 3 Reports Prepared under PFMC Law No 5018

Name of report: Unit Activity Report (Art 41 of Law no 5018)
Responsible unit: Spending Units - Authorising Officers
Submitted to: Head of Administration

Name of report: Local Administrations Activity Report
Responsible unit: Spending Units - Authorising Officers
Submitted to: Head of Administration

Name of report: Administration Activity Report (Art 41 of Law no 5018)
Responsible unit: Head of Administration (General budget administrations, special budget administrations and social security institutions)
Submitted to: Ministry of Finance, Court of Accounts and Public Opinion

Name of report: Local Administrations Activity Report (Art 41 of Law no 5018)
Responsible unit: Head of Administration (Local Administrations)
Submitted to: Ministry of Interior, Court of Accounts, Public Opinion

Name of report: General Activity Report (Art 41 of Law no 5018)
Responsible unit: Ministry of Finance (Directorate General for Budget and Fiscal Control)
Submitted to: Court of Accounts and Public Opinion

Name of report: Local Administrations General Activity Report (Art 41 of Law no 5018)
Responsible unit: Ministry of Interior
Submitted to: Court of Accounts, Ministry of Finance and Public opinion

Name of report: Administration AR, General AR, Local Administrations General AR (Art 41 of Law no 5018)
Responsible unit: Court of Accounts (Expressing its own opinions considering its external audit results)
Submitted to: TGNA

Name of report: Draft Law on Final Accounts (Art 42 of Law no 5018)
Responsible unit: Ministry of Finance (DG Public Accounts)
Submitted to: TGNA, Court of Accounts

Name of report: External Audit Overall Assessment Report (Art 68 of Law no 5018)
Responsible unit: Court of Accounts
Submitted to: TGNA

Name of report: Corporate Financial Status and Expectations Report
Responsible unit: Public Administrations under the scope of General Management
Submitted to: Public Opinion

Name of report: Central Government Budget Realisations and Expectations Report
Responsible unit: Ministry of Finance (Directorate General for Budget and Fiscal Control)
Submitted to: Public Opinion

Name of report: Financial Statistics (Art 52, 53, 54 of Law No 5018)
Responsible unit: Ministry of Finance (DG Public Accounts)
Submitted to: Public Opinion

In the production and submission of the Activity Reports above, Law no 5018 and the principles and procedures set out in the Regulation on Activity Reports Prepared by Public Administrations are taken into account.

In preparation and declaration of the financial statistics of public administrations, Law No 5018 and the principles and procedures set out in the General Communiqué on Financial Statistics of General Management are taken into consideration.


Annex 4a Whistle-Blowing Process Related to Ethical Values

Application: Written petition, electronic mail or oral application that is recorded

Registry (Relevant unit/person): Registration in the document registry system (written, electronic); a separate folder system for notification applications

If related to Director General and upper level positions than Director General: Ethical Board

If related to lower level positions than Director General: Head Office of the Relevant Administration, Disciplinary Board

EVALUATION

NOTIFICATION

- To the relevant person (person who the whistle-blowing is about)

- To the relevant administration (conduct of the work within the framework of Law No 657)

- To whistle-blower

NOTIFICATION

If it is decided that ethical behavior principles have been violated:

- To Prime Ministry

- To Public Opinion (published in official gazette)

If it is not detected that ethical behavior principles have been violated:

- To the Prime Ministry

- To whom it may concern


Annex 4b Whistleblowing and Evaluation Process for Crimes Committed by Civil Servants

Application: Written petition (person or a particular event, serious allegations, name, family name, signature, domicile address)

Registry (Relevant unit/person): Registration in the document registry system (written or electronic - a separate folder system for notification applications)

Head of the relevant unit

Directly Chief Public Prosecutor

Other positions or civil servants

Requesting investigation permit from body authorised to give the permit (Article 3 of Law No 4483)

Making notification to body authorised to give the investigation permit (Article 3 of Law No 4483)

Body authorised to give the permit starting the preliminary examination (4483/5)

Preparation of preliminary examination report and submission of it to the body authorised to give the permit

Permitting the investigation about the complaint, whistleblowing or subject matter of the allegation

OBJECTION (to the Court of Appeals or regional administrative court by the civil servant about whom investigation is conducted)

Not permitting the investigation about the complaint, whistleblowing or subject matter of allegation

OBJECTION (to the Court of Appeals or regional administrative court by the Chief Public Prosecutor's Office or complainant)

NOTIFICATION

- to the Chief Public Prosecutor's Office

- to the civil servant about whom the investigation is conducted

- to the whistleblower


MONITORING

1 Introduction

Monitoring is the assessment of the internal control system in terms of harmonisation with the internal control standards, to see whether it makes the expected contribution to the achievement of the goals and objectives of an administration. It is the identification of the actions regarding the aspects open to improvement. Within this framework, monitoring is an integrated process in which capacity is assessed in interaction with the other components of the internal control system.

M Figure 1 COSO Monitoring Process (labels shown: Risk Management, Control Activities, Info & Communication, Monitoring)

The main elements of monitoring are formation of a sound infrastructure for monitoring, designing and implementing monitoring procedures, and assessment and reporting of the results.

Monitoring, if designed and carried out properly, provides the administration with reasonable assurance that the internal control system operates efficiently. Efficient monitoring helps to:

- Identify and eliminate the problems in the system of internal control in a timely manner

- Produce more accurate and reliable information to be used in decision making

- Produce correct and timely financial statements

- Confirm regularly that the internal control system is effective

- Present evidence for the internal control assurance declarations


Monitoring internal control systems requires participation. Question forms, internal and external audit reports, requests and complaints from individuals and/or organisations, and the opinions of unit directors must be drawn on during monitoring.

2 Monitoring Internal Control Standards

Monitoring includes all sorts of monitoring activities performed with the aim of quality assessment of the internal control system.

M Box 1 Internal Control Standards

Standard 17 Assessment of internal control

The administrations shall assess their internal control systems at least once a year.

Standard 18 Internal audit

The administrations shall ensure a functionally independent internal audit activity.

3 Roles And Responsibilities

3.1 Senior Manager

The main responsibility for monitoring the internal control system rests with the Senior Manager. This is also emphasized in Article 11 of Law No 5018, which states that Senior Managers are responsible for observing and monitoring the functioning of the financial management and control system.

The Senior Manager fulfils this responsibility through internal auditors and Strategy Development Units (SDU).

Having approved the internal control system annual assessment report prepared by his administration, the Senior Manager ensures its submission to the Central Harmonisation Unit (CHU).

Furthermore, the Senior Manager annually states, based on evidence, that the internal control system gives reasonable assurance for attainment of the objectives and aims of his administration through internal control assurance statements (Annex 3A).

In addition, the Senior Manager ensures the implementation of recommendations put forward as a result of internal and external audits.

3.2 Internal Audit

Internal audit has the functions of providing information, making assessments and making recommendations on the adequacy, efficiency and functioning of the internal control system. Within this framework, the Senior Manager, who has the responsibility for the sound functioning of the internal control system, receives opinions and support from internal auditors.

3.3 Internal Control and Risk Steering Board (ICRSB)

ICRSB assesses the Internal Control System Evaluation Reports prepared by the SDU as a result of the annual assessment of the internal control system (Annex 2) and, after identifying the shortcomings of the report, if any, submits it with the relevant opinions for the approval of the Senior Manager.

3.4 Authorising Officers

Authorising officers have responsibilities regarding internal control and continuous monitoring. Furthermore, Authorising Officers provide the necessary information to SDUs for the annual assessment of the internal control system, fill in the internal control question form (Annex 1) and annually sign the internal control assurance declaration (Annex 3B) to be submitted to the Senior Manager.

In addition, Authorising Officers have the responsibility for taking relevant actions regarding the recommendations contained in internal and external audit reports.


3.5 Strategy Development Units (SDU)

SDUs have been assigned the function, by Law No 5018 and the applicable legislation [3], to carry out studies to establish, implement and continuously develop internal control systems and to report the study results to the Senior Manager.

Within this framework, SDUs annually assess the internal control system on behalf of the Senior Manager. They then report the assessment findings, obtained by forming a working group and using such tools as check lists, questionnaires and question forms, to the Senior Manager with the relevant opinions from the Internal Control and Risk Steering Board.

SDUs sign the declaration on the functioning of the internal control system with a view to ensuring effective, efficient and economical execution of the administration's activities.

Personnel of SDUs take an active role in the assessment process of internal control systems and guide the units in filling in the reports regarding assessment (Annex 1).

3.6 Other Managers and Employees

Other managers and employees are responsible for the effective functioning of the internal control system within their own fields. Within this framework, while carrying out their own duties, they observe the functioning of the internal control system, inform the Senior Manager in case of a problem, and contribute to the assessment process of the internal control system by providing information.

3.7 External Audit

External audit is conducted by the Court of Accounts. Within this framework, the Court of Accounts can assess internal control systems in public administrations and can make recommendations.

3.8 Central Harmonisation Unit (CHU)

In accordance with Article 9 of the Principles and Procedures regarding Internal Control and Ex-ante Financial Control and Article 55 of Public Financial Management and Control Law No 5018, this unit develops standards and methods regarding internal control processes and provides guidance services in public administrations.

Furthermore, CHU annually assesses the functioning of internal control systems in public administrations based on the Internal Control Assessment Reports approved and submitted by senior managers, and submits the assessment report it prepares to the Senior Manager and the Minister of Finance.

CHU, in necessary cases, carries out on-site monitoring activities regarding the factors contained in reports prepared by public administrations.

Within the framework of the roles and responsibilities explained above, the following scheme demonstrates the exchange of information and reporting lines envisaged within the scope of monitoring activities in the administration.

[3] Legislation on Principles and Procedures regarding Internal Control and Ex-ante Financial Control and Working Principles and Procedures of Strategy Development Units


M Figure 2 - Reporting and information exchange process foreseen under monitoring

CENTRAL HARMONISATION UNIT

SENIOR MANAGER

INTERNAL AUDIT (Report)

INTERNAL CONTROL RISK STEERING BOARD

EXTERNAL AUDIT: Court of Accounts (Report)

STRATEGY DEVELOPMENT UNIT

AUTHORISING OFFICERS

SUB-UNIT MANAGERS

SUB-UNIT PERSONNEL

1) Straight arrows demonstrate the hierarchy in the reporting process

2) Dotted lines demonstrate the exchange of information

4 Guidance by the CHU [4]

Article 55 of Public Financial Management and Control Law no 5018 and Article 9 of the Principles and Procedures on Internal Control and Ex-ante Financial Control prescribe that standards and methods concerning financial management and control are developed and harmonised by the Ministry of Finance and that guidance is provided to the public administrations.

In this context, within the scope of its monitoring function, the CHU:

- Monitors whether internal control standards are complied with

- Monitors the operation of the systems by receiving information and reports from the administrations regarding internal control and ex-ante financial control arrangements and practices

- Carries out research on national and international good practices and conducts studies for their implementation

CHU annually assesses the operation of the internal control system within the public sector based on the Internal Control System Evaluation Reports submitted upon approval by the heads of public administrations and, where necessary, carries out on-the-spot monitoring on the issues included in the reports of the administrations.

[4] This part consists of general information on the guidance provided by the CHU; detailed information can be found in the CHU Handbook.

5 Assessment and Reporting Role of SDUs

Assessing internal control periodically and identifying and applying necessary actions are

crucially important to ensure the efficiency of the system In this context each organisation needs

to assess its internal control system Assessment of internal control system means analysing on the

basis of the internal control components whether the system makes the expected contribution to

the achievement of the aims and objectives an administration identifying the aspects open to

improvement and taking corrective actions

Public Internal Control Standards suggests that the internal control systems in the public

administrations must be assessed at least annually using ongoing monitoring or separate

evaluations In the assessment of the internal control system participation of all units is required and

internal and external audit reports and requests and complaints from individuals andor

organisations and the opinions of unit directors must be considered and the assessment process

must be methodological

5.1 Assessment of Internal Control System by SDUs

Assessment of the Internal Control System by SDUs is carried out fundamentally by means of the Internal Control System Question Form. Other tools such as checklists and questionnaires can also be used during the evaluation process. Furthermore, the opinions of the managers and requests and complaints from organisations and/or individuals are taken into consideration in the evaluations. Evaluations are carried out at least annually. Quarterly or semi-annual evaluations can be carried out as well.

Coordination of the assessment, conveyance of the questionnaires to the relevant units and consolidation of the responses are tasks of the Internal Control sub-units in the SDUs.

The staff to be assigned from the SDU must be determined to support the process of filling in the questionnaires, and the evaluation process must be planned. In the plan, a representative must be appointed for each unit and, where the number of staff is insufficient, at least one person must be assigned as responsible, and this must be communicated to the relevant units. This responsible person must provide guidance to the units in filling in the questionnaires.

Spending units are obliged to respond to the questions on Risk Assessment, Control Activities, and Information and Communication. Responding to the questions in the Control Environment and Monitoring parts is at the discretion of spending units.

SDUs must complete the sections on control environment and monitoring in the internal control question forms which they will fill in as spending units.

The following steps should be followed while evaluating the internal control system:

- Primarily, unit managers should organise an opening meeting for the representatives from the SDUs. In this meeting, guidance should be provided for responding to the questionnaires and the deadline for completing the questionnaire should be announced.
- The timetable for the questionnaire, the SDU representative and their contact details should be communicated to the unit manager along with the questionnaire itself. The units must be given a reasonable amount of time to complete the questionnaire, which should be not less than one week.
- The questionnaire should be completed with the participation of sub-unit managers and staff under the coordination of the unit manager.
- In completing the questionnaire, spending units should bear in mind that this is a kind of self-assessment; therefore, by means of the answers they give to the questions, they essentially assess their own units. Within this framework, while completing the questionnaire they should make an in-depth assessment of the functioning of internal control in their own units.
- Where necessary, support should be received from the SDU representatives.
- When the questionnaire is received by the SDU representative, each question should be checked and any misunderstanding should be corrected during this process. To this end, the SDU representative is entitled to get in touch with the unit manager regarding responses to the questionnaire.
- Internal audit units/internal auditors can be asked for support and recommendations when there is a need for checking the accuracy of information in the questionnaire.
- Following the submission of all questionnaires, the SDUs should consolidate the questionnaires and prepare the evaluation report, resorting to the questionnaires primarily and also the following sources of information:
  - Action plans produced on the basis of internal and external audit reports,
  - Information on budget and ex-ante financial control, and
  - Other sources of information (opinions of the managers, requests or complaints by individuals and/or administrations).

Given that the evaluation report will be produced using the above-mentioned information sources (questionnaire, internal and external audit reports, budget, ex-ante financial control information, etc.), it should be kept in mind that this process would take time.

While assessing the results of the questionnaire, the points should be added up and converted to a percentage for each section. For example, the total number of points that can be scored for the Control Environment section is 44. If the Unit's score was 22 out of 44, the percentage result is 50%.

The percentage scores should be recorded for each section, along with a percentage score for the whole questionnaire (using the total possible points of 116).

The percentage scores should be interpreted as follows, separately for each category and also for the overall percentage score.

Table 1 – Interpretation of the Results of the Internal Control Question Form

| % score | Interpretation |
|---|---|
| 0-25 | Evidence of some awareness and understanding, but still in the early stages of internal control development. Direct action needed by SDU to provide guidance. |
| 25-50 | Evidence of implementation that is planned and in progress. Action needed by SDU to provide further guidance. |
| 50-75 | Evidence of implementation in some key areas. Further guidance may be required by the SDU. |
| 75-95 | Evidence that implementation of internal control is embedded and a good capability is established. SDU may wish to identify the best areas as examples of best practice and inform CHU. |
| 95-100 | Evidence of mature internal control system with excellent capability established. CHU will wish to use as example of best practice. |

5.2 Reporting of Internal Control System Evaluation Results

The SDU prepares a report regarding the activities carried out for establishing and developing the internal control system and an evaluation of the functioning, effectiveness and efficiency of the system. It will be appropriate to use the 'Internal Control System Evaluation Report' template contained in Annex 2 in making the assessment results into a report.

In the preparation of the aforementioned report, the "Internal Control System Questionnaire" is an important basis. The report should include, alongside information on the operation of the internal control system, the steps taken for strengthening it. Furthermore, the areas where no or insufficient controls exist, where they do not work properly or where the controls are excessive, and the plans and tables produced to address the problems identified, should also be covered in the report.

The report produced is reviewed by the ICRSB, if there is one in the administration. If not, it is reviewed by a board consisting of authorising officers or their assistants assigned by them, chaired by an authorising officer or a Deputy of the Senior Manager. After eliminating any shortcomings, it is submitted by the board to the Senior Manager for approval.

The annual evaluation report approved by the Senior Manager must be sent to the CHU by the SDU by the end of the following March.

5.3 Monitoring of Internal Control System Evaluation Reports

The measures and actions to be taken and the arrangements to be made regarding the aspects identified in the Internal Control System Evaluation Report as requiring development must be set out within the framework of managerial responsibility. In certain areas, the unit managers will have to take actions in order to eliminate the gaps. Furthermore, if there are horizontal problems on which most of the units are identified to score low, actions for improvement should be initiated by the Senior Manager.

The measures and actions to be taken and arrangements to be made must be implemented in the context of an action plan in a designated period of time. SDUs must monitor the implementation results of the aforementioned measures, actions and arrangements at least semi-annually and inform the Senior Manager about the implementation results.

5.4 Work to be carried out by SDUs concerning Internal Audit Reports

In accordance with Article 64 of Law No 5018, reports submitted by internal auditors to the Senior Manager shall be sent to the concerned unit and the SDU, following the assessment by the Senior Manager, for taking necessary action. It will be convenient that SDUs assess the report sent by the Senior Manager in light of the following questions.

Table 2 – Evaluation of the Internal Audit Reports by the SDUs

Question 1: What information is available in the report about the effectiveness of the internal control system? For example, what information does the internal audit report include on risk management?

Question 2: Are there any problems according to the internal audit report?

Question 3: What are the problems in question?

Question 4: What are the works to be carried out by spending units for fixing these problems? It is possible that SDUs provide spending units with guidance on actions to be taken.

Question 5: What are the works to be carried out by the SDU for fixing these problems? Taking these problems into consideration, the SDU identifies measures to be taken in the Internal Control System Evaluation Report to be submitted to senior management. Identifying the training need within the framework of shortcomings related to the internal control system, the SDU can demand that new training programs be developed or the available program be revised.

Question 6: Has the SDU done what is necessary for fixing these problems? It should be found out whether the SDU has done the necessary works (delivering trainings/giving recommendations) for fixing the problems.

6 Internal and External Audits

In accordance with Law No 5018, the audit of our financial management and control system is divided into two categories: internal audit and external audit. Internal audit is carried out by the internal auditors working in the administrations within the scope of general government, with the exception of regulatory and supervisory institutions. External audit of the administrations under general government, on the other hand, is carried out by the Turkish Court of Accounts.

6.1 Internal Audit

Articles 63-67 of Law No 5018 set out the overall scope of the internal audit system, and the professional framework has been established with the secondary and tertiary legislation.

Activities and transactions of all the units of public administrations, including those abroad and in the countryside, have been undergoing internal audit in line with audit standards, within the scope of risk-based audit plans and programmes, using a systematic, consistent and well-disciplined approach.

The most distinctive difference between the current inspection boards and the internal audit designed by the aforementioned Law is that internal auditors have a limited authority, which merely enables them to notify the most senior person in the administration when they find cases requiring investigation during the course of or following the audit. Inspectors, however, have the authority to initiate investigations and directly submit reports containing the findings of the investigations to legal authorities.

6.1.1 Definition and Aim of Internal Audit

Internal audit is defined in Article 63 of Law No 5018 as follows:

Box 2 – Article 63 of Law No 5018

"Internal audit is an activity of providing independent and objective assurance and consultancy, performed in order to improve and add value to the activities of the public administrations by evaluating whether the resources are managed in conformity with the principles of economy, effectiveness and efficiency, and by providing guidance. Such activities are performed with a systematic, regular and disciplined approach and in accordance with generally accepted standards, aiming to evaluate and improve the efficiency of risk management and of management and control processes on the management and control structures and financial transactions of administrations."

In the above definition, "objective assurance" refers to providing sufficient assurance within and outside the organisation that an efficient internal control system exists in the organisation; its risk management, internal control system and business processes operate efficiently; the information produced is accurate and complete; the assets are safeguarded; and the activities are carried out in an efficient, economic and productive manner in line with the legislation.

Alongside the objective assurance it ensures, internal audit provides independent and impartial consultancy to assist the administrations in developing their risk management, control and management processes. Consultancy covers providing recommendations to evaluate and improve the activities and business processes of the administration, aimed at the achievement of its objectives, in a systematic and regular manner.

Internal auditors get involved neither in the arrangement or implementation of internal control systems nor in the selection of control actions.

6.1.2 Monitoring within the scope of Internal Audit

Internal auditors submit their reports directly to the Senior Manager of the public administration. Following the evaluation of the Senior Manager, these reports shall be given to the concerned units and the SDU for taking necessary action. Internal audit reports and the actions taken about them shall be sent by the head of the public administration, within two months at the latest, to the Internal Audit Coordination Board.

Audit results are monitored within the framework of the Public Internal Control Reporting Standards, which have been published by the Board. The corrective actions and advice recommended by the internal auditor following the internal audit activity shall be completed by the auditee within the time period indicated in the relevant report. The Senior Manager shall follow up whether the measures stated in the report have been taken or not. The Senior Manager can fulfil this duty through internal audit units (through internal auditors in administrations where there is no unit). Internal audit units (internal auditors in administrations where there is no unit) prepare a follow-up system to monitor the implementation of internal reports.

Unit directors take the necessary actions regarding the recommendations included in the audit report about the audited activities. In the event that no action could be taken, the head of the internal audit unit informs the Senior Manager.

If the recommendation or corrective measure to be taken will take a certain period of time, this shall be stated in the response to the audit report, and the relevant unit shall communicate the developments to the internal audit unit in six-month periods at least.

Actions taken by the audited units upon the report, or the justifications for not taking actions, are sent to the internal audit unit to be submitted to the internal auditor.

6.2 External Audit

Another means that contributes to accountability is external audit. In this context, external audit has an important role in the fulfilment of the legislative body's budget right and in the effective, efficient and economic use of public resources. The Turkish Court of Accounts carries out the audit of the financial activities and transactions of public administrations in the name of the legislative body.

6.2.1 Aim of External Audit

The purpose of the ex post external audit to be performed by the Court of Accounts is to audit, within the framework of the accountability of public administrations within the scope of general government, the financial activities, decisions and transactions of management in terms of their compliance with the laws, institutional purposes, targets and plans, and to report the results to the Turkish Grand National Assembly.

6.2.2 Scope of External Audit

External audit is divided into two categories, namely regularity audit and performance audit.

Regularity audit is carried out by means of the following:

- Detecting whether the revenues, expenditures and goods of public administrations and the related accounts and proceedings are in compliance with the laws and the other legal regulations,
- Giving opinions about their accuracy and reliability after assessing the financial reports and statements of public administrations and all those documents produced in relation to these reports and statements,
- Assessing the financial management and internal control system.

Performance audit, on the other hand, is an act of measuring activity results in light of the objectives and indicators identified by administrations within the framework of accountability.

6.2.3 Functioning of External Audit

External audit makes use of the accounts and other relevant documents of the public administration. In the event that the TCA needs them, reports by the internal auditors can also be requested.

Reports produced upon the audits are consolidated by the administrations and submitted to the Senior Manager to be responded to; finally, the external audit overall evaluation report, produced considering the external audit reports and the responses to them, is submitted to the Turkish Grand National Assembly. It is possible to make external audit results into administration-based or topic-based reports and submit them to the TGNA as individual reports.

6.2.4 Coordination between External Audit and Internal Audit

Ensuring coordination and cooperation based upon communication, common understanding and trust between external audit and internal audit assumes importance in increasing the efficiency of both external audit and internal audit. Furthermore, such coordination and communication will ensure effective use of audit resources by preventing unnecessary repetitions of audit.

In accordance with Law No 5018, the Court of Accounts can make use of internal audit reports within the framework of such coordination and communication. Moreover, it is expressed in internal audit standards that the head of the internal audit unit shall share available information with the other internal and external auditors and conduct his activities in coordination with these people.

7 Internal Control Assurance Declarations

The new financial management and control understanding brings forward the concepts of financial transparency and accountability. Briefing the public and judicial organ on the activities of a public administration which are carried out in order to attain the objectives and aims, and on their results, is one of the most important requirements of managerial accountability.

This way, it is ensured that those carrying out public services feel more responsible and work in an outcome-oriented manner, and that beneficiaries of the public services are informed on how the taxes they pay are used and on the performance of public administrations; it is also encouraged that public audit is strengthened as well as legislative audit. To this effect, in the new financial management and control system it is stipulated that authorising officers⁵ prepare unit activity reports, the Ministry of Internal Affairs prepares an Assessment Report regarding the activities of local administrations and the Ministry of Finance prepares the Overall Activity Report, and it is ensured that the Court of Accounts informs the Turkish Grand National Assembly with its own assessments.

In order to deliver the concepts of financial transparency and accountability, the actors of the system, Senior Managers and authorising officers allocated with appropriations from the budget, have been commissioned to prepare internal control assurance declarations and attach these declarations to the activity reports of the administrations and those of the units.⁶

Within this framework, those who need to give an internal control assurance declaration and the type of declaration they will give are shown in the following scheme:

Table 3 – Types of Internal Control Assurance Declarations

| Those who will give internal control assurance declaration | Type of internal control assurance declaration |
|---|---|
| Senior Manager | Internal Control Assurance Declaration (Senior Manager) (Annex-3A) |
| Authorising Officers | Internal Control Assurance Declaration (Authorising Officer) (Annex-3B) |
| Head of SDU | Declaration of the Head of SDU (Annex-3C) |

5 Unit activity report and internal control assurance declaration are prepared by those authorising officers to whom an appropriation is allocated in the budget.

6 Art. 8 of Principles and Procedures regarding Internal Control and Ex-ante Financial Control; Art. 19 of By-law on the Preparation of the Activity Reports of Public Administrations, Annex 2, 3, 4.

On the other hand, every authority signing the internal control assurance declaration should be sure that the assurance he gave is supported by evaluation reports issued by the SDU, internal and external audit reports, other external assessments and similar sound evidence. Furthermore, while filling in the internal control assurance declaration of his administration, the Senior Manager should assess the Assurance Declarations of authorising officers and the Head of SDU, and should state in the Internal Control Assurance Declaration that the reasonable assurance these declarations gave to him formed an important basis for his own declaration.

7.1 How to complete Internal Control Assurance Declarations

Guidance on the internal control assurance declarations to be completed by the Senior Manager (Annex 3A), Authorising Officer (Annex 3B) and the Head of SDU (Annex 3C) is as follows.

7.1.1 Guidance on Internal Control Assurance Declarations for Senior Manager and Authorising Officer

The Internal Control Assurance Declaration (ICAD) is comprised of four main parts, namely Responsibility, Basis of Internal Control System and Assurance Declaration, Risk Management, and Assessment of Internal Control System (Annex 3A and Annex 3B).

In completing the two Annexes 3A and 3B, Senior Managers and Authorising Officers should observe the standard templates and complete the relevant boxes. Each box has a cross reference to where more information can be found in the main body of this chapter.

7.1.1.1 Responsibility

The Senior Manager is responsible for establishing, operating and monitoring an effective financial management and control system which will contribute to the realization of the objectives and aims of his administration. Within this framework, he is obliged to take necessary measures in order to ensure that regulations regarding the internal control system are adopted by employees and that internal control standards are observed. The authorising officer is responsible for the compliance of spending orders with the budget principles, laws, legislations, by-laws and regulations, as well as for the economical and efficient usage of subsidies and the functioning of internal control within the framework of his duties and authorities.

As the paragraph of ICAD regarding responsibilities is regulated within this framework, the name of the relevant administration should be written only in the part marked [administration]; other than this, no change should be made to the text.

7.1.1.2 Basis of Internal Control System and Assurance Declaration

The aim of the internal control system is to ensure the following, in order to give a reasonable assurance on the realization of the strategic objectives of the administration:

- Effective, efficient and economical management of public revenues, expenditures, assets and obligations,
- Public administrations carrying out their activities in line with the law and the other applicable regulations,
- Prevention of corruption and irregularity in every kind of financial decision and operation,
- Gaining regular, timely and reliable information and reports to make decisions and to monitor, and
- Prevention of abuse and waste of assets and protection against losses.

However, the internal control system will not give absolute assurance to the administration for the realization of the aims mentioned above, even if it is designed and operated very well, because some factors outside the influence and control of the administration can affect its capacity to attain its objectives. Therefore, we need to admit that the internal control system gives reasonable, not absolute, assurance to management for the realization of objectives.

The cost of internal control should not exceed the benefit obtained. The management has to take into consideration the control costs and benefits while making decisions on the regulation of responses to risks and control activities. The authorising officer, in the same manner, has to take these factors into consideration while identifying and assessing the risks related to his unit.

On the other hand, while identifying weaknesses in the internal control system, correcting the faults and contributing to the development of the system, the Senior Manager/authorising officer receives support from internal and external assessments made within the framework of management information systems, evaluation reports issued by the SDU, internal and external audit reports, and internal and external assessments. Therefore, it will be appropriate that the support provided along these lines be explained in ICAD by the Senior Manager/authorising officer.

7.1.1.3 Management Information Systems

Managers need financial and non-financial information in order to detect whether the administration has attained its objectives and aims or not, and whether the accountability function has been fulfilled or not, for an effective, economical and efficient usage of resources. Therefore, best fulfilment of such requirements and timely and accurate decisions are possible if there is proper, accurate, timely and accessible information.

Therefore, the management information system in the administration should be designed in a way to produce the necessary information and reports needed by the management and to give the opportunity to make analyses.

The Senior Manager/authorising officer should briefly touch upon in ICAD the management information system that is available in the administration/unit and explain what kind of contributions this system makes to the functioning of the internal control system.

7.1.1.4 Internal Audit

Responsibility for establishing an adequate and effective internal control system rests with the Senior Manager. By giving information to the management on the effectiveness, adequacy and functioning of the internal control system, and by making assessments and recommendations, internal audit takes an important part in helping senior management fulfil this responsibility.

Within this framework, during the audits carried out by internal auditors, the following are realized:

- It is detected whether the internal control system functions in a sound manner, and
- The success of the internal control system in compliance with the legislation and relevant regulations, in the accuracy of accounts and operations, in the reliability of financial system tables, and in providing an effective, economical and efficient execution of the activities, programs and projects of the administration is determined.

The Senior Manager, on the other hand, assesses the factors which are envisaged to be corrected and improved in internal audit reports and takes necessary measures.

First of all, the Senior Manager should state in ICAD whether his administration has an internal audit unit or not. The internal audit unit, if any, should give a brief summary of what measures they take regarding the adequacy, effectiveness and functioning of the internal control system, in line with the recommendations and assessments of internal auditors, in this part of the declaration.

The Senior Manager can make explanations in ICAD on how the action plans that have been prepared by the audited units regarding the measures to be taken by the administration as a result of internal audits are monitored, and he can also touch upon the support provided by the internal audit unit, if provided, regarding the monitoring activity in question.

The authorising officer, on the other hand, can make explanations in ICAD on the action plans prepared on the measures needed to be taken by his unit as a result of internal audit, and on their implementation.

7.1.1.5 External Audit

The Senior Manager/authorising officer should include in the Internal Control Assurance Declaration a summary of the relevant findings and assessments, if the Court of Accounts has conducted an external audit, as well as of the operations carried out by the administration in response to these findings and assessments.

If an operation in relation to external audit reports of the previous years has been carried out within the year, the summary of such operation should be contained in this part of the declaration.

7.1.1.6 Strategic Development Unit (SDU)

The SDU carries out studies in such fields as establishing the internal control system and implementing and developing the standards, and submits the study results to the Senior Manager.

Although the standard and method setting duty in financial management and internal control processes is assigned to the Ministry of Finance, every kind of method, process and standard regarding special operations which is considered to be necessary is prepared by the SDU and submitted for the approval of the Senior Manager, provided that they are not contrary to Law No 5018 and the standards set by the Ministry of Finance. Authorising Officers base their activities on the relevant regulation along with the legislation.

Furthermore, the SDU prepares an annual Internal Control Evaluation Report on the functioning of the internal control system and submits it to the Senior Manager. Therefore, the Senior Manager should mention in ICAD these regulations and Internal Control Evaluation Reports regarding the financial management and control system prepared by the SDU and enforced following his approval.

Within this framework, the authorising officer should touch upon in ICAD the guidance provided by the SDU for a sound functioning of the internal control system in the unit.

7.1.1.7 Risk Management

Administrations introduce their missions and visions as well as their objectives, aims and basic policies in their strategic plans. Besides preparing their strategic plans, administrations analyse their institutional strengths, weaknesses, threats and opportunities.

With the help of such techniques as SWOT and PESTLE analyses, administrations have the chance to identify, define and assess the risks they can come across in carrying out their activities. Generally, risk is an uncertain event that may occur, together with its unfavourable outcomes and impacts. Risk is generally considered to be the threats which prevent the realization of aims and objectives; however, well-managed risks pave the way to benefit from probable opportunities.

The two most important components of administrative risks are probability and impact. Therefore, while addressing risks, both the probability of occurrence and the impact a risk may create if it occurs are handled. The most important feature of the risk concept is that it is inevitable. Therefore, an administration should prefer managing risks instead of overlooking them and resorting to crisis management in case they occur. It should be emphasized that, as the time and resources to manage risks are limited and it is impossible to eliminate risks, necessary control activities are conducted to keep risks at a tolerable level.

Risk perception, risk awareness and risk appetite can differ according to the organisational structure, human resources and activities of an administration. Therefore, the Senior Manager should include in ICAD the following elements, relating them to the activities and functioning of the administration (Authorising Officers should take into consideration only the parts included in their own ICADs):

7.1.1.8 Risk perception of administration

- Leadership that the Senior Manager has in the risk management process,
- How risk awareness is raised among the staff and how the staff is encouraged to practise risk management,
- Administrative risk appetite and how it is perceived by the staff,
- Whether there is a commonly agreed risk perception among the staff

should be summarized.

7.1.1.9 Capacity to cope with risks

For an effective risk management:

- How training is provided and awareness is raised among the staff,
- How the staff is guided in addressing relevant risks in relation to their duties and responsibilities, and how and when they will consult with senior management in the field of risk management,
- How risk management is internalized within the framework of the overall activities of the administration/unit

should be explained.

7.1.1.10 Risk identification and assessment

What affects the activities of an administration is not merely financial risks. In relation to the activities of an administration/unit, risks such as the following can also be encountered:

- Risks with outer sources, such as political, economical, social, cultural, technological, environmental, legal and ethical risks,
- Risks with inner sources, such as assets, infrastructure, labour force and organisational structure.

Assessing the risks with outer sources can be handled within the strategic risks of an administration. Spending units should give more attention to the operational and functional risks related to their own fields of activity. The various risk categories in relation to the activities of the administration and how such risks are assessed should be briefly explained in ICAD (for example, whether risks have such definitions as risks to be eliminated, to be transferred, to be managed or to be tolerated, or not).

71111 Addressing controlling monitoring and reporting risks

Responses to be given to identified risks and the method used to address risks should be briefly explained. It should be emphasized whether or not the risk register, report on risk status, consolidated risk report and similar methodologies are functional in the administration.

Identifying the control environment by defining the following, and reporting after effective monitoring, will strengthen the effectiveness of internal control:

- Impact,
- Probability,
- Responses to be given, measures to be taken,
- Ownership, and
- Type and frequency of reporting.

Taking into consideration that the ICAD is a declaration, made within the framework of accountability, that the internal control system of the administration gives a reasonable assurance supported with evidence, a summary should be made within the above mentioned explanations regarding risk perception and risk management.

71112 Assessment of Internal Control System

While preparing the ICAD, an assessment of the effectiveness of the internal control system in the activity period should be included. It is quite useful to touch upon especially the specific high risk areas and the positive and negative developments regarding the internal system in these areas. As the areas in question can vary according to organisational structures and activities, it is appropriate to make the assessment according to the following headings:

- Human resources: differences regarding the key personnel of the administration/unit, differences regarding the qualities that activities necessitate, wage policy, working conditions, developments regarding underemployment and over-employment,
- Physical infrastructure and assets: developments in the physical infrastructure and all the assets of the administration/unit which can influence its fundamental activities,
- Information and communication infrastructure: the information infrastructure, software and hardware park that the administration/unit uses, important developments regarding information systems, new or updated information systems,
- Data security: assessment of the effectiveness of controls regarding the security of the confidential strategic information of the administration/unit,
- New structures and changing fields of activity: how structures that emerged in the administration/unit as a result of changes in the foundation law of the administration, or of a new division of duties and activities among administrations, are reflected in the internal control system,
- Problems encountered in main fields of activity or examples of good practice: the Senior Manager/authorising officer should include in the assurance declaration the problems which are experienced because of inner and outer factors and are rooted in the weaknesses of the internal control system. Besides, measures to be taken in order to overcome such problems should be summarized in the declaration. Likewise, threats eliminated with the help of an effective internal control system should be touched upon within the scope of 'good practices',
- Developments regarding weaknesses stated in previous years: the Senior Manager/authorising officer should include in this part the measures taken and improvements experienced regarding the weaknesses and problems contained in the assurance declarations of previous years, and
- Other developments: the Senior Manager/authorising officer should include in this part important developments, if any, which are not within the scope of the above mentioned headings.

The Senior Manager/authorising officer may not feel comfortable touching upon the weaknesses and problems listed above in the ICAD. However, it is clear that no assurance declaration which does not mention any threat, problem or weakness will be convincing and meet the requirements of the transparency and accountability principles. What is important is to emphasize that controls are developed and the internal control system is strengthened for the identified problems and weaknesses.

Proceedings which are not found to be appropriate following ex-ante financial control: the authorising officer should include in this part the proceedings performed which were found to be inappropriate by financial services, if any. The supporting opinion, report and evidence of the authorising officer despite the negative opinion should be summarized to contribute to accountability (7). If there is no such proceeding as mentioned above, then the expression "there is not such a proceeding I performed that is not found to be appropriate by SDU" should be available in the assurance declaration.

On the other hand, the Senior Manager should state, while filling in the Internal Control Assurance Declaration, that he evaluated the Assurance Declarations of the Authorising Officers and the head of SDU and that the reasonable assurance provided by these declarations formed an important basis for his own declaration.

In case the Senior Manager received support from support and consultation boards/Boards established officially and unofficially (ad hoc), such support should be explained in the ICAD. It is possible that these boards/Boards prepare reports regarding the assessment of the internal control system, emphasizing risk strategy and risk management, to be submitted to the Senior Manager. In the case that a support/consultation unit similar to those which are called Consultation Board, Audit Board, Risk Board or Steering Board, and which show differences among countries/administrations in terms of composition and working style, is established, the support received from such a Board should be summarized, which will strengthen the assurance that the declaration provides.

712 Guidance for Internal Control Assurance Declaration of Head of SDU

7 Regulation on Principles and Procedures regarding Internal Control and Ex-Ante Financial Control - Article 28. Financial services unit keeps a record of transactions carried out by the authorising officers despite the fact that ex-ante financial control declared them inappropriate, and these records are submitted to the Senior Manager monthly. The said records are also provided to auditors during internal and external audit.

The Declaration by the Head of SDU (DHSDU) is a very important element which lays the groundwork for the assurance that the Senior Manager needs to provide regarding the internal control system in their administration (ANNEX 3C).

In completing Annex 3C, Heads of SDUs should observe the standard templates and complete the relevant boxes. Each box has a cross reference to where more information can be found in the main body of this chapter.

The Head of SDU is responsible for ensuring that the internal control system is implemented and monitored, and that their opinions and recommendations are reported to the Senior Manager so that the necessary actions are taken in time, in order to ensure that the activities in the administration are carried out in accordance with the financial management and control legislation and other legislation, and that public resources are utilised in an efficient, effective and economic manner.

As the Field of Competence part of the DHSDU is based on this framework, this part should not be changed either, except for writing the name of the administration in the brackets (administration).

Furthermore, if the declaration is supported by the explanations under the following headings, it will be the basis for the reasonable assurance that the Senior Manager has to provide to the public opinion.

7121 Management Information Systems

For the Head of SDU, financial and non-financial information is needed to identify whether the aims and objectives of the administration are reached, resources are used effectively and economically, and accountability purposes are met. Meeting these requirements and ensuring timely and right decision making by the administration's management is only possible with the existence of proper, accurate, timely, up-to-date and accessible information.

Therefore, the management information system within the administration must be designed in a manner to produce the information and reports needed by the management and provide them with the chance to make analysis.

In the declaration, the Head of SDU should include the explanations that the activities in the administration have been carried out in compliance with the legislation and in line with the budgets prepared according to the strategic plan and annual performance programmes, and provide supportive evidence. They should explain the contribution made by the management information systems utilised in the administration to the legality of the activities.

7122 Development of Internal Control System

SDUs are responsible for the establishment of internal control systems in the administrations and carry out studies regarding the implementation and development of the standards. In this part of the declaration, the Head of SDU should mention the studies carried out to ensure that the internal control system of the administration is harmonised with the Public Internal Control standards, and briefly describe the process for the design of job descriptions, formation of business processes, and preparation and implementation of action plans.

7123 Monitoring and Review

The Head of SDU should include the supportive evidence regarding the ex-ante financial control activities carried out in line with the legislation and the approval from the Senior Manager, and the monitoring of the due process control. In addition, it should be suggested that the transactions carried out by the authorising officers despite the negative opinion upon ex-ante financial control are recorded and submitted to the Senior Manager on a monthly basis for information purposes.

On the other hand, it should be stated that financial decisions and transactions to be subject to the ex-ante financial control by the SDU are grouped according to their type, cost and subject, considering the risky areas, and reviewed at least once a year.

Among the duties of the SDU are establishing performance and quality criteria in issues within the duty field of the administration; collecting, analysing and interpreting the data and information on the management of the administration, improvement of the services and performance in issues within the duty field of the administration; analysing the external factors which will affect services; conducting capacity research within the institution; analysing the effectiveness of the services and the level of satisfaction with these services; and doing general research in that sense.

In this context, the Head of SDU should include in the declaration the studies carried out to increase the quality of the services provided by the administration, the studies for analysing the external factors which will affect services, the capacity research within the institution to analyse the effectiveness of the services, and the conclusions of these evaluations.

In this part of the declaration, the Head of SDU should provide explanations about the arrangements prepared by their unit and put into effect upon the approval from the Senior Manager.

Finally, the studies regarding the establishment of the internal control system in the administration and the implementation and development of the standards, and the process where the financial management and control system of the organisation is reviewed on an annual basis and reported to the Senior Manager, should be described.

7124 Briefing and Advising

Providing necessary information and consultancy to the Senior Manager and Authorising Officers regarding the implementation of financial laws and other related legislation is also among the duties of SDUs.

In this part of the DHSDU, it should be underlined that coordination has been ensured while working with the spending units regarding the establishment of the internal control system and the implementation and development of the standards. A brief explanation that information and consultancy has been provided to the Senior Manager and Authorising Officers regarding the implementation of financial laws and other related legislation should be included.

7125 Financial Information

The Heads of SDU should themselves be convinced that the information included in the section IIIA-Financial Information of the Activity Report is reliable, complete and accurate, depending on the supportive evidence.

MONITORING ANNEXES

Annex 1 Internal Control System Question Form

INTERNAL CONTROL SYSTEM QUESTION FORM

This questionnaire is designed for the public administrations to see whether the internal control system complies with the internal control standards. Furthermore, it will provide the opportunity to identify to what extent the internal control system facilitates the achievement of objectives, considering the changing conditions, resources and risks. It is of crucial importance that those responding to this questionnaire give factual answers to the questions, as the questionnaire will be used to identify the level of advancement of the internal control system in the administration.

Heads of units are responsible for making an in-depth assessment of the functioning of internal control in their respective units and completing the internal control questionnaire. Within this framework, the questionnaires completed by heads of units under the guidance of SDUs are sent back to SDUs to be consolidated and formed into an overall evaluation report for the entire administration. SDUs submit the report produced using these questionnaires to the CHU following the approval by the Senior Manager.

Completing the questionnaire

This questionnaire is made up of five parts, each of which is based on one of the components of Internal Control:

- Control Environment,
- Risk Assessment,
- Control Activities,
- Information and Communication, and
- Monitoring.

Each part includes questions regarding the functioning of the internal control system in the context of the aforementioned components. Attention should be paid to ensuring that responses to the questionnaire are consistent with the administration action plans produced to achieve compliance with the Public Internal Control Standards.

Spending units are obliged to respond to the questions about Risk Assessment, Control Activities, and Information and Communication. Responding to the questions about Control Environment and Monitoring is at the spending unit's discretion.

The response part is made up of three options: YES, NO and IN DEVELOPMENT. There is also a fourth column titled EXPLANATION. YES means that the issues included in the question are properly understood and implemented within the administration/unit. NO means that the issues included in the question are not understood or implemented within the unit/overall administration. IN DEVELOPMENT means that the issues included in the question are partially understood or implemented in the unit/some divisions of the administration. In the explanations part, evidence and recommendations should be written, if any. Guidance is given following the questions with a view to helping better understand the questions.

The questionnaire will be evaluated by means of scores assigned to the answers to each question. The answer "Yes" will correspond to score "2", the answer "In Development" to score "1" and the answer "No" to score "0". For each chapter of the questionnaire, a total score will be calculated. Besides, there will be a total score for the whole questionnaire.

If the answer "No" is given in response to a question, steps should be taken by the Head of Unit/Senior Manager to improve the relevant areas.

If the answer "In Development" is given in response to a question, the head of unit/Senior Manager should assess what can be done to achieve progress in the relevant area.

If the answer "Yes" is given in response to a question, then it means that there is no factor in that area which needs improvement.

Taking into consideration that this questionnaire is a kind of self-assessment and that the internal control system is a new practice for administrations, please give realistic and reliable answers.

In the event that you have some hesitations in completing the questionnaire, please refer to the SDU.

No | Questions | Yes (8) | No | In Development (9) | Explanation

Points: Yes = 2, No = 0, In Development = 1

1. Are the public internal control standards well known in your administration? It will be convenient to deliver trainings and hold meetings with a view to raising awareness in this subject.

CONTROL ENVIRONMENT

CONTROL ENVIRONMENT: The control environment provides a general framework that is the basis for the other components of the internal control system, and it is a concept used to describe the setting out of the goals and objectives of the administration, their communication to the staff and the creation of a due organisational structure and culture. Personal and professional integrity, the ethical values of the employees and the management, a supportive attitude towards internal control, written procedures and the practices for human resources management, the organisational structure, the management philosophy and the operating style have great influence on the control environment.

2. Are there mechanisms in your administration that ensure familiarization of all employees with the code of ethics? For example, are trainings provided or meetings organised to adapt the public code of ethics to your administration and to adopt them, and are leaflets produced in this regard?

3. Are there any codes of conduct/ethics available, in addition to public codes of ethics, produced for your administration?

4. Has any standard been developed in your administration in terms of duration and method for services directly delivered to citizens?

8 If the response is "Yes", evidence (details of the activities carried out, etc.) must be provided in the "Explanations" column.

9 If the response is "In Development", necessary information (details of the activities carried out, etc.) must be provided in the "Explanations" column.

5. Is it ensured that authorised bodies and staff have access to outputs related to all the works and transactions?

6. Are there mechanisms available in your administration for staff and the other people who are delivered service by the administration to submit their recommendations, assessments and questions (questionnaires, face-to-face meetings, group meetings, electronic applications, etc.)? It is recommended that questionnaires to be developed be based upon the principle of confidentiality.

7. Is your administration's mission written down and announced? The mission can be announced to the staff via bulletin boards, intranet or e-mail. Production of a strategic plan indicates that the mission has been set out.

8. Are there any directives, circulars or approvals in your administration regarding job descriptions of units, sub-units and staff? Job descriptions for the units and sub-units as well as for staff must be written down and announced in order to ensure that your administration's mission is being carried out. If the response is "No", when this is going to be done must be stated.

9. Does the organisational chart of your administration demonstrate key areas of authority and responsibility, reporting lines which are appropriate to accountability, and coordination and integration points? If the response is "Yes", roles and responsibilities regarding each objective must be set out clearly. An organisational chart for units must be produced.

10. Have procedures regarding sensitive tasks been set out in your administration? It is recommended that the procedures in question be defined in writing and announced to staff, and that a rotation policy regarding sensitive duties be set out. For detailed information on sensitive duties, refer to the Control Environment Chapter of the Manual.

11. Are mechanisms available in your administration to enable managers from each level to monitor the results of tasks assigned? If the response is "Yes", these mechanisms (reports, work plans, regular meetings, automation programs, etc.) must be stated.

12. Have the competence, skill and knowledge each task entails been identified in your administration? In answering this question, it must be assessed whether or not the factors mentioned above are taken into consideration while recruiting staff.

13. Have promotion procedures been defined in writing in your administration? The factors mentioned above must be defined taking into consideration staff performance, and these factors must be announced to staff.

14. In your administration, is there a unit responsible for trainings which identifies training needs for each task identified and ensures that training activities to satisfy the needs are planned and carried out each year?

15. Do managers of your administration share the results of the assessments they make on staff competence and performance with the staff? It is recommended that the Senior Managers share the results of the assessments with the staff.

16. Is action taken to increase the performance of the staff whose performance is deemed unsatisfactory upon the performance assessment? For example, is any action taken such as providing private training for that person, discussing the areas where their performance is deemed unsatisfactory, or assigning them under the supervision of more experienced staff?

17. Are there rewarding mechanisms in your administration geared towards those staff who give a high performance, and are these mechanisms applied? It is recommended that rewarding mechanisms be developed for staff who give a high performance (picking employee of the month, abroad assignments, etc.) and that these criteria be announced to all the staff.

18. Have procedures regarding human resources (staff employment, replacement, promotion, training, performance appraisal, personal rights, etc.) been documented? If so, examples must be provided. The procedures mentioned above must also be announced to staff.

19. Are the bodies of signature and approval set out in the flowcharts? If the response is "No", it is recommended that these business flow processes are defined, and that bodies of signature and approval are identified and communicated.

20. In your administration, have delegations been defined in writing? Delegations must include the information on their scope, quantity and duration, and on whether the authority delegated can be delegated to another person. Furthermore, attention should be paid to striking a balance between authority and responsibility in the delegation of power.

21. Have minimum requirements (knowledge, skill and experience) been identified in your administration for staff to be delegated authority? Please explain how you define this knowledge, skill and experience and how you ensure that the person to whom the authority is delegated has them.

22. Does the employee who receives the authority report information to the delegator on a certain basis about the utilisation of the authority? The reporting period must be proportionate to the duration of the delegation.

TOTAL POINTS - CONTROL ENVIRONMENT

RISK ASSESSMENT

RISK ASSESSMENT: Risk assessment is the process where the risks that might prevent the achievement of the administration's objectives are defined and analysed and necessary actions are taken. In this section, the risk perception and risk handling capacity of the administration must be self-assessed using the following questions.

1. Have methodologies and responsibilities, as well as reporting procedures, for monitoring and assessing the performance given in achievement of objectives been identified in strategic plans? If the answer is "Yes", how monitoring and assessment processes work in practice must be explained briefly.

2. Have the strategic plan and performance programs been taken into consideration in budget preparations? The activities and projects carried out to reach the aims and objectives set out in the strategic plan, the indicators to be followed and the resource needs for these activities and projects must be shown in the performance programmes. Therefore, these strategic plans and performance programmes must be taken into consideration during the budget preparations for the administrations.

3. Do activities carried out in your administration/unit comply with the aims and objectives set out in the strategic plans and performance programmes? Administrations must focus on the aims and objectives set out in the strategic plans and performance programmes for effective, efficient and economic use of resources.

4. While setting out the objectives of your administration and units, has it been ensured that they are SMART?

5. Have your units set out, within their area of competency, specific objectives in accordance with the objectives of the administration? Responses to this question by the units that are unable to set out specific objectives (such as support services) must be considered during the evaluation. Furthermore, specific objectives that have been set out must be announced to staff.

6. Does your administration have a risk strategy and policy document which is approved by the Senior Manager and accessible to all the staff? The administration's risk strategy must be reviewed at least once every year and updated when deemed necessary.

7. Are contributions from employees received in the risk management process? Employees feeling a sense of ownership for risk management (identifying, handling, responding to, reviewing and monitoring risks) and regarding risk management as a part of their work will produce a strong corporate reflex against risks. If the answer to this question is "Yes", please explain how you ensure this contribution.

8. Is risk management, which covers identifying, assessing, responding to and reviewing risks for your objectives and aims, implemented in your administration? While identifying the risks to the achievement of aims and objectives, a methodology and a certain process must be adopted, and it must definitely be documented (risk register, risk progress report, consolidated risk report and so on). Measures to mitigate risks taken by the administrations must be applied within the framework of action plans.

9. Are annual Internal Control Evaluation Reports prepared in your administration about how effectively the risk management process works in your administration? These reports must cover information about what has been done throughout the year to mitigate risks.

TOTAL POINTS - RISK ASSESSMENT

CONTROL ACTIVITIES

CONTROL ACTIVITIES: Control activities are the policies and procedures produced to ensure that the administration's aims and objectives are achieved and the risks identified are managed.

1. In your administration, are efficient control strategies and methods set out and practised for each activity and risk? Defined controls must comply with the risks; different control methods must be applied for different types of risks. Control strategies and methods must be set out and applied in the form of periodical reviews, control by sampling, comparison, approval, reporting, coordination, confirmation, analysis, authorisation, supervision, review, monitoring, periodical check, security of assets, etc. The controls within the administration must also cover ex-ante process and ex-post controls where necessary.

2. Is cost-effectiveness analysis made in your administration in identifying control activities? The expected benefit and the cost of the set out control activity must be compared; controls with costs exceeding the benefits must be identified and less costly alternative controls must be selected.

3. Are there written procedures regarding your administration's activities, financial decisions and transactions? There must be written procedures regarding your administration's activities, financial decisions and transactions. These procedures and relevant documents must cover the initiation, implementation and conclusion phases of the activity, financial decision or transaction. Procedures and relevant documents must be up-to-date, comprehensive, in compliance with the legislation, and understandable by and accessible to the relevant staff.

4. Do managers of your administration carry out the necessary controls for effective and continuous implementation of procedures? Activities and transactions of the administration must be carried out in accordance with the regulations developed in this area. Managers must systematically check whether or not these regulations are complied with (in this regard, such control processes as initials, assent, control lists and physical counts can be defined). Within this framework, managers should monitor whether or not the works carried out by staff are in compliance with the regulations. Manager instructions must be produced about how to remedy faults and irregularities detected.

5. Is the principle of 'segregation of duties' practised in your administration? The tasks of approving, implementing, recording and controlling each activity or financial decision must be carried out by different people, and the fact that the principle of segregation of duties is complied with must be supported by written documents. Where segregation of duties is not possible due to an insufficient number of staff, the managers must be aware of the risks and take necessary precautions. In such cases, other control procedures must be established to manage the risk.

6. Are necessary measures taken against the factors that affect the continuity of operation in your administration? Necessary measures must be taken against the factors that affect the continuity of operation, such as an insufficient number of staff, temporary or permanent leaves, adoption of new information systems, changes to the methods or the legislation, and emergencies. If the response is "Yes", efficient written procedures, trainings, guidance and planning can be provided as evidence.

7. Is the system of deputation applied efficiently in your administration? Where necessary, deputies must be assigned in accordance with the relevant procedures. The person assigned as a deputy must have the necessary qualifications. Detailed internal arrangements must be carried out regarding the deputation procedures included in the personnel laws, and the qualifications required from the deputies must be defined in detail.

8. Do the staff leaving their positions report to their successors about the status of the works and transactions they have conducted?

Managers must ensure that the staff leaving their positions prepare a report on the status of the task and the operations, along with the necessary documents, and submit it to their recently assigned successors. The report must include the list of the important tasks being carried out, the risks to be considered as priority, the list of periodic tasks and so on.

9. Are there defined authorisations for data and information input and access to the information system in the administration?

The information system must only be accessible to authorised staff. To this end, regularly updated information security software must be used for access to the computer programmes. Arrangements regarding the designated level of security must be complied with while working on documents.

10. Are there sufficient back-up mechanisms and tested disaster recovery plans/action plans for the information system?

TOTAL POINTS - CONTROL ACTIVITIES

INFORMATION AND COMMUNICATION

INFORMATION AND COMMUNICATION: Information and communication includes a proper system of information, communication and registry that ensures that necessary information is communicated to the person, employee or manager who needs it, in a certain format and in a timely manner, that the objectives are reached, and that enables the relevant people to fulfil their internal control responsibilities.

1. In your administration, is there an efficient written, electronic or verbal internal communication system that covers both horizontal and vertical communication?

The response to this question should include the means/methods (in person, via telephone, e-mail, in writing, etc.) the staff use to communicate with each other or their managers, and the consideration on whether these are appropriate and/or efficient.

In order for the employees to receive the information they need to carry out their work uninterruptedly, it must be ensured that they are in touch with managers from all levels, including top management.

2. Is there an external communication system to ensure efficient communication with external stakeholders?

This system monitors communication and checks whether the questions can be answered or not.

3. Do the present internal and external communication systems ensure that the staff or external stakeholders can communicate their expectations, recommendations and complaints?

For example, whether the Law no. 4982 on the Right to Information is efficiently executed within the administration and whether requests and complaints are responded to in time should be considered.

4. Is it ensured that all the information and documents regarding the activities of your administration are accurate, complete, reliable, useful and understandable?

Information systems must ensure timely access to the accurate, complete, reliable and understandable information required while carrying out the operations.

The response to this question must include a statement on whether mechanisms (decision support systems, archive and document management systems, etc.) for ensuring the aforementioned principles exist.


5. Do the present information systems ensure that the objectives set by the administration are monitored and that activities regarding these objectives are efficiently supervised and assessed?

The Management Information System must be designed in a way that it produces the information and reports that the managers need during decision making processes and provides them with the chance to make analysis.

6. Are there reporting mechanisms with rules and standards set out in line with the monitoring of objectives, supervision of activities and accountability purposes?

The performance programmes, published financial progress reports that include the expectations and objectives, and the content of the activity reports must be in line with the requirements of the relevant legislation.

7. Is there a documentation and archiving system that complies with certain standards for the record, classification, protection of and access to the operations and transactions of the administration?

While responding to this question, Standard 15 of the Public Internal Control Standards and the legislation on archiving and documentation must be considered.

8. Are there available tools to report, from inside and outside the administration, faults, irregularities and possible or ongoing problems?

Employees and external stakeholders must be informed enough about these tools. There must be a whistle-blowing process and a procedure for protecting personnel, and they must be informed about these.

Managers must take necessary actions to prevent discrimination and ill treatment against whistle-blowers.

TOTAL POINTS - INFORMATION AND COMMUNICATION

MONITORING

MONITORING: The internal control system is a dynamic process where the administration has to continuously adapt to the risks and changes it faces. Therefore, the internal control system needs to be monitored in order to ensure that it adapts to the changing objectives, environment, resources and risks as necessary. The basis for an effective and efficient monitoring is the design and implementation of monitoring procedures that are relevant to the administration’s objectives and that assess the important controls regarding meaningful risks.

When monitoring is designed and implemented properly, it provides correct and convincing information on the efficiency of the internal control system, identifies internal control failures on time and notifies the people responsible for taking action and the top management where necessary. This will ensure that the problems faced are corrected before they harm the objectives of the administration. Monitoring is carried out by the management and internal and external audit.

1. Is the internal control system monitored and assessed at least once a year?

Please explain at what intervals the internal control system in your administration is assessed and the methods used.

The internal control system must be assessed via ongoing evaluations or separate evaluations. It is recommended that these two methods are applied at the same time. (Separate evaluation of the internal control system can be carried out by setting up working groups or via questionnaires.)

2. Are processes and methods set out in your administration to identify and disclose the shortcomings of internal control and improper control methods, and to take the necessary actions?

If the response is “Yes”, please briefly mention the process and method adopted in your administration. It is recommended that the processes and methods are put into practice upon the approval by the Senior Manager. Please give brief information on the responsible staff notified in the event of an incomplete or improper control method, the time limit set for taking action and how these procedures are monitored. Management fulfils this responsibility via SDUs and internal auditors.

3. Are trainings, plenary sessions and meetings held which will create the atmosphere in which managers will be provided with feedback about whether internal control functions effectively or not?

4. Are the units of the administration involved in the evaluation of internal control?

If the answer is “Yes”, please explain how participation is ensured. It must be ensured that units take active part in the process, and the task of evaluating the internal control system must not be perceived as the responsibility of only the Senior Manager, internal auditor and SDU.

5. Is there an internal audit unit/internal auditor in your administration?

6. Is there efficient cooperation among the internal audit unit, management and staff?

What has been done to increase the level of awareness of the manager and the staff on internal audit activities? What has been done to see the relations with the internal audit unit and the expectations? Please explain briefly.

7. While evaluating internal control, are the opinions of the managers, requests and complaints by people/organisations, and the reports produced upon internal and external audit taken into consideration?

The method to adopt for the collection, assessment and reporting of the information required for the evaluation of internal control must be set out. Please refer to the staff responsible for assessing the internal and external audit findings and recommendations for the evaluation of internal control, the time limits for these assessments and the management level to which this information is communicated.

Compare the internal and external audit reports with the results of the internal control system evaluation by the SDU for consistency. In the event that any inconsistency is identified, the reasons for this must be questioned.

8. Are recommendations from internal audit and SDU about how to improve internal control taken into consideration by management?

9. Are action plan(s) covering the internal control evaluation results and the recommendations made upon internal and external audit produced and implemented? Are they followed up?

If the timing is appropriate, action plans can be combined. Please give brief information on the staff responsible for following up the action plans and the method used. Furthermore, please provide information on the method used for the follow-up of internal audit reports, if there is any. With which level of management are the results of the follow-up shared, and how often? Please explain.

TOTAL POINTS – MONITORING

GRAND TOTAL

Annex 2: Internal Control System Evaluation Report

............... (NAME OF ADMINISTRATION)

INTERNAL CONTROL SYSTEM EVALUATION REPORT

I. INTRODUCTION

1.1 Mission

1.2 Aims and Objectives

1.3 Organisational Structure

II. INTERNAL CONTROL QUESTIONNAIRE RESULTS

II.1 Consolidated Summary on strengths and aspects open to improvement regarding the entire organisation relevant to each COSO component

- Control Environment

- Risk Management

- Control Activities

- Information and Communication and

- Monitoring

III. OTHER INFORMATION

III.1 Internal Audit Reports

III.2 External Audit Reports

III.3 Other Information Sources

III.3.1 Budget Information

III.3.2 Data on Ex-ante Financial Control

III.3.3 Requests by Individuals and/or Administrations

III.3.4 Other Information

IV. CHANGE SINCE THE LAST REPORT

IV.1 For each COSO component, has the position got better or worse, and why?

V. CONCLUSION

V.1 Strengths

V.2 Aspects Open to Improvement

V.3 Recommendations for action

Annex 3a: Internal Control Assurance Declarations (Senior Manager)

I. RESPONSIBILITY

As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of [the administration]. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.

II. PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION

I declare that my administration’s budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements, and that the resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.

In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration’s revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; my administration operates in line with the laws and other regulations; irregularities and fraud are prevented in each financial decision and transaction; regular, timely and reliable reports and information are acquired for decision making and monitoring; and assets are safeguarded against abuse, waste and losses.

This assurance is based on my knowledge and considerations as the Senior Manager, management information systems, internal and external evaluations carried out within the context of the quality assurance development programme, studies of the SDU, and internal and external audit reports (if available).

In the following part, the Senior Manager must explain the support by the management information systems, internal and external evaluations within the framework of the quality assurance development programme, internal and external audit and SDU.

Management Information Systems

Please read section no 6113 before completing this part

Internal Audit

Please read section no 6114 before completing this part

External Audit

Please read section no 6115 before completing this part

SDU

Please read section no 6116 before completing this part

III. RISK MANAGEMENT [10]

As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration and the production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, creation of the necessary organisational capacity and embedding risk management into the general activities is valued.

In the following part, the authorising officer should address the risk perception of the administration and its capacity to deal with risk.

Risk perception of the administration should summarise

Please read section no 6117 and 6118 before completing this part

Capacity to handle risk

Please read section no 6119 before completing this part

My administration faces a wide range of risks during the course of its activities. These risks are considered in accordance with the principle that the cost of the internal controls to be developed with control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted in levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.

In the following part, the Senior Manager should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration’s risks.

Identification and assessment of the risks

Please read section no 61110 before completing this part

Addressing control environment monitoring and reporting of the risks

Please read section no 61111 before completing this part

[10] This part must be completed when the risk management process starts to function in the administration.

IV. APPRAISAL OF THE INTERNAL CONTROL SYSTEM

As the Senior Manager, during the preparation of the foregoing declaration, I also considered the assurance declarations by the Authorising Officers and Head of SDU. The information and evaluations I have received from these declarations provide an important basis regarding the assurance I have to provide on the internal control system in my administration.

Furthermore, [advisory, audit, risk steering] boards/committees have been set up within [the administration] to provide support and guidance for the evaluation of the internal control system, particularly in terms of risk strategy and management. Reports prepared by these boards have made a great contribution to the evaluation of the internal control system.

Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term and how these developments have been handled are summarised below.

Please read section no 61112 before completing these parts

Human Resources

Physical infrastructure and assets

IT and communication infrastructure

Data security

New structures and changing fields of activity

Problems faced in the main fields of activity or examples of best practice

Developments regarding weaknesses stated in previous years


Other developments

(Date)

Signature

Name

Title


Annex 3B: Internal Control Assurance Declaration (Authorising Officer)

INTERNAL CONTROL ASSURANCE DECLARATION [11]

I. RESPONSIBILITY

As the authorising officer, within my field of competence, I am responsible to ensure that my expenditure orders are in line with the fundamentals and principles of the budget, the laws, rules and regulations and other legislation, that the appropriations are utilised in an efficient, effective and economic manner, and that the internal control operates properly.

II. PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION

I declare that the operations and transactions carried out by my spending unit comply with the aims and objectives of the administration, high financial management principles, control arrangements and the legislation; that the resources allocated with the administration budget to the spending unit have been utilised in line with the planned objectives; and that the internal control system within my unit provides the sufficient and reasonable assurance.

This declaration of assurance is based on my own information and evaluations as the authorising officer and on the management information systems, internal and external evaluations carried out within the context of the quality assurance development programmes, studies by the SDU, and internal and external audit reports.

In the following part, the support provided by the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programmes and studies by the SDU should be elaborated by the authorising officer.

Management Information Systems

Please read section no 6113 before completing this part

Internal Audit

Please read section no 6114 before completing this part

External Audit

Please read section no 6115 before completing this part

SDU

Please read section no 6116 before completing this part

[11] Please read section no 611 before completing this part

III. RISK MANAGEMENT [12]

Within the framework of the overall risk perception, strategy and awareness of the administration, the capacity to handle risk has been determined for the activities specific to my unit, and the necessary importance has been attached to embedding risk management in its activities.

In the following part, the authorising officer should address the capacity to handle risk.

Capacity to handle risk

Please read section no 6119 before completing this part

My spending unit faces various risks during the course of its activities. These risks are considered in line with the principle that the cost of internal controls to be developed does not exceed the benefit planned to be gained from them. A systematic approach has been adopted in the spending unit for the identification, addressing, assessment, monitoring and reporting of the risks faced.

In the following part, the authorising officer should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration’s risks.

Identification and assessment of the risks

Please read section no 61110 before completing this part

Addressing control environment monitoring and reporting of the risks

Please read section no 61111 before completing this part

IV. EVALUATION OF THE INTERNAL CONTROL SYSTEM

The following is the summary of the most significant developments experienced in the activities of my unit within the period covered by the foregoing report and how these developments have been addressed by the internal control system.

Please read section no 61112 before completing these parts

Human Resources

IT and communication infrastructure

Data security

[12] This part must be completed when the risk management process starts to function in the administration.

New structures and changing fields of activity

Problems faced in the main fields of activity or examples of best practice

Developments regarding weaknesses stated in previous years

Other developments

As the authorising officer, I hereby declare that we have also carried out some transactions overriding the opinion of the SDU. Information and justifications for these transactions are as follows:

There is no such a work I carried out that is not found to be appropriate by SDU.

(In this part, transactions, if any, carried out by the authorising officers despite the negative opinion provided upon the ex-ante financial control. If there is no such work as mentioned above, then the expression “there is no such a work I carried out that is not found to be appropriate by SDU” should be included.)

(Date)

Signature

Name

Title

Annex 3b: Internal Control Assurance Declaration (Head of SDU)

INTERNAL CONTROL ASSURANCE DECLARATION

As the Head of SDU, I declare that the internal control system has been implemented and monitored, and that my opinions and recommendations have been reported to the Senior Manager to take the necessary actions in time, in order to ensure that the activities in [the administration] are carried out in accordance with the financial management and control legislation and other legislation and that public resources are utilised in an efficient, effective and economic manner.

Please read section no 612 before completing this part

In the following part, the studies regarding the management information systems, development of the internal control system, monitoring and review, and briefing and advising should be explained by the Head of SDU.

Management Information Systems

Please read section no 6121 before completing this part

Development of Internal Control System

Please read section no 6122 before completing this part

Monitoring and Review

Please read section no 6123 before completing this part

Briefing and Advising

Please read section no 6124 before completing this part

Financial Information

Please read section no 6125 before completing this part

I confirm that the information included in the section IIIA-Financial Information of the Activity Report (year) is reliable, complete and accurate.

(Date)

Signature

Annex 4: Example of a Complete Declaration

INTERNAL CONTROL ASSURANCE DECLARATION

(SENIOR MANAGER)

Name-Surname

Title

I. RESPONSIBILITY

As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of the Ministry of Space Exploration. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.

II. AIMS AND PILLARS OF INTERNAL CONTROL SYSTEM

I declare that my administration’s budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements, and that the resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.

In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration’s revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; my administration operates in line with the laws and other regulations; irregularities and fraud are prevented in each financial decision and transaction; regular, timely and reliable reports and information are acquired for decision making and monitoring; and assets are safeguarded against abuse, waste and losses.

This assurance is based on my knowledge and considerations as the Senior Manager, management information systems, internal and external evaluations carried out within the context of the quality assurance development programme, studies of the SDU, and internal and external audit reports (if available).

Management Information Systems

Management information systems have been established in all General Directorates in order to provide information for managers that enables effective decisions to be made and for information on changing risks to be monitored in our Ministry. However, not all of our legacy IT systems have been fully assessed for security risks. As part of the measures being taken to strengthen data security governance, we will ensure that the IT systems supporting our most time-critical business processes are reviewed to establish a known risk position by December 2010. We will carry out a review of our remaining systems during 2011.

Internal and External Evaluations Carried Out Within The Context Of Quality Assurance Development Programme

Presidency of Strategy Development has carried out one internal evaluation of the effectiveness of internal control within the context of the quality assurance and development programme. The main findings of this evaluation are:

- That compliance with internal control standards was good in terms of effective control activities in order to minimise risk.

- Internal Control and Risk Steering Board has been set up within the Ministry to contribute to the evaluation of the internal control system.

- Unit managers needed to develop their skills regarding ongoing monitoring of internal control systems.

Based on the evaluation findings, the Ministry has produced an action plan which is planned to be put into practice as of June 2010.

There were no external evaluations carried out within the context of the quality assurance and development programme, but the CHU has declared that this is scheduled for 2013.

Internal Audit

Our Ministry’s Internal Audit Unit continues to operate within the framework of a three-year audit plan. Internal Audit operated to requirements defined in the Public Internal Audit Standards. Their audit programme was focused around the Ministry’s key risks of internal control, together with recommendations for improvement. The Director of Internal Audit Unit provided me with an annual Internal Control Evaluation Report which contained an independent opinion on the adequacy and effectiveness of internal control. The conclusion of the Director of Internal Audit Unit was that the following aspects of internal control should be improved:

- Awareness of the Deputy Undersecretaries and General Directors on internal control responsibilities and risk management

- Improvement of the present arrangements regarding the promotion, assignment and appointment system to make it transparent and competence based

- Improvement of communication between the central and provincial organisations of our ministry

- Review of management information systems to update old systems

- Improvement of allowances and supplementary payments for personnel going to space

It has been decided that a working group consisting of managers from the SDU, General Directorate of Personnel and other relevant units is to put these recommendations into an action plan.

External Audit

The TCA has approved the annual accounts of the Ministry.

SDU

An evaluation on the internal control system has been carried out with the full participation from the SDU, Spending Unit managers and the staff, and a report has been produced and submitted to the CHU on 30th March 2010. The main findings of the review are listed above under the heading “Internal and External Evaluations Carried Out Within the Context of Quality Assurance Development Programme” in this document. SDU staff also underwent training in risk management during this year.

III. RISK MANAGEMENT

As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration and the production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, creation of the necessary organisational capacity and embedding risk management into the general activities is valued.

The SDU took the lead in embedding risk management in the organisation by reviewing and updating the key corporate external and internal risks facing the Ministry each month. The SDU also began an exercise to identify long term risks that may have posed a significant threat to the Ministry in the future. These risks were recorded on a long term risk register and the intention is that they will be reviewed every six months. Should the threat increase, then these risks will either be escalated to my part for appropriate action to be taken.

The Internal Control and Risk Steering Board also endorsed an action plan to further embed good risk management practice within the Ministry’s processes and systems and to support innovation through well managed risk taking. Work to establish this position will continue and focus on those areas identified as still most in need of improvement. This will include giving further consideration to risk appetite, where the focus will be on practical examples of how it can be applied in practice, thus making it easier to communicate its awareness among staff.

Guidance was available to all staff on risk management through the risk management intranet site. In addition to a risk management policy, specific guidance was available on undertaking risk self assessment, which includes guidance on applying risk management as an integral part of the Ministry’s business planning process. Risk management workshops were available to all staff, and practical guidance on its application had been incorporated into a wide range of training courses. These courses covered all ranges of staff and were tailored to be appropriate to their authority and duties.

My administration faces a wide range of risks while carrying out its activities. These risks are assessed in accordance with the principle that the cost of the internal controls to be developed with control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted in levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.

The risk management framework for our Ministry operated through the initial identification of risks, as part of the business planning process, which threatened achievement of the Ministry’s objectives. These risks were then evaluated in terms of impact and probability. This process established the level of residual risk against which the Ministry was exposed and which was monitored over time as part of performance management. Ownership for each risk was assigned to a named individual. Reasonable assurance that risk mitigation activities were appropriate was obtained through regular management reviews and internal audits of the key activities undertaken in the Ministry.

In order to further embed best practice in risk handling and to ensure a consistent interpretation of the acceptable extent of residual risk, our Ministry will review its risk appetite and communicate it more effectively across the organisation.

IV. APPRAISAL OF THE INTERNAL CONTROL SYSTEM

As the Senior Manager, during the preparation of the foregoing declaration, I also considered the assurance declarations by the Authorising Officers and Head of SDU. The information and evaluations I have received from these declarations provide an important basis regarding the assurance I have to provide on the internal control system in my administration.

Furthermore, the Internal Control and Risk Steering Board has been set up within the Ministry of Space Research to provide support and guidance for the evaluation of the internal control system, particularly in terms of risk strategy and management. Reports prepared by this Board have made a great contribution to the evaluation of the internal control system.

Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term and how these developments have been handled are summarised below.

In our investment programmes, the underspend reported last year in the spacecraft development programme has been managed. There is now less than 2 slippage in that programme. Underspends have arisen this year in other areas, for example:

The satellite programme: TL 121 m. Internal Audit Unit has reviewed the Investment Budget management and an action plan is being developed to address the audit findings.

Astronauts training programme: TL 113m, due to slower than expected take-up. Processes will be streamlined to reduce barriers and it is expected the budget will be fully used in the next year.

Renovation of launching stations programme: TL 16m, arising mainly from slippage in international cooperation projects affecting the expected refurbishment programme, together with some incorrect historical data for tracking capital allocation. New systems will prevent the reoccurrence of this problem.

Whilst recognising the above summarised issues, good progress has been made in resolving them and there are plans in place to further enhance internal control system and improve practice. As Senior Manager, I provide reasonable assurance that the above issues do not represent a material threat to operational effectiveness and that our Ministry complies with the public internal control standards on risk management, internal control and governance.

(Date)

Signature

Name

Title


GLOSSARY

CONCEPT DEFINITION

Explicit information: is the information which can be created, expressed, obtained and transferred in accordance with a specific system.

Aim: is the concept which refers to the objectives contained in the strategic plan that administration aims to attain.

Information: Financial and non-financial data related to internal and external events and activities, which is created, obtained and communicated in a particular form and at a particular time to ensure that people carry out their duties.

Information security: refers to safeguarding valuable assets in an administration against loss, misuse or damage.

Information map: is demonstration of information kept in units or their systems which can be shared, and expertise and experience of personnel, and demonstration of them on an organisational scheme or map in accordance with organisational structure.

Information pool: is the accessible area where information obtained in hard form or soft form is stored and kept ready for re-use.

Information architecture: Organisation of information with a view to making it accessible, manageable and useful from infrastructure level to end-user level.

Information stock: Financial and non-financial information available in administration at a particular time.

Information technology: is a system that controls all activities, including communication and computers, which are used for the purposes of collecting, storing and processing of information, its transmission from one point to another through communication systems and computers, and to the service of users. Information technology is a concept that is used to refer to all information services which can be connected through communication and computer systems.

Information management: is a process where information is planned and obtained from any kind of source, internally or externally, classified, stored, communicated to relevant bodies in a timely manner for interpretation, reviewed for updating and disposed.

External audit: Within the framework of accountability responsibility of public administrations within the scope of general management, it is the activity of examining the compliance of financial activities, decisions and procedures of the administration with laws, administrative objectives, aims and plans, and reporting the results to TGNA by Turkish Court of Accounts.

Audit trail: It requires the maintenance of records giving the full documentation and justification at all stages of the life of a transaction, together with the ability to trace transactions from summarized totals down to the individual details and to trace all reporting stages.

Inherent risk: refers to those risks whose probability and impact cannot be changed unless particular precautions are taken by administration. When risks are identified for the first time, they are at inherent risk level.

Ethics: Ethics is a body of moral principles, values and standards which forms the basis for the behaviours of a person and guides them on how to do works.

Cost-Benefit Analysis: It is the identification and comparison of the costs and benefits regarding the implementation of a planned work or activity. In cases when benefits outweigh costs, the work or activity is considered to be cost-effective.

SWOT Analysis: is a method in which the administration systematically examines itself and the conditions having an impact on the administration. In this framework, strengths and weaknesses of the administration as well as the threats and opportunities that may occur outside the administration are identified. This is an analysis which forms the basis for strategic planning process.

Segregation of duties: means that the duties of approval, implementation, recording and control of each activity or financial decision and transaction shall be assigned to different people.

Objective: These are the specific and measurable sub-aims geared towards attaining the aims contained in the strategic plan.

Performance objectives are outcome-oriented objectives administrations plan to attain in a program period with a view to attaining the aims and objectives contained in the strategic plan.

Internal audit: is an independent and objective activity of giving assurance and providing counselling with a view to providing guidance and assessing whether resources are managed in compliance with principles of effectiveness and efficiency, in order to improve and add value to the activities of the public administration.

Internal control: is the body of financial and the other controls covering the organisation, method, process and internal audit in an administration, carried out with a view to ensuring that activities are conducted effectively, efficiently and economically in line with the administration's aims, its identified policies and legislation; assets and resources are protected; accounting records are kept accurately and completely; and financial information and managerial information is produced in a reliable and timely manner.

Internal control assurance declaration: is the declaration annually signed by senior managers, authorising officers and heads of strategy development units within the framework of accountability and transparency to state that processes and transactions are conducted in line with the principles of good financial management, control regulations and the legislation.

Internal Control and Risk Steering Board: The Board makes assessments concerning development of process and methods related to internal control system, such as determination of policies about monitoring internal control practices and introduction of risk in the administration.

Whistleblowing: is the notification of illegal and unethical behaviours and actions to internal and external authorities that have the power and authority to solve the problem by persons with information (employees or stakeholders); therefore administrations or third persons inside or outside the administration are not affected.

Business continuity: The plans that aim at ensuring continuity for the activities of the administration or ensure continuity without any interruption after any extra-ordinary situations.

Ex-post controls: Are the controls applied by management to administration's activities after they have been carried out, using pre-identified methods.

Monitoring: Monitoring is the activity of assessing, within the framework of compliance with internal control standards, whether internal control system provides the expected contribution to attaining objectives and aims of the administration, and determining the activities to be carried out in fields that are open to improvement.

Residual risk: refers to risks remaining after management has taken precautions to reduce their probability and impact.

Control activities: are actions aimed at reducing the impact and/or the likelihood of a risk occurring and thus increase the probability of attaining the goals and objectives of the organisation or part of the organisation.

Financial Management and Control: is the development, implementation, monitoring and improvement of suitable organisations, methods and processes within the of managerial responsibility to ensure effectiveness, efficiency and economy in obtaining and using resources, as well as compliance with the identified aims and objectives and the legislation.

Central Harmonisation Unit: is affiliated to the Ministry of Finance. The unit develops and harmonises methods and standards concerning financial and internal control processes and provides related guidance for public administrations.

Mission: mission is the cause of existence of an administration and its place within the state structure. In other words, mission is the answer to such questions as what the public administration does, and how and for whom it does what it does.

Focus group: These are such meetings that are held among a target group composed of 6-8 people to receive their thoughts and reactions in a detailed and elaborate manner. They are managed by a moderator within the framework of a flow plan.

Probability: refers to the likelihood that an event may occur.

Organisational structure: is general system covering all the activities and procedures undertaken to attain the aims and objectives of the administration.

Ex-ante financial control: Ex-ante financial control is a control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out with the available appropriation amount, expenditures programme, financing programme and the provisions of central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently.

Implicit information: is the information in people's minds which is not regulated in accordance with a particular system, therefore not easy to transfer and circulate, and the registered information which is not accessible to employees.

Stakeholders: are the people, groups and administrations which are relevant to the administration's products and services and can directly or indirectly, positively or negatively, affect or be affected by the administration.

Risk: can generally be defined as uncertainty of events that may occur in future or undesirable outcomes and impacts of an event. For administrations, risk can be defined as negative or positive effects of internal and external factors that may occur in future on attaining the objectives and aims of administrations. In risk terminology, positive aspects of risk and wins it may bring along are referred to as opportunity, and negative aspects and losses it may cause are referred to as threat.

Risk assessment: is analysing those factors which can have an impact on attaining the objectives of administration.

Transferring risk: is the response to the risks by taking some of them away from the responsibility of the administration and transferring it to others.

Handling risks: is the identification of responses to risks identified and assessed (within the framework of risk appetite) by public administrations, and reducing the expected threats and benefiting from the opportunities that may emerge within this context.

Impact of risk: refers to outcomes or effects that risk posing event can produce once it occurs.

Risk appetite: is the amount of risk an administration is ready to accept (tolerate/be exposed to) at any time before deciding on the need to take any relevant precautions, in line with its strategic objectives, mission and vision. In terms of threats, it refers to exposure level which can be tolerated and justified, and in terms of opportunities, it refers to how a person is ready to actively take the risk to gain benefits of the opportunity.

Tolerating risks: is a passive method of response given to risks which public administrations are comfortable to undertake.

Avoiding risks: is a response to risks by removing the activities in which risks are probable to occur, thus eliminating the risks that are probable to occur together with the activities.

Controlling risks: is a method of response to risks by means of control activities carried out to keep tolerable risks at a certain level in public administrations.

Preventive Controls: These are controls carried out to prevent threats that risk may pose and undesirable outcomes risk may produce once it occurs.

Corrective Controls: These are controls aiming at reducing the impact of undesirable outcomes that arise from threats risk poses once it occurs.

Directive Controls: These are controls carried out to prevent the occurrence of risk or avoid the impact it may produce once it occurs.

Detective Controls: These are controls applied to identify damages and losses experienced once the risk is realised.

Risk profile: documented and prioritised overall assessment of the range of specific risks faced by the administration.

Risk management: is a management tool and all the mechanisms related to identify and assess risks that may have an impact on attaining aims and objectives of administration, identify responses to risks, regularly review and update risks and responses, and monitor the whole process. Corporate risk management is a process which covers the entire administration and ensures that risk management processes are considered and handled as a whole.

Risk strategy: the overall organisational approach to risk management as defined by the Accounting Officer and/or the Board. This should be documented and easily available throughout the organisation.

Risk Strategy and Policy Document (RSPD): corporate approach to risk management identified by Head of Administration and senior level policies are called risk strategy, and the document in which this approach and policies are set down in writing is called Risk Strategy and Policy Document (RSPD).

Risk identification: is the process of identifying, ascertaining, categorising and updating risks that prevent or limit the achievement of administration's strategic objectives, using previously defined methods.

Strategy Development Unit: refers to presidencies of strategy development units, departments of strategy development and directorates where strategy development and financial services are undertaken. They carry out studies to establish, implement and continuously develop internal control systems and report the study results to the Head of Administration.

Irregularity: Faults, errors and negligence stemming from violation of regulations and provisions related to financial management.

Delegation of authority: is delegation of the responsibility and authority for making decisions to another authority in writing in the way envisaged in the legislation.

Fraud: Is misuse or insufficient use of documents and declarations for monetary purposes or non-monetary private purposes, as well as hiding information or deliberate acts performed to abuse the benefit legally obtained, and negligence and illegal use of public power.

Management Information system: supporting systems which provide proper data for managers and decision-makers for taking decisions and implementing them with a view to more effectively attaining the previously identified objectives of the administration by operating and communicating the information used in administration.

Managerial: refers to management being accountable for the decisions they have made regarding duties assigned as well as for effective use of public resources to the Parliament, Government and public opinion.

Governance: Governance is the way in which organisations are directed and controlled. It defines the distribution of rights and responsibilities among the different stakeholders and participants in the organisation, determines the rules and procedures for making decisions on corporate affairs, including the process through which the organisation's objectives are set, and provides the means of attaining those objectives and monitoring performance.

Conference call: A system of telecommunications technology that enables a number of people in different locations to hold a discussion using the telephone.


Internal Auditor
Authorising Officer
Realisation Officer
Accounting Officer
Strategy Development Units
Central Harmonisation Unit
4 INFORMATION
4.1 Characteristics of Information
4.2 Information Management
4.3 Information Security
5 MANAGEMENT INFORMATION SYSTEMS (MIS)
5.1 Stages of Establishing MIS
6 COMMUNICATION
6.1 Internal and External Communication
6.2 Communication Methods
7 WHISTLEBLOWING OF FAILURES, IRREGULARITIES AND FRAUD
7.1 Concepts of Failure, Irregularity, Fraud and Whistleblowing
7.2 Scope of Notifications
7.3 The Responsibility for Detecting Faults, Irregularities and Fraud
7.4 Whistleblowing System
8 RELATIONS AMONG UNITS
8.1 Information and Communication between the CHU and SDUs
8.2 Information and Communication between SDUs and Spending Units

INFORMATION AND COMMUNICATION ANNEXES
Annex 1 - Legislation on Information and Communication
Annex 2 - Widely Used Methods of Communication
Annex 3 Reports Prepared under PFMC Law No 5018
Annex 4a Whistle-Blowing Process Related to Ethical Values
Annex 4b Whistleblowing and Evaluation Process for Crimes Committed by Civil Servants

MONITORING
1 Introduction
2 Monitoring Internal Control Standards
3 Roles And Responsibilities
3.1 Senior Manager
3.2 Internal Audit
3.3 Internal Control and Risk Steering Board (ICRSB)
3.4 Authorising Officers
3.5 Strategy Development Units (SDU)
3.6 Other Managers and Employees
3.7 External Audit
3.8 Central Harmonisation Unit (CHU)
4 Guidance by the CHU
5 Assessment and Reporting Role of SDUs
5.1 Assessment of Internal Control System by SDUs
5.2 Reporting of Internal Control System Evaluation Results
5.3 Monitoring of Internal Control System Evaluation Reports
5.4 Work to be carried out by SDUs concerning Internal Audit Reports
6 Internal and External Audits
6.1 Internal Audit
6.2 External Audit
7 Internal Control Assurance Declarations
7.1 How to complete Internal Control Assurance Declarations

MONITORING ANNEXES
Annex 1 Internal Control System Question Form
Annex 2 Internal Control System Evaluation Report
Annex 3a Internal Control Assurance Declarations Senior Manager
Annex 3B Internal Control Assurance Declaration Authorising Officer
Annex 3b Internal Control Assurance Declaration Head Of SDU
Annex 4 Example Of A Complete Declaration

GLOSSARY


LIST OF ABBREVIATIONS

ARC Administrative risk coordinator

BiMER Prime Ministry Communication Centre

CHU Central Harmonisation Unit

COBIT Control Objectives for Information and Related Technology

COSO Committee of Sponsoring Organisations of the Treadway Commission

DHSDU Declaration by Head of Strategy Development Unit

e-SAC Electronic System Audit and Control

FMC Financial Management and Control

HRM Human Resources Management

ICAD Internal control assurance declaration

ICRSB Internal Control and Risk Steering Board

INTOSAI International Organisation of Supreme Audit Institutions

ISO/IEC International Organisation for Standardization / International Electrotechnical Commission

IT Information Technology

MERNIS Central Civil Registration System

MIS Management Information System

PESTLE Political, Economic, Social, Technological, Legal and Environmental

RSPD Risk Strategy and Policy Document

SDU Strategy Development Unit

SMART Specific, Measurable, Achievable, Relevant, Time-related

SURC Sub-unit Risk Coordinator

SWOT Strengths, Weaknesses, Opportunities and Threats

TGNA Turkish Grand National Assembly

TSE Turkish Standards Institute

URC Unit Risk Coordinator

UYAP National Judicial Information System


INTRODUCTION

From the late 20th century onwards, the focal point of governments in the whole world has been to establish mechanisms to increase performance. "Good governance", put forward to serve this end, has recently come to be a guiding principle both for the private sector and the public sector. Within the framework of the principle of good governance, such factors as ensuring accountability for the provision of better quality public services, improvement of transparency, delegation of authorities and responsibilities by means of managerial flexibility, outcome-oriented management and budgeting, and understanding and meeting the expectations of citizens have come to the foreground.

On the other hand, provision of quality public services has brought along the need for the public resources to be used effectively, efficiently and economically, thus necessitating the usage of effective tools in public administrations in many areas, from organisational structure to information and monitoring, which are related to financial management and control. The most important tool for accountability adopted in this reform process is internal control.

Internal Control

Internal control, which is internationally used, is a system designed to give reasonable assurance to attain the objectives of a given administration. Within the framework of the Committee of Sponsoring Organisations (COSO), which is the most widely known system among the others, internal control aims to ensure compliance of actions and works with the legislation as well as the reliability of financial and managerial reporting and effective and efficient asset protection. COSO, which is made up of control environment, risk management, control activities, information and communication, and monitoring components, is such an internal control model which is also accepted as a reference point by such institutions as the International Organisation of Supreme Audit Institutions (INTOSAI) and the European Commission. The following figure shows the components of COSO.

Figure 1 The COSO Cube

Our country, on the other hand, which has been carrying on membership negotiations with the EU, has been going through a reform process since the early 2000s with a view to strengthening its public internal control system. The basic factors of the internal control system, which is recommended by the European Commission to all the candidate countries and is in compliance with COSO, can be summarized as: financial management and control (FMC) system based on managerial responsibility and accountability, functionally independent internal audit activity, and Central Harmonisation Unit (CHU) responsible for the harmonisation of these two areas in the whole public sector.

FMC refers, in the most general terms, to the management and control processes related to public revenues, expenditures, assets and obligations. In this context, public managers of every level are responsible for the establishment and sustainability of a sound FMC system to ensure resource-based planning, programming, budgeting, accounting, controlling, reporting, archiving and monitoring. Internal audit, on the other hand, which assists the manager in assuming this responsibility and attaining the objectives, gives objective assurance based on risk management and provides guidance regarding the compliance of the current FMC system with the identified rules and standards. Furthermore, a full capacity and quality central harmonisation activity is required in order to identify and develop methodologies, legislation and standards in the areas of FMC and internal audit in public administrations, as well as to coordinate and monitor them and provide the training needed.

In the light of the best practice examples, our country has taken important steps in strengthening transparency and accountability in public financial management and ensuring an effective internal control function. Public Financial Management and Control Law No. 5018, which is the most important step among the others and was adopted in 2003, defines the functioning of internal control system and the roles and responsibilities of the actors involved in the system, and assigns the Ministry of Finance (MoF) the duty of identifying standards and methods as well as ensuring coordination and providing guidance in this area. As per this duty, the MoF published a Public Internal Control Standards Communiqué in 2007, which was in compliance with the international standards.

Financial Management and Control Manual, which is an extension of all these works, has been prepared with a view to supporting decision-making and implementation processes for a better management and thus contributing to the rational usage of public resources. The Manual, whose preparation started in 2010 and was completed in the first quarter of 2011, is the outcome of a painstaking work carried out by the Experts both from the United Kingdom and our country within the framework of a twinning project financed by the European Union.

FMC Manual has been designed with a view to ensuring the implementation of internal control standards, as a guideline which explains all the basic factors of internal control by means of methods, tools and examples which can be used by all the stakeholders. In addition, it is also possible for administrations to use, according to their own needs, other tools than this Manual, which can be modified and revised in time in line with the changing circumstances and needs in public administrations; however, it is foreseen that tools adopted should not be in conflict with the basic requirements contained in the Manual.

This Manual is made up of five main parts based on Internal Control Standards. Following this introduction, there is a table showing the main responsibilities of the major actors in financial management and control.

In the first part, conceptual explanations regarding ethical values and integrity, mission, organisational structure and duties, competence and performance of personnel, and delegation of authority, which are the milestones of the control environment, as well as information on the legislation and implementing tools are given.

In the second part, information on the importance and aim of risk management, stages of risk management process and roles and responsibilities of the actors involved in the process, Risk Strategy and Policy Document, and communication and reporting tools that can be used is given.

In the third part, control strategies and methods, identifying and documenting procedure, principle of separation of authorities, hierarchical controls, sustainability of activities and information processing controls are explained within the framework of control activities, which is closely related to risk management, and a set of control activities (approval, authorisation, verification, reconciliation of accounts etc.) are dealt with.

In the fourth part, the concept of information and its management, functioning of Management Information Systems, internal and external communication tools and reporting mechanisms are handled within the framework of information and communication component.

In the fifth part, information on the roles and responsibilities of Financial Management and Control Central Harmonisation Unit (FMC CHU) in the overall public sector and of Strategy Development Units (SDU)/Financial Services Units in each public administration, as well as the tools used, internal control system quality assurance development program, roles of internal and external audit, content of Internal Control Assurance Declaration and guidance on how to fill the Declaration is given within the framework of regular monitoring and assessment of internal control system.

In the last part of the manual, a glossary of the concepts used in the manual is given.

Users of the Manual

Besides the relevant stakeholders and users, it is believed that this Manual will be a reference document for the following:

Senior managers responsible for establishing an effective and adequate FMC system as well as observing and monitoring it

Authorising officers who have responsibility within the scope of their duties and authorities to ensure the functionality of the internal control regarding administrative and financial decisions and proceedings

Relevant managers and employees of the Ministry of Finance who carry out the central harmonisation duty in the area of FMC

Managers of SDUs and financial services experts who have responsibility concerning the development of internal control system and implementation of the standards

Realization officers and accounting officers who are involved in the financial processes and accountable to authorising officers

The other public managers who have responsibilities arising from the activities conducted in the area of FMC in units

All the employees working in public administration

Internal auditors who have the responsibility to assess and report to the Head of Administration the effectiveness of FMC system

External auditors who are responsible for examining the accounts, financial transactions and activities and internal control systems of public administrations, as well as whether resources are used effectively, efficiently and economically as well as in compliance with laws, and reporting the results to the TGNA

TABLE OF ROLES AND RESPONSIBILITIES

RISK MANAGEMENT | INFORMATION AND COMMUNICATION | MONITORING

MINISTER

Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister should be aware of the potential risks to the administration's objectives.

He ensures coordination and cooperation with the other ministries and informs the public opinion and the TGNA about the annual performance programme and activity report of the administration.

Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister is responsible for ensuring effective monitoring of the internal control system.

HEAD OF ADMINISTRATION

He defines strategies and policies for an effectively functioning risk management system in accordance with the aims and objectives of his administration. He explicitly defines tasks, roles and responsibilities. He ensures the participation of the stakeholders and the public opinion.

As the quality of the information exchange and communication between the head of administration and the other actors has a direct effect on the accountability of the head of administration, he must inform the relevant units about the frequency and methods of feedback he prefers. He ensures effective communication among spending units, SDUs and internal audit.

He is responsible for observing and monitoring the functioning of financial management and control system. He approves annual internal control system evaluation reports and signs the Internal Control Assurance Declaration.

INTERNAL CONTROL AND RISK STEERING BOARD

The Board develops policies for improvement of risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the unit of the policies and procedures for coordination purposes. ICRSB determines a particular number of risks which it deems significant as the key risks among those risks that are submitted to itself, and reports whether these key risks function well or not to the Head of Administration in regular periods or whenever it deems necessary.

It provides the Head of Administration with timely and accurate information about the effectiveness of internal control and risk management.

It assesses internal control system evaluation reports prepared by the strategy development unit as a result of annual evaluation of internal control system and, after defining shortcomings of the report, if any, submits it with the relevant opinions for the approval of Head of Administration.

AUTHORISING OFFICER
Risk management: He acts as the unit risk coordinator or assigns someone to act so. URC coordinates the management of the unit's risks that may have an impact on objectives of the administration and provides guidance to this end.
Information and communication: He ensures that tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff. He ensures that sub-units are informed about the activities of each other. He ensures that an effective communication and archiving system is established for the information related to the objectives and activities of the unit.
Monitoring: He has responsibility for continuously monitoring internal control system. He provides necessary information for strategy development units regarding the annual evaluation of internal control system, completes internal control questionnaire and annually signs internal control assurance declaration to be submitted to the Head of Administration.

HEAD OF DEPARTMENT/UNIT
Risk management: He is responsible for the coordination of risk management activities within sub-units (if having such units or their management at this level is deemed appropriate) of the spending units in administrations. He is directly accountable to URC regarding risk management.
Information and communication: He ensures that an effective communication and archiving system within the sub-unit is established for the information related to the objectives and activities. He ensures that tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff. He is accountable to the authorising officer.
Monitoring: He has responsibility for continuously monitoring internal control system. He supports the authorising officer in providing SDUs with information.

EMPLOYEES
Risk management: Every employee is directly responsible for managing risks in their fields of duty (identifying, assessing, responding to, reviewing and reporting risks).
Information and communication: Every employee is responsible for delivering accurate and timely information to managers, colleagues and stakeholders by using right communication means.
Monitoring: They observe the functioning of internal control system and, in case of a problem, they inform senior management and contribute to the evaluation process of internal control system by providing information.

STRATEGY DEVELOPMENT UNIT
Risk management: It organises trainings on risk management in the administration and provides guidance in this respect.
Information and communication: It is responsible for providing the Head of Administration and the units with accurate and timely information. In addition, it is responsible for providing the unit with guidance and trainings on the area of internal control.
Monitoring: It annually assesses internal control system on behalf of the Head of Administration. It signs the declaration on functioning of internal control system with a view to ensuring effective, efficient and economical execution of administration's activities. Staff of Strategy Development Units take active role in the evaluation process of internal control systems and guide the units in completing the reports regarding evaluation.

ACCOUNTING OFFICER
Risk management: Within the scope of his duty, the Accounting Officer should identify and manage the financial risks.
Information and communication: The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way.
Monitoring: Accounting Officers must regularly report to the authorising officer on the accounting records.

CENTRAL HARMONISATION UNIT
Risk management: It is responsible for such activities as making regulations and changes when necessary, carrying out developmental activities as well as ensuring guidance, harmonisation, inter-administrational coordination and reporting.
Information and communication: It is responsible for making arrangements, setting out standards, providing guidance and advice, ensuring harmonisation and coordination among administrations, monitoring and reviewing the implementation in the fields of financial management and control and internal audit.
Monitoring: It annually assesses the functioning of internal control systems in public administrations based on Internal Control Evaluation Reports approved and submitted by senior managers and submits the evaluation report it prepared to the Head of Administration and the Minister of Finance.

INTERNAL AUDIT
Risk management: Internal auditor provides the Head of Administration with advice regarding risk management by making evaluations on whether risk management process is effective and risks are managed in the right way or not.
Information and communication: He examines the functioning of information and communication system in the administration and reports the results to the Head of Administration. There must be an effective communication system between Head of Administration and internal audit.
Monitoring: It has the function to provide the management with information about the sufficiency, effectiveness and functioning of internal control system as well as making evaluations and giving recommendations.

EXTERNAL AUDIT
Risk management: Within the framework of performance management, it can audit the functioning of risk management processes in administrations.
Information and communication: Within the framework of performance management, it can audit the functioning of information and communication systems in administrations.
Monitoring: Court of Accounts can assess internal control systems in administrations during the audits it conducts and give recommendations.


CONTROL ENVIRONMENT

1 INTRODUCTION

According to the COSO model, control environment is creation of the basic infrastructure for the other components of internal control by providing internal control awareness for employees working in a particular administration. Control environment generally includes internal control awareness, values, working styles and procedures of the administration. Basic factors of control environment are summarized below.

CE Box 1 Basic Factors of Control Environment
Diagram labels: Risk Management, Control Environment, Control Activities, Info & Communication, Monitoring
• Principles of personal and professional integrity
• Adoption of ethical values by management and personnel
• Supportive attitude of senior management towards internal control
• Organisational structure
• Professional competence and performance of personnel
• Human resources policies and practices
• Management philosophy and working style

Creation and sustainability of a positive and supportive environment for internal control by the management is of great importance. As employees also have their relevant roles in carrying out internal control, all the individuals within the administration need to know his/her responsibilities and authorities very well. Employees need to uphold personal and professional integrity and ethical values and comply with the current behavioural norms. In a well-functioning control environment, the public administration should previously determine its mission, organisational structure and terms of reference and should regularly assess the performance of personnel.

2 Internal Control Standards

Four standards were determined regarding control environment among Public Internal Control Standards.

CE Box 2 Control Environment Standards
Standard 1: Ethical values and integrity
It should be ensured that rules which regulate how personnel behave are known by the personnel.
Standard 2: Mission, organisational structure and duties
Mission of the administration and job descriptions for units and personnel should be set out in writing and announced to the personnel, and a suitable organisational structure should be established in the administration.

Standard 3: Competence and performance of personnel
Administrations should ensure the compatibility between the competence and duties of personnel and take actions about performance appraisal and improvement.
Standard 4: Delegation of authority
Administration should explicitly identify authorities and limits of delegation of authority and announce them in writing. Authority should be delegated by taking the importance and risk of authority to be delegated into consideration.

This part gives explanations regarding the relevant legislation and standards with a view to rendering Public Internal Control Standards more comprehensible and to guide the practices. Besides, it stresses the methods to be applied for ethical values and integrity principles to be owned by senior management and adopted by personnel, which is very important for a well-functioning control environment. Besides, criteria are determined for the assessment of competence and performance of personnel as well as giving explanations on determination of mission, organisational structure and duties. Moreover, the part explains how the delegation of authority, which is a priority for accountability, needs to be conducted.

3 LEGISLATION

3.1 Legal Basis

In utilising of public resources or in providing effective and efficient public services, the principles and procedures of a work, financial or non-financial, are determined by the regulations made by laws or the central administration.

Internal Control standards provide the minimum and overall framework for managers for giving an assurance on the provision and sustainability of services. In the following diagram, the international and national standards and legislation relating to Control Environment are given.


CE Figure 1 Legal Basis Framework regarding Control Environment

Part Five of Law No 5018 regulates 'internal control system'. Within this framework, in order to establish an effective and sufficient internal control system, the top manager and the other managers should take necessary action to ensure that the following factors are implemented:
• Having professional values and an integral management understanding
• Assignment of financial authorities and responsibilities to informed and competent managers and personnel
• Compliance with the standards set
• Prevention of actions that are opposed to the Legislation
• Provision of a proper working environment and transparency with a comprehensive management understanding

The main legislation related to control environment is given below.

CE Table 1 Main Legislation on the Control Environment Standards

CONTROL ENVIRONMENT STANDARD: 1 Ethical Values and Integrity
RELATED LEGISLATION:
• Behaviour Principles and Application Principles Law No 5176 on the Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws
• Legislation on Ethical and Procedures of Civil Servants

CONTROL ENVIRONMENT STANDARD: 2 Mission, organisational structure and Tasks
RELATED LEGISLATION:
• Law No 3046
• Decree of Law No 217 on the Establishment and Duty Principles of State Personnel Presidency
• Strategic Planning Guideline for Public Administrations

CONTROL ENVIRONMENT STANDARD: 3 Competence and Performance of Personnel
RELATED LEGISLATION:
• Turkish Constitution
• Law No 657 on Civil Servants, Law No 2802 on Judges and Public Prosecutors, Law No 2914 on High Education Staff, Law No 926 on Turkish Armed Forces Personnel, Law No 3269 on Specialized Sergeants, Law No 3466 on Specialized Gendarmerie, Law No 4678 on Contracted Officers and Petty Officers to be Recruited into Turkish Armed Forces
• Regulation on Examinations for Those to be Appointed for Public Duties for the First Time
• Regulation on Appointment Conditions for Public Services of Disabled Persons and Competition Examinations to be Conducted
• Special Regulations Prepared by Administrations (expert, coordinator, inspector etc.)
• General Regulation on Training of Candidate Civil Servants
• Registry Regulation for Civil Servants
• Regulation on Civil Servants to be Sent Abroad for Training Purposes
• General Regulation on the Principles of Promotion and Title Change in Public Administrations and Entities
• Regulation on Promotion and Title Change in Supreme Institutions and Agencies of High Education

CONTROL ENVIRONMENT STANDARD: 4 Delegation of Authority
RELATED LEGISLATION:
• Law No 3046
• Law No 2547 on High Education
• Law No 5393
• Organisational Laws
• Communiqué Serial No 1 on Authorising Officers


4 ETHICAL VALUES AND INTEGRITY

4.1 What is Ethics

Ethics is a body of moral principles which forms the basis for the behaviours of a person. In other words, ethics is the guidelines, values, principles and standards which help people determine 'how to do works'. Ethics is at the same time a process. In this process, while making and implementing decisions, actions are carried out upholding particular values.

The aim of observing ethical behaviour principles is to prevent corruption and uphold integrity in a state and community.

4.2 Current Legislation on Ethics

Law No 5176

The Law determines the establishment, duty and working principles and procedures for Civil Servant Ethical Board to determine and monitor the implementation of such ethical values that civil servants must observe as transparency, impartiality, accountability and observing public interests. However, scope of the law is so narrow that it diverges from its original aim (Provisions of the Law on President, Members of TGNA, Members of Council of Ministers, officials of Turkish Armed Forces and officials of jurisdiction are not enforced).

Civil Servants Ethical Board is authorised and responsible for determination of ethical behaviour principles through the legislations it will prepare, conduction of the relevant ex-officio examinations and investigations as well as conduction of examinations and investigations upon applications on ethical behaviour violations and notification of the results to the relevant authorities, carrying out studies to settle ethical behaviours in a community and supporting studies to be carried out in this field.

Within the framework of laws, the Board can be applied to with allegations of violation of ethical behaviour principles about the civil servants of at least director general or equivalent positions in a public administration and institution.

Applications to be made with allegations of violation of ethical principles about the other civil servants are evaluated by the concerned boards of the relevant administrations to see whether there is a condition that is opposed to ethical value principles or not. Results of the evaluations are communicated to the applicant and to whom it may concern.

The Board conducts its examinations and investigations regarding the applications referred to itself to see whether ethical value principles are violated or not. The Board has to conclude the examinations and investigations to be conducted upon the whistle blowing or complaint applications in three months at most. Results of the examinations and investigations are communicated to the relevant authorities and to the Prime Ministry in writing. (For further information please refer to "Information and Communication" chapter.)

Legislation on Civil Servants Ethical Behaviour Principles and Application Procedures

Civil servants are liable to observe ethical behaviour principles while fulfilling their duties and sign the Ethical Contract document. Authorised appraisal managers in administrations and institutions assess the performance and employment records of personnel in terms of compliance to ethical values.

CE Figure 2 demonstrates ethical behaviour principles determined in the Legislation.


CE Figure 2 Ethical Behaviour Principles

Figure content (ETHICAL BEHAVIOR PRINCIPLES):
• Granting declaration of property
• Relations with the previous civil servants
• Accountability requirement for managers
• Informing, transparency and participation
• Binding explanations and unreal declarations
• Being economic
• Utilisation of public properties and resources
• Prohibition of giving presents and drawing benefits
• Not abusing duties and authorities to draw benefits
• Avoiding conflict of interest
• Notification of authorised bodies
• Courtesy and respect
• Esteem and trust
• Integrity and Impartiality
• Commitment to aims and mission
• Compliance with service standards
• Service awareness for public
• Public service awareness in fulfilment of duties


4.3 Main Ethical Behaviours that are Expected from Civil Servants

• Observing all the time high ethical standards and working to increase public belief in the state and civil servants for public benefit
• Behaving in compliance with the ethical values and principles when fulfilling duties, obtaining and using public resources and purchasing goods and services from outside
• Showing respect for colleagues and users of services, exhibiting impartial and fair behaviours
• Having a participatory decision-making process by taking the views of colleagues and users of the services into consideration
• Appreciation and announcement of good works colleagues do
• Not abusing public authorities and resources for personal benefits and not favouring relatives or friends in using public services
• Being careful about the possible and real conflict of interests
• Assuming responsibility for decisions and behaviours
• Filling in the property declaration forms in time, accurately and without any reserve
• Not working in a second job that is prohibited by the Legislation other than his public service
• Not establishing private relationships with the persons and firms that are in connection with the administration that civil servant works in
• Warning other civil servants whose behaviours are not in compliance with the ethical principles and notifying authorities in case that warning turns out fruitless

4.4 Ethical Behaviours That are Expected from Public Managers

While fulfilling their duties, managers should:
• Inform all the civil servants of the overall aims, main objectives and values of the administration
• Create a positive working environment where behaviour expectations are clearly defined and violations are identified and corrected, if any
• Assume all the responsibility for the activities of administration
• Take into consideration the merits, current behaviours and developmental potential of personnel while appointing for a position
• Behave in a fair, equal and impartial way towards all the personnel
• Solve the problems and conflicts in a quick and fair manner
• Be consistent, reliable, predictable, fair and objective in decisions and behaviours
• Set a personal example in terms of ethical principles and values
• Maintain the highest standards possible to be followed in the field of efficiency and effectiveness at work

4.5 Ethics Training

One of the most important prerequisites of establishing a culture in the administration that is based on ethical values and principles is ethics training. All the personnel of every level that are employed in public administrations and institutions need to be informed of the ethical behaviour principles and their responsibilities related to these principles.

Administration and institution managers are liable to include ethical behaviour principles in the basic, preparatory and in-house training programs that are implemented for civil servants.

5 MISSION, ORGANISATIONAL STRUCTURE AND DUTIES

Mission of an administration is the cause of existence of the administration and its place within the state structure. Organisational structure ensures that duties that are carried out to attain the objectives and aims of the administration are controlled and monitored. Duties that are carried out by the administration are led by the mission and organisational structure. These factors in question, which complete each other, form an important basis for the other components of internal control system.

5.1 Mission

Public administrations set out their missions, visions, aims, objectives and strategies in strategic plans. As Strategic Planning Guideline for Public Administrations states, mission is the cause of existence of an administration. In this regard, mission covers all the services and activities an administration carries out. In other words, mission is the answer to such questions as what the public administration does and how and for whom it does what it does. Mission should be sound, realistic and participatory to lead the administration and should be developed according to the changing conditions and needs. It will also be proper to receive opinions from personnel and stakeholders in forming and updating the mission.

The following should be taken into consideration in mission declarations of administrations:
• The mission should be up-to-date, precise and clear
• The mission should be determined in line with the established aims of administration, not process of service provision
• While determining the mission, tasks and authorities granted to the administration with legal regulations should be taken into consideration
• In mission promotion, people and entities that the administration provides services for and the goods and services that the administration offers should be stated

CE Box 3 Mission Example
"Carrying out research, training and publishing activities, developing and supporting projects for strengthening and increasing the problem-solving capacity of families and for identification and solution of the problems in cooperation with the institutions and organisations in the light of scientific and ethical values"
(General Directorate of Family and Social Research 2007-2011 Strategic Plan)

For the mission, which is very important for public administration, to be achieved, personnel should be informed enough about the mission of administration they are affiliated to. Being informed about the mission and adopting it will guide the decisions and activities of the administration and help the personnel understand their duties within the administration. To this effect, firstly mission should be set down in writing and it should be announced to the personnel, and a system should be developed for the mission to be adopted by the personnel. On the other hand, job descriptions of the sub-units should be determined in writing in compliance with the mission, and compliance with the mission should be regularly reviewed.

5.2 Organisational Structure

Organisational structure of the administration is another important factor which influences the control environment. Organisational structure is the provision of a framework for the attainment of the aims and objectives of administration.

In order to establish a proper control environment, organisational structure should:
• Indicate the division of authorities and responsibilities within the organisation
• Include accountability mechanisms and relevant reporting line which will ensure the functionality of these mechanisms
• Indicate the coordination and integration points


Organisational structures of administrations are generally determined by the organisational laws that are prepared in compliance with the framework that is set in Law No 3046, and duties of administrative units (main services, consultation/audit and support units) are shaped in these organisational laws. Duties of the sub-units of administrations, on the other hand, are determined in administrative regulations such as circulars and regulations, not in the organisational laws.

Furthermore, organisational structures of public administrations which fall under the scope of the local administration are determined by Law No 5393 on Municipalities, Law No 5216 on Metropolitan Municipalities, Law No 5302 on Special Provincial Administration and Law No 5355 on Local Administration Unions.

Mission of the administration is achieved by the activities carried out by the units of the administration and their sub-units and the units of the local administration. Within this framework, duties of both the units and sub-units should be in compliance with the mission of the administration.

Relevant changes regarding the organisational structure, units and sub-units of the administration and duties that are carried out by these units and sub-units can be made by amending organisational law or revising administrative regulations according to the circumstances within the framework of the reviewing activities in question.

5.3 Job Descriptions

As it is stated in Public Internal Control Standards, written definition of duties to be carried out by units and sub-units of administrations and formation of a task distribution chart covering duties of the personnel in the administrative units and their relevant authorities and responsibilities assume importance for the mission of the administration to be accomplished. Within this framework, preparation stage of job descriptions is demonstrated below.

Public administrations can prepare their job descriptions by following the below given process.

CE Figure 3 Preparation Process of Job Descriptions

MAKING JOB ANALYSIS
Job analysis is a process in which information regarding the quality of every job carried out in the administration and working environment the job will be carried out in, as well as working conditions, is collected and collected information is systematically examined and assessed. While making job analysis, the following should be followed:
• Determination of jobs to be analysed, taking into consideration the organisational structure of the administration
• Determination of the objective
• Formation of the team to make the analysis (it is essential that the team members to make the analysis should be selected from inside the administration. However, it is possible to receive counselling from outside when necessary)

KEY QUESTIONS IN JOB ANALYSIS
• What are the requirements of the job? (In terms of knowledge, experience and competence)
• How is the job done?
• When is the job done?
• Where is the job done?
• Why is the job done?
• What are the assistive tools for the job? (Equipment)
• What kinds of outputs are obtained?

Job analysis does not have a value on its own. It is only valuable when it contributes to attaining the objectives of administration. Therefore, analysing should start by understanding the philosophy, mission and objectives of the administration and the role and importance of every unit within the administration and should continue in this direction.

The findings gathered from the job analysis should be submitted in a systematic and consistent way and the job descriptions that are formed according to these findings should be submitted to the top management for the job description whose final draft has been completed.

At minimum, job descriptions should include the following:
• Unit & Sub Unit
• Name of the job (Name of the position)
• Title that the job has
• Level of competence (areas of responsibility, information, problem solving)
• Basic duties and responsibilities
• Authorities
• Required skills and abilities for the job
• Its relation with the other jobs
• Approval section and section regarding communiqué to personnel

ANNOUNCING JOB DESCRIPTIONS TO THE PERSONNEL
Job descriptions should be announced to the personnel for them to learn what they need to do, under which rules they work and what their objectives are.

UPDATING JOB DESCRIPTIONS
Job descriptions should be reviewed and updated annually.

State Personnel Presidency determined standard job descriptions for some titles (chief, programmer, warehouse official, statistician, personnel titled as inspector in the municipalities etc.). In this process, it is possible that public administrations receive guidance from State Personnel Presidency.

5.3.1 Sensitive Duties

Some of duties that are carried out in public administration assume more importance because of their nature than the other duties do in terms of esteem of administration, risk of corruption, disclosure of secret information etc. Therefore, integrity of the personnel who carry out the duty in question is attached more importance.

It would be convenient to assess at least the following while deciding whether a duty is sensitive or not:
• Capacity to make important decisions that can impact administration's objectives
• Its relations with the third parties and administrations outside the administration which can impact decisions
• Regular access to confidential information
• Whether financial transactions of high value are involved
• The duty requiring special expertise at high levels
• Other criteria that can be introduced by administrations

According to the criteria in question, administration should determine sensitive duties, develop control mechanisms to mitigate the risks identified and review the changes to occur at the level of the risk.

The following table demonstrates the fields of activity which can be sensitive for administrations and gives examples regarding these fields.

CE Table 2 Examples of Sensitive Duties

Areas of Management | Examples for Sensitive Duties
Financial management | Accounting; Managing payments; Analysing the financial reports
Commitment process | Membership for the Tender Commission; Contracting process; Process of examining and accepting; Publishing tender documents
Human resources management | Definition of positions; Job description; Recruitment process; Assessment; Implementation of salary system
Information management systems | Access to the system and controls; Security of the systems and key documents; Developing the system
Support Services | Controlling valuable stocks

5.3.2 Monitoring the Results of Duties

Administrations should continuously assess sensitive duties and decide what steps to take in accordance with the changes in the level of the risks (such as renewing controls, identifying new sensitive duties, re-evaluating sensitive duties' risk levels by taking into consideration the cost-effectiveness).

Managers carry out the activities of administrations through written or spoken instructions. However, it may be difficult for the management to monitor the results of duties due to such reasons as the structures of units, organisational complexity, scattered organisations, the number of the personnel being high and duties being varied. Managers should develop such methods as introducing reporting mechanisms and holding regular meetings to overcome this difficulty.

6 COMPETENCE AND PERFORMANCE OF PERSONNEL Good management of human resources aims to ensure the efficiency effectiveness and

productivity of personnel

27

CE Box 4 Humans first

The basic aim is the selection of proper personnel for the fulfilment of the mission of

administration appraisal of personnel career planning for those who are successful and

ensuring they have the basic skills and adequate knowledge with a high sense of

responsibility and identity

6.1 Transition to Human Resources Management from Personnel Management

As it assumes the responsibility for identifying policies, objectives and standards in human resources management (HRM), top management plays a significant role in HRM. Besides, top management should create a transparent and accountable environment complying with laws and legislation.

The expertise that human resources managers have in this area should lead the other unit managers to apply human resources standards at every level of the administration. Furthermore, HRM is a responsibility for all levels of management, starting from top management. In line with the policies in question, the unit managers, when they carry out in an effective way the tasks given to them by the senior managers, should also assume such duties as orientation and training of the new personnel, improvement of their work performance, developing a proper work environment and relations in which they will work in cooperation, boosting the morale and motivation of personnel, safeguarding the health of personnel and improving the working conditions of the personnel.

6.2 Activity Areas in Human Resources Management

The basic functions of HRM can be listed as follows:

Conduction of job analyses

Job descriptions

Job requirements

Labour force assessment

Staff analysis

Cost-benefit analysis

Limitations of various legal regulations (Budget Law, Decree of Law on General Cadre Procedure, etc.)

Recruitment process

SWOT analysis (of the recruitment process)

With the principle 'good people make good organisations', we can say the quality of the employees of an administration is the quality of the outputs of that administration. First of all, it must be kept in mind that employees are humans, and a balance must be established between the needs of the administration and employees. It is important for personal motivation that assignments be conducted in line with the merits and careers of employees at every stage from recruitment to retirement. The only capital an administration has which cannot be materially measured is human.

Humans First


Announcements in newspapers, on the internet and on the administration's billboards

Developing easy application methods which meet the needs, are fair and do not lead to discrimination

Examination process being open, which will give confidence

Merit and career evaluation system

Promotion/Achievement criteria

Personnel performance indicators

Appraisal system

Rewarding mechanisms

Training Activities

Training needs questionnaire

Training programs (theoretical and practical)

Trainings and internships abroad

Post-training assessments

Participation in such activities as conferences and workshops which support personal development

Poor performance management and disciplinary practices

Determining the data on which decisions about non-appropriateness for duty will be based and announcing this to all the personnel

Clearly determining the criteria to terminate duties and announcing these criteria to the personnel

7 DELEGATION of AUTHORITY

Authority refers to the power of administrative bodies to make administrative decisions and to conduct administrative transactions.

Responsibility can be defined as a body of rules and sanctions that those who assume roles in administrative activities are subject to.

Delegation of authority is the transfer of authority and responsibility to make decisions to another body within the framework of the applicable legislation. Delegation of authority does not remove the managerial responsibility of the delegator.

Rigid and traditional administrative structures, in which all the authorities as well as transferring and execution functions gather in a single centre, are not preferred. In such administrations, the motivation of employees and lower-level managers to own the administration and produce services in line with the objectives of the administration will decrease. On the other hand, administrations in which managers delegate all their authorities to lower levels with insufficient capacity and do not monitor the results are not desirable either.

Delegation of authority forms a step in the transition from an authoritarian management understanding to a transparent and accountable management understanding. In modern administrative structures, a proper control environment is created, employees are assigned responsibilities and authorities at the level of their duties, and employees, together with the lower-level managers, are included in the decision-making mechanisms. In such administrations working motivation will increase; therefore effectiveness and efficiency indicators will go up with the attainment of the aims and objectives.

In relation to delegation of authority, the authorities to be delegated and their limits are defined by regulations in various laws. The main regulations in this regard are as follows:

Law No 3046 on Ministries

Law No 5442 on Provincial Administration

Law No 2547 on High Education

Law No 5393 on Municipalities

Law No 5018 on General Management

Organisational Laws of Administrations


7.1 Determination of Delegation of Authority

Delegation of authority should be carried out according to the hierarchical structure of the organisation. With a top-down approach, the authorities to be delegated from Minister to undersecretary (authorities to be delegated to Head of Administration), to his deputies and to heads of units, from head of unit to head of department, and from head of department to director of branch should be determined in writing and consulted with those concerned.

7.2 Delegation of Authority and Work Flow Process

Work flow processes of administrations should be determined, and the officials to take part in the processes and their authorities and responsibilities should be set out. The processes so determined should be analysed, and it should be determined who is to be assigned which authority in the processes.

What is expected in the delegation of authority is that the official who is to be delegated the authority should be well-informed of the process and have the quality and experience to manage the process. Employees that are delegated authority are expected to report the current situation of the process to the delegator, and the delegators are expected to ask for this report.

7.3 Delegation of Authority and Responsibility

We can handle responsibilities in three different categories:

Managerial responsibility

It refers to the responsibility to the senior level in hierarchical terms. Besides, it is defined as performance responsibility. Delegation of authority will not remove the managerial responsibility of the delegator.

Financial (Compensation) Responsibility

It is the financial responsibility for public and/or personal loss caused by using the authority delegated. Financial responsibility arising from the usage of this authority will belong to the user of the authority.

Legal (punitive) Responsibility

Legal responsibility covers managerial and financial responsibility. Legal responsibilities are defined in the Constitution, organisational laws, the Turkish Penal Code and special legislation. All the employees and political authorities working in the public administration must behave with legal responsibility while carrying out their duties.

7.4 Factors of Delegation of Authority

Those authorities that can be delegated and those that cannot be delegated should be determined, with their limits, at senior management level and announced. The basic factors to be taken into consideration in delegation of authority are as follows:

Delegation of authority must be in writing.

Legally, there are authorities which cannot be delegated, and these are not at the administration's discretion (for example, the authority to give disciplinary punishment or the authority of administrative tutelage, etc.).

Limits of the authority to be delegated must be set out.

As long as the delegation of authority continues, the delegator will not be able to use that authority.

The official delegating/delegated authority leaving the job will terminate the authority.


7.5 Delegation of Authority and Communication

Employees taking over the authority should periodically report the current situation of the process to the delegator, and the delegator should ask for this report, which will provide feedback to the Head of Administration regarding the process. This is an example of the monitoring function.

8 INTERNAL CONTROL AND RISK STEERING BOARD

8.1 Roles and Members of the Board

The Board has a consultation role which will provide additional value for the activities of the administration in the development of methods and processes regarding the internal control system, such as monitoring internal control practices, preparation of action plans and implementation of the current plans.

The Board is formed by the approval of the Head of Administration for commencement of studies on the internal control system within the framework of the Action Plan Manual on Harmonisation with Public Internal Control Standards. The Board consists of authorising officers (or their deputies) under the chairmanship of the deputy Head of Administration; when the deputy Head of Administration is not available, an authorising officer to be assigned by the Head of Administration will take over as chairman. All or some of the authorising officers are selected for the ICRSB, and how many to select should be determined with a view to providing efficiency in line with the organisational structure. When deemed necessary, the Head of Administration can invite those authorising officers who are not members of the Board to meetings of the Board to get their opinions, provided that they are not included in the decision-making. Secretarial services of the Board are provided by strategy development units.

The Board convenes periodically. Experts from inside and outside the administration can be invited to the Board if deemed necessary in order to contribute to the objectives and aims. Within the framework of the duties and responsibilities given to it, the Board is free to determine the dates and content of meetings, and it notifies the relevant persons of the relevant arrangements in advance.

Decisions are made based on majority voting. Each member, including the Chairman of the Board, has only one voting right. However, when the votes of both sides are equal, the majority is considered to be the side that the chairman takes. Those members who do not side with a decision state their justifications for not siding with it in writing. The deputy senior manager, authorising officers or the deputies they assign should have a single equivalent voting right in the meetings; however, the other representatives and experts whose opinions are received should not have a voting right. The Head of Administration, on the other hand, should be able to participate in the Board meetings without having a voting right and should encourage the participation of authorising officers to strengthen the internal control system. For meetings in which the Head of Administration does not participate, a briefing should be made through the reporting system.

Details about how the Board works should be specified in the relevant legislation.

The Board regularly monitors internal communication activities and processes, revises them when deemed necessary, and determines new communication methods to fit the changing organisational structure.


CE Figure 4 Information Flow in Internal Control and Risk Steering Board

8.2 The Board's Scope of Duty

The Board works to support the accountability of senior management in the fields of management, internal control and especially risk, and is authorised to carry out the following with the approval of the senior manager. Within this framework, its duties in the field of risk can be listed as follows:

It prepares the Risk Strategy and Policy Document (RSPD) or reviews the available RSPD and submits it for the approval of the senior manager.

It determines policies for the establishment of the risk management culture in the administration.

It determines the risks of spending units to be managed in partnership and the related policies and procedures, and communicates them to the unit's risk coordinator for coordination purposes.

It determines the risks to be managed in partnership with the other administrations and communicates them to the relevant administrative risk coordinator to ensure that necessary precautions are taken for management in partnership with the relevant administrations.

The Board periodically assembles to assess whether the risk management process functions well or not and the level achieved regarding risks, and reports the level achieved to the senior manager.

The Board fulfils the following duties other than risk management:

Assessing internal audit reports and providing guidance for implementation of recommendations and ideas regarding the internal control environment and the other components, in line with the requirements of the administration.

Monitoring the activities of the administration carried out within the framework of strategic plans and policies of the administration by means of periodical meetings.

Making decisions on dissemination of good practice examples both inside and outside the administration as a result of monitoring activities that are carried out.

[CE Figure 4 labels: Deputy Head of Administration; Internal Control and Risk Steering Board; Strategy Development Unit; Authorising Officers of Spending Units (A), (B) and (C)]


RISK MANAGEMENT

1 Introduction

Administrations utilise the resources allocated to them in order to reach the objectives set out. Activities, processes and projects which are carried out for utilisation of these resources bring along risks. Risk management is a good tool for administrations to achieve the aims they set out in accordance with their missions and visions. Box RM1 describes Risk.

RM Box 1 Definition of Risk

Risk is the uncertainty of events that may emerge in the future (if positive, it is an opportunity; if negative, it is a threat). For administrations this means that the aims, and the objectives they set out to achieve these aims, can be affected positively or negatively by internal or external factors.

Risk management covers risk assessment, determination of effective control activities, monitoring and continuous improvement of these processes. Risk management must be practised corporately for consistency purposes, which brings us to the concept of Corporate Risk Management. Corporate risk management covers the entire administration and ensures that risk management processes are considered and handled as a whole.

2 Risk Management standards

Administrations, while implementing risk management, take into account the following standards:

RM Box 2 Risk Management Standards

3 Benefits of Risk Management for Administrations

The following are the important benefits of properly applied risk management in corporate terms:

Helps improve the performance of administrations and assists administrations in attaining their aims and objectives.

Helps provide the continuity of the services the administration provides and improve the quality of the activities the administration carries out.

[Diagram labels: Info & Communication; Monitoring; Control Activities; Risk Management; Control Environment]

Standard 5: Planning and Programming

The administrations shall establish and announce their activities, goals, objectives and indicators, as well as the plans and programs, including the resources which are required for the realization of the above listed elements. They shall also ensure that the activities are in compliance with plans and programs.

Standard 6: Determination and assessment of risks

The administrations shall define and assess the internal and external risks that could prevent the achievement of goals and objectives by performing a systematic analysis, and determine the measures to be taken.


Ensures cost-benefit balance between the risks identified and the controls applied, and therefore increases the efficiency in resource allocation.

Helps control the impacts of potential losses and decrease the costs of such losses.

Ensures compliance with the legislation and regulations.

Helps strengthen decision making mechanisms by supporting evidence and risk-based decision making.

Enhances accountability by supporting the clear definition of tasks, roles and responsibilities within the administration.

Helps the administration have a more positive image in the eyes of public opinion.

4 Critical Achievement Factors for an Effective Risk Management

For administrations to obtain the expected benefits from risk management, the following are required:

Ownership of the risk management process and determination of a risk strategy, encouraging its implementation in accordance with the mission and vision.

Establishment of necessary mechanisms to have a single risk management language.

Provision of sufficient information, guidance and advice regarding risk management.

Simplicity, flexibility and practicality of risk management processes, and integrated planning and implementation with the other basic processes (strategic planning, performance management, human resources management, etc.).

Supporting the assessments regarding risks with reliable evidence at all times.

Systematic monitoring, reporting and evaluation of risk management processes.

Increasing awareness within the administration that everyone has an important role to play in risk management and that risk management should be fulfilled as an integral part of the existing processes.

Having an organisational communication strategy and proper and functional communication channels inside and outside the administration.

5 Risk Strategy and Policy Paper

Risk Strategy is the organisational approach defined for risk management and top level policies, whereas the Risk Strategy and Policy Paper (RSPP) is the document in which this approach and these policies are set down in writing. Risk strategy sets out the administration's attitudes towards risks and forms a framework for the risk management process. The RSPP of an administration is prepared by the Internal Control and Risk Steering Board (ICRSB) for the endorsement of the head of administration and should be available to and known by all staff.

The organisational risk strategy should clearly set out the structures regarding the management and ownership of risks; how to address risks at strategic level and at program and activity levels; the structures regarding communication, monitoring, assessment and getting assurance; the criteria for key risks; the risk register format; and risk measurement criteria. Attention must be paid that the risk policies of the organisation comply with national level policy papers.

The risk strategy must be set out to reflect the risk appetite of the administration at strategic level. As risk appetite can change in time based on various conditions (for example, risk appetite may be low in periods of financial crisis), the risk strategy of the administration should be reviewed at least once a year and updated when deemed necessary. Box RM3 gives a basic explanation about Risk Appetite.

RM Box 3 Risk Appetite

Risk appetite is the amount of risk an administration is ready to take at any time (tolerate/be exposed to) in accordance with its mission, vision and objectives. Risk appetite should be taken into consideration while preparing strategic plans.


Risk appetite is affected by the internal and external environment, people, business systems and policies. Within this framework, risk appetite should be set out with top-down guidance.

It is possible for the administration to set different appetite levels as long as the administration does not exceed its overall risk appetite limits.

Both taking too many risks and taking too few risks may lead to failure. Although low risk appetite is considered to be a reliable management method, it may constrain the administration in terms of creativity, innovation and taking advantage of opportunities.

Another prerequisite in risk management is the existence of a common risk language. Producing this common language requires a joint terminology and mechanisms to disseminate it. Otherwise it is not possible to build a strong common understanding to manage risks.

Corporate risk management requires a contribution from all employees. Ownership of the risk management process by the staff (identifying, addressing, responding to, reviewing and monitoring the risks) and considering it as a part of their jobs can increase the effectiveness of corporate risk management.

In order for risk management to contribute to the achievement of objectives, to improve management quality and also to reduce costs, it should be embedded in the activities. Embedding risk management in the processes means that activities are carried out as a whole, including risk management.

Box RM4 gives details of the content of the Risk Strategy and Policy Paper.

RM Box 4 Risk Strategy and Policy Paper

6 TASKS, AUTHORITIES AND RESPONSIBILITIES

Good risk management is only possible if the administration is well organised. Clear definition of tasks, roles and responsibilities, awareness among staff of what is expected of them within the framework of the policies and practices of the administration, and the existence of horizontal and vertical communication mechanisms and of mechanisms for communication outside the administration are the requirements for a good control environment. The assignment of tasks, roles and responsibilities to appropriate, competent and authorised people in risk management will provide a strong infrastructure for risk management in the administration. While it is necessary to define roles and responsibilities, all staff are responsible for risk management. Diagram RM1 explains the structure of roles and responsibilities in risk management.

RM Figure 1 Tasks and Responsibilities in Risk Management

RSPP should include at least the following:

Aim of risk management

Risk appetite

Compliance with the legislation and binding policy papers

Risk methodology to be adopted

How to determine key risks (criteria)

Organisational structure and duties

Roles and contributions of the employees

Communication Plan


6.1 Head of Administration

This person is defined within the framework of Law no 5018 on Public Financial Management and Control and is authorised and responsible for risk management at the highest level.

Regarding risk management, the Head of Administration:

Ensures the establishment of the strategy regarding the management of risks in accordance with the aims and objectives of his administration at the outset of each year, approves the Risk Strategy Policy Paper (RSPP), which demonstrates how the strategy will be implemented, and notifies all staff of this in writing.

In the RSPP, clearly defines all the tasks, roles and responsibilities and the necessary structures (for example the ICRSB) within the scope of this manual for risk management.

Provides the Administrative Risk Co-ordinator (ARC) with necessary support regarding the risks to be jointly managed with other administrations.

Ensures that the proper mechanisms are established to provide for the necessary sensitivity and participation regarding the management of risks for the public opinion and the stakeholders.

Sets out the strategic actions for the future in accordance with the considerations and recommendations by the ICRSB and the ARC.

Receives assurance on risk management from the ICRSB and presents an assurance declaration to the Minister on whether the risks are managed effectively.

Encourages the consistency of risk management processes.

Reviews monitoring reports and encourages the effectiveness of risk management.

Sets an example in terms of his behaviours, particularly in strategic risk management.

Encourages the employees to identify risks.

Should show leadership in risk management.


6.2 Internal Control and Risk Steering Board (ICRSB)

The Board develops policies for the improvement of risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the units of the policies and procedures. On the advice of the ARC, the ICRSB determines a particular number of risks which it deems significant as the key risks among the risks that are submitted to it, and reports whether these key risks are managed well or not to the Head of Administration in regular periods or whenever it deems necessary.

Secretarial services of the Board are carried out by the Administrative Risk Coordinator (Head of SDU). Whenever necessary, people with the relevant expertise from within or outside the administration can be invited to the meetings. The ICRSB has the authority to enforce the elements it determined regarding the following duties with the approval of the Head of Administration.

Regarding risk management, the ICRSB carries out the following:

Preparing the Risk Strategy and Policy Paper (RSPP) of the administration, or annually reviewing the already available RSPP, and submitting it to the Head of Administration for approval.

Defining policies for establishment of a risk management culture.

Ensuring that risks are consistently managed in the administration.

Determining critically strategic risks of the administration.

Determining the risks of spending units which require joint management and the related procedures and policies, and submitting them to the URC for coordination purposes.

Setting out the risks that require joint management with other administrations and ensuring that necessary measures are taken for the joint management by notifying the ARC.

Meeting at least quarterly in order to consider whether the risk management processes in the administration work effectively and to assess the current status of risks, and reporting it to the Head of Administration.

Ensuring that good practice cases are determined and spread more widely.

6.3 Administrative Risk Coordinator

It is advisable that the Head of the SDU takes the role of Administrative Risk Co-ordinator. The ARC is a member of the ICRSB and is responsible to the Head of Administration for the consistency of the risk management processes of the administration and their compliance with the standards.

Regarding risk management, the ARC:

Is responsible for the efficient operation and coordination of all risk processes in all units.

Calls the relevant Unit Risk Coordinators (URC) for a meeting at least once in three months.

Prepares the Consolidated Risk Report (using the report form in this manual) on the basis of the reports submitted by the URCs and submits this Consolidated Risk Report to the top management and the ICRSB on a quarterly basis. The report should include the ARC's personal considerations on the key risks.

Carries out secretarial services of the ICRSB and such tasks as setting out meeting agendas for the Board, keeping minutes of meetings and submitting decisions of the Board to the Head of Administration for approval.

Discusses the issues on common risk fields with the ARCs of other administrations and coordinates these within the administration.

Provides technical support to the units on risk management of the administration.

Identifies the needs of units regarding risk management and reports them to the ICRSB and the Head of Administration before each meeting.

Sends feedback to URCs regarding the opinions, advice and decisions of the ICRSB and takes necessary precautions for the consistency of the risk management processes of the administration.


6.4 Unit Risk Coordinator

The Unit Risk Coordinator (URC) is the authorising officer or the person who is determined by the authorising officer. Regarding risk management, the URC:

Coordinates the identification of the unit's risks that may have an impact on the objectives of the administration and provides relevant guidance at the beginning of the year. The URC associates the risks that are determined with the activities of the sub-units, using their knowledge and expertise, and pays attention to ensure that all important issues are addressed. Important risks included in the risk register are submitted to the ARC to be presented to the ICRSB for consideration.

Reviews the risk registers and relevant reports that are annually prepared at periods (such as monthly, quarterly, semi-annually) to be set out by the administration and reports them to the ARC.

Monitors the risks managed and reported by the Sub-Unit Risk Coordinators (SURCs) at unit level. Evaluates the changes in the risks or the arising risks, if any, and reports them to the ARC upon approval from the unit director.

Submits an assurance declaration to the ICRSB on whether the risks are managed effectively.

Provides feedback to SURCs regarding the opinions, advice and decisions of the ARC and ICRSB.

Determines training needs regarding risk management.

6.5 Sub-Unit Risk Coordinator

The SURC is responsible for the coordination of risk management activities within sub-units of the units in administrations (if such units exist or it is seen to be appropriate to manage the risks at this level) and is the person to be determined by the authorising officer. He/she is directly accountable to the URC regarding risk management. Sub-unit risk coordinators must be selected from among those who have sufficient competence and experience.

Regarding risk management, the SURC:

Coordinates the conduct of the tasks of identifying, assessing, addressing, reviewing and reporting the sub-unit's risks that are associated with the objectives of the administration.

Reports, in line with the risk strategy of the administration, the recently identified risks that are related to the activities of the sub-unit, those risks with changing scores and the effectiveness of controls carried out to decrease these risks to the Unit Risk Coordinator (URC) at periods determined by the URC.

Is accountable to the URC and furthermore responsible for providing the Administrative Risk Coordinator (ARC) with requested information and documents.

6.6 Employees

The most important factor for risk management to be successful is the ownership of risk management by employees. Therefore, every employee is responsible for managing risks in their field of duty (identifying, assessing, responding to, reviewing and reporting risks).

Regarding risk management, employees:

Contribute to the risk management processes in their respective units by defining, communicating and responding to the expected, emerging and changing risks.

Manage the risks within their own fields of responsibility through the power and responsibility assigned to them by the administration.

Provide evidence to the SURC/URC regarding the effectiveness of the management of risks in their respective fields.

Employees should not hesitate to identify risks and submit them to the relevant risk coordinator. It is important to bear in mind that just one loose screw could cause a plane crash.


6.7 Internal Auditor

The Internal Auditor provides the Head of Administration with advice regarding risk management by making evaluations on whether the risk management process is effective and risks are managed in the right way or not. Internal Audit can also provide advice on whether any key risks have been overlooked or inappropriately controlled.

6.8 Strategy Development Unit

The Strategy Development Unit (SDU) is responsible for providing training, identifying training needs and facilitating delivery of necessary training. They are also responsible for identifying best practice in risk management, encouraging such practice to be shared and providing guidance where necessary.

6.9 Central Harmonisation Unit

The Central Harmonisation Unit (CHU) carries out such activities as making regulations on internal control, including risk management, and activities for the development of risk management. The CHU also provides guidance, ensures harmonisation and inter-administrational coordination, and reports on the effectiveness of risk management.

7 RISK MANAGEMENT PROCESS

Basically, the risk management process should start simultaneously [1] with strategic planning studies. In cases when strategic plans should be renewed or amended, studies concerning risks should be carried out with current amendments in mind. Within the framework of the risks identified in light of strategic objectives, the attitude of an administration towards risk management is set out in the Risk Strategy and Policy Paper, with information on risk appetite included. Within this framework, administrations identify risks at strategic, program/project and operational (activity) level. In identifying risks, an administration can start with the strategic level (top-down) or the activity level (bottom-up), or it can start the risk management process by implementing both methods together.

Figure RM2 shows the Risk Management process.

[1] If strategic plans are already prepared, the risk management process should then begin as soon as possible.

40

RM Figure 2 Risk Management process

[Figure labels: Risk Management strategy; Risk Management Process; Identification of risks; Assessment of risks; Monitoring and reviewing risks; Responding to risks]

The administration should manage the risks at strategic, programme and operational level, as shown in Figure RM3.

RM Figure 3 Hierarchy of Risk

Administration level: This is the area which covers the whole administration, where decisions related to strategic objectives are made and for which the senior management of the administration is responsible. Strategic objectives are medium- and long-term objectives and are associated with senior level policy documents. Therefore, while making decisions for the future, decision-makers (top management) have to take into consideration a lot of uncertainties. This is the area where risks have the highest impact. Besides, this is the area which is affected most by external risks such as governmental policies, general economy and technological developments. This area assumes specific importance, as those risks which are not managed well at strategic level affect the other levels as well.

Unit level: This refers to units where policies of senior management are implemented and which are responsible at the highest level for the usage of public resources within the administration. Impacts of such risks last for a shorter period of time compared to those of the strategic risks. This is the area where units should identify their objectives and manage related risks for the administration to achieve its strategic objectives. This is the area which is affected by risks both from inside and outside the administration. For risks from upper and lower levels to be assessed and coordinated, it is vital that this level be managed well. Besides, there should be strong communication in this area.

Sub-Unit level: In this area there are only those works which are carried out at operational level with a view to achieving the unit's objectives. Daily activities of all employees fall within the scope of this area. This is the area where short-term decisions are made, products and services are produced and fewer uncertainties are experienced. This area is affected more by internal risks than external risks. Risks not being managed well at this level may affect the achievement of strategic objectives.

7.1 Identifying Risks

The risk identification process, which is the first stage of risk management, is the process of identifying, categorising and updating the risks that prevent or limit the achievement of the administration's strategic objectives, using previously defined methods. The following box suggests some questions to be considered when starting to identify risks.

RM Box 5 Questions to be considered when starting to identify risks

What are the main objectives?

What are the key activities?

Who are the stakeholders?

The following should be considered while identifying risks:

As a generally accepted rule, strategic risks that can affect the administration are determined at the stage of strategic plan preparation, and risks identified are included in the strategic plan.

Risks should also be identified at programme and operational level. Programme and operational risks should include all the strategic risks. However, when identifying the programme and operational risks, we should not limit our scope to strategic risks but have a wider spectrum.

When identifying risks, the administration can determine a top-down or bottom-up method, preferably used at the same time.

Risks identified should be associated with objectives of the administration. It must be taken into consideration that some risks can indirectly affect the objectives, such as those which damage the reputation of the administration.

Risks should be identified systematically with previously determined methods. These methods can vary according to the characteristics of administrations and their activities. In this process, the administration can either use one or more of the methods defined below or develop a new method in line with its own needs.

Risks identified should be expressed as 'x' risk or risk that 'x may emerge'. It will be convenient to register them this way in the risk register (see Annex 3 for the risk register form).

Assess whether risks identified are internal or external risks.

o Internal risks are the risks stemming from the events directly controlled by the administration itself. Internal risks can be grouped into three: strategic risks, program risks and activity risks.

o External risks, on the other hand, are the uncertainties arising due to events that are out of the control of the administration, which hamper or prevent the achievement of objectives. While identifying external risks, it will be useful to classify them by their subjects (generally PESTLE analysis is used; see Box RM7).

After risks are identified, their owner or the person to be responsible for them must be defined, and this information must be included in the risk register.

Since risk identification is a dynamic process, emerging risks should be identified and changes to the existing risks should be consistently followed up.

RM Box 6 Factors and methods to be taken into consideration during the process of identifying risk

How do I identify risks?

Firstly, decide how to identify the risks, namely at strategic level, operational level or both.

Identify and categorise the risks (social, cultural, political, scientific, etc.), taking into consideration the threats, opportunities and the scope.

Decide on the required human resource, tools and methods.

Mostly the following methods are used to identify risks. However, administrations can determine different methods other than these methods in light of their needs.

o PESTLE analysis (see Box RM7)

o SWOT Analysis (see Box RM7)

o Brainstorming (this method can be used both for identification and assessment; see Annex 1)

Group risks as internal and external ones.

Make a stakeholder analysis (identify the risk tolerance, position and attitude of the stakeholders).

Repeat the identification regularly and in periods of change.

The following box explains the PESTLE and SWOT analysis.

RM Box 7 PESTLE and SWOT analysis

PESTLE Analysis

PESTLE Analysis is the identification of risks by making assessments based on the following categories:

Political

Economic

Social

Technological

Legal

Environmental

Example

o Political: change of governmental priorities

o Economic: inflation rate going above the expected levels

o Social: population growth rate going much above the expected levels

o Technological: information process infrastructure not being set up

o Legal: cases in courts turning against the administration

o Environmental: an earthquake strike

SWOT Analysis (In-house analysis)

Strengths

Weaknesses

Opportunities

Threats

Example

o Strengths: Specialised personnel

o Weaknesses: Old technology

o Opportunities: Economic growth

o Threats: Sudden policy change

For detailed information, refer to Strategic Planning Guideline for Public Administrations, SPO, June 2009.

The following two boxes give some tips for the process of risk identification and some questions to ask.

RM Box 8 Tips for Risk Identification

What are the Tips?

Whether there is available information regarding the risks, and how accurate it is, if any, should be taken into consideration.

A working group including different fields of expertise would increase the likelihood of identifying new risks.

Using the brainstorming method yields effective results (see Annex 1).

Having open communication lines and being farsighted are the key points.

RM Box 9 Questions to ask in the process of risk identification

What could go wrong in the achievement of objectives?

What are the critical achievement factors?

Who are our stakeholders and what can their negative or positive impact be on our activities?

What are our risk categories? Tables, diagrams, etc.

What are our weaknesses?

Which assets assume more critical importance?

What areas are open to irregularities and fraud?

Which events or situations can hamper our activities?

What are our most critical sources of information?

In which areas do we spend most?

Which activities or processes are more complicated?

In which areas are we subject to penal sanctions?

What are the legal requirements?

What are the resource limitations?

7.2 Risk Assessment

Risk assessment refers to analysing the factors that may have an impact on the achievement of the administration's objectives and evaluating the seriousness of the risk in terms of impact and probability. While assessing risks, in addition to the potential events the administration can face, aspects which are specific to the administration (for example, size of the administration, complexity of activities, legislation it is subject to in relation to its activities, its political priorities, public interest) should be considered.

After risks are identified comes the stage where the risks are measured and prioritised. Prioritisation is listing the risks in accordance with their priority, in line with the scores they are given. Risk assessment helps decide whether to respond to identified risks and, if so, select the best response with regard to the cost/benefit balance.

The following box gives some questions to be considered before starting the risk assessment process.

RM Box 10 Questions to be considered before starting the risk assessment process

What are the objectives?

What are the present controls?

What are the possible results if the risk occurs?

Do activities of some other administrations/units affect my risk?

Who are the stakeholders and what is their level of experience and expertise?

Three important principles in risk assessment are:

1. Identifying the impact and probability of each risk

In assessment, probability and impact are analysed. Probability refers to the chance of an event occurring in a particular period. Impact, on the other hand, is the outcome or the effect produced.

Three categories are used while assessing risks: low risk level (shown in green), medium risk level (shown in yellow) and high risk level (shown in red). These colours, as in traffic lights, make the degree of importance of the risks easier to understand. These are shown in the following diagram.

Probability and impact of the risks can also be shown using numbers. In the following diagram, point 1 indicates that there is almost no probability for that risk to occur, while point 10 means that it is almost certain that it is going to occur. In terms of impact, point 1 is used where the outcome of the realisation of a risk has little importance, whereas point 10 means that this outcome is highly important. Risks are scored between 1 and 10 for their probability and impact (see Annex 5). In assessing impacts and probabilities of risks, one of the methods to be used is the voting method (see Annex 2).

Risk maps are used to see the severity of the risks better. A basic demonstration of risks on the risk map is given in the following diagram.

RM Figure 3 Risk map

2. Assessing the risks on the basis of inherent risks and residual risks

Inherent risk refers to the amount of risk before it is managed or any action is taken. These inherent risks are transferred to the risk register (see Annex 3 for the Risk Register form) after assessing their probability and impact. In assessment, as has been suggested above, the probability and the impact of the risk are scored between 1 and 10. Multiplication of the scores of probability and impact indicates the risk score.

The administration at this stage must decide on the risk appetite. It must also be set out which risks, placed between which numbers, are low, medium or high risks, in accordance with the designated risk strategy of the administration, and the risk map of the administration must be produced in this framework (see Box RM3 Risk Map).

After the risk score has been set, risks are prioritised starting from the one with the highest score. Responses to be given to risks are determined. Controls are identified and applied considering the methods of responding to risks.

The management must identify the level of the remaining risk after the control activities it carries out to manage the risk. Residual risk refers to the remaining risk after an action has been taken to mitigate the probability and impact of a risk. If the level of the residual risk is still higher than the risk appetite, the efficiency and competence of the present control activities must be questioned and, if deemed necessary, responses to be given to the risks must be reviewed. The following box gives an example of inherent and residual risk.

RM Box 11 Example of inherent and residual risk

Activity: using a car

Inherent risk: having an accident because you are inexperienced

Control action: getting a licence, taking driving courses

Residual risk: another inexperienced driver crashing into your car

3. Recording the risks

Recording the risks contributes to the prioritisation of the risks, and therefore to the efficiency of the allocation of resources, and to the production of evidence for the decisions taken; helps people to understand their responsibility within risk management; facilitates the acquisition and communication of information to the right people at the right time via the reporting mechanism; and enables the reviewing and monitoring processes of the risk.

Risk records are reported in two stages: the Risk Register (see Annex 3), used in the identification and registry of risks, and the Consolidated Risk Report (see Annex 4), used for the reporting of risks to the senior managers (see Annex 7 for an example of a completed Risk Register).

The following box gives some tips for the risk assessment process.

RM Box 12 Tips for risk assessment

Measure the impacts and probabilities of the risks identified for a particular period of time.

While determining the impact score, assess the impact the risk will have on the objective that is foreseen to be hampered.

Utilise proper methods in the assessment.

Bear in mind that risk assessment of a job can best be made by the person who does this job.

Note that activities of other administrations/units can have impacts on your risks and that risks are not independent of each other.

Utilise tables such as risk maps to be able to see all the risks together.

Prioritise risks in line with the risk scores (Impact x Probability).

RM Box 13 Example of the Risk Assessment process

You are going to deliver training on your subject of expertise.

Your Objective: Audience understands the subject you explain.

You identify your risks:

Risk 1: As you arrive late, you may not have sufficient time to deliver the training.

Risk 2: You may deliver your presentation using an inappropriate approach, as you do not know who the audience is.

Risk 3: You may have difficulty in supporting what you explain, as you don't have the softcopy of the presentation.

Let's see the likelihood of Risks 1, 2 and 3 and how they would affect your objectives if they occur.

Risk 1

Likelihood: The traffic would be bad at that hour. In addition, you have a lot of other things to do that day. Likelihood: 7

Impact: You can arrive late, but you know the subject very well. Even if you deliver it in a very short time, it would still be understandable for the audience. The impact of arriving late on your objective is 3.

Risk Score: 7 x 3 = 21

Risk 2

Likelihood: In the letter you have been told what the subject is but not who the audience is, and you don't have the chance to ring someone and learn. Likelihood: 5

Impact: If you are to deliver the training to experts who already know the issue, you get into details, but if your audience is made up of people who don't know anything about it, you only draw the general framework. If you cannot learn who the audience is and you deliver the training in detail while the audience is unaware of the subject, they would not understand; or, if you give little information to people who already know about it, they would not learn anything new. The impact of using the wrong approach in the delivery is 9.

Risk Score: 5 x 9 = 45

Risk 3

Likelihood: You generally carry your computer around. You also have the habit of carrying your pen drive in your bag after saving your studies on it. Likelihood: 2

Impact: Even if you don't project the presentation on the screen, you know the subject very well. You could still effectively deliver it to the audience. The impact of not having the soft copy with you on your objective is 3.

Risk Score: 2 x 3 = 6

As shown in the risk map:

Impact
  10 |  10   20   30   40   50   60   70   80   90  100
   9 |   9   18   27   36   45   54   63   72   81   90
   8 |   8   16   24   32   40   48   56   64   72   80
   7 |   7   14   21   28   35   42   49   56   63   70
   6 |   6   12   18   24   30   36   42   48   54   60
   5 |   5   10   15   20   25   30   35   40   45   50
   4 |   4    8   12   16   20   24   28   32   36   40
   3 |   3    6    9   12   15   18   21   24   27   30
   2 |   2    4    6    8   10   12   14   16   18   20
   1 |   1    2    3    4    5    6    7    8    9   10
     +--------------------------------------------------
         1    2    3    4    5    6    7    8    9   10
                         Likelihood

Prioritisation:

1. Risk 2 (Risk Score 45)

2. Risk 1 (Risk Score 21)

3. Risk 3 (Risk Score 6)

(Note that risks are not always assessed according to the scores. Some strategic risks should be taken into consideration even if they have a low score. Emergency precautions/plans should be available. You may not always foresee what will happen. Your plans should be flexible. Therefore you will be able to handle the situation when something unexpected emerges.)

7.3 Responding to Risks

Responding to risks refers to setting out the responses to the risks identified and assessed within the risk appetites by the public administration, and mitigating the potential threats or taking the arising opportunities. Before deciding on the method to respond to risks, a cost/benefit analysis must essentially be carried out. The objective of responding to risks is to mitigate the likelihood of the risk and its impact and to achieve the foreseen objective in the most efficient manner.

Box RM 14 Questions to consider in responding to risks

What is the level of risk?

What happens if no response is given to the risk?

Which risks must be controlled?

Which risks can be transferred?

What are the consequences of resorting to risk aversion as a public administration?

Is the opportunity good enough to take the risk?

The following figure shows, within the framework of risk appetite, how inherent risk turns into residual risk as a result of responses, controls and actions (also see Box RM3 Risk Appetite).

RM Figure 4 Risk Indication Table

(OGC's Risk Dashboard, from HM Treasury's publication named Thinking about Risk)

Figure RM4 demonstrates the following:

Columns 1 and 5: Control activities successfully decrease the inherent risk so that the remaining risk, called the "residual risk", is reduced to the same level as risk appetite. Such points, where the risk appetite and residual risk of an administration overlap, are ideal situations in terms of risk management (cost-effect).

Columns 2, 3 and 4: Control activities decreased the risk. However, residual risk is still higher than the risk appetite (tolerable level). This shows that the effectiveness and adequacy of the controls implemented should be questioned and more control activities should be implemented.

In column 6, as the inherent risk is equal to risk appetite, the risk is tolerable. However, these risks should be monitored just as the other risks, because of the possibility of changing.

In column 7, on the other hand, control activities decreased residual risk below the risk appetite. This shows that more controls than necessary are implemented and resources are not used efficiently. In these over-control cases, control activities should be decreased to a level at which residual risk is equal to risk appetite.

There are four methods of responding to risk, and these are shown in the following diagram, Figure RM5.

RM Figure 5 Methods of responding to risk

[Figure: Methods of responding to risk: Tolerating, Treating, Transferring, Avoiding]

Tolerating: This is a passive method of response given to the risks which public administrations are comfortable to undertake. In the following cases, risks can be accepted:

If the inherent risk is within the limits of risk appetite, then it is accepted.

When it is understood that the cost of the actions to be taken (controlling, transferring or avoiding) for an intolerable risk would exceed the potential impact of the risk, then the risk is accepted.

Some risks are out of the control of the management. Certain risks do not disappear unless the activity is terminated, whereas terminating an activity is not always possible or desirable.

Treating: This is a method of response given to a risk by means of control activities carried out with a view to keeping risks at a tolerable level (risk appetite) in public administrations. This method can be applied using the five following controls:

Preventive Controls

Corrective Controls

Directive Controls

Detective Controls

Emergency Plans

For detailed information, refer to the Control Activities chapter.

Transferring: This is the response given to the risks by taking some of them away from the responsibility of the administration and transferring them to others. (Even if the risks are transferred, the responsibility cannot be transferred, and they need to be managed under the control of the administration, because it is the administration that will be affected when the risks are realised.)

Risk transfer is carried out using the following methods:

Completely or partly transferring the activity to another administration

Transferring its operation to third parties using a procurement method

Transferring it by means of insurance (when appropriate)

Avoiding: If the risk we have to take is too big to manage and there are alternatives to the activity performed, it is possible to terminate this activity. For example, deciding not to build a factory which is expected to cause too much air pollution, or deciding not to purchase the computers that are planned to be purchased because of a budgetary cut.

The following box summarises the process of responding to risk.

Box RM 15 Process of responding to risk

List the Threats and Opportunities according to the analysis results.

Define your attitude considering the content of the risk:

o Tolerate

o Control

o Transfer

o Avoid

Ensure that the benefit that the response will provide is higher than the cost it will bring.

While managing risks, the opportunities they bring along should also be taken into consideration. Alongside negative impacts, risks can also lead to opportunities. In order to be able to take these opportunities, which would make an additional contribution to the achievement of the administration's objectives, the administration must have designated strategies. Taking the opportunity is not an alternative method to respond to risks; rather, it is a method to be applied additionally.

Opportunities are taken in the following cases:

When the cases of taking the opportunity and reducing the threats coexist. For example, carrying out health and scientific research to find a cure for a disease. (The disease threat will decrease and, at the same time, there will emerge the opportunity that cost will decrease with fewer people going to hospitals.)

When opportunities emerge before the negative event occurs. For example, using a new technology to be able to work better, or reaching a greater number of people via e-state.

The following box gives some tips for use when responding to risk.

RM Box 16 Tips for responding to risk

Prioritising risks helps decide which risk to respond to first.

As a public administration, while determining the responses to be given to risks, recipients of the services and the impacts on them must be considered.

Stay away from over-control measures while responding to risks. Over-control harms the efficiency of the administration as much as insufficient controls do.

The possibility that acting in coordination with other administrations in responding to risks may be more efficient must be considered.

The following box gives an example of the process of responding to risk.

RM Box 17 Example of the process of responding to risk

Your organisation has decided to buy a new IT system.

You identify your risks:

Risk 1: The new system has inadequate response times.

Risk 2: Data is not transferred accurately from the old IT system to the new system.

Risk 3: You do not have the capability to operate the new IT system.

Risk 4: The new IT system does not work.

What responses can you give to these risks?

Risk 1

Tolerate: You have been assured that the new system has a five second response time, which is similar to the current system, so you decide that it does not need to be quicker.

Risk 2

Treat: You need to introduce controls to make sure that data is transferred accurately.

o Preventive controls: Testing is done on the new IT system before it is introduced to ensure that data is not corrupted on transfer.

o Corrective controls: Testing is done comparing data transferred from the old system to the data on the new system. This control activity corrects the errors.

o Directive controls: Requirement that IT staff working on developing the new system have adequate skills and experience.

o Detective controls: Testing is done after one year of operating the new system to see if standing data transferred from the old system is accurate.

o Emergency plan: You should make sure that you can revert to using the old system in the event that the new system does not have properly transferred data.

Risk 3

Transfer: You outsource the running of the new system to another organisation which has the relevant expertise.

Risk 4

Avoid: If it is detected during testing that the new IT system is not working, you quit buying this system and search for an alternative IT system.

Take the opportunity

Your new IT system allows you to operate more efficiently, freeing up staff time to do other activities.

7.4 Reviewing Risks

Risks can change in terms of their impact and likelihood due to various changing conditions or measures taken. Furthermore, it is also possible that new risk areas are formed due to changing conditions. Therefore, all the aspects of risks identified and the risk management process should at least be reviewed on a regular basis. Reviews can be carried out at frequencies to be set by the administration according to the level of importance of the risks.

In the event that extraordinary developments take place and this has a serious impact on the risks, the Administrative Risk Coordinator (ARC), upon the spoken or written instruction of the head of administration, organises an emergency meeting of the Internal Control and Risk Steering Board to assess the risks. For example, natural disasters, economic crises and early election resolutions are extraordinary developments.

Reviewing the risks and reviewing the risk management process are two different processes, and the fact that one of them is carried out does not necessarily mean that the other is carried out as well. Whereas each risk is reviewed by its respective owner, the risk management process is reviewed by the Head of Administration and/or ARC. Reviewing risks regularly would provide flexibility in adapting to the changing conditions.

Risks are reviewed as follows:

Whether risks still exist, whether new risks have arisen, and whether the likelihood or impact of a risk has changed is reviewed.

Priority should be given to key risks (those with the highest probability and impact) during a review. Other risks should be reviewed later.

While reviewing strategic risks, first and foremost, amended policy papers (if any), developments in the other countries, expectations of the public for that period, Internal Audit Reports, Inspection Reports, External Audit Reports and other relevant reports and documents should be considered.

In the light of the developments, if there have been any changes to the risk profile, the risk register of the administration/unit/sub-unit must be reviewed.

The change must be communicated to the risk coordinator at the next senior level within five working days.

By reviewing the prioritisation of the key/main risks, the assessment results should be submitted within five working days by the ARC to the ICRSB in a revised Risk Report.

The results of the assessment will be discussed by the ICRSB, and the report is then submitted to the Head of Administration by the ARC.

The conclusion and evaluation part of the report must definitely include remarks on whether the risk management process provides the necessary assurance and whether new measures are needed or not.

o Do we give reasonable assurance on the successful management of risks?

o Do we give reasonable assurance on the effective implementation of the control activities?

The process of reviewing risks is summarised in Box RM18 and questions to consider are listed in Box RM19.

RM Box 18 Process for reviewing risk

RM Box 19 Questions to consider in the risk review process

75 Communication and Reporting

Communication within the context of risk management refers to accurate and timely

conveyance of the right information to the relevant people through various mechanisms at

the right time Communication is a vital process which needs to be effectively applied in all

phases of risk management

The following are important to communicate

The administrationrsquos objectives policies and procedures

The risk management strategy

The numbering system in the risk assessment stage and measurement mechanisms

Which controls are convenient in responding to risks

How well risks are managed in reviewing risks

It is important to bear in mind that this vertical and horizontal communication is mutual

(communication-feedback)

Set out a review period depending on the characteristic of the activity

Frequently review the first critical risks

During the review assess the probability and impact of the risks for that

period

Decide whether the risk is still a threat

Identify whether new risks have arisen for that period

The condition of the control activities must be reviewed according to the

change in the risk It would be appropriate to eliminate an activity which

became pointless as the risk has disappeared

Record the identified findings on the risk register

Report the risks of every level

Changes regarding the risks are reflected on the risk register however in

emergencies the managers must be informed as soon as possible

What are the changes in the environmental conditions

What are changes that impact on the operation of the activity

How do the changes affect the administration

Are present controls sufficient to address the changing situation

Is there sufficient evidence that the controls are effective

It would be useful to take into consideration the policy papers of

the government and the administration while assessing risks


To ensure effective communication, the issues in Box RM20 should be considered.

RM Box 20 Issues for effective communication

• Who will communicate with whom, in which format
• Who is responsible to whom, about what
• How the communication should be with high levels
• How the communication with the Minister works
• Who will communicate what information to which levels
• How to ensure the accuracy of information
• The expectation of top management from the employees regarding risk management should be clearly defined and conveyed to all employees.

In addition to internal communication, efficient communication lines are needed with the partners where the services provided require partnerships, and with the citizens or NGOs who are affected directly or indirectly by the services provided by the administration. Therefore, while the administration is producing its Risk Strategy and Policy Paper, it should prepare an efficient communication plan which regulates the internal and external communication, and share it with all stakeholders.

Reporting has a direct impact on the decision making processes in risk management. The reports should be as short and accurate as possible and demonstrate the evidence regarding the evaluations; they should be relevant and submitted to the relevant people where necessary. Reporting must be carried out within the administration both vertically and horizontally. It should be explicitly set out who will report to whom and with what frequency in the risk management process. Reporting will be done in the forms to be determined by administrations and in pre-determined periods, by at least using the information contained in the forms shown in the Annex to this Manual. When deemed necessary, administrations can develop different forms other than the forms contained in the Manual.


Within the scope of this chapter of the manual, Risk Management can be demonstrated via the following diagram.

[Diagram labels: Administration's Mission; Strategic Plan and Performance Programme Budget; Annual Management Plan: Activities, Processes, Projects; Risk Assessment: Identify, Measure (impact x probability), Prioritise; Tolerate, Control, Transfer, Avoid, Take the opportunities; Operational Level, Unit Level, Administration Level; Assess, Manage, Monitor; Risk Register; Control Activities; Monitoring and Evaluation]

RM Figure 6 Risk Management Process

7.6 Learning

Learning needs to be enriched through systematic training tools and disseminated to the target groups using the most effective method. Depending on the target group, such methods as conferences, seminars, workshops, trainings, hands-on trainings, internships, exchanging information via various communication channels, and sharing best practices, failures or mistakes would facilitate learning the risk management processes and establish a basis for the risk management practices in corporate sense.


Addressing risks largely depends on experiences. Previous experiences, and making everyone aware of the successful and unsuccessful practices via a strong communication network, would facilitate more effective and faster addressing of risks. In particular, conveying the positive and negative experiences about the emerging risks and the methods to handle these to the stakeholders, and learning what could go wrong, can only be ensured if a method that focuses on learning from mistakes is adopted and learning experiences are shared. Therefore it will be useful to use the peer review method within the administration. In this method, units learn how the others at the same hierarchical levels manage risks, and they can adopt good practice examples in their own units.

Sharing risk management experiences with external stakeholders, especially organisations experienced in this field, could not only help the administrations develop new methods but also ensure a more efficient use of risk management resources.


RISK MANAGEMENT ANNEXES

ANNEX 1 Using the brainstorming method to identify, assess and record risks

Step 1

Collect together in the same room all members of the Unit or Sub Unit, or all staff who work on a project or on a business process. Identify an appropriate facilitator (see Box RM 21) to guide the brainstorming workshop. The brainstorming would be most effective if it is facilitated by an independent person who has experience at facilitating brainstorming.

(Note: this can also be done by collecting all senior managers in an Administration to brainstorm strategic risks.)

Requirement for step 1: all attendees of the brainstorming should be fully familiar with the Sub Unit/Unit, project/business process/Administration respectively.

RM Box 21 Role of the facilitator

• Encourage the workshop attendees to all participate in identifying risks.
• Watch out for duplication of similar risks (if 2 risks are very similar, consider amalgamating them).
• Ensure that all attendees vote on impact and likelihood of the identified risks.
• Encourage attendees to challenge each other's scores, defend their own or change them if they think appropriate.
• Ensure that the risk scores are accurately entered in the spreadsheet and prioritised.
• Action plan the response to risks, starting with the highest priority.
• For each response, ensure responsibility is allocated to a named individual.
• Ensure for each response that a review and reporting date is identified (exact date).

Step 2

Once all brainstorming attendees are assembled as per step 1, firstly clarify what the objectives of the Sub Unit/Unit, project/business process/Administration respectively are. These may be included in the strategic plan or, for sub units, may not previously have been identified. Think widely: are there other objectives that are not included? All attendees should agree that these are the objectives before proceeding to Step 3.

Step 3

All attendees at the brainstorming should brainstorm: what are the risks to the achievement of each of the objectives identified in step 2? This can be done as one group or, for larger brainstorming sessions, in pairs or sub-groups. Risks identified by the brainstorming should be recorded in the risk voting form in Annex 2 (columns 3, 4 and 5), clarifying which objective(s) might not be achieved if the risk happens.

Step 4

Once all risks are identified, all brainstorming participants should vote on what they think the likelihood and impact of the risk are, using the guidance for scoring in the risk management chapter of this manual. These votes should be recorded on the risk voting form. In line with the number of participants, the number of the related columns can be increased (Columns 6, 7, 8 and 10, 11, 12). (For scoring impacts and probabilities see Annex 5, Risk Assessment Criteria Table.)


Step 5

Once initial votes are recorded on the risk voting form, where there are large variations between the highest and lowest score for likelihood and/or impact for a particular risk, the individual(s) who gave the highest score should first of all justify why they gave the high score and try to convince the others why they should increase their score. The individual(s) who gave the lowest score should then justify why they gave the low score and try to convince the others why they should decrease their score. After these justifications have been given, an opportunity should be given to all who were convinced by any of the justifications to change their score.

Step 6

The risks identified should be listed in decreasing order of the multiple (Column 14) between the average impact (Column 9) and average probability score (Column 13) from the brainstorming. The participants should be asked if the result is what they expected. Does what they considered to be their most significant risk have the highest score? If not, look at the voting again and consider if it needs to be changed.

Step 7

Once brainstorming participants are satisfied with the prioritisation of the risks, complete the other columns of the risk register (Annex 3), starting with the highest priority risk.

Step 8

If the risk which is written in column 5 in the Risk Register arises from an event which will occur at a particular date (e.g. elections), column 6 in the Risk Register, namely the time frame column, can be completed by writing how much time before the date the risk is expected to materialize (e.g. a month, three months etc.). The column can be left blank if timing is not important.

Step 9

When identifying control activities, consider whether the risk level is within the risk appetite for that particular risk or not, and what control(s) would be most cost-effective and would mitigate the risk best by reducing the impact and/or the likelihood of the risk materialising. Also consider what the existing controls are, whether these are currently effective, and whether they can be improved or it would be more cost-effective to introduce new additional control(s) in addition to or instead of the existing control(s). Complete the related columns in line with explanations in the table (Columns 11, 12 in the Risk Register).

Step 10

The form will have been fully completed when the other columns are completed, taking into consideration the instructions in the Risk Register Form.
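The arithmetic of Steps 4 to 6, combined with the 45-100 / 9-44 / 1-8 score bands printed on the Risk Register form, is shown here as an added example that is not part of the manual. The sample votes, the spread threshold of 4 for a "large variation", the use of None for a participant who cannot score a risk, and the reading of the three bands as High, Medium and Low in that order are assumptions.

```python
from dataclasses import dataclass

# Assumption: the manual does not quantify a "large variation" (Step 5);
# a gap of 4 or more between highest and lowest vote is used here.
SPREAD_THRESHOLD = 4


@dataclass
class VotedRisk:
    reference: str            # Reference no of the risk
    description: str          # Risk identified
    impact_votes: list        # one 1-10 vote per participant, None = cannot score
    probability_votes: list   # one 1-10 vote per participant, None = cannot score


def average(votes):
    """Average of the votes cast; None when nobody could score the risk."""
    cast = [v for v in votes if v is not None]
    if any(not 1 <= v <= 10 for v in cast):
        raise ValueError("votes must be between 1 and 10")
    return sum(cast) / len(cast) if cast else None


def large_variation(votes):
    """Step 5: flag a risk whose highest and lowest votes are far apart."""
    cast = [v for v in votes if v is not None]
    return bool(cast) and max(cast) - min(cast) >= SPREAD_THRESHOLD


def colour_band(score):
    """Map a risk score (R = I x P) to the bands shown on the forms."""
    if score is None:
        return "Unknown"      # no sufficient information to assess the risk
    if score >= 45:
        return "High"         # 45-100
    if score >= 9:
        return "Medium"       # 9-44 (assumption: fractional scores round into a band)
    return "Low"              # 1-8


def prioritise(form):
    """Step 6: average the votes, multiply, and list risks by decreasing score."""
    rows = []
    for risk in form:
        avg_impact = average(risk.impact_votes)
        avg_probability = average(risk.probability_votes)
        if avg_impact is None or avg_probability is None:
            score = None
        else:
            score = round(avg_impact * avg_probability, 1)
        discuss = [
            name
            for name, votes in (("impact", risk.impact_votes),
                                ("probability", risk.probability_votes))
            if large_variation(votes)
        ]
        rows.append({
            "reference": risk.reference,
            "score": score,
            "band": colour_band(score),
            "discuss": discuss,   # scores to justify and possibly re-vote (Step 5)
        })
    # Scored risks first, highest score on top; unscored risks at the end.
    rows.sort(key=lambda r: (r["score"] is None, -(r["score"] or 0)))
    return rows


# Constructed sample voting form with three participants (not from the manual).
SAMPLE_FORM = [
    VotedRisk("R3", "Archive room key left unattended", [2, 2, 3], [3, 3, 3]),
    VotedRisk("R4", "Newly reported supplier dependency", [None] * 3, [None] * 3),
    VotedRisk("R1", "Payment system unavailable at month end", [9, 8, 10], [6, 7, 5]),
    VotedRisk("R2", "Key staff leave during the project", [3, 9, 4], [4, 4, 4]),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_FORM):
        print(row)
```
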

The following Box gives some suggestions for ground rules for brainstorming.

RM Box 22 Suggested ground rules for brainstorming

• There is no such thing as a bad idea
• One person speaking at a time
• Active participation
• Keep to the timetable
• The facilitator is in charge (if there is one)
• Open discussion but no personal criticism


ANNEX 2 Risk Voting Form

This form is used to calculate the risk score after risks are identified.

ANNEX 3 Risk Register

This is a form used to report the status after risks identified at administration/unit/sub-unit level are recorded.

RISK REGISTER

Administration/Unit/Sub-unit

Date 20

Column headings: 1 Serial no | 2 Reference No | 3 Strategic Objective | 4 Unit's Objective | 5 Risk Identified (Risk, Reason) | 6 Time frame | 7 Probability | 8 Impact | 9 Risk score (R) | 10 Change (Direction of risk) | 11 Current/New/Additional control activities | 12 Starting date | 13 Risk owner | 14 Monitoring and Reporting

Risk score bands shown on the form: 45-100, 9-44, 1-8

Columns

1. Serial no: shows the sequencing in the risk register.

2. Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist. The same code is not given to another risk.

3. Strategic Objective: This is the column in which the code of the strategic objective related to the risk, as demonstrated in the strategic plan, is written.

4. Unit's objective: If the risk register is completed at unit/sub-unit level, the objective of the unit which is directly or indirectly related to the strategic objectives of the administration and can be affected by the risk is written in this column; if the risk register is completed at administration level, then this column is left blank.

5. Risk Identified: Description of the risk. Reason: Reasons which cause the risk to occur.

6. Time frame: If the risk arises from an event which will occur at a particular date (e.g. elections), this column can be completed by writing how much time before the date the risk is expected to materialize (e.g. a month, three months etc.). The column can be left blank if timing is not important.

7. Probability: Probability value determined by using the Risk Voting Form (Annex 2) (between 1-10). While determining this score it may be useful to list related control activities, actions taken and related regulations. In this way, the probability that the risk will materialize notwithstanding the actions taken can be determined.

8. Impact: Impact value determined by using the Risk Voting Form (Annex 2) (between 1-10). While determining this score it may be useful to list related control activities, actions taken and related regulations. In this way, what the impact of the risk will be if it happens notwithstanding the actions taken can be determined.

9. Risk Score (R = I x P): risk score determined by multiplying the probability and impact scores in the Risk Voting Form (Annex 2) (between 1-100). See below for an explanation of the colours to use.

10. Change (Direction of risk): This is the column in which the change in the status of the risk is shown in light of the previous risk register. It can be shown according to the administration's preference, in writing such as up/down/stable or by means of direction signs. If there is no previous risk register, then it is stated as New.

11. Current/New/Additional control activities: Current control activities are written in this column. It is assessed whether these activities are still needed or not. If not, they are removed. It is also assessed whether current control activities are appropriate or sufficient. If the calculated risk score is above the desired level taking into consideration the current control activities, then new or additional control activities which are planned are written in this column.

12. Starting date: The exact date that new/additional control activities will start to be implemented.

13. Risk owner: is the person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, does monitoring, keeps records of achievements and failures about control activities, and ensures that evidences which show that the risk is managed are kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.

14. Monitoring and Reporting: When to review and to whom to report risks are written in this column.

Colours

• High risk
• Medium risk
• Low risk
• No sufficient information to assess the risk. It is included in the risk register and a risk owner is identified for collecting sufficient information.

Note: In the event that a new risk is identified during the year, the employee identifying this risk reports it to the senior manager. If the manager decides this is a risk which needs to be managed, then this risk is registered in the risk register form and approved by the relevant manager.

ANNEX 4 Consolidated Risk Report

This is the form which enables corporate risks of an administration to be submitted to the senior manager as a report composed of a few pages.

CONSOLIDATED REPORT

(Corporate Risks)

Administration/Unit/Sub-unit Date 20

Column headings: 1 Serial No | 2 Reference No | 3 Strategic Objective | 4 Risk Identified | Status: 5 Previous risk score and colour, 6 Current risk score and colour | 7 Risk Owner | 8 Explanation

Risk score bands shown under both status columns: 45-100, 9-44, 1-8

Columns

1. Serial no: shows the sequencing in the risk register.

2. Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist. The same code is not given to another risk.

3. Strategic Objective: This is the column in which the code of the strategic objective related to the risk, as demonstrated in the strategic plan, is written.

4. Risk Identified: Description of the risk.

5. Previous risk score and colour: shows the status of the risk in the previous Consolidated Risk Report.

6. Current risk score and colour: shows the status at the date of the report.

7. Risk owner: is the person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, does monitoring, keeps records of achievements and failures about control activities, and ensures that evidences which show that the risk is managed are kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.

8. Explanation: Information about the effectiveness of control activities and foresight for the future are given in the explanation section.

Colours

• High risk
• Medium risk
• Low risk
• No sufficient information to assess the risk. It is included in the risk register and a risk owner is identified for collecting sufficient information.


ANNEX 5 Risk Assessment Criteria Table

Table columns: Value | Range | Probability | Impact: Strategy, Activities, Financial, Compliance with Legislation

High (values 10, 9, 8, 7)

Probability: Risks which are almost certain to occur within 5 years. Taking into consideration the structure of the administration, they generally arise from policies and procedures. The wider the activity area of the administration, the more likely it is that the risky event occurs.

Impact, Strategy: Risks which can have a major impact on attaining strategic objectives. These are risks which are generally faced in the long term but can cause the administration to divert from its objectives in case of occurrence.

Impact, Activities: Risks which cause the administration/unit/sub-unit not to provide the service it has to provide in an effective and efficient way belong in this category.

Impact, Financial: Risks which will cause heavy financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are above the acceptable level should be accepted as a high risk.

Impact, Compliance with Legislation: Risks which will cause a big obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation. Such risks can be seen in areas where the legislation is too complicated and unclear.

Medium (values 6, 5, 4)

Probability: Risks which are likely to occur within 5 years. These are generally such risks that the administration/unit/sub-unit or administrations with similar structures have faced formerly.

Impact, Strategy: Risks which can have a certain level of impact on attaining strategic objectives.

Impact, Activities: Risks with a certain level of impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.

Impact, Financial: Risks which will cause a certain level of financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are within the acceptable level should be accepted as a medium risk.

Impact, Compliance with Legislation: Risks which will create a certain level of obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Low (values 3, 2, 1)

Probability: Risks with low probability of occurrence within 5 years. These are generally such risks that the administration/unit/department faces very rarely. These are risks with almost no likelihood of occurrence.

Impact, Strategy: Risks which can have the least impact on attaining strategic objectives. Their impacts are generally little and cover a limited area.

Impact, Activities: Risks with little impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.

Impact, Financial: Risks which will cause little financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are below the acceptable level should be accepted as a low risk.

Impact, Compliance with Legislation: Risks which will cause a little obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Unknown

Probability: In case that there is no idea about the likelihood of the risk occurring within 5 years, the risk is shown in blue until it can be clearly identified with larger data.

Impact, Strategy: The impact of a risk likely to occur on strategic objectives of the administration could not be determined.

Impact, Activities: The impact of a risk likely to occur on the activities could not be determined.

Impact, Financial: The financial impact of a risk likely to occur could not be determined.

Impact, Compliance with Legislation: The impact of a risk likely to occur in case of non-compliance with the legislation could not be determined.

Risk has recently emerged, no data was obtained regarding its status and there is no sufficient data for analysing the new risk, or it is a risk which previously occurred but there is no sufficient data for the analysis. Information should be gained as soon as possible so that an analysis can be made and an opinion formed.


ANNEX 6 Case Study Example of Inherent and Residual Risk

Case study example to illustrate the concepts of inherent and residual risk, and also to illustrate how a risk owner can obtain information from several different control owners to monitor the extent to which the risk they are responsible for is successfully mitigated by the existing controls.

The scenario concerns a storage warehouse for gold bars, a risk owner who was the Store manager, a risk that gold bars are stolen, and 4 controls:

a) An IT system control giving bars in and out and a balance held for each working day - daily printouts sent by the IT manager to the risk owner.

b) An independent company comes in once a month to perform a stocktake count of gold bars in the warehouse, which they reconcile with the relevant printout of stock from the IT manager - any variances in stock held are investigated and explanations provided where possible - the independent company provides a monthly report to the risk owner on the results of the work they have done, detailing any unexplained variances (which could potentially be incidences of theft).

c) Security guards - professionals guarding access to the warehouse 24 hours a day and 7 days a week, ensuring that only authorised staff have access to the warehouse and that all bags are put through a metal detector on leaving to ensure gold bars are not being smuggled out (gold bars are too heavy to be easily hidden on the person). On recruitment, a criminal record check is made on the security guards to ensure that they do not have prior convictions for theft. Security guards report weekly to the risk owner on their work; and

d) An alarm system - any incidences of it being set off are sent in a report by the security guards to the risk owner. Regular (weekly) checks on the alarm system's functioning are carried out by the security guards, with the success of the check included in their reports to the risk owner.

The inherent risk in the absence of the above 4 controls would be considered high (a high probability that bars would be stolen and a high impact, as gold bars are expensive). This would be above the risk appetite, and consequently the above 4 controls would be designed to mitigate the risk of the gold bars being stolen, with the foreseen effect of the four controls being that the residual risk would be reduced. (Note: all four control measures combined would mitigate only the probability of the gold bars being stolen, not the impact.)

The risk owner would gather evidence as to the effectiveness of the four controls. If they were found to be effective, he would consider whether the risk had been successfully mitigated to within the risk appetite (likely answer: Yes, unless a further new control or a strengthening of the existing controls was considered necessary if the risk appetite was very low due to the high impact/the organisation is very risk averse).

If one or more of the 4 controls is found by the risk owner to be ineffective, it is likely that the risk would still be at a level above the risk appetite, and so the risk owner would need to escalate the issue to his line manager, suggesting methods for further mitigating the risk (either by introducing an additional control or by strengthening the control(s) that had been found to be ineffective).


ANNEX 7 Case Study Example of completed Risk Voting Form Risk Register and Consolidated Risk Report


CONTROL ACTIVITIES

1 Introduction

Control activities (also referred to as controls) are actions aimed at reducing the impact and/or the likelihood of a risk occurring, and thus increase the probability of attaining the goals and objectives of the organisation or part of the organisation. For an effective control, the introduction of the control activities depends on the completed risk assessment. The management must plan, organise and direct sufficient control activities to obtain reasonable assurance that the tasks and goals will be achieved. Control activities cover both financial and non-financial controls, and they should be designed and implemented as a whole for all the activities of the administration.

This section of the manual, within the framework of internal control standards, looks at how procedures should be developed as control activities to ensure that risks to achieving administrative objectives are managed effectively.

2 Control Activities Standards

Administrations, while identifying and implementing their control activities, take into account the following standards.

CA Box 1 Internal Control Standards

Standard 7: Control strategies and methods
The administrations shall determine and implement control strategies and methods which aim to achieve the objectives and are suitable for risk response.

Standard 8: Determination and documentation of procedure
The administrations shall prepare and update written procedures which are required for administration activities as well as financial decisions and transactions and arrangements relevant to these areas, and also give the relevant personnel access to these documents.

Standard 9: Segregation of duties
With a view to reducing fault, flaw, error, irregularity and corruption risks, the duties of approval, implementation, recording and control of financial decisions and transactions shall be allocated among personnel.

Standard 10: Hierarchical controls
The administrators shall systematically control the compliance of the works and transactions with the procedures.

Standard 11: Continuity of activities
The administrations shall take necessary measures for continuity of the activities.

Standard 12: Information system controls
The administrations shall develop control mechanisms in order to ensure the continuity and security of information systems.

[Diagram labels: Control Environment; Risk Management; Control Activities; Info & Communication; Monitoring]

3 Planning Process of Control Activities

Control activities can be regarded as the ability of administrations to get through the challenges they experience in carrying out their activities. Control activities should be designed within the framework of cost-effectiveness analysis, in a way to directly facilitate attainment of objectives. Ideally, when introducing control activities, the heads of organisations must take into account the expected benefit from them as well as the costs of their introduction and implementation. Control activities should ideally be introduced in the processes and systems at the time of setting up these processes and systems, because the introduction of control activities at a later stage is more expensive and less efficient.

It is important for effectiveness of controls that control activities be understandable, applicable and consistent. A good control strategy should take into account how to implement the controls as well as identifying them. At this juncture, the administrative, financial and physical capacity of an administration should be taken into consideration.

Another important point to pay attention to in planning control activities is the evaluation of effectiveness of controls implemented. Such issues as whether the aim of implementing the control is commensurate with the targeted results, and whether the expected cost is in parallel with the actual cost, should be evaluated. Furthermore, regular review of control activities in the light of changing circumstances is also an important factor in terms of effectiveness-evaluation.

Administrations should take into consideration the following basic requirements in identifying control activities.

CA Box 2 Basic Requirements: Planning of control activities

In order to be effective, control activities must be:

• adequate (the right control in the right place at the right level and commensurate to the risk involved)
• cost-effective (the costs of implementing a control should not exceed its benefits)
• comprehensive, understandable and directly related to the control objectives
• documented clearly
• evaluated as a whole so that they are consistent in their operation
• carried on until effectiveness is evaluated

4 Classification of control activities

The control activities are generally classified as follows. Administrations should implement the following basic requirements as minimum standard; however, they can implement additional control activities depending on the nature of the risk.

4.1 Preventive controls

These are the controls to be carried out to mitigate the likelihood and prevent as much as possible the undesirable outcomes that may emerge when risks occur. For example: ex-ante financial control operations, applying the principle of segregation of duties to prevent fraud or irregularities.


CA Box 3 Basic requirements: Preventive Controls

The security of physical and intangible rights (intellectual assets etc.) and records:

• physical safeguarding of assets
• recording financial/management information
• access controls such as passwords, identity cards, guards, and
• segregation of duties in order to avoid conflicts of interest

4.2 Corrective Controls

These are the controls aiming at reducing the impact of the undesirable outcomes that stem from the threats the risks pose. For example: placing provisions regarding the reimbursement of undue payments in the agreements, setting the period of guarantee in advance.

CA Box 4 Basic requirements: Corrective Controls

• identifying methods for the purpose of recovery from loss or damage which would affect the activities negatively
• appropriate actions are taken for the correction or elimination of the identified differences

4.3 Directive Controls

These are the controls applied to reach a certain end. For example: provision of trainings on protection against possible threats, using protective materials (masks, special clothes etc.), preventive medical practices (giving messages for washing hands in periods of epidemics, publishing private leaflets).

CA Box 5 Basic requirements: Directive Controls

• an approved organisation chart that is constantly up-dated to reflect organisational changes
• manuals or written procedures, brochures, booklets, posters and other similar documents on implementation
• established, clear and documented definitions of the responsibilities and tasks for resources, activities, program, projects, objectives and targets
• assigning tasks and responsibilities by taking into account their relevant skills and experiences
• delegating authority based on the organisational structure and responsibilities to do the jobs effectively, and it should be documented
• establishing effective means of communication throughout the organisation, and
• establishing clear reporting methods

4.4 Detective Controls

These are the controls applied to identify the damages and losses experienced once the risks are realised. For example: conformity controls carried out after spending has been made to identify the responsibility, controls performed to detect negligence by experts or authorities.


CA Box 6 Basic requirements: Detective Controls

• periodic counts/physical inventories
• comparison of the count/inventories with the records
• methods for the identification and analysis of differences

5 Methods of control activities

The main methods of controls are mentioned below. Administrations may also implement different ex-ante and ex-post control methods based on the requirements of their organisational structure and field of activity.

Ex-ante controls are the controls put into practice in the light of the appropriate procedures before the activity takes place, whereas ex-post controls refer to the controls performed by the management through the use of pre-identified methods after the activities take place.

The following box gives some issues to be considered when control activities are identified.

CA Box 7: Tips for control activities

- While determining the control activities and allocating resources for them, it may be necessary to give priority also to those risks with high probability and low impact and rating low in the prioritization list, which is formulated according to the risk scores.
- Preparing emergency plans as well as control activities for those risks with a very high probability and impact assumes great importance.
- Reducing both the realization probability and impact of internal risks is possible with control activities.
- Reducing the realization probability of external risks, on the other hand, may not be under the control of the administration. However, mitigating the impacts of risks is possible with a proper risk management.
- While responding to risks, over-controlling should be avoided. Both over-control and under-control can undermine the effectiveness of the controls.
- According to the content of the risk, several control methods can be used at once if deemed necessary.
- Have the costs and benefits of implementing the control activities been analysed?
- Have the new control activities been piloted to see if they are having the desired effects?
- Are the control activities effectively operating as planned? Is the required evidence on controls collected and analysed periodically?
- After a reasonable period of time, are the new control activities and existing controls that are being continued functioning as expected? And do you report this to the manager/risk coordinator?


CA Box 8: Factors to be determined when identifying control activities

- Which unit/Who will conduct the activities
- Deadlines of the activities
- Necessary resources for the activities to be conducted
- Critical achievement factors
- How to document the activities
- Monitoring processes for the activities

5.1 Authorisation and approval

Managers should introduce appropriate rules and procedures for decision-making, authorisation and approval, taking into account the following. Decision-making and approval shall be carried out only by authorised persons. Authority means that the operations are initiated only by persons acting within their powers. Observance of the order of authorisation requires employees to act in accordance with directions and within the limits set by the manager of the organisation or the legislation. The procedures for authorisation should include specific conditions and delegation of powers by managers to employees for performance of particular activities. The approval is endorsement (certification) of transactions, data or documents, whereby processes, actions, proposals and/or consequences thereof are completed or validated.

5.2 Segregation of duties

To minimise the risk of errors, irregularities and violations, and their non-detection, managers should introduce rules stipulating that different employees be responsible for the implementation of two or more key stages of an operation, process or activity. To ensure effective checks and to strike a balance in the implementation of an operation, the responsibilities shall be segregated in a manner which precludes an employee from being responsible simultaneously for the approval (decision-making), implementation, accounting and control.

In organisations with fewer staff, this segregation is more difficult to implement. In such cases, the manager may consider the possibility of combining two of the specified activities and compensate the non-application of this control mechanism by another, e.g. rotation of employees, rotation of duties or additional management checks. Thus, the risk of a single person dealing with more than one key aspect of an operation, process or activity for an unjustifiably long period of time could be reduced.

5.3 Double signature system

The double signature system is a procedure to ensure the accuracy of the data included in the document. The method is applied in non-financial processes, such as provision of information to the top management (reports, information notes, statistics, etc.) and appointment orders, and before financial obligations, such as signing of contracts and making payments (payment order, etc.). This makes it possible that, especially in financial transactions, the person responsible for the accounting entries knows about pending obligations or payments and performs due accounting procedures. The double signature system gives assurance that the procedures are carried out by authorised staff.
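The rules in 5.1 to 5.3 can be checked mechanically against operation records. The following is an added example, not part of the manual: the record layout, the staff names, the power name `sign` and the requirement that the two signatures be from different people are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# The four key stages named in 5.2.
STAGES = ("approval", "implementation", "accounting", "control")
# Hypothetical name for the power to sign under the double signature system (5.3).
SIGN = "sign"


@dataclass
class Operation:
    op_id: str
    performers: Dict[str, str]                  # stage -> employee who performed it
    signatures: Tuple[str, ...]                 # employees who signed the document
    compensating_control: Optional[str] = None  # e.g. "rotation of duties"


def review(op: Operation, powers: Dict[str, Set[str]]) -> List[str]:
    """Return the findings for one operation; an empty list means no exception."""
    findings = []

    # 5.1: each key stage is performed, and only by a person holding that power.
    for stage in STAGES:
        person = op.performers.get(stage)
        if person is None:
            findings.append(f"{op.op_id}: no one recorded for '{stage}'")
        elif stage not in powers.get(person, set()):
            findings.append(f"{op.op_id}: {person} is not authorised for '{stage}'")

    # 5.2: nobody holds all key stages; combining two is tolerated only
    # when a compensating control is recorded (the small-organisation case).
    held = defaultdict(list)
    for stage in STAGES:
        if stage in op.performers:
            held[op.performers[stage]].append(stage)
    for person, stages in sorted(held.items()):
        if len(stages) > 2:
            findings.append(f"{op.op_id}: {person} holds {len(stages)} key stages")
        elif len(stages) == 2 and not op.compensating_control:
            findings.append(
                f"{op.op_id}: {person} holds two key stages without a compensating control")

    # 5.3: two signatures, from different people, each with signing authority.
    signers = set(op.signatures)
    if len(signers) < 2:
        findings.append(f"{op.op_id}: fewer than two distinct signatures")
    for person in sorted(signers):
        if SIGN not in powers.get(person, set()):
            findings.append(f"{op.op_id}: {person} signed without signing authority")
    return findings


def review_all(operations, powers):
    return {op.op_id: review(op, powers) for op in operations}


# Constructed sample data: delegated powers per employee and four payment operations.
POWERS = {
    "ayse": {"approval", SIGN},
    "mehmet": {"implementation"},
    "elif": {"accounting", SIGN},
    "can": {"control"},
    "deniz": {"approval", "implementation", "accounting", SIGN},
}
OPERATIONS = [
    Operation("PO-001", {"approval": "ayse", "implementation": "mehmet",
                         "accounting": "elif", "control": "can"}, ("ayse", "elif")),
    Operation("PO-002", {"approval": "deniz", "implementation": "deniz",
                         "accounting": "elif", "control": "can"}, ("deniz", "elif"),
              compensating_control="additional management check"),
    Operation("PO-003", {"approval": "deniz", "implementation": "deniz",
                         "accounting": "deniz", "control": "can"}, ("deniz", "deniz")),
    Operation("PO-004", {"approval": "mehmet", "implementation": "mehmet",
                         "accounting": "elif", "control": "can"}, ("ayse", "can")),
]

if __name__ == "__main__":
    for op_id, findings in review_all(OPERATIONS, POWERS).items():
        print(op_id, "OK" if not findings else findings)
```

Run periodically over posted operations, a check of this kind is itself a detective control; the same rules enforced at entry time would be preventive.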

5.4 Reconciliation of data

Procedures should also guarantee that data from different documents and sources are matched for ascertainment of consistency. For example, accounting entries relating to bank accounts are reconciled with corresponding bank statements, invoice data are matched with those in the warehouse receipt, etc.

5.5 Supervision procedures

Supervision procedures should be carried out on a daily basis by line managers on assignment of work and its performance. Assignment of work by the line managers does not reduce their own responsibility for the performance of the work. Line managers should give staff the necessary directions and instructions in order to ensure understanding and avoid errors and frauds in the discharge of their duties. Line managers should also apply these procedures to assure themselves that the tasks assigned are carried out correctly.

5.6 Ex-ante financial controls

Ex-ante financial control is a control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out with the available appropriation amount, expenditures programme, financing programme and the provisions of central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently. The purpose of ex-ante control is for the managers to obtain reasonable assurance of the compliance of such decisions/actions with the legislation and the performance programme. [2]

5.7 Procedures for accounting operations

Procedures should ensure that accounting for all financial transactions on a given date is complete, true, accurate and timely. Their purpose is to support the taking of correct decisions from which financial consequences arise. These procedures should be developed in accordance with the relevant legislation and public accounting standards.

[2] Please see regulation on procedures and principles on internal control and ex-ante financial control for further details.

5.8 Anti-corruption

There should be rules and procedures for warning, examination, detection and reporting of administrative weakness, discrepancies and violations which create conditions for corruption, frauds and irregularities.

Anti-corruption procedures include:

- preventive controls;
- a system for checking, detecting and reporting early indications of corruption, frauds and irregularities;
- whistleblowing procedures (for more information, please refer to Information and communication section); and
- a set of procedures for reporting irregular activities to the external competent authorities, such as the Prosecutor's Office.

5.9 Access to assets and information

Managers must ensure that only authorised persons responsible for the safeguarding and/or use of assets and information have access to them. The restriction of the access to assets reduces the risk of their misuse or their wrongful utilisation and protects the organisation from losses. The degree of the restriction depends on the vulnerability of the assets and information and the risks of loss or misuse. When determining the vulnerability of assets, the manager shall consider their value, transportability and the possibility for them to be exchanged for cash.

5.10 Documentation, archiving and storing of information

Procedures for documentation, archiving and storing of information shall be introduced to support the performance of operations, taking of correct managerial decisions and control of the processes in an organisation. Documentation involves developing written evidence of decisions made, events occurred, actions and transactions performed, etc. The documentation must be complete, accurate and timely.

The documentation procedures include those for document circulation, describing the order for circulation and use of documents produced and received. The documentation procedures must allow tracing of every document, action, process in the organisation, stating precisely who performed what, how and when, the purpose and type of act/document issued as a result thereof.

According to the terminology adopted by the European Commission, this comprises an audit trail. Its establishment helps achieve:

- transparency;
- tracing of the processes in the organisation from their initiation till completion; and
- tracing the segregation of functions by decision-making, performance, accounting and control.

The audit trail shall state what procedures and transactions exist, who the responsible persons are, what documents are drawn up, what systems for management and control of data flows exist, and what the form of presentation of the results is.

Archiving procedures must ensure chronological and systematic filing of documents about past events, decisions and actions concerning the organisation. There should be specific guidelines describing in detail the procedures for archive establishment, completion, use and destruction.

The procedures for storage of information shall ensure physical preservation of the information media (paper and/or electronic), as well as preservation of the content without change, so that the information provides a true and fair view of the facts, decisions and actions relating to the organisation.

5.11 Business continuity (or emergency plans)

Adequate measures are in place to ensure continuity of service in case of business-as-usual interruption. Business Continuity Plans are in place to ensure that the entity is able to continue operating to the extent possible, whatever the nature of a major disruption.

5.12 Control activities related to Information Technology (IT)

IT systems entail specific types of control activities which should be introduced in organisations by their managers. These mechanisms for information systems control consist of two major groups: general control mechanisms and applications control mechanisms (applications controls).

General control mechanisms are applicable to all operations and contribute to their proper implementation. The applications control mechanisms include both procedures programmed in the software product itself and procedures that must be carried out manually in order to exercise control over the processing of different operations. The general control mechanisms are needed for the functioning of the applications control mechanisms. Absence of sufficient general controls cannot be offset by applications controls.

Usually, general control mechanisms are used in information analysis and processing centres, for installation and maintenance of software products, and for definition of access to information:

- controls for information analysis and processing centres - they include the organisation and planning of works, the intervention of the respective administrators/operators, procedures for saving and subsequent use of information, back-up and contingency plans;
- software controls - these refer to the acquisition, installation and maintenance of software products necessary for the maintenance of the entire system and for processing of software applications;
- access definition controls - these ensure protection against unauthorised access. Access definition restricts users by allowing them to use and perform operations only with particular software products, thus ensuring segregation of responsibilities.

General software controls built during the development of the system entail detailed application tests and allow checking of the appropriateness of the rationale of the program and whether all errors will be detected. After the system is built, the controls for access and maintenance of the system give assurance that nobody can use or make changes in the applications without the appropriate authorisation, and that all the necessary changes are made in accordance with the established procedure for authorisation and approval.

The applications control mechanisms support internal control, preventing entry of wrong data in the system, detecting and correcting errors based on automated procedures for control over data form and content. The prevention and detection of these errors is programmed in the respective application. The applications control mechanisms analyse the data on-line (simultaneously with their entry in the system), provide ongoing information in case of detected error and ensure immediate correction.

The use of both types of controls provides assurance that the information is analysed and processed completely, correctly and accurately.
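The application controls described above can be shown on a batch of payment vouchers, using the three checks listed under "Information processing" in Annex 2: edit checks at data entry, numerical-sequence accounting, and file totals compared with a control account. This is an added example, not part of the manual; the voucher format, account codes, batch period and all sample records are constructed assumptions.

```python
import re
from datetime import date
from decimal import Decimal, InvalidOperation

# Hypothetical conventions for this illustration.
VOUCHER_RE = re.compile(r"^PV-(\d{4})$")          # voucher number format
ACCOUNT_CODES = {"254", "630", "770"}             # chart-of-accounts codes
PERIOD = (date(2024, 3, 1), date(2024, 3, 31))    # period the batch belongs to


def edit_check(rec):
    """Control over data form and content at entry; returns a list of errors."""
    errors = []
    if not VOUCHER_RE.match(rec.get("voucher", "")):
        errors.append("voucher number is not in PV-NNNN form")
    try:
        amount = Decimal(rec.get("amount", ""))
        if amount <= 0:
            errors.append("amount must be positive")
        elif amount != amount.quantize(Decimal("0.01")):
            errors.append("amount has more than two decimal places")
    except InvalidOperation:
        errors.append("amount is not a number")
    try:
        entered = date.fromisoformat(rec.get("date", ""))
        if not PERIOD[0] <= entered <= PERIOD[1]:
            errors.append("date is outside the batch period")
    except ValueError:
        errors.append("date is not a valid calendar date")
    if rec.get("account") not in ACCOUNT_CODES:
        errors.append("account code is not in the chart of accounts")
    return errors


def sequence_report(records):
    """Numerical-sequence control: returns (missing numbers, duplicated numbers)."""
    seen, duplicated = set(), set()
    for rec in records:
        match = VOUCHER_RE.match(rec.get("voucher", ""))
        if match:
            number = int(match.group(1))
            if number in seen:
                duplicated.add(number)
            seen.add(number)
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen) if seen else []
    return missing, sorted(duplicated)


def process_batch(records, control_total):
    """Apply edit checks per record, then sequence and control-total checks."""
    accepted, rejected = [], {}
    for line_no, rec in enumerate(records, start=1):
        errors = edit_check(rec)
        if errors:
            rejected[line_no] = errors    # reported back for immediate correction
        else:
            accepted.append(rec)
    missing, duplicated = sequence_report(accepted)
    file_total = sum((Decimal(r["amount"]) for r in accepted), Decimal("0"))
    return {
        "accepted": accepted,
        "rejected": rejected,
        "missing": missing,
        "duplicated": duplicated,
        "file_total": file_total,
        "difference": control_total - file_total,   # non-zero means investigate
    }


# Constructed batch: one gap (0103), one duplicate (0104), two records with entry errors.
BATCH = [
    {"voucher": "PV-0101", "date": "2024-03-04", "account": "630", "amount": "1250.00"},
    {"voucher": "PV-0102", "date": "2024-03-05", "account": "770", "amount": "300.50"},
    {"voucher": "PV-0104", "date": "2024-03-07", "account": "254", "amount": "9800.00"},
    {"voucher": "PV-0104", "date": "2024-03-07", "account": "254", "amount": "9800.00"},
    {"voucher": "PV-0105", "date": "2024-03-32", "account": "630", "amount": "75.00"},
    {"voucher": "PV-0106", "date": "2024-03-11", "account": "999", "amount": "-40"},
]
CONTROL_TOTAL = Decimal("11425.50")   # constructed total from the control account

if __name__ == "__main__":
    for key, value in process_batch(BATCH, CONTROL_TOTAL).items():
        print(key, value)
```

The duplicate record passes every edit check and is caught only by the sequence and control-total checks, which is why the three controls are used together.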

5.13 Assessing costs and benefits of control activities

After initial selection of control activities to reduce the impact of risks, risk owners should evaluate the costs and expected benefits of the control activity. If the costs of the control activity exceed the expected benefits, the control activity should not be selected.


6 Practical Stages For Control Activities

Practical steps for control activities are briefly indicated in the following table. Since control activities are linked to risks, points on risk management are provided in stages 1, 2 and 3, whereas points on control activities are provided in stages 4 and 5. For further details on stages 1, 2 and 3, please refer to the risk management chapter.

CA Table 1 - Stages for control activities

Stage 1: Identify objectives

Stage 2: Identify risks to achieving objectives

Stage 3: Select method of responding to risks
- Accepting
- Controlling
- Transferring
- Avoiding
- Taking the opportunity

Stage 4: Select control method(s)
- Preventative
- Detective
- Corrective
- Directive

Stage 5: Select type of control activities
- authorisation and approval;
- segregation of duties;
- double signature system;
- reconciliation of data;
- supervision;
- ex-ante controls: checking compliance with the law;
- accounting covering all financial processes;
- anti-corruption;
- access to assets and information;
- documentation, archiving and information storage;
- business continuity; and
- information technology.
Or: refer to CA Annex 2, List of common control activities.


7 Steps to identify and implement control activities

Step 1: Administrations, when assessing their risks, review their systems and processes to determine whether they have existing controls to mitigate their risks. (Administrations where risk management will be implemented in the framework of the principles mentioned in this manual for the first time should list and evaluate all the existing control activities. Those control activities that don't match the objectives and the risks of the administration should be terminated.)

Step 2: Administrations assess whether these existing controls are effective/sufficient in terms of mitigating risks.

Step 3: If there are no existing controls or the existing controls are not effective/sufficient, new and/or additional control activities are determined. (To help you decide which control activities to select, you may refer to the list of control activities at Annex 2.) In this step, it will be useful to consider the following:
- It may be appropriate to select more than one control activity;
- Any new control activities you select must be evaluated for cost-effectiveness; and
- Appropriate control activities should be tested beforehand.

Step 4: New control activities are not foreseen for those high risks that are managed effectively/sufficiently with the existing controls, and the existing control activities should continue.

Step 5: Risk owners, once the risk register has been approved, have to put in place the new control activities and also ensure monitoring of both new controls and existing controls that are being continued, at the predetermined starting date.

Step 6: Stakeholders are notified in writing about the control activities and whether they are working effectively.

Step 7: Risk owner, while reporting the risks in the of the Consolidated Risk Report (Risk Management Annex 4), will notify the manager/risk coordinator how well the new control activities and existing controls that are being continued are working. This reporting involves writing a summary of what has happened, identifying the impact of the new control activities and existing controls that are being continued, and attaching any evidence to the report as an annex.


Control Activities Annexes

Annex 1 - Examples of some common risks and controls

Common Risks | Possible Control Activities

Risk management

Risk: Risks are not being managed effectively, and so the organisation's objectives may not be achieved.
Controls:
- Risk workshops are organised to determine risks, allocate owners, determine controls and how their operation is monitored - corrective

Cash management

Risk: Cash holdings could be stolen.
Controls:
- Cash is kept locked away and access to it is strictly controlled - preventive
- There is segregation of duties for staff who have access to cash - preventive
- Cheques and other payment forms are serially numbered - preventive

Asset management

Risk: Assets could be stolen.
Controls:
- Physical controls - for example using a safe - preventive
- separation of duties, authorisation levels, passwords - preventive; and
- tagging of goods, reconciliations, stock counts - detective

Document control

Risk: Documents received could be lost.
Controls:
- Keeping a register that shows where all the received documents are filed - preventive

Risk: Due to document control procedures not being clear and specific, decisions not being taken on time.
Controls: The document control procedure defines the controls needed to:
- approve documents for adequacy prior to issue;
- ensure that changes and the current revision status of key documents (strategic plan, performance programmes, etc.) are identified;
- ensure that previous versions of applicable documents are available at points of use;
- ensure that distribution of sensitive and classified documents is controlled; and
- identify documents that should be archived.
All preventive

Planning and budgeting

Risk: Budget resources may be spent inappropriately.
Controls:
- Effective planning/budgeting process - preventive
- Staff have received training in budget preparation - preventive
- Comparison of interim and final accounts and activity reports with the strategic plan, performance programme and the budget - detective

Risk: Financial information may not be accurate and complete.
Controls:
- Financial information being stored or reported on the computer - preventive

Procurement

Risk: Error and fraud could occur in the procurement process.
Controls:
- Separation of duties between staff making decisions, staff selected for the tender commission and staff involved in payments - preventive
- Applying ex-ante controls to the award decision before the signing of the contract - preventive
- Random checks on transactions by authorised staff - detective
- Identifying purchasing thresholds - preventive
- Requirement to seek the ex-ante approval of a senior manager or the Minister for some high-value procurements (Double signature system) - preventive; and
- Regular rotation of staff who have critical responsibilities in the procurement process - preventive

Stores

Risk: Unauthorised removal of goods from store.
Controls:
- Physical stock checks to inventory records - detective

Risk: Goods ordered but not delivered on time or partially delivered.
Controls:
- Including penal provisions in the contract regarding any failure to deliver goods on time - corrective
- Comparison between invoices, goods delivery notes and the contract - detective

Revenue management

Risk: Delays in submitting tax statements on time and the failure to collect revenues on a timely basis.
Controls:
- Incentives for timely submission of tax statements (advance warning, posters, etc.) - directive
- Incentives for on-line submission of tax statements - preventative
- Penalties for late submission - preventative

Contingency planning

Risk: Major 'incident' destroys important data.
Controls:
- A Business Contingency Plan exists, has been tested and kept up to date - preventive

IT security

Risk: Unauthorised staff may obtain access to computerised data.
Controls:
- Personal identifiers and passwords - preventative
- Review of on-line access and transaction logs - detective

Risk: Master files may be changed inappropriately.
Controls:
- Supervisor authorisation required on forms indicating data to be changed - preventive
- Supervisor does not have change access rights - preventive; and
- Supervisor verifies changes against a printout of changes - detective


Annex 2: List of common control activities

Category | Control Activity

Risk management

Appropriate risk management policies, procedures, techniques and mechanisms exist for each of the organisation's activities.
- Management has ensured that all relevant objectives and associated risks for each significant activity have been identified in conjunction with conducting the risk assessment and analysis function.
- Management has identified the actions and control activities needed to address the risks and directed their implementation.

Implementing control activities

The control activities identified as necessary are in place and being applied.
- Management has ensured that:
  - Control activities described in policy and procedures manuals are actually applied and applied properly.
  - Managers and employees understand the purpose of internal control activities.
  - Nominated staff review the functioning of established control activities and remain alert for instances in which excessive control activities should be minimised.
- For existing control activities, look out for:
  - Guidance - it is likely that there will be official guidance about how to carry out your work.
  - Documentation - there may be standard document control procedures to ensure that new documents are registered and filed, changes to documents are recorded and documents no longer in use are archived.
  - Checking the work of others - this is a basic control activity that can involve a supervisor or manager checking the work of staff, staff in one section checking the work of staff in another section, or computer checks. There may also be a requirement for transactions to be checked by the SDU under the ex ante control regulation.
  - Security - protecting documents, cash and assets; and
  - Contingency arrangements - ensuring the continuation of essential services in the event of a service failure.

Performance monitoring

Senior management track outturn in relation to its operational and performance plans.
- Top management are involved in developing annual performance plans and targets, and measuring and reporting results against those plans and targets.
- Top management regularly review actual performance against budgets, forecasts and prior period results.
- Top management take appropriate corrective action when progress reports indicate that performance is significantly out of line with plans.

Operational managers review actual performance against targets.
- Managers at all activity levels review performance reports, analyse trends and measure results against targets.
- Managers review and compare financial, budgetary and operational performance to planned or expected results.
- Appropriate control activities are employed, such as reconciliations of summary information to supporting detail, checking the accuracy of summarisations of operations, and checking the reliability of data sources and data systems.
- Comparisons are made relating different sets of data to one another so that analyses of the relationships can be made and corrective actions can be taken if necessary.
- Investigation of unexpected results or unusual trends leads to identification of circumstances in which the achievement of goals and objectives may be threatened, and corrective action is taken.
- Analysis and review of performance indicators and results are used for both operational and financial reporting control purposes.

Quality of performance measures and indicators

The organisation monitors the quality of performance measures and indicators.
- The organisation periodically reviews and validates the propriety and integrity of performance measures and indicators.
- Performance measurement assessment factors are evaluated to ensure they are linked to mission, goals and objectives, and are balanced and set appropriate incentives for achieving goals while complying with law, regulations and ethical standards.
- Actual performance data is continually compared against planned goals, and differences are analysed to establish whether the right things are being measured in the right way.

Human resource management

The organisation effectively manages its workforce to achieve results.
- A clear and coherent shared vision of organisation's mission, goals, values and strategies is explicitly identified in the strategic plan, annual performance plan and other guiding documents, and that view has been clearly and consistently communicated to all employees.
- The organisation has a coherent overall manpower planning strategy, as evidenced in its strategic plan, performance plan or separate manpower planning document, and that strategy encompasses manpower planning policies, programs and practices to guide the organisation.
- The organisation has a specific and explicit workforce planning strategy linked to the overall strategic plan, and that allows for identification of current and future manpower planning needs.
- Senior leaders and managers support teamwork, reinforce the shared vision of the organisation and encourage feedback from employees, as evidenced by actions taken to communicate this to all employees and the existence of opportunities for management to obtain feedback.
- The organisation's performance management system is given a high priority by top-level officials, and it is designed to guide the workforce to achieve the organisation's shared vision/mission.
- Procedures are in place to ensure that staff with appropriate competencies are recruited and retained for the work of the organisation, including a formal recruiting and hiring plan with explicit links to skill needs the organisation has identified.
- Employees are provided with information, training and tools to perform their duties and responsibilities, improve performance, enhance their capabilities and meet the demands of changing organisational needs.
- Qualified and continuous training is provided to ensure that internal control objectives are being met.
- Meaningful, honest, constructive performance evaluation and feedback are provided to help employees understand the connection between their performance and the achievement of the organisation's goals.

Information processing

The organisation uses a variety of control activities suited to information processing systems to ensure accuracy and completeness.
- Edit checks are used in controlling data entry.
- Accounting for transactions is performed in numerical sequences.
- File totals are compared with control accounts.
- Exceptions or violations indicated by other control activities are examined and acted upon.
- Access to data, files and programs is appropriately controlled.

Physical Control Over Vulnerable Assets

The organisation uses physical controls to secure and safeguard vulnerable assets.
- Physical safeguarding policies and procedures have been developed, implemented and communicated to all staff.
- The organisation has developed a disaster recovery plan which is regularly tested, updated and communicated to staff.
- The organisation has developed a plan for the identification and protection of any critical infrastructure assets.
- Assets that are particularly vulnerable to loss, theft, damage or unauthorised use, such as cash, securities, supplies, inventories and equipment, are physically secured and access to them controlled.
- Assets such as cash, securities, supplies, inventories and equipment are periodically counted and compared to control records, and exceptions examined.
- Cash and negotiable securities are maintained under lock and key and access to them strictly controlled.
- Forms such as blank checks and purchase orders are sequentially pre-numbered and physically secured, and access to them strictly controlled.
- Mechanical check signers and signature plates are physically protected and access to them strictly controlled.
- Equipment vulnerable to theft is securely fastened or protected in some other manner.
- Identification plates and numbers are attached to office furniture and fixtures, equipment and other portable assets.
- Inventories, supplies and finished items/goods are stored in physically secured areas and protected from damage.
- Facilities are protected from fire by fire alarms and sprinkler systems.
- Access to premises and facilities is controlled by fences, guards and/or other physical controls.
- Access to facilities is restricted and controlled during nonworking hours (alarms, CCTV, etc.).

Separation of duties

Key, high risk and sensitive duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud.
- No one individual is allowed to control all key aspects of a transaction or event.
- Responsibilities and duties involving transactions and events are separated among different employees with respect to authorisation, approval, processing and recording, making payments or collection of income, review and auditing, and the custodial functions and handling of related assets.
- Duties are assigned systematically to a number of individuals to ensure that effective checks and balances exist.
- Where feasible, no one individual is allowed to work alone with cash, securities or other assets.
- The responsibility for opening mail which contains cash is assigned to individuals who have no responsibilities for or access to files or documents pertaining to accounts receivable or cash accounts.
- Bank accounts are reconciled by staff who have no responsibilities for cash receipts, disbursements or custody.


Authorisation for transactions or events

Appropriate staff is authorised for transactions and other significant events.
- Controls ensure that only valid transactions and other events are initiated or entered into, in accordance with management decisions and directives.
- Controls exist to ensure that all transactions and other significant events are authorised and executed only by employees acting within the scope of their authority.
- Authorisations are clearly communicated to managers and employees and include the specific conditions and terms under which authorisations are to be made.
- The terms of authorisations are in accordance with directives and within limitations established by law, regulation and management.

Recording transactions and events

Transactions and other significant events are properly classified and promptly recorded.
- Transactions and events are appropriately classified and promptly recorded so that they maintain their relevance, value and usefulness to management in controlling operations and making decisions.
- Proper classification and recording take place for each transaction or event.

Accountability for and access restrictions to resources and records

Access to resources and records is limited and accountability for their custody is clearly allocated.
- The risk of unauthorised use or loss is controlled by restricting access to resources and records only to authorised staff.
- Accountability for resources and records custody and use is assigned to specific individuals.
- Access restrictions and accountability assignments for custody are recorded and periodically reviewed.
- Periodic comparison of resources with the recorded accountability is made to determine if the two agree, and differences are examined.
- How frequently actual resources are compared to records and the degree of access restrictions are functions of the vulnerability of the resource to the risk of errors, fraud, waste, misuse, theft or unauthorised alteration.
- Management considers such factors as asset value, portability and exchangeability when determining the appropriate degree of access restrictions.
- As a part of assigning and maintaining accountability for resources and records, management inform and communicate those responsibilities to specific individuals within the organisation and ensure that those people are aware of their duties for appropriate custody and use of those resources.

Documentation

Category: Internal control, transactions and other significant events are clearly documented.

Control activities:
- Written documentation exists covering the organisation's internal control structure and for all significant transactions and events.
- The documentation is readily available for examination.
- The documentation for internal control includes identification of the organisation's activity-level functions and related objectives and control activities, and appears in management directives, administrative policies, manuals and other guidance.
- Documentation for internal control includes documentation describing and covering management information systems, data collection and handling, and the specifics of general and application control related to such systems.
- Documentation of transactions and other significant events is complete and accurate and facilitates tracing the transaction or event and related information from authorisation and initiation, through its processing, to after it is completed.
- Documentation, whether in paper or electronic form, is useful to those involved in controlling, evaluating or analysing operations.
- All documentation and records are properly managed, maintained and periodically updated.

General computer controls

Category: The organisation periodically performs a comprehensive high-level assessment of risks to its information systems.

Control activities:
- Risk assessments are performed and documented regularly and whenever systems, facilities or other conditions change.
- Risk assessments consider data sensitivity and consistency.

Category: Effective computer security controls are in operation and are monitored.

Control activities:
- The organisation has developed a plan that clearly describes the organisation-wide security plan and the policies and procedures that support it.
- Senior management have established a structure to implement and manage the IT security program throughout the agency, and security responsibilities are clearly defined.
- The organisation monitors the security plan's effectiveness and makes changes as needed.
- Corrective actions are promptly and effectively implemented and tested, and they are continually monitored.

Category: Effective computer access controls are in place and are monitored.

Control activities:
- Information resources are classified according to their criticality and sensitivity.
- Resource classifications and related criteria have been established and communicated to resource owners.
- Resource owners have classified their information resources based on approved criteria and with regard to risk determinations and assessments, and have documented those classifications.
- Resource owners have identified authorised users, and their access to the information has been formally authorised.
- The organisation monitors information systems access, investigates apparent violations and takes appropriate remedial action.
- The organisation has established physical and logical controls to prevent or detect unauthorised access.

Category: Application software development and change controls are in place and are monitored.

Control activities:
- Application software modifications are properly authorised.
- All new or revised software is thoroughly tested and approved.
- The organisation has established procedures to ensure control of its software libraries, including labelling, access restrictions, and use of inventories and separate libraries.
- All key activities are monitored.

Category: Effective system software controls are in place and are monitored.

Control activities:
- The organisation limits access to system software based on job responsibilities, and access authorisation is documented.
- Access to and use of system software are controlled and monitored.
- The organisation controls changes made to system software.

Category: There is effective separation of duties for IT operations.

Control activities:
- Incompatible duties have been identified and policies implemented to segregate those duties.
- Access controls have been established to enforce segregation of duties.

Category: Controls ensure the continuity of IT services.

Control activities:
- The criticality and sensitivity of computerised operations have been assessed and prioritised, and supporting resources have been identified.
- The organisation has taken steps to prevent and minimise potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
- Management have developed and documented a comprehensive IT service contingency plan.
- The organisation periodically tests the contingency plan and adjusts it as appropriate.

Computer application controls

Category: Source documents are controlled and require authorisation.

Control activities:
- Access to blank source documents is restricted.
- Source documents are pre-numbered sequentially.
- Key source documents require authorising signatures.
- For batch application systems, batch control sheets are used, providing information such as date, control number, number of documents and control totals for key fields.
- Senior management or independent review of data occurs before it is entered into the application system.
- Data entry terminals have restricted access.
- Master files and exception reporting are used to ensure that all data processed are authorised.

Category: Completeness controls

Control activities:
- All authorised transactions are entered into and processed by the computer.
- Reconciliations are performed to verify data completeness.

Category: Accuracy controls

Control activities:
- The organisation's data entry design features contribute to data accuracy.
- Data validation and editing are performed to identify erroneous data.
- Erroneous data is captured, reported, investigated and promptly corrected.
- Output reports are reviewed to help maintain data accuracy and validity.

Category: Control over integrity of processing and data files

Control activities:
- Procedures ensure that the current versions of programs and data files are used during processing.
- Programs include routines to verify that the proper version of the computer file is used during processing.
- Programs include routines for checking internal file header labels before processing.
- The application protects against concurrent file updates.
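The batch control sheet, pre-numbered source documents and completeness reconciliation listed above can be checked together at data entry. The following is an added example, not part of the manual: the field names, the `first_serial` field on the sheet and the sample batch are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class SourceDocument:
    serial: int       # pre-printed sequential number on the source document
    amount: Decimal   # key field covered by the control total


@dataclass(frozen=True)
class BatchControlSheet:
    batch_date: date
    control_number: str
    document_count: int
    amount_total: Decimal
    first_serial: int  # assumption: the sheet records where the serial range starts


def verify_batch(sheet, entered):
    """Reconcile keyed-in documents against the batch control sheet.

    Returns a list of (code, detail) exceptions. An empty list means the
    batch agrees with its sheet and can be released for processing.
    """
    exceptions = []

    # Completeness: number of documents entered vs. number on the sheet.
    if len(entered) != sheet.document_count:
        exceptions.append(("COUNT", (sheet.document_count, len(entered))))

    # Accuracy: control total over the key field (Decimal avoids float drift).
    total = sum((d.amount for d in entered), Decimal("0"))
    if total != sheet.amount_total:
        exceptions.append(("CONTROL_TOTAL", (sheet.amount_total, total)))

    # Sequence: every pre-numbered document appears exactly once.
    counts = Counter(d.serial for d in entered)
    expected = set(range(sheet.first_serial,
                         sheet.first_serial + sheet.document_count))
    duplicates = sorted(s for s, n in counts.items() if n > 1)
    missing = sorted(expected - set(counts))
    unexpected = sorted(set(counts) - expected)
    if duplicates:
        exceptions.append(("DUPLICATE_SERIAL", duplicates))
    if missing:
        exceptions.append(("MISSING_SERIAL", missing))
    if unexpected:
        exceptions.append(("UNEXPECTED_SERIAL", unexpected))
    return exceptions


# Constructed sample data: five payment orders, serials 1001-1005.
SHEET = BatchControlSheet(date(2009, 3, 2), "B-0001", 5, Decimal("1250.00"), 1001)

AS_SUBMITTED = [
    SourceDocument(1001, Decimal("200.00")),
    SourceDocument(1002, Decimal("300.00")),
    SourceDocument(1003, Decimal("350.00")),
    SourceDocument(1004, Decimal("250.00")),
    SourceDocument(1005, Decimal("150.00")),
]

# Document 1002 keyed twice and 1003 skipped: the count still matches,
# so only the control total and the sequence check expose the error.
AS_KEYED = [
    SourceDocument(1001, Decimal("200.00")),
    SourceDocument(1002, Decimal("300.00")),
    SourceDocument(1002, Decimal("300.00")),
    SourceDocument(1004, Decimal("250.00")),
    SourceDocument(1005, Decimal("150.00")),
]

if __name__ == "__main__":
    for code, detail in verify_batch(SHEET, AS_KEYED):
        print(code, detail)
```

A batch that returns any exception goes to the exception report for investigation and correction rather than into processing.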


Annex 3 - Illustrations for cost benefit analysis

Example 1

You are considering hiring a junior clerk to carry out a 100 per cent check on all payments your spending unit makes (checking each agrees to the supporting documents) to ensure the correct amount is paid. This is an ex-ante control, as the check is made prior to the payment. You estimate that this task will occupy the junior clerk for 100 per cent of their working time.

Cost of the junior clerk: 2500 YTL a month (1200 salary plus 1300 contribution to overheads, e.g. heating the building).

Scenario A

Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 3000 YTL a month.

Decision - this control activity is cost effective and the junior clerk should be employed to do this checking.

Scenario B

Cost: same as above.

Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 2000 YTL a month.

Decision - this control activity is not cost effective and the junior clerk should not be employed on a full time basis to do this checking. You can rely on other controls instead.

Possibilities:
- Focus checking on only the highest value or riskiest payments - this will only employ the clerk for 50 per cent of their time. If you estimate that it will find, on average, errors of overpayment of 1600 YTL a month (i.e. over 50 per cent of the clerk's cost), this is a better alternative control; or
- Don't do any checking - rely on separation of duties control (a different clerk raises the payment to the one that enacts the payment) to prevent fraudulent overpayments.

Example 2

You do not currently employ any public relations expert.

In the absence of any control on dealings with the press, you assess the risk of reputational damage as being high likelihood and high impact.

Cost of the expert in public relations: 4500 YTL a month (2500 salary plus 2000 contribution to overheads, e.g. heating the building).

Scenario 1

You have a low risk appetite in terms of reputational damage and consider that the benefit of all dealings with the press going through the expert in public relations will successfully mitigate the risk to within your risk appetite (by considerably reducing the likelihood of reputational damage through ill-advised comments being given to the press). You consider that this risk mitigation is so important to your administration that it justifies the employment of the expert in public relations.

Decision: you employ the expert in public relations.

Scenario 2

You have a high risk appetite in terms of reputational damage and consider that the risk of reputational damage through ill-advised comments being given to the press, without employing the expert in public relations, is equal to or less than your risk appetite for this risk. You thus consider that the benefit of employing the expert is outweighed by the cost. You therefore consider that it is not cost-effective to employ the expert in public relations.

Decision: you do not employ the expert in public relations.

Action: as you are equal to or less than your risk appetite for the reputational risk, you need not select an alternative control activity, but you should continue to review in the future, as the decision may be changed if your risk appetite reduces or your assessment of the likelihood and/or impact of the risk increases.


INFORMATION AND COMMUNICATION

1 INTRODUCTION

Information and communication, as the fourth of the five components of the COSO internal control model, ensures the relation between control environment, risk assessment and control activities through sharing information and communication, and has an important role in increasing the functionality and operational competence of the internal control system, which is regarded as a tool for attaining organisational objectives and aims, as it regulates information flow within the administration.

The aim of this chapter of the manual is to give information, within the framework of internal control standards, about structures and practices related to the use of information and communication mechanisms, and to provide guidance for users about reporting, registry and filing systems and methods to be used in notifying faults, irregularities and corruptions, with a view to ensuring that administrations carry out their activities in line with their objectives as well as accounting for their activities.

Communication refers to transformation and conveyance of information within the organisation, vertically and horizontally, and externally via proper mechanisms to relevant people, administrations and bodies. Administrations must aim to establish an effectively managed and well coordinated communication system for the information that meets the information needs of managers, staff and the public.

In the event that information and communication systems do not function as expected, managers and staff may come up against the risk of not being able to make timely and right decisions, not being able to implement those decisions and ultimately not being able to achieve the objectives. In this regard, information should be accessible, useful, timely, accurate, complete and up-to-date.

2 Information and Communication Standards

Information and communication includes the information, communication and record system which will ensure transfer of required information to the person, personnel and the administrator who need the information, in a determined format and in a time period which enable those concerned to fulfil internal control and their other responsibilities.

IC Box 1: Information and Communication Standards

[Diagram: internal control components - Control Environment, Risk Management, Control Activities, Info & Communication, Monitoring]

Standard 13: Information and communication

The administrations shall have a suitable information and communication system with a view to ensuring that the performance of the units and the personnel is monitored, decision making processes operate soundly, and efficiency and satisfaction in providing service are achieved.

Standard 14: Reporting

Goals, objectives, indicators and activities of the administration, and the results of them, shall be reported in accordance with the principles of transparency and accountability.

Standard 15: Record and filing system

The administrations shall have a comprehensive and up-to-date system where the works and transactions, including incoming and outgoing documents, are recorded, classified and filed.

Standard 16: Notification of faults, irregularities and corruptions

The administrations shall develop methods which will ensure that the faults, irregularities and corruptions are notified in a specific order.


3 ROLES AND RESPONSIBILITIES IN INFORMATION AND COMMUNICATION

Minister

Ensures coordination and cooperation with other ministries and informs the public opinion and the TGNA about the annual performance programme and activity report submitted to him by the administration.

Head of Administration

The Head of Administration must publish an announcement, via the internal communication network or an official letter, on what to do before the preparation of such documents as the strategic plan, performance program, activity report, and Risk Strategy and Policy Paper, which need to be prepared in a way which will ensure attainment of pre-identified objectives in the fields the administration is responsible for.

Another duty of the Head of Administration is to sign the internal control assurance declaration and inform the public opinion and the Minister.

As the quality of the information exchange and communication between the Head of Administration and the other actors has a direct effect on the accountability of the Head of Administration, the Head of Administration must guide the relevant units about the frequency and methods of feedback he prefers.

The Head of Administration must take note of whether the current information system meets the needs during the set up and integration of new information systems. If a new system is to be set up, it must be designed by taking integration with the other information systems into consideration.

Internal Auditor

As prescribed by the Law no. 5018, the internal auditors work to assess the internal control system under the Head of Administration. In this regard, internal auditors report to the Head of Administration whether the internal control system functions properly or not. Therefore, to be able to carry out their duties, internal auditors should be given unlimited access to every kind of information they need. Setting up such a mechanism depends on robust communication and flow of information between the internal auditors and Heads of Administration.

The Head of Administration is entitled to take preventive or corrective actions and develop new control activities based on the report submitted by the internal auditor, or to request additional reports.

Authorising Officer

Authorising Officers must ensure that tasks, powers and responsibilities of staff are defined clearly and in writing and communicated to all staff. In this framework, a chart of duties which demonstrates the functional reporting network must be produced and communicated to the staff. A communication network that ensures quick and timely access by the staff and managers to the activities and the results must be used. In this regard, the organisational chart of the administration can also include a diagram which shows the tasks of the sub-units and the responsible and authorised staff on the intranet and internet. The Authorising Officer must ensure that sub-units are informed about the activities of each other.

Authorising officers:
- must ensure that an electronic communication and archiving system is used effectively for the accurate and reliable acquisition, storage and communication of the information needed regarding the objectives, activities and indicators that are relevant to their respective units from among those included in the strategic plan and performance program of the administration;
- must provide for the regular announcement of the status of realisation regarding the performance objectives and indicators related to their respective units, and the grounds for the data, on the webpage of the unit;
- must provide information for periodical reporting to the SDUs that will be carried out by authorising officers (information about objectives and risks of the unit, status of realisation, etc.);
- should transfer timely, complete and accurate information and documents regarding financial transaction processes to the Accounting Officer and set up mechanisms to store records and statistics.

Realisation Officer

Realisation officers, who are responsible for issuing spending orders, must periodically brief the authorising officer on the spending process. In this regard, information on the spending order being complete, accurate, understandable and reliable plays a significant role in realisation officers fulfilling their tasks as requested from them.

Accounting Officer

The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way. Accounting Officers must regularly report to the authorising officer on the accounting records.

Strategy Development Units

SDU managers must review the information included in the activity reports, performance programmes and strategic plans by holding periodic meetings with the authorising officers of other units. Personnel of SDUs must obtain the information that is needed in the field of financial management and control through these persons.

Necessary coordination for the formation of the team to carry out the studies on the establishment and development of Information Management Systems within the administration is provided by the SDU.

In fulfilment of the coordination duties of SDUs, which are defined by laws, the Principles and Procedures of Internal Control and Ex-ante Financial Control, the Strategy Planning Guideline, the Legislation and Manual on Performance Programs to be Prepared in Public Administrations, and secondary and tertiary regulations such as the Budget Preparation Manual must be taken into consideration.

SDUs must have a webpage with forums, good practice examples and frequently asked questions to ensure communication with internal and external stakeholders, in order to carry out their tasks more effectively.

Central Harmonisation Unit

While carrying out its tasks in the field of information and communication:
- CHU sets up a common (web-based) network where information can be shared.
- They organise trainings, panels and conferences for the actors that take part in the field of internal control.
- CHU members are assigned to be responsible for particular administrations to enhance information and communication with SDUs of administrations. They communicate with SDUs and provide them with information and guidance via official letters, call centres, telephone, forums, etc.

Please refer to the CHU Handbook for further details on the roles and responsibilities of CHU.

Besides the practices and methods in the area of information and communication given in this manual, public administrations must also take into consideration those regulations in the legislation which are directly related to the area of information and communication. These basic regulations are contained in IC Annex I.

4 INFORMATION

The prerequisite for reliable and proper information is immediate recording and suitable classification of all operations and transactions. Internal control includes obtaining, classifying, recording, utilising and reporting both financial and non-financial information.

4.1 Characteristics of Information

Characteristics that the information which is used in public administrations must have are given below.

- Timely: Information should be obtained and transferred at the right time by the right personnel.
- Related: Information should be related to every activity, work or action.
- Available: Information holdings should be available to those who require them the moment they need it and also later. Technology should be available to users in order to facilitate obtaining, storing, transferring and using information.
- Comprehensible: The description of information holdings must have the same meaning for users at all levels of the administration. In addition, information that is shared with external stakeholders must be clear and meaningful for the users.
- Usable: Information must meet the needs of its users in relation to the purposes for which it was received.
- Complete: Both the content and form of information should be complete in order to provide for efficient and effective use of information holdings.
- Accurate: Information must be able to reflect the points regarding the aims, objectives and activities it is related to accurately and correctly.
- Up-to-date: Information must be updated and related to the needs. A lack of up-to-date information can impair decision making and program delivery. Managers and personnel should take necessary actions to keep information up-to-date.

4.2 Information Management

Information management is a process where information is planned and obtained from any kind of source, internally or externally, classified, stored, communicated to relevant bodies in a timely manner for interpretation, reviewed for updating and destroyed. The stages of this process are complementary to each other. In any stage there may occur a need to take into consideration the phases of the previous or next stage.

IC Figure: Information Management Process [diagram of stages: Planning information need; Organising information; Creating and collecting information; Reviewing and keeping information; Utilising and sharing information]

4.2.1 Planning Information Need

The planning stage starts with identifying strategic aims and objectives and performance objectives, as well as identifying information needs to achieve these objectives. This stage includes the assessment of who needs what information, when and why, and how they can acquire it, at all levels from the operational to the strategic activity level, in order for the administration to maintain its operations effectively.

In the planning stage, the following factors must be taken into consideration:
- Internal and external information users must be defined and classified. Information needs of users must be determined. Information holdings must be examined to see whether the current information need of the users can be met using them.
- While novel databases and information systems are designed, the risk for the information to be disseminated to the public must be considered.
- The benefit and cost of information in terms of the users must be analysed.
- The information need for new legislative, strategic and operational aims must be defined along with the relevant information system requirements; furthermore, the person and the time to do this work must be set out.
- Emerging information needs must be compared to the present information and information systems within and outside the administration.
- For increasing the value or productivity, or decreasing the cost, of the systems in use, such methods as combining information systems, using novel technologies and standard practices can be referred to.

The value of information is not only about how it is used and kept but also about how and when it is going to be destroyed. Many factors, such as legislation, information policies and needs, may have an impact on how long to keep that information. Information which is being kept should be destroyed in accordance with the relevant legislation after necessary approvals have been received.

4.2.2 Creating and Collecting Information

While producing and collecting information, first of all the value of the information for the administration must be set out, and it should be made sure that the people in need of information do have access to it on time.

The information collection and creation process should focus on the following, and information collected or created must have the capacity to meet the needs of the administration. To this end:
- The holdings must be periodically reviewed in order to determine if the information that is created or collected continues to meet the identified needs, and it must be followed up whether users really use the information. A great deal of information can still be unnecessarily collected for a reason that was identified in previous periods. If the administration decides to stop collecting that information, firstly it must set out whether any individual or program would be affected.
- Quality and scope of information, as well as its relation to the defined needs and whether it meets the needs or not, should be understood in regular reviews. In addition, implicit information of the staff must be turned into explicit information and incorporated into the information inventory. The information produced as a result of the process studies must be classified, starting from the most frequently used to the least.
- Information must be compiled in information pools to be created. This information must be clear and understandable. The information in the pool must be open to access upon being classified in accordance with the information hierarchy, such as strategic and operational. Management of the information pool must be carried out by a team who are competent in the processes to be formed within the administration.
- Legislation or policies may demand that certain information be collected by an administration. Therefore, information that is collected must meet legislative and institution-specific policy requirements.

Information collection must be coordinated. To this end:
- all information collection activities must be accounted for, including all regions and organisational units, and information collected must be accessible;
- the administration must ensure that information collection conforms to the applicable standards;
- information must be periodically reviewed in order to ensure that the requirements of the relevant legislation are respected. This might be done during the annual update of personal information; and
- before information is created or collected, existing information holdings must be reviewed to determine if the information needs can be satisfied by existing holdings or readily accessible external information sources.

The following are the leading sources of information:
- instructions, approvals, invoices, transaction orders, petitions;
- interactions between clients, vendors or other ministries and agencies;
- planning documents - budgets, forecasts, work plans, blueprints (technical or engineering designs);
- drafts, schemes of information architecture;
- reports, policy briefing notes, other documents supporting the activities and justifications;
- meeting documents - agendas, records of decision;
- commission documents, job descriptions, member lists;
- requests for information and the responses, emails, forms used to collect responses, templates, related instructions, responses in every format;
- client records, applications, evaluations, emails, phone calls;
- every kind of data in electronic medium; and
- information resources which could provide additional information.

Collecting Information from Public/Private Sector

The response burden should be minimised to the lowest level possible in this process. To this end:
- the administration should determine from whom it will receive information, at what frequency and in what detail, as well as what burden this process will create upon respondents; and
- there should be cooperation with other administrations in such issues as undertaking joint collection or information sharing.

The forms should meet all statutory and policy requirements. To this end:
- all the forms in both paper and electronic media must be reviewed before they are put into use to ensure that applicable requirements are met. Furthermore, the responsible person must be assigned.

4.2.3 Organising Information

The aim of organising information is to establish a link between the operations of the administration and the usage, sharing, retrieving, archiving and destroying of information, and to facilitate the process for administrations and the other stakeholders.

The following steps must be taken for an efficient information organisation:
- it must be ensured that users, both internal and external to the administration, are satisfied with their access to information. Methods should be established to measure user satisfaction (such as user surveys and questionnaires applied after completion of certain services, as well as periodically applied questionnaires);
- the custodians of information holdings (e.g. Data Processing Departments, Library Services, etc.) must identify the information needs of users and improve their services to better meet the needs of users for quick and easy access, e.g. shortening response time, using efficient and effective technology for transmission, designing a user-friendly system;
- information must be available for public dissemination and communicated to the public where and when appropriate, for instance by establishing such structures as e-libraries to facilitate public access;
- information available for use by the other administrations must be checked to see whether it is subject to any legal or policy constraints;
- administrations must have an up-to-date publications catalogue, which must be deposited in the administration's library. Published material must be catalogued according to established standards; and
- all the documents published by the administration must be accessible on the webpage of the administration.

Registering, Filing and Archiving of Information

Registry and Filing

To ensure effective management, any kind of document, including electronic ones, internal communications, operations and transactions, must be recorded, classified, filed and archived; there must be a comprehensive and up-to-date system for this.

If meaningful and valuable information for the control of activities and decision making is desired, all the operations and transactions must be instantly recorded.

In order to ensure the quality of information and reporting, fulfilment of internal control activities and responsibilities, and effective and efficient monitoring activities, all transactions need to be completely and clearly documented.

These documents should be easily accessible where needed.


The documents of the internal control system should include the structure and policies of the administration, types of activities, related objectives and control procedures.

The process of registry should be applied in a way that covers all the stages of a transaction, including the start and approval stages, until their final classification. This is also the case for the regular updating of documents.

Regardless of the media they are received in (such as paper, fax, e-mail or electronic), documents should be recorded and kept within the framework of a registry plan which is suitable at least to one official file.

Registry procedures must be communicated to staff in writing.

In this context, Standard Filing Plan no. 2005/7, issued in the Official Gazette no. 25766 dated 24 March 2005 and prepared under the coordination of the Prime Ministry General Directorate of State Archives, must be taken as the basis to establish a common method for all public administrations to file all documents, including electronic ones, and to ensure fast and easy access to them where necessary.

Ensuring standardisation in the filing system would help achieve harmony within the institution and, if it can be disseminated among all organisations, it would form a basis for an efficient and effective communication system across the country.

Standardisation of filing services would:

ensure that documents about the same issues are codified using the same numbers in all organisations;

facilitate easy and fast access to the right information and documents requested, and make sorting, classifying, keeping the documents and putting them into service easier, as standard file numbers will refer to the same issues in all organisations;

ensure integrity and ease in the establishment of a tidy, fast, effective and efficient system of documents, files and communication;

provide infrastructure for the automation of documents and correspondence and the establishment of information networks among organisations; and

facilitate internal and inter-organisational file and operation tracking. The document or information looked for would be easily found in a short period of time.

The task of carrying out studies on the registry, usage and archiving of electronic documents has been assigned to the General Directorate of State Archives upon Decision no. 7 dated 9 September 2004 of the e-Transformation Executive Board, in accordance with the Prime Ministry Circular number 2008/16 on Electronic Document Standards published in the Official Gazette number 26938 and dated 16 July 2008, and TSE Standard number 13298 has been published. This Standard is a main source for electronic document management systems to be used by all public organisations.

Electronic document management systems to be established by the administrations will comply with the TSE Standard no. 13298 and, furthermore, inter-organisational sharing of electronic documents produced will be carried out by the criteria on electronic document sharing services as set out on the web address www.devletarsivleri.gov.tr.

Archiving Services

Archiving services include identification of the materials the administrations and the staff have that will become archive materials in the future, their protection against any losses, preservation under proper conditions, utilisation in accordance with national interests, cropping and disposal if not deemed necessary to maintain. Principles and procedures on archiving services have been set out in the Regulation on State Archiving Services published in the Official Gazette number 19816 and dated 16 May 1988, and amended by the Official Gazette number 25735 and dated 22 February 2005.

As per this regulation, administrations have to take necessary precautions to protect information and documents against disasters, theft, fire, etc.; set out the procedures for the preservation of confidential documents; take the measures to ensure that the documents remain legible in the future; and inform the managers and the staff about the proper periods of preservation for the documents.

4.2.4 Using and Sharing Information

Using and sharing information is crucial in terms of accountability and transparency for those who take part in the activities of the administration and other stakeholders.

Information is an asset which renews itself, turns into a new form and becomes more valuable as it is communicated and shared. Therefore, regular communication and circulation of information within an administration is a principle of information management. Sharing administrative information reflects a cycle in which the information is communicated to the relevant persons, administrative works are notified, reactions of the personnel are received, and reactions are assessed, evaluated and communicated back to the relevant persons.

The following must be considered while using and sharing information:

Comply with privacy, security and legal restrictions.

Whenever possible, use electronic media to share information resources (email, repositories, websites and so on).

Ensure that information remains complete, accurate, up-to-date, relevant and understandable.

Verify the accuracy and reliability of information (especially when conducting web-related research).

Take advantage of administrative investments in information resources (magazine and journal subscriptions, databases, online library services and so on) while respecting copyright, licensing and intellectual property rights.

When retaining information that has been 'copied', indicate the source, whether it is from an information resource already saved in the organisation repository, from a publication or from a website.

Furthermore, transferring information from those who leave their jobs to those starting a new job is crucial to the continuity of the activity in an administration. In this context, the following should be taken into consideration:

IC Table 1: What to do when leaving and starting a job

When leaving a job:

Discussing your responsibilities with your manager when leaving the job, and determining and monitoring the internal policies for the administrative closure of your business processes.

Providing pertinent information about everything you leave for your successor, explaining why it will be needed.

Backing up all the information in the electronic medium related to the job and transferring it to the information pool.

Transferring the documents under your responsibility to the relevant successor.

Creating a list of job-related website addresses, a summary of ongoing projects and related contact information, and an inventory of information resources (including file numbers) that will help your successor get used to his or her new job.

Returning or extending the deadline of the material that was borrowed from the library.

Removing former employee's name from distribution lists.

When starting a new job:

See if any electronic and paper information resources of business value have been transferred to your custody.

Take note of any instructions or messages you receive regarding access to electronic tools such as a shared drive, business system or repositories.

Familiarise yourself with your information management responsibilities and practices.

Take part in training sessions on information management and recording.

Add new employee's name on the distribution list.

4.2.5 Reviewing and Protecting Information

Organisations must periodically review such main processes of information management as planning, producing, collecting, defining, accessing and using information, and share the results with managers.

Therefore, attention must be paid to the following:

Store the information in a manner that preserves its form and status, keeping its structure, context and content intact.

Mark each information resource according to its proper security classification, either on the paper or electronic document.

Protect classified and protected information by ensuring it isn't left in waste or recycle containers and by storing it in locked desks or cabinets after work hours and during extended periods of absence.

Implement effective access control procedures, ensuring that classified and protected information is only made available on a need-to-know basis to those who are authorised to access it.

The level of protection must be consistent with the level of risk.

Take the requests for access and usage from other users into consideration and assess their compliance with the legislation.

Periodically back up the information for protection purposes.

4.3 Information Security

Information can be stored on paper, kept in electronic format or transferred verbally as well. Regardless of its form, information must be properly recorded and protected. Information security means safeguarding valuable assets in an administration against loss, misuse or damage.

The aim of information security is to ensure the following:

Safeguarding data integrity

Preventing unauthorised access

Respecting privacy and secrecy

Continuity of the system

4.3.1 Information Security Management System

An information security management system is a systematic approach adopted so that the organisation's sensitive information that needs protection is managed properly; the main objective of this system is safeguarding, storing and making the sensitive and critical information available where necessary.

Setting Up an Information Security Management System

In order to establish an information security management system:

Primarily, the decision must be taken on whether the system will cover the entire organisation or a part of it.

Secondly, a policy that sets out the objectives must be introduced.

Finally, a systematic risk assessment approach must be adopted, and potential risks must be identified and mitigated as appropriate.

Requirements of an Information Security Management System

The following are the requirements for an efficiently operating Information Security Management System:

Support and ownership by top management and managers of the administration must be ensured.

Information management should not be regarded as merely a technical issue and a job only for the Data Processing Department. The system must have the potential to reach its objectives with active participation by all staff of the administration.

Establishment of an information security management system must not be regarded as an extra burden and waste of time.

Elements/Principles of Security

The risks of compromise to information security, for example hacking, need to be defined, and controls to mitigate those risks should be introduced. If these controls are absent or ineffective, that will considerably decrease the efficiency of the information security system.

The main principles of security are confidentiality, integrity, availability, authentication, non-repudiation, responsibility and access control. For more detailed information, see the Turkish Standards Institute TSE-17799 "Information Security Management Standard" document. Furthermore, there are other international models aiming to ensure the security of electronically produced information, such as COBIT, e-SAC (Electronic System Audit and Control) and System Trust, while you can also explore the standards ISO/IEC 27001 and ISO/IEC 27002 (International Organisation for Standardisation).

Also, please refer to the "Regulation on the Principles and Procedures Regarding the Implementation of the Law on Electronic Signature", based on the Law on Electronic Signature number 5070, and the e-Transformation Turkey 2005 Action Plan (Action 5: Current systems at public institutions, particularly central institutions using critical information, will be analysed and information security policies and measures will be developed accordingly; and Action 33: The needs of disaster management of public information system will be identified and recommendations will be developed).

For preserving and storing documents that are kept in written environment, please refer to section 4.2.3 on the organisation of the Information Registry, Filing and Archiving System.

4.3.2 Information Security Control Activities

In order to set the level of importance of an item of information, the degree of the effect on the administration that stems from the risk of harm to the "confidentiality, integrity and availability" of the item of information must be defined in the first place. The harm that can be done to these three security features of information systems may have different degrees of effect. For instance, disclosure of top secret information can cause serious harm to an administration, while it may not be that harmful if that information becomes unavailable.

The risks to information security identified must be analysed and ranked, and the cost of the control activities to be established and operated to mitigate those risks must be in proportion to the value of the information protected and the risk identified after examining potential threats. For some ideas of suitable control activities, see the Control Activities chapter.

IC Figure 1: Process of Control Activities for Information Security

The image above is an example of security-related control activities. It demonstrates 4 different attacks. As can be told from the image, attack [1] is immediately prevented at the stage of prevention, while attacks [2], [3] and [4] are not. Of the attacks that manage to survive the prevention process, attack [2] is identified at the stage of detection and eliminated. Attacks [3] and [4] manage to pass the detection stage. At the stage of response, which is the final stage and has been designed in accordance with the level of tolerance decided, attack [3] is eliminated, while attack [4], which survives all stages, damages the system, passing through all security processes.

5 MANAGEMENT INFORMATION SYSTEMS (MIS)

Management information systems are computer-assisted systems (consisting of computer hardware and software) which should ideally provide timely strategic information needed by managers, in the form they demand it, so they can make the right decisions on an informed basis.

The aim is the transmission of the right and complete information to the right people in the proper format (form, report, table, graphics, etc.). A labour force is needed to run, update and maintain the systems. MIS give information on how the administration is performing in terms of financial information, information regarding the staff, information on the movable/immovable assets, performance information, information from the organisation's document archive, etc. against key performance indicators. MIS may also give information on risk management.

Information should be registered, classified, calculated, summarised, reported and stored. Backup copies of the system should be kept in case the system crashes. If these processes are not done systematically, managers may have incorrect information and thus make the wrong decisions.

While designing MIS, first the civil servants must understand the importance of acquiring and recording reliable and accurate information and be aware of their responsibilities in this regard; then business processes related to the production of information must be defined completely and clearly; and finally support from IT must be obtained.

Some organisations have dispersed information systems; however, the existence of such a structure does not necessarily mean they have MIS. In some cases information is not related and integrated with all the actions and units of an administration. Data recorded by different units in different systems is stored independently of the other units. Duplication of information in different units of the administration is an inefficient use of resources. Data being entered into a central computerised system ensures that managers have access to information which covers all the administration.

The resistance to information sharing in administrations is a significant problem. It is not possible to transmit the accurate and timely information which management needs in administrations where information is not shared, which is an obstacle for MIS. Hence, a culture of information sharing should be encouraged.

5.1 Stages of Establishing MIS

In the development of management information systems, SDUs undertake the task of coordination and provide technical assistance to the spending units. The following process can be followed by the SDUs and the spending units in establishing MIS.

5.1.1 Establishment of the MIS Working Group

A participative method should be adopted in the establishment of MIS in administrations; the work programme should be produced for a working group to be formed with the participation of representatives from all the spending units under the coordination of the SDU, and tasks should be distributed.

5.1.2 Preparation of the MIS Working Plan

In the working plan:

To begin with, a comprehensive need analysis should be carried out to identify which type of information the management may need.

Upon the completion of the need analysis, data provider units for the MIS should be identified. This will provide a significant infrastructure for the information map to be produced.

The properties of the current information system of the administration, related problems and solution recommendations should be disclosed; what needs to be done to solve the problems and what is aimed should be determined; and structures should be set up in the administrations to support production and sharing of information.

Cost and benefit aspects of the system planned to be established should be considered.

The potential risks relating to MIS should be identified and a risk management process should be carried out. The control activities to be applied for the risks with high significance and likelihood should be determined.

A good MIS must be flexible enough to keep up with the changes occurring inside and outside the administration. Besides, success criteria of the system, such as inclusion of early warning mechanisms, should be determined.

In the medium term, a corporate information map must be prepared that will cover the entire organisation. Preparation of a corporate information map would ensure quick access to the information and expertise needed. The information map must be produced primarily at unit level and then at individual level, considering their level of expertise and experience. While forming such a structure, organisational charts or documents for distribution of tasks within the units at a more special level can be made use of. Production of the corporate information map and its proper operation would ensure that the following question is answered easily: "Who knows what?" For instance, quick identification of who (which department, which employee, etc.) has information about staff, budget or archives, and of the relation among this information, will be ensured.

Establishment of MIS can be initiated by pilot implementations in the units. Using pilot implementations as a starting point and ascertaining how the system works will ensure economy in terms of time, cost and labour force. Potential mistakes to be made in the further stages of the process can be prevented by eliminating the shortcomings and correcting the mistakes observed during the pilot implementations.

5.1.3 Monitoring/Assessment

Periodic reports must be produced and presented to the top management during the establishment of MIS to show the progress in the development of the system. Action must be taken against the problems identified at this stage to ensure performance of the activities as planned.

Studies about the fulfilment of MIS services in administrations must be carried out upon the approval and under the supervision of the head of administration. Furthermore, the head of administration must inform the related units on the working method adopted.

An MIS needs to be dynamic to keep pace with changes in technology or in the demands for information by management.

5.1.4 Related Legislation

Law no. 5436, which amends Law no. 5018, prescribes the establishment of SDUs and assigns them the task of providing the services related to MIS.

In the Regulation on the Working Principles and Procedures of SDUs, providing the services regarding MIS and carrying out studies for the establishment of the system are listed among the tasks of the SDUs.

6 COMMUNICATION

Communication is the exchange of information among individuals and/or organisations to support service delivery, decision making, and sharing, carrying out and coordinating activities. It plays a central role in the development of a robust internal control system and helps management to make decisions by providing feedback on how all the components of internal control are working.

An administration needs information at all levels to achieve its objectives and manage risks. In this context, information flows can take place both horizontally and vertically, as well as from outside the organisation.

Information must be properly communicated within an administration to the managers and/or staff in need of it on a timely basis, in order for them to fulfil their responsibilities and ensure coordination with other units. External communication with the beneficiaries, suppliers and stakeholders such as other public administrations is also essential for effective internal control.

Communication can be verbal, written or electronic, or a combination of the three. Where verbal communication is deemed sufficient, documenting only the important verbally communicated information would be useful, so records of key information are kept and can be subsequently referred to by those who are given access to it.

IC Box 2: Communication Channels

Management should establish communication channels that:

provide accurate information at the right time;

meet individual demands;

inform employees of their roles and responsibilities;

support reporting;

allow employees to make recommendations for improvement;

give messages that top management can understand, enabling them to make decisions;

inform employees of the importance of internal control and of decisions taken;

are both internal and external; and

have the right target group.

6.1 Internal and External Communication

Administrations should consider the following general issues regarding their internal and external communication:

The public should be provided with timely, accurate, clear, objective and complete information about policies, programmes, services and activities.

The language used should be comprehensible and plain Turkish.

Administrations should be visible, accessible and accountable to the public for the services they provide.

Various means and methods should be utilised in communication, and information from a variety of sources should be engaged to meet different needs.

Communication needs should be regularly identified.

Administrations should receive opinions from internal and external stakeholders while setting out objectives and aims and formulating processes, and should establish mechanisms to assess these.

Public administrations should work cooperatively with stakeholders when necessary in order to ensure efficient communication.

Services should be provided in a fair, quick and responsive manner.

Administrations should have the capacity and equipment to follow up innovations in technology in the field of communication and allocate necessary resources to do so. In this context, activities carried out should be proportionate to resources allocated and results expected.

IC Table 2: Communication Principles and Procedures

Internal

Communication Principles | Method

Top management and employees should understand the internal communication system and be well aware of their responsibilities.

Internal communication activities and processes should be reviewed regularly and revised where necessary. New communication methods should be adopted to stay in line with the changing administrative structure.

It must be ensured that staff communicate their considerations, recommendations and questions to top management.

Staff should be regularly informed about the operation of the internal communication system, what to do and the responsibilities, in writing or electronically (including the information and communication system for risks).

Necessary mechanisms (intranet, internet, announcement boards, complaint and suggestion boxes, top manager briefings, etc.) should be established to inform the employees about the mission, vision and the objectives of the administration.

Communication between managers and employees should be clear and cooperative in order to achieve the goals and mission of the administration.

Staff objectives should be made consistent with those of the administration.

A more effective communication should be ensured between senior management and personnel.

Regular meetings and an electronic mechanism that enables the SDUs to coordinate spending units and produce statistical data via necessary analysis.

Recommendations and ideas of personnel should be heard and action taken to address them when appropriate.

To this effect, in-house communication seminars and training programs should be organised.

Vertical communication

Personnel should convey the necessary, timely, complete and accurate information to their managers in time for the managers to make decisions and achieve objectives.

Personnel should be notified by their managers when, in which scope, in what way and from which unit the information is demanded.

Managers should inform the staff about the policies, goal and objectives of the administration.

A reporting system should be established within the administration which flows from staff to managers (minutes of meetings, unit activity reports, exchange of information on a weekly or daily basis in person or electronically, a reporting system that enables the managers to monitor daily activities, etc.).

Regular meetings between management and internal auditors; timely submission of internal audit reports to top management.

Horizontal Communication

Refers to the effective sharing of information among employees of the same hierarchical level in order to carry out the tasks and activities in the administrations.

Personnel and units to share information should be announced to staff, and the duty to share information should be included in the job descriptions of the relevant personnel and units.

Managers should hold regular meetings to exchange ideas on their respective fields of competence and the problems and suggestions regarding management.

Establishment of a system to monitor meetings and activities of people of the same level.

Creation of an e-mail group for the people from the same hierarchical level.

Strengthening data processing infrastructure and ensuring active operation of units.

Ensuring that top management have more effective communication with employees.

Internal communication seminars and training programmes should be organised.

EXTERNAL

Communication Principles | Method

The accessibility of the citizens to the information and services of the administrations should be enhanced.

Services delivered by administrations within the framework of "e-state" should be shared with the other relevant administrations and citizens (MERNIS, UYAP, etc.).

The administration's website, which provides the necessary documents, should be established and some services should be provided via this website 24/7.

Documents and services provided online should be updated regularly, and the administration should assign certain people to manage the design and content of the website.

Furthermore, English broadcast for the access of foreign users to information will be useful.

Mechanisms should be set up to enable citizens to express their complaints and suggestions (forum, frequently asked questions, activation of use of Information Acquisition System and BIMER, etc.).

Administrations should inform the press about issues deemed important for decision makers and the public.

The press should be invited to important conferences and seminars.

Services provided by the administration should be advertised on TV or the internet.

The head of administration should inform the public annually about the performance programme and activity report of the administration, and these should be published on the administration's website.

Active operation of the press and public relations units should be ensured.

6.2 Communication Methods

A communication system is made up of methods and records produced to determine, acquire, change and transfer useful information. Staff must be able to communicate with all the units in the organisation, including sharing risky information.

With the advancements in technology, numerous and various communication means are now available in public administrations. The most widely used means of communication are detailed in IC Annex 2.

6.2.1 Reporting

Reports are crucial tools for the establishment of an effective internal control system, as they facilitate the monitoring of control effectiveness.

Managers should take reports submitted to them into consideration when making decisions. In this context, accurate and succinct reports that have been prepared on time would help the managers. Furthermore, communication and reporting is an important element of risk management (see Risk Management Chapter).

Administrations should communicate financial and non-financial information and results regarding their policies, programs, activities and projects to the relevant persons and bodies, in writing or verbally, at particular times. Within this framework, vertical and horizontal reporting lines within the administration should be determined in writing. Furthermore, each administration should also take into consideration external reporting mechanisms.

IC Figure 3 shows the mechanism of vertical reporting among the hierarchical stages regarding the decisions and works at the strategic, programming and operational levels, and the mechanism of horizontal reporting among the personnel of the same level. Vertical reporting is the reporting of personnel to managers. Horizontal reporting, on the other hand, is the necessary flow of information among the people and units that are on the same level.

IC Figure 3: Reporting Lines (figure labels: Objective/Activity; Strategic and Operational levels; vertical reporting among Top Management, Medium-level managers and Other staff; horizontal reporting)

Examples of horizontal reporting within an administration:

Staff attending a training program sharing with colleagues the report they prepare about training results; and

Minutes of Meeting shared with other units.

Examples of vertical reporting within an administration:

Consolidated Risk Report submitted to senior management;

Minutes of Meeting copied to a senior manager for their information;

Internal Audit Reports submitted to senior management; and

Quarterly Reports, Semi-Annual Reports submitted to senior management.

Examples of reporting outside the administration:

Internal Control System Evaluation Report prepared by the SDU and submitted to the CHU; and

Annual activity report for an administration prepared by the Head of Administration, published to the public and copied to the Turkish Court of Accounts and Ministry of Finance.

IC Box 3: Basic Principles for Effective Reporting

It should be explicitly determined and announced to staff which reports will be prepared, by whom, at what frequency and when they will be prepared, who they will be submitted to and who will control them. Reports must be in compliance with tasks, responsibilities and the principles of financial transparency and accountability.

The information included in the reports must be accurate, up-to-date, succinct, objective, complete, relevant and sufficient.

Reports should use a common and clear language that everyone can understand.

Reports must be produced at certain periods and on a consistent basis so that comparisons can be made between years.

Reports should attract the attention of readers, be easy to read and understand, and include sufficient and appropriate visual material.

All reports should have a conclusion and evaluation section.

The desired format for the report should be determined in advance by the administration/unit requesting the report and notified to the relevant administration/unit.

IC Annex 3 details the reports prescribed to be prepared as per the Public Financial Management and Control Law No. 5018 and the applicable regulations, in the framework of the principles of financial transparency and accountability.

7 WHISTLEBLOWING OF FAILURES, IRREGULARITIES AND FRAUD

One of the most important elements of accountability and transparency is the existence of a mechanism that ensures that staff and stakeholders are able to effectively express their concerns.

Article 279 of the Turkish Penal Code states that if a civil servant learns, by means of the position he holds, that a crime which necessitates investigation and prosecution was committed and neglects or delays notifying the competent authorities of this crime, he will have committed a crime himself.

7.1 Concepts of Failure, Irregularity, Fraud and Whistleblowing

Failure refers to an unintentional action against the legislation.

Irregularity and fraud, on the other hand, refer to behaviours by the administration's staff or third parties that are deliberately against the present rules in order to achieve unfair or unlawful gain.

Whistleblowing is the notification of illegal and unethical behaviours and actions to top management, third parties outside the management, or authorised bodies or persons (who can be inside or outside the administration) by the persons with information (employees or stakeholders). Failure to blow the whistle can cause damage to the administration.

In line with the above information, administrations must determine distinct methods for evaluating the irregularities, fraud and failures they have been notified about.

It should be borne in mind that the person who makes the notification may be left alone or isolated, his or her career may be undermined, or he or she may not be taken seriously. Therefore, any kind of biased or discriminative conduct against the personnel or third parties that blow the whistle should be prevented.

7.2 Scope of Notifications

There are three basic types of whistleblowing and complaints in public administrations:

• Those regarding the violation of ethical values;
• Those regarding faults, irregularities and fraud;
• Complaints by civil servants regarding administrative actions and processes implemented against them by managers or administrations.

7.2.1 Whistleblowing and complaint in cases of violation of ethical values

Whistleblowing mechanisms are defined in Law No. 5176 on Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws, and in the Legislation on Ethical Behaviour Principles and Procedures for Civil Servants.

Under this legislation, cases of ethical behaviour violation by the director general and by those who have a title at this level are notified to the Ethical Board, while cases of violation by the other employees are notified to the relevant administrative manager to be directed to the administration's disciplinary board. Within this framework, administrations carry out the process to ensure compliance with the law.

A flowchart showing the detailed process for whistleblowing and complaint in cases of violation of ethical values is at Annex 4a.

7.2.2 Whistleblowing and complaint regarding irregularities and fraud

Law No. 4483 defines the procedures to be followed in cases of crimes committed by civil servants in relation to their duties. Accordingly, cases of whistleblowing or complaint about civil servants are filed, processed and concluded under this Law.

In cases when a complaint by a person is not processed, he can appeal to the administrative court if he wishes. The administration has to record all the cases of whistleblowing or complaint, processed or not.

A flowchart showing the detailed process for whistleblowing and complaint regarding irregularities and fraud is at Annex 4b.

7.2.3 Complaints by civil servants

Proceedings relating to complaints by civil servants regarding administrative actions and processes implemented against them by their managers or administrations are carried out within the framework of Article 21 of Law No. 657 and the Legislation on Complaint and Application Rights of Civil Servants.

7.3 The Responsibility for Detecting Faults, Irregularities and Fraud

The responsibility for identifying and preventing failures, irregularities and fraud rests with management and all employees. Under the ethical behaviour culture of the administration, the necessary actions should be taken to prevent failures, irregularities and fraud under the supervision of the responsible managers.

7.4 Whistleblowing System

For employees to communicate their concerns and for these concerns to be taken seriously, administrations should have the related regulations that comply with their structures, as well as reporting mechanisms. These regulations should include the following:

• the subject-matter of a whistleblowing;
• how to protect the confidentiality of and provide security for a whistleblower who has good faith;
• the stages of the whistleblowing procedure (first to manager, then head of unit, head of internal audit, head of human resources unit or head of financial services unit, head of administration);
• how cases of whistleblowing are evaluated by the administration and what actions are taken (examination inside the administration or official investigation, etc.);
• information given with a view to informing the whistleblower about who the subject matter concerns, whether he can contact that person, as well as about evaluation progress and/or results.

Within this framework, administrations should announce to the personnel all the ways of whistleblowing and complaint.

In cases of whistleblowing and complaint, the identity of the whistleblower should be kept confidential so that they are not exposed to discrimination.

Administrations should receive cases of whistleblowing and complaint in electronic format via their web sites as well as in writing. Besides, administrations should set up mechanisms that make it easier for external stakeholders to whistleblow or complain, and announce them on their billboards and websites.

Administrations should not set up mechanisms other than the preliminary examination procedures determined in Law No. 4483 for cases of whistleblowing and complaint regarding corruption and irregularities. As a result of the preliminary examination, whether the investigation permit is given or not should be notified both to the Chief Public Prosecutor's Office and to the whistleblower with a detailed justification, and the letters regarding these notifications should be kept in the whistleblowing files.

For an effective whistleblowing system, the following basic requirements are taken into consideration:

IC Box 4 Basic requirements for Whistleblowing

• Top management should announce the procedures for dealing with whistleblowing and complaint from inside and outside the administration.
• Administrations should determine, for central and local units, who notifications will be referred to.
• Methods must be developed for anonymous notifications from staff and third persons (telephone in a way that ensures evidenced delivery, internet application provided that forms given are completed, anonymous letter, suggestion boxes, etc.).
• Written, spoken or electronic cases of whistleblowing should be recorded in a separate folder by the authorised unit or person, regardless of whether they are based on enough evidence or not.
• Discriminative treatment towards the whistleblower should be prevented.
• Periodical meetings should be held with staff in which their views should be heard and their trust should be won in regard to reporting malpractices within the administration.
• All the communication channels should be left open to ensure that personnel can blow the whistle.
• In the event that the personnel are proved right after the examination and evaluation process of the whistleblowing, they should be rewarded by means of secret methods to be determined by the administration.

IC Box 5 Issues to consider while evaluating whistleblowing notifications

• Are the behaviours or actions in the administration unlawful?
• Are the behaviours or events taking place in the administration against the ethical values (morals, professional ethics, etc.)?
• When the whistleblowing is not in compliance with the procedure, it must still be definitely evaluated as long as it is based on concrete evidence.
• Seriousness and importance of the issues put forward should be taken into consideration.
• There should be good will and public benefit.
• There should be a reasonable belief that the information and the allegations the information includes are completely true and may uncover malpractice.

IC Figure 4 Whistleblowing Process

[Flowchart labels: Whistleblower (Is it illegal? Is it unethical and immoral? Is it based on concrete evidence? Do I have good will? Do I draw benefit from this?); Secure communication channels (e-mail addresses, telephone numbers); Unit/person to evaluate the case of whistleblowing; Evaluation Criteria; Disciplinary Board; Inspection Board/Audit Unit; Chief Public Prosecutor (investigation request is from outside the administration); Authorising officer]

IC Box 6 Current Legislation relating to whistleblowing and complaint

• Law No. 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication
• Law No. 4982 on the Right to Information
• Law No. 3628 on Declaration of properties, bribes and combating fraud
• Law No. 3071 on Official Letters
• Ethics Law, Regulation and Prime Ministry Circular
• Principles and Procedures on the Complaint and application rights of Civil Servants
• Complaint regulation under Public Procurement Law No. 4734

8 RELATIONS AMONG UNITS

8.1 Information and Communication between the CHU and SDUs

The extent to which the tasks the CHU carries out are effective and efficient depends on the level of communication it achieves with SDUs.

The CHU must develop organisational communication mechanisms to ensure transfer of information to the SDUs. This could be done either via a call centre to be established within the CHU, or particular CHU staff (client representatives) can be matched with particular SDUs. This would enable CHU staff to better know the unit they are responsible for and therefore make evaluations and problem solving easier. This would also improve the influence of the CHU on other units. Furthermore, ensuring face-to-face communication between CHU and SDU staff and organising periodic meetings and/or conference calls to review the internal control system can be another method of information transfer.

The CHU must set out the critical arrangements that are relevant to the SDUs using participative methods, where the participation of SDUs must be ensured. Furthermore, the level of participation by the SDUs will enhance the level of communication.

8.2 Information and Communication between SDUs and Spending Units

Ensuring coordination with spending units for the adoption of various elements, such as preparation of activity reports and performance programmes and implementation of internal control, which are important elements of Public Financial Management, is the responsibility of SDUs. An effective and efficient organisational communication with spending units would also contribute to the smooth progress of the coordination process.

SDU staff and spending units must be matched. Each member of the SDU must be in constant communication with the spending unit they are responsible for and transfer the necessary information to the spending units periodically. Spending units must also assign the department/branch/unit staff to be in continuous communication with the SDU. Such matching plays a crucial role in the transfer of consistent and accurate information both from the SDUs to the spending units and from the spending units to the SDUs.

Furthermore, these information flows must also be reviewed in the meetings to be held regularly (advised frequency: minimum monthly, maximum quarterly) by the spending unit officials and SDU managers, and the actions to be taken and required development must be discussed in these meetings.

In the event that it is necessary for the SDUs to make decisions which would affect the spending units, officials from spending units must be able to get involved in this process depending on the level of the decision.

INFORMATION AND COMMUNICATION ANNEXES

Annex 1 - Legislation on Information and Communication

• Regulation on the Principles and Procedures to be applied in Official Correspondences by the Prime Ministry
• Regulation on the Prime Ministry State Archiving Services, published in the Official Gazette number 19816 dated 16 May 1988
• Regulation on Public Servants Ethical Behaviour Principles and Principles and Procedures for Application
• Regulation on Declaration of Assets, published in the Official Gazette no. 20696 dated 15 November 1990
• Regulation on the Complaints and Application by Public Servants Assets, published in the Official Gazette no. 17926 dated 12 January 1983
• Prime Ministry circular on Standard Folder Plan no. 2005/7 dated 24 March 2005
• (Manual to be prepared by Central Harmonisation Unit can be included, including the FMC Manual)
• Prime Ministry circular dated 19 March 2007 on Civil Servants Ethical Board
• Regulation on Complaints under the Scope of the Law no. 4734 on Public Procurement (The arrangements to be made by the CHU, including the FMC Manual, can be covered in this part)
• Law no. 406 Telegraph and Telephone
• Radio Law no. 2813
• Law no. 3071 on Official Letters
• Law no. 4982 on the Right to Information
• Law no. 5070 Electronic Signature
• Law no. 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication
• Law no. 5369 on Provision of Universal Service and Amendments to Certain Laws
• Law No. 5176 on Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws
• Law No. 4483 on Trying cases against Civil Servants
• Law No. 3628 on Making Declaration of Property and Fight against Bribery and Corruption
• Law no. 5809 on Electronic Communication

Annex 2 - Widely Used Methods of Communication

| Means | Objective | Advantages | Disadvantages |
|---|---|---|---|
| Meetings | Informing; Receiving opinion; Making joint decisions | Relatively cheap; A method that people are accustomed to; Contribute to the culture of participation; Open to discussion and dialogue; Opportunity to come up with solutions to problems in the administration | Difficulty to measure the success and value of the method; Possibility that results may not be useful; Possibility that a minor group may dominate the meeting in case of bad management |
| Reports | Informing; Receiving opinion; Making decisions; Evaluation | Informs the target group about the subject in a sound manner; Facilitates decision-making process of the manager; Possibility to access accurate, up to date, relevant and adequately detailed information | Requirement for qualified staff; Its production is time consuming |
| Brochures, Periodicals | Informing; Promotion | Opportunity for creative design; Comprehensible; Particular and wide target groups; Opportunity to establish long term relation with target group; Opportunity to make regular up-dates regarding the subject | Limited feedback; Difficulty to measure the impact on target group |
| Questionnaire, Interview (letter, e-mail, telephone, face to face) | Receiving opinion; Evaluation | A method that people are accustomed to; Opportunity to reach a wide group; Opportunity to select particular target groups; Scientific methods can be used | Expensive, time consuming; Requirement of in-detail information to use the method accurately; Possibility that responding rate may be low; Possibility that the subject may not be examined enough |
| Press releases and conferences | Informing; Receiving opinion | Cheap; Easy to organise; Opportunity to communicate to many people | Difficulty to understand whether the subject reached the target group or not; Difficulty to measure the success and value of the method; Difficulty to examine the subject thoroughly; No feedback or limited feedback |
| Brainstorming | Exchanging ideas; Making joint decisions | Obtaining many ideas regarding a subject; Contribution to the culture of participation; Cheap, flexible, easy to organise | Possibility that results may not be useful; Possibility that the subject may not be examined enough |
| Workshop | Informing; Receiving opinion; Making joint decisions | Opportunity to set up new networks; Fun for participants; Chance of finding solutions to problems; Cheap, flexible, easy to organise; Chance of examining the subject thoroughly; Opportunity to select particular target groups; Easier participation because of unofficial atmosphere | Non-scientific; Possibility that results may not be useful; Possibility that a minor group may dominate the meeting; Possible to receive wrong results with a small and randomly selected group |
| Conference | Informing; Receiving opinion; Making joint decisions | Opportunity to become creative and flexible; Opportunity to work together with different groups; Opportunity to set up new networks; Opportunity to select particular target groups; Opportunity to examine the subject thoroughly; Opportunity to discuss different opinions and ideas | Expensive, time consuming; Possible to receive wrong results with a small and randomly selected group; Raising different expectations; Possibility that result may not be useful; Possibility that a minor group may dominate the meeting in case of bad management |
| Focus Group | Receiving group's opinion with the leadership of a moderator | Faster and cheaper compared to one-to-one interview; Opportunity to discuss different opinions and ideas; Spoken discussion accelerates the process that outputs are reflected in writing | Possibility that useless information may emerge in case of bad moderation; Quality of participators affect the quality of data |
| Conference Call | Making joint decisions; Finding common solutions to problems | Opportunity to discuss different opinions and ideas; Opportunity to examine the subject thoroughly; Experienced decision-makers and persons with deep information accumulation coming together | Possibility that results may not be useful in case of bad management; Expensive, time consuming; Possibility that a minor group may dominate the meeting in case of bad management |
| Websites and intranet, e-mail | Informing; Receiving opinion | Cheap; Easy to organise; Opportunity to reach many people; Effective information sharing | Need for updating; Problem that unfavourable people may get access |

Annex 3 Reports Prepared under PFMC Law No. 5018

| Name of report | Responsible unit | Submitted to |
|---|---|---|
| Unit Activity Report (Art. 41 of Law no. 5018) | Spending Units - Authorising Officers | Head of Administration |
| Local Administrations Activity Report | Spending Units - Authorising Officers | Head of Administration |
| Administration Activity Report (Art. 41 of Law no. 5018) | Head of Administration (General budget administrations, special budget administrations and social security institutions) | Ministry of Finance, Court of Accounts and Public Opinion |
| Local Administrations Activity Report (Art. 41 of Law no. 5018) | Head of Administration (Local Administrations) | Ministry of Interior, Court of Accounts, Public Opinion |
| General Activity Report (Art. 41 of Law no. 5018) | Ministry of Finance (Directorate General for Budget and Fiscal Control) | Court of Accounts and Public Opinion |
| Local Administrations General Activity Report (Art. 41 of Law no. 5018) | Ministry of Interior | Court of Accounts, Ministry of Finance and Public Opinion |
| Administration AR, General AR, Local Administrations General AR (Art. 41 of Law no. 5018) | Court of Accounts (Expressing its own opinions considering its external audit results) | TGNA |
| Draft Law on Final Accounts (Art. 42 of Law no. 5018) | Ministry of Finance (DG Public Accounts) | TGNA, Court of Accounts |
| External Audit Overall Assessment Report (Art. 68 of Law no. 5018) | Court of Accounts | TGNA |
| Corporate Financial Status and Expectations Report | Public Administrations under the scope of General Management | Public Opinion |
| Central Government Budget Realisations and Expectations Report | Ministry of Finance (Directorate General for Budget and Fiscal Control) | Public Opinion |
| Financial Statistics (Art. 52, 53, 54 of Law No. 5018) | Ministry of Finance (DG Public Accounts) | Public Opinion |

In the production and submission of the Activity Reports above, Law No. 5018 and the principles and procedures set out in the Regulation on Activity Reports Prepared by Public Administrations are taken into account.

In preparation and declaration of the financial statistics of public administrations, Law No. 5018 and the principles and procedures set out in the General Communiqué on Financial Statistics of General Management are taken into consideration.

Annex 4a Whistle-Blowing Process Related to Ethical Values

[Flowchart boxes:]

• Application: written petition, electronic mail or oral application that is recorded
• Registry (relevant unit/person): registration in the document registry system (written, electronic); a separate folder system for notification applications
• If related to Director General and upper level positions than Director General: Ethical Board
• If related to lower level positions than Director General: Head Office of the Relevant Administration; Disciplinary Board
• EVALUATION
• NOTIFICATION: to the relevant person (person who whistle-blowing is about); to the relevant administration (conduction of the work within the framework of Law No. 657); to whistle-blower
• NOTIFICATION, if it is decided that ethical behavior principles have been violated: to Prime Ministry; to Public Opinion (published in official gazette)
• NOTIFICATION, if it is not detected that ethical behavior principles have been violated: to the Prime Ministry; to whom it may concern

Annex 4b Whistleblowing and Evaluation Process for Crimes Committed by Civil Servants

[Flowchart boxes:]

• Application: written petition (person or a particular event, serious allegations, name, family name, signature, domicile address)
• Registry (relevant unit/person): registration in the document registry system (written or electronic - a separate folder system for notification applications)
• Head of the relevant unit
• Directly Chief Public Prosecutor
• Other positions or civil servants
• Requesting investigation permit from body authorised to give the permit (Article 3 of Law No. 4483)
• Making notification to body authorised to give the investigation permit (Article 3 of Law No. 4483)
• Body authorised to give the permit starting the preliminary examination (4483/5)
• Preparation of preliminary examination report and submission of it to the body authorised to give the permit
• Permitting the investigation about the complaint, whistleblowing or subject matter of the allegation
• Not permitting the investigation about the complaint, whistleblowing or subject matter of allegation
• NOTIFICATION: to the Chief Public Prosecutor's Office; to the civil servant about whom the investigation is conducted; to the whistleblower
• OBJECTION (to the Court of Appeals or regional administrative court by the civil servant about whom investigation is conducted)
• OBJECTION (to the Court of Appeals or regional administrative court by the Chief Public Prosecutor's Office or complainant)

MONITORING

1 Introduction

Monitoring is the assessment of the internal control system in terms of harmonisation with the internal control standards to see whether it makes the expected contribution to the achievement of goals and objectives of an administration. It is the identification of the actions regarding the aspects open to improvement. Within this framework, monitoring is an integrated process in which capacity is assessed in interaction with the other components of internal control system.

M Figure 1 COSO Monitoring Process

[Figure labels: Risk Management; Control Activities; Info & Communication; Monitoring]

The main elements of monitoring are formation of a sound infrastructure for monitoring, designing and implementing monitoring procedures, and assessment and reporting of the results.

Monitoring, if designed and carried out properly, provides the administration with the reasonable assurance that the internal control system operates efficiently. An efficient monitoring helps:

• Timely identify and eliminate the problems in the system of internal control
• Produce more accurate and reliable information to be used in decision making
• Produce correct and timely financial statements
• Confirm regularly that the internal control system is effective
• Present evidence for the internal control assurance declarations

Monitoring internal control systems requires participation. Question forms, internal and external audit reports, requests and complaints from individuals and/or organisations, and the opinions of unit directors must be drawn on during monitoring.

2 Monitoring Internal Control Standards

Monitoring includes all sorts of monitoring activities performed with the aim of quality assessment of internal control system.

M Box 1 Internal Control Standards

Standard 17 Assessment of internal control: The administrations shall assess their internal control systems at least once a year.

Standard 18 Internal audit: The administrations shall ensure a functionally independent internal audit activity.

3 Roles And Responsibilities

3.1 Senior Manager

The main responsibility for monitoring internal control system rests with the Senior Manager. This is also emphasized in Article 11 of Law No. 5018, where it is stated that Senior Managers are responsible for observing and monitoring the functioning of financial management and control system.

The Senior Manager fulfils this responsibility through internal auditors and Strategy Development Units (SDU).

Approving the internal control system annual assessment report prepared by his administration, the Senior Manager ensures the submission of it to the Central Harmonisation Unit (CHU).

Furthermore, the Senior Manager annually states, based on evidence, that the internal control system gives reasonable assurance for attainment of the objectives and aims of his administration through internal control assurance statements (Annex 3A).

On the other hand, the Senior Manager ensures the implementation of recommendations put forward as a result of internal and external audits.

3.2 Internal Audit

Internal audit has the functions of providing information, making assessments and making recommendations on the adequacy, efficiency and functioning of internal control system. Within this framework, the Senior Manager, who has the responsibility for a sound functioning of internal control system, receives opinions and support from internal auditors.

3.3 Internal Control and Risk Steering Board (ICRSB)

ICRSB assesses Internal Control System Evaluation Reports prepared by SDU as a result of annual assessment of internal control system (Annex 2) and, after identifying the shortcomings of the report, if any, submits it with the relevant opinions for the approval of the Senior Manager.

3.4 Authorising Officers

Authorising officers have responsibilities regarding internal control and continuous monitoring. Furthermore, Authorising Officers provide necessary information for SDUs regarding the annual assessment of internal control system, fill in the internal control question form (Annex 1) and annually sign the internal control assurance declaration (Annex 3B) to be submitted to the Senior Manager.

In addition, Authorising Officers have the responsibility for taking relevant actions regarding the recommendations contained in internal and external audit reports.

3.5 Strategy Development Units (SDU)

SDUs have been assigned the function by Law No. 5018 and the applicable legislation [3] to carry out studies to establish, implement and continuously develop internal control systems and to report the study results to the Senior Manager.

Within this framework, SDUs annually assess internal control system on behalf of the Senior Manager. Then they report assessment findings, gained by means of forming a working group and using such tools as check lists, questionnaires and question forms, to the Senior Manager with the relevant opinions from the Internal Control and Risk Steering Board.

SDUs sign the declaration on functioning of internal control system with a view to ensuring effective, efficient and economical execution of the administration's activities.

Personnel of SDUs take an active role in the assessment process of internal control systems and guide the units in filling in the reports regarding assessment (Annex 1).

3.6 Other Managers and Employees

Other managers and employees are responsible for the effective functioning of internal control system within their own fields. Within this framework, while carrying out their own duties they observe the functioning of internal control system and, in case of a problem, they inform the Senior Manager and contribute to the assessment process of internal control system by providing information.

3.7 External Audit

External audit is conducted by the Court of Accounts. Within this framework, the Court of Accounts can assess internal control systems in public administrations and can make recommendations.

3.8 Central Harmonisation Unit (CHU)

In accordance with Article 9 of the Principles and Procedures regarding Internal Control and Ex-ante Financial Control and Article 55 of Public Financial Management and Control Law No. 5018, this unit develops standards and methods regarding internal control processes and provides guidance services in public administrations.

Furthermore, CHU annually assesses the functioning of internal control systems in public administrations based on Internal Control Assessment Reports approved and submitted by senior managers, and submits the assessment report it prepared to the Senior Manager and Minister of Finance.

CHU, in necessary cases, carries out on-site monitoring activities regarding the factors contained in reports prepared by public administrations.

Within the framework of roles and responsibilities explained above, the following scheme demonstrates the exchange of information and reporting lines envisaged to be realized within the scope of monitoring activities in the administration.

[3] Legislation on Principles and Procedures regarding Internal Control and Ex-ante Financial Control and Working Principles and Procedures of Strategy Development Units

M Figure 2 - Reporting and information exchange process foreseen under monitoring

[Figure labels: Central Harmonisation Unit; Senior Manager; Internal Audit (Report); Internal Control Risk Steering Board; External Audit - Court of Accounts (Report); Strategy Development Unit; Authorising Officers; Sub-unit Managers; Sub-unit Personnel]

1) Straight arrows demonstrate the hierarchy in the reporting process

2) Dotted lines demonstrate the exchange of information

4 Guidance by the CHU [4]

Article 55 of Public Financial Management and Control Law No. 5018 and Article 9 of the Principles and Procedures on Internal Control and Ex-ante Financial Control prescribe that standards and methods concerning financial management and control are developed and harmonised by the Ministry of Finance and guidance is provided to the public administrations.

In this context, within the scope of its monitoring function, the CHU:

• Monitors whether internal control standards are complied with
• Monitors the operation of the systems by receiving information and reports from the administrations regarding internal control and ex-ante financial control arrangements and practices
• Carries out researches on the national and international good practices and conducts studies for their implementation

CHU annually assesses the operation of internal control system within the public sector based on the Internal Control System Evaluation Reports submitted upon the approval by the heads of public administrations and, where necessary, carries out on-the-spot monitoring on the issues included in the reports of the administrations.

[4] This part consists of general information on the guidance provided by the CHU; detailed information can be found in the CHU Handbook.

5 Assessment and Reporting Role of SDUs

Assessing internal control periodically, and identifying and applying the necessary actions, are crucially important to ensure the efficiency of the system. In this context, each organisation needs to assess its internal control system. Assessment of the internal control system means analysing, on the basis of the internal control components, whether the system makes the expected contribution to the achievement of the aims and objectives of an administration, identifying the aspects open to improvement and taking corrective actions.

The Public Internal Control Standards suggest that the internal control systems in public administrations must be assessed at least annually, using ongoing monitoring or separate evaluations. In the assessment of the internal control system, participation of all units is required; internal and external audit reports, requests and complaints from individuals and/or organisations, and the opinions of unit directors must be considered; and the assessment process must be methodological.

5.1 Assessment of Internal Control System by SDUs

Assessment of the internal control system by SDUs is carried out fundamentally by means of the Internal Control System Question Form. Other tools, such as checklists and questionnaires, can also be used during the evaluation process. Furthermore, the opinions of the managers and requests and complaints from organisations and/or individuals are taken into consideration in the evaluations. Evaluations are carried out at least annually. Quarterly or semi-annual evaluations can be carried out as well.

Coordination of the assessment, conveyance of the questionnaires to the relevant units and consolidation of the responses are tasks of the Internal Control sub-units in the SDUs.

The staff to be assigned from the SDU to support the process of filling in the questionnaires must be determined, and the evaluation process must be planned. In the plan, a representative must be appointed for each unit; where the number of staff is insufficient, at least one person must be assigned as responsible, and this must be communicated to the relevant units. This responsible person must provide guidance to the units in filling in the questionnaires.

Spending units are obliged to respond to the questions on Risk Assessment, Control Activities, and Information and Communication. Responding to the questions in the Control Environment and Monitoring parts is at the discretion of spending units.

SDUs must complete the sections on control environment and monitoring in the internal control question forms which they will fill in as spending units.

The following steps should be followed while evaluating the internal control system:

• Primarily, unit managers should organise an opening meeting for the representatives from the SDUs. In this meeting, guidance should be provided for responding to the questionnaires and the deadline for completing the questionnaire should be announced.

• The timetable for the questionnaire, the SDU representative and their contact details should be communicated to the unit manager along with the questionnaire itself. The units must be given a reasonable amount of time to complete the questionnaire, which should be not less than one week.

• The questionnaire should be completed with the participation of sub-unit managers and staff under the coordination of the unit manager.

• In completing the questionnaire, spending units should bear in mind that this is a kind of self-assessment; by means of the answers they give to the questions, they essentially assess their own units. Within this framework, while completing the questionnaire they should make an in-depth assessment of the functioning of internal control in their own units.

• Where necessary, support should be received from the SDU representatives.

• When the questionnaire is received by the SDU representative, each question should be checked and any misunderstanding should be corrected during this process. To this end, the SDU representative is entitled to get in touch with the unit manager regarding responses to the questionnaire.

• Internal audit units/internal auditors can be asked for support and recommendations when there is a need for checking the accuracy of information in the questionnaire.

• Following the submittal of all questionnaires, the SDUs should consolidate the questionnaires and prepare the evaluation report, resorting primarily to the questionnaires and also to the following sources of information:

  - Action plans produced on the basis of internal and external audit reports;

  - Information on budget and ex-ante financial control; and

  - Other sources of information (opinions of the managers, requests or complaints by individuals and/or administrations).

• Given that the evaluation report will be produced using the above-mentioned information sources (questionnaire, internal and external audit reports, budget, ex-ante financial control information, etc.), it should be kept in mind that this process would take time.

While assessing the results of the questionnaire, the points should be added up and converted to a percentage for each section. For example, the total number of points that can be scored for the Control Environment section is 44. If the Unit's score was 22 out of 44, the percentage result is 50%.

The percentage scores should be recorded for each section, along with a percentage score for the whole questionnaire (using the total possible points of 116).

The percentage scores should be interpreted as follows, separately for each category and also for the overall percentage score:

Table 1 – Interpretation of the Results of the Internal Control Question Form

| Score (%) | Interpretation |
|---|---|
| 0-25 | Evidence of some awareness and understanding, but still in the early stages of internal control development. Direct action needed by SDU to provide guidance. |
| 25-50 | Evidence of implementation that is planned and in progress. Action needed by SDU to provide further guidance. |
| 50-75 | Evidence of implementation in some key areas. Further guidance may be required by the SDU. |
| 75-95 | Evidence that implementation of internal control is embedded and a good capability is established. SDU may wish to identify the best areas as examples of best practice and inform CHU. |
| 95-100 | Evidence of mature internal control system with excellent capability established. CHU will wish to use as example of best practice. |

5.2 Reporting of Internal Control System Evaluation Results

The SDU prepares a report regarding the activities carried out for establishing and developing the internal control system and the evaluation of the functioning, effectiveness and efficiency of the system. It will be appropriate to use the 'Internal Control System Evaluation Report' template contained in Annex 2 in making the assessment results into a report.

In the preparation of the aforementioned report, the "Internal Control System Questionnaire" is an important basis. The report should include, alongside information on the operation of the internal control system, the steps taken for strengthening it. Furthermore, the areas where no or insufficient controls exist, where they do not work properly, where the controls are excessive, or the plans and tables produced to address the problems identified should also be covered in the report.

The report produced is reviewed by the ICRSB, if there is one in the administration. If not, it is reviewed by a board consisting of authorising officers or their assistants assigned by them, chaired by an authorising officer or a Deputy of the Senior Manager. After eliminating any shortcomings, it is submitted by the board to the Senior Manager for approval.

The annual evaluation report approved by the Senior Manager must be sent to the CHU by the SDU by the end of the following March.

5.3 Monitoring of Internal Control System Evaluation Reports

The measures and actions to be taken and the arrangements to be made regarding the aspects identified in the Internal Control System Evaluation Report as requiring development must be set out within the framework of managerial responsibility. In certain areas, the unit managers will have to take actions in order to eliminate the gaps. Furthermore, if there are horizontal problems on which most of the units are identified to score low, actions for improvement should be initiated by the Senior Manager.

The measures and actions to be taken and the arrangements to be made must be implemented in the context of an action plan within a designated period of time. SDUs must monitor the implementation results of the aforementioned measures, actions and arrangements at least semi-annually and inform the Senior Manager about the implementation results.


5.4 Work to be carried out by SDUs concerning Internal Audit Reports

In accordance with Article 64 of Law No. 5018, reports submitted by internal auditors to the Senior Manager shall be sent to the concerned unit and the SDU, following assessment by the Senior Manager, for taking necessary action. It will be convenient for SDUs to assess the report sent by the Senior Manager in light of the following questions:

Table 2 – Evaluation of the Internal Audit Reports by the SDUs

| Question | Content |
|---|---|
| Question 1 | What information is available in the report about the effectiveness of the internal control system? For example, what information does the internal audit report include on risk management? |
| Question 2 | Are there any problems according to the internal audit report? |
| Question 3 | What are the problems in question? |
| Question 4 | What are the works to be carried out by spending units for fixing these problems? It is possible that SDUs provide spending units with guidance on actions to be taken. |
| Question 5 | What are the works to be carried out by the SDU for fixing these problems? Taking these problems into consideration, the SDU identifies measures to be taken in the Internal Control System Evaluation Report to be submitted to senior management. Identifying the training need within the framework of shortcomings related to the internal control system, the SDU can demand that new training programs be developed or the available program be revised. |
| Question 6 | Has the SDU done what is necessary for fixing these problems? It should be found out whether the SDU has done the necessary works (delivering trainings/giving recommendations) for fixing the problems. |


6 Internal and External Audits

In accordance with Law No. 5018, the audit of our financial management and control system is divided into two categories: internal audit and external audit. Internal audit is carried out by the internal auditors working in the administrations within the scope of the general government, with the exception of regulatory and supervisory institutions. External audit of the administrations under the general government, on the other hand, is carried out by the Turkish Court of Accounts.

6.1 Internal Audit

Articles 63-67 of Law No. 5018 set out the overall scope of the internal audit system, and the professional framework has been established with the secondary and tertiary legislation.

Activities and transactions of all the units of public administrations, including those abroad and in the countryside, have been undergoing internal audit in line with audit standards, within the scope of risk-based audit plans and programmes, using a systematic, consistent and well-disciplined approach.

The most distinctive difference between the current inspection boards and the internal audit designed by the aforementioned Law is that internal auditors have a limited authority, which merely enables them to notify the most senior person in the administration when they find cases requiring investigation during the course of or following the audit. Inspectors, however, have the authority to initiate investigations and directly submit reports containing the findings of the investigations to legal authorities.

6.1.1 Definition and Aim of Internal Audit

Internal audit is defined in Article 63 of Law No. 5018 as follows:

Box 2 – Article 63 of Law No. 5018

"Internal audit is an activity of providing independent and objective assurance and consultancy, performed in order to improve and add value to the activities of the public administrations by evaluating whether the resources are managed in conformity with the principles of economy, effectiveness and efficiency, and by providing guidance. Such activities are performed with a systematic, regular and disciplined approach and in accordance with generally accepted standards, aiming to evaluate and improve the efficiency of risk management and of management and control processes on the management and control structures and financial transactions of administrations."

In the above definition, "objective assurance" refers to providing sufficient assurance within and outside the organisation that an efficient internal control system exists in the organisation; that its risk management, internal control system and business processes operate efficiently; that the information produced is accurate and complete; that the assets are safeguarded; and that the activities are carried out in an efficient, economic and productive manner in line with the legislation.

Alongside the objective assurance it ensures, internal audit provides independent and impartial consultancy to assist the administrations in developing their risk management, control and management processes. Consultancy covers providing recommendations to evaluate and improve the activities and business processes of the administration, aimed at the achievement of its objectives, in a systematic and regular manner.

Internal auditors get involved neither in the arrangement or implementation of internal control systems nor in the selection of control actions.

6.1.2 Monitoring within the scope of Internal Audit

Internal auditors submit their reports directly to the Senior Manager of the public administration. Following the evaluation of the Senior Manager, these reports shall be given to the concerned units and the SDU for taking necessary action. Internal audit reports and the actions taken about them shall be sent by the head of the public administration to the Internal Audit Coordination Board within two months at the latest.

Audit results are monitored within the framework of the Public Internal Control Reporting Standards, which have been published by the Board. The corrective actions and advice recommended by the internal auditor following the internal audit activity shall be completed by the auditee within the time period indicated in the relevant report. The Senior Manager shall follow up whether the measures stated in the report have been taken or not. The Senior Manager can fulfil this duty through internal audit units (through internal auditors in administrations where there is no unit). Internal audit units (internal auditors in administrations where there is no unit) prepare a follow-up system to monitor the implementation of internal reports.

Unit directors take the necessary actions regarding the recommendations included in the audit report about the audited activities. In the event that no action could be taken, the head of the internal audit unit informs the Senior Manager.

If the recommendation or corrective measure to be taken will take a certain period of time, this shall be stated in the response to the audit report, and the relevant unit shall communicate the developments to the internal audit unit at least every six months.

Actions taken by the audited units upon the report, or the justifications for not taking actions, are sent to the internal audit unit to be submitted to the internal auditor.

6.2 External Audit

Another means that contributes to accountability is external audit. In this context, external audit has an important role in the fulfilment of the legislative body's budget right and in the effective, efficient and economic use of public resources. The Turkish Court of Accounts carries out the audit of the financial activities and transactions of public administrations in the name of the legislative body.

6.2.1 Aim of External Audit

The purpose of the ex post external audit to be performed by the Court of Accounts is to audit, within the framework of the accountability of public administrations within the scope of general government, the financial activities, decisions and transactions of management in terms of their compliance with the laws, institutional purposes, targets and plans, and to report their results to the Turkish Grand National Assembly.

6.2.2 Scope of External Audit

External audit is divided into two categories, namely regularity audit and performance audit.

Regularity audit is carried out by means of the following:

• Detecting whether revenues, expenditures and goods of public administrations and related accounts and proceedings are in compliance with the laws and the other legal regulations;

• Giving opinions about their accuracy and reliability after assessing financial reports and statements of public administrations and all those documents produced in relation to these reports and statements;

• Assessing the financial management and internal control system.

Performance audit, on the other hand, is an act of measuring activity results in light of the objectives and indicators identified by administrations within the framework of accountability.

6.2.3 Functioning of External Audit

External audit makes use of the accounts and other relevant documents of the public administration. If the TCA needs them, reports by the internal auditors can also be requested. Reports produced upon the audits are consolidated by the administrations and submitted to the Senior Manager to be responded to; finally, the external audit overall evaluation report, produced considering the external audit reports and the responses to them, is submitted to the Turkish Grand National Assembly. It is possible to make external audit results into administration-based or topic-based reports and submit them to the TGNA as individual reports.

6.2.4 Coordination between External Audit and Internal Audit

Ensuring coordination and cooperation based upon communication, common understanding and trust between external audit and internal audit is important in increasing the efficiency of both external audit and internal audit. Furthermore, such coordination and communication will ensure effective use of audit resources by preventing unnecessary repetitions of audit.

In accordance with Law No. 5018, the Court of Accounts can make use of internal audit reports within the framework of such coordination and communication. Moreover, it is expressed in internal audit standards that the head of the internal audit unit shall share available information with the other internal and external auditors and conduct his activities in coordination with these people.

7 Internal Control Assurance Declarations

The new financial management and control understanding brings forward the concepts of financial transparency and accountability. Briefing the public and judicial organ on the activities of a public administration which are carried out in order to attain the objectives and aims, and on their results, is one of the most important requirements of managerial accountability.

This way, it is ensured that those carrying out public services feel more responsible and work in an outcome-oriented way, and that beneficiaries of the public services are informed on how the taxes they pay are used and on the performance of public administrations; it is also encouraged that public audit is strengthened as well as legislative audit. To this effect, in the new financial management and control system it is provided that authorising officers⁵ prepare unit activity reports, the Ministry of Internal Affairs prepares an Assessment Report regarding the activities of local administrations and the Ministry of Finance prepares an Overall Activity Report, and it is ensured that the Court of Accounts informs the Turkish Grand National Assembly with its own assessments.

In order to deliver the concepts of financial transparency and accountability, the actors of the system, Senior Managers and authorising officers allocated with appropriations from the budget, have been commissioned to prepare internal control assurance declarations and attach these declarations to the activity reports of the administrations and those of the units.⁶

Within this framework, those who need to give an internal control assurance declaration and the type of declaration they will give are demonstrated in the following scheme:

Table 3 – Types of Internal Control Assurance Declarations

| Those who will give internal control assurance declaration | Type of internal control assurance declaration |
|---|---|
| Senior Manager | Internal Control Assurance Declaration (Senior Manager) (Annex-3A) |
| Authorising Officers | Internal Control Assurance Declaration (Authorising Officer) (Annex-3B) |
| Head of SDU | Declaration of the Head of SDU (Annex-3C) |

5 Unit activity report and internal control assurance declaration are prepared by those authorising officers to whom an appropriation is allocated in the budget.

6 Art. 8 of the Principles and Procedures regarding Internal Control and Ex-ante Financial Control; Art. 19 of the By-law on the Preparation of the Activity Reports of Public Administrations, Annex 2, 3, 4.


On the other hand, every authority signing the internal control assurance declaration should be sure that the assurance he gave is supported by evaluation reports issued by the SDU, internal and external audit reports, other external assessments and similar sound evidence. Furthermore, while filling in the internal control assurance declaration of his administration, the Senior Manager should assess the Assurance Declarations of the authorising officers and the Head of SDU, and should state in the Internal Control Assurance Declaration that the reasonable assurance these declarations gave to him formed an important basis for his own declaration.

7.1 How to complete Internal Control Assurance Declarations

Guidance on the internal control assurance declarations to be completed by the Senior Manager (Annex 3A), Authorising Officer (Annex 3B) and the Head of SDU (Annex 3C) is as follows.

7.1.1 Guidance on Internal Control Assurance Declarations for Senior Manager and Authorising Officer

The Internal Control Assurance Declaration (ICAD) is comprised of four main parts, namely Responsibility, Basis of Internal Control System and Assurance Declaration, Risk Management, and Assessment of Internal Control System (Annex 3A and Annex 3B).

In completing the two Annexes 3A and 3B, Senior Managers and Authorising Officers should observe the standard templates and complete the relevant boxes. Each box has a cross reference to where more information can be found in the main body of this chapter.

7.1.1.1 Responsibility

The Senior Manager is responsible for establishing, operating and monitoring an effective financial management and control system which will contribute to the realization of the objectives and aims of his administration. Within this framework, he is obliged to take the necessary measures in order to ensure that regulations regarding the internal control system are adopted by employees and that internal control standards are observed. The authorising officer is responsible for the compliance of spending orders with the budget principles, laws, legislation, by-laws and regulations, as well as for the economical and efficient usage of subsidies and the functioning of internal control within the framework of his duties and authorities.

As the paragraph of the ICAD regarding responsibilities is regulated within this framework, only the name of the relevant administration should be written in the part marked [administration]; other than this, no change should be made to the text.

7.1.1.2 Basis of Internal Control System and Assurance Declaration

The aim of the internal control system is to ensure the following, in order to give a reasonable assurance on the realization of the strategic objectives of the administration:

• Effective, efficient and economical management of public revenues, expenditures, assets and obligations;

• Public administrations carrying out their activities in line with the law and the other applicable regulations;

• Prevention of corruption and irregularity in every kind of financial decision and operation;

• Gaining regular, timely and reliable information and reports to make decisions and to monitor; and

• Prevention of abuse and waste of assets and protection against losses.

However, the internal control system will not give absolute assurance to the administration for the realization of the aims mentioned above, even if it is designed and operated very well, because some factors outside the influence and control of the administration can affect the capacity of the administration to attain its objectives. Therefore, we need to admit that the internal control system gives reasonable, not absolute, assurance to management for the realization of objectives.

The cost of internal control should not exceed the obtained benefit. The management has to take into consideration the control costs and their benefits while making decisions on the regulation of responses to risks and control activities. The authorising officer, in the same manner, has to take these factors into consideration while identifying and assessing the risks related to his unit.

On the other hand, while identifying weaknesses in the internal control system, correcting the faults and contributing to the development of the system, the Senior Manager/authorising officer receives support from internal and external assessments made within the framework of management information systems, evaluation reports issued by the SDU, internal and external audit reports, and internal and external assessments. Therefore, it will be appropriate that the support provided in this way be explained in the ICAD by the Senior Manager/authorising officer.

7.1.1.3 Management Information Systems

Managers need financial and non-financial information in order to detect whether the administration has attained its objectives and aims or not, and whether the accountability function has been fulfilled or not, for an effective, economical and efficient usage of resources. Therefore, best fulfilment of such requirements and timely and accurate decisions are possible if there is proper, accurate, timely and accessible information.

Therefore, the management information system in the administration should be designed in a way to produce the necessary information and reports needed by the management and to give the opportunity to make analyses.

The Senior Manager/authorising officer should briefly touch upon, in the ICAD, the management information system that is available in the administration/unit and explain what kind of contributions this system makes to the functioning of the internal control system.

7.1.1.4 Internal Audit

Responsibility for establishing an adequate and effective internal control system rests with the Senior Manager. By giving information to the management on the effectiveness, adequacy and functioning of the internal control system, and by making assessments and recommendations, internal audit takes an important part in helping senior management fulfil this responsibility.

Within this framework, during the audits carried out by internal auditors, the following are realized:

• It is detected whether the internal control system functions in a sound manner; and

• The success of the internal control system in compliance with the legislation and relevant regulations, in the accuracy of accounts and operations, in the reliability of financial system tables, and in providing an effective, economical and efficient execution of the activities, programs and projects of the administration is determined.

The Senior Manager, on the other hand, assesses the factors which are envisaged to be corrected and improved in internal audit reports and takes the necessary measures.

First of all, the Senior Manager should state in the ICAD whether his administration has an internal audit unit or not. The internal audit unit, if any, should give a brief summary of what measures they take regarding the adequacy, effectiveness and functioning of the internal control system, in line with the recommendations and assessments of internal auditors, in this part of the declaration.

The Senior Manager can make explanations in the ICAD on how action plans that have been prepared by the audited units regarding the measures to be taken by the administration as a result of internal audits are monitored, and he can also touch upon the support provided by the internal audit unit, if provided, regarding the monitoring activity in question.

The authorising officer, on the other hand, can make explanations in the ICAD on action plans prepared on the measures needed to be taken by his unit as a result of internal audit and on their implementation.

7.1.1.5 External Audit

The Senior Manager/authorising officer should include in the Internal Control Assurance Declaration a summary of the relevant findings and assessments, if the Court of Accounts has conducted an external audit, as well as of the operations carried out by the administration in response to these findings and assessments.

If an operation in relation to external audit reports of the previous years has been carried out within the year, the summary of such operation should be contained in this part of the declaration.

7.1.1.6 Strategic Development Unit (SDU)

The SDU carries out studies in such fields as establishing the internal control system and implementing and developing the standards, and submits the study results to the Senior Manager.

Although the standard and method setting duty in financial management and internal control processes is assigned to the Ministry of Finance, every kind of method, process and standard regarding special operations which is considered to be necessary is prepared by the SDU and submitted for the approval of the Senior Manager, provided that it is not opposed to Law No. 5018 and the standards set by the Ministry of Finance. Authorising officers base their activities on the relevant regulation along with the legislation.

Furthermore, the SDU prepares an annual Internal Control Evaluation Report on the functioning of the internal control system and submits it to the Senior Manager. Therefore, the Senior Manager should mention in the ICAD these regulations and Internal Control Evaluation Reports regarding the financial management and control system, prepared by the SDU and enforced following his approval.

Within this framework, the authorising officer should touch upon, in the ICAD, the guidance provided by the SDU for a sound functioning of the internal control system in the unit.

7117 Risk Management

Administrations introduce their missions and visions as well as their objectives aims and basic

policies in their strategic plans Besides preparing their strategic plans administrations analyse their

institutional strengths weaknesses threats and opportunities

With the help of such techniques as SWOT and PESTLE analyses, administrations have the chance to identify, define and assess the risks they can come across in carrying out their activities. Generally, risk is an uncertain event that may occur, together with its unfavourable outcomes and impacts. Risk is generally considered to be the threats which prevent the realization of aims and objectives; however, well managed risks pave the way to benefit from probable opportunities.

The two most important components of administrative risks are probability and impact. Therefore, while addressing risks, both the probability of a risk occurring and the impact it may create if it occurs are handled. The most important feature of the risk concept is that it is inevitable. Therefore, the administration should prefer managing risks instead of overlooking them and resorting to crisis management in case they occur. It should be emphasized that, as time and resources to manage risks are limited and it is impossible to eliminate risks, necessary control activities are conducted to keep risks at a tolerable level.

Risk perception, risk awareness and risk appetite can be different according to the organisational structure, human resources and activities of an administration. Therefore, the Senior Manager should include in ICAD the following elements, relating them to the activities and functioning of the administration (Authorising Officers should take into consideration only the parts included in their own ICADs).

7.1.1.8 Risk perception of administration

• Leadership that the Senior Manager has in the risk management process;
• How risk awareness is raised among the staff and how the staff is encouraged to practise risk management;
• Administrative risk appetite and how it is perceived by the staff;
• Whether there is a commonly agreed risk perception among the staff

should be summarized.

7.1.1.9 Capacity to cope with risks

For an effective risk management:

• How training is provided and awareness is raised among the staff;
• How the staff is guided in addressing relevant risks in relation to their duties and responsibilities, and how and when they will consult with senior management in the field of risk management;
• How risk management is internalized within the framework of overall activities of the administration/unit

should be explained.

7.1.1.10 Risk identification and assessment

What affects the activities of an administration is not merely financial risks. In relation to the activities of an administration/unit, such risks as follows can also be encountered:

• Risks with outer sources, such as political, economical, social, cultural, technological, environmental, legal and ethical risks;
• Risks with inner sources, such as assets, infrastructure, labour force and organisational structure.

Assessing the risks with outer sources can be handled within the strategic risks of an administration. Spending units should give more attention to the operational and functional risks related to their own fields of activity. Various risk categories in relation to the activities of the administration and how such risks are assessed should be briefly explained in ICAD (for example, whether risks have such definitions as risks to be eliminated, to be transferred, to be managed, to be tolerated, or not).

7.1.1.11 Addressing, controlling, monitoring and reporting risks

Responses to be given to identified risks and the method to address risks should be briefly explained. It should be emphasized whether the risk register, report on risk status, consolidated risk report and similar methodologies are functional in the administration or not.

Identifying the control environment by defining the following, and reporting after an effective monitoring, will strengthen the effectiveness of internal control:

• Impact;
• Probability;
• Responses to be given, measures to be taken;
• Ownership; and
• Type and frequency of reporting.

Taking into consideration that ICAD is a declaration, made within the framework of accountability, that the internal control system of the administration gives a reasonable assurance supported with evidence, a summary should be made within the above mentioned explanations regarding risk perception and risk management.

7.1.1.12 Assessment of Internal Control System

While preparing ICAD, an assessment related to the effectiveness of the internal control system in the activity period should be included. It is quite useful to touch upon especially the specific high risk areas and positive and negative developments regarding internal system in these areas. As such areas in question can vary according to the organisational structures and activities, it is appropriate to make the assessment according to the following headings:

• Human resources: differences regarding the key personnel of the administration/unit, differences regarding the qualities that activities necessitate, wage policy, working conditions, developments regarding underemployment, over-employment;
• Physical infrastructure and assets: developments which can influence the fundamental activities of the administration/unit in physical infrastructure and all the assets of the administration/unit;
• Information and communication infrastructure: information infrastructure, software and hardware park that the administration/unit uses, important developments regarding information systems, new or updated information systems;
• Data security: assessment of the effectiveness of controls regarding the security of strategic information of the administration/unit which has confidentiality;


• New structures and changing fields of activity: how structures that emerged in the administration/unit as a result of changes that occurred in the foundation law of the administration, or new duty and activity division among administrations, reflect in the internal control system;
• Problems encountered in main fields of activity or examples of good practice: Senior Manager/authorising officer should include in the assurance declaration the problems which are experienced because of inner and outer factors and rooted in the weaknesses of the internal control system. Besides, measures to be taken in order to overcome such problems should be summarized in the declaration. Likewise, threats eliminated with the help of an effective internal control system should be touched upon within the scope of ‘good practices’;
• Developments regarding weaknesses stated in previous years: Senior Manager/authorising officer should include in this part the measures taken and improvements experienced regarding the weaknesses and problems contained in the assurance declarations of previous years; and
• Other developments: Senior Manager/authorising officer should include in this part important developments, if any, which are not within the scope of the above mentioned headings.

Senior Manager/authorising officer may not feel comfortable touching upon the weaknesses and problems listed above in ICAD. However, it is clear that no assurance declaration which does not mention any threat, problem and weakness will be convincing and meet the requirements of transparency and accountability principles. What is important is to emphasize that controls are developed and the internal control system is strengthened for the identified problems and weaknesses.

Proceedings which are not found to be appropriate following ex-ante financial control: the authorising officer should include in this part the proceedings performed which are found to be inappropriate by financial services, if any. Supporting opinion, report and evidence of the authorising officer despite the negative opinion should be summarized to contribute to accountability [7]. If there is no such proceeding as mentioned above, then the expression “there is not such a proceeding I performed that is not found to be appropriate by SDU” should be available in the assurance declaration.

On the other hand, the Senior Manager should state, while filling in the Internal Control Assurance Declaration, that he evaluated the Assurance Declarations of Authorising Officers and the head of SDU and that reasonable assurance provided by these declarations formed an important basis for his own declaration.

In case the Senior Manager received support from support and consultation boards established officially and unofficially (ad hoc), such support should be explained in ICAD. It is possible that these boards prepare reports regarding the assessment of the internal control system, emphasizing risk strategy and risk management, to be submitted to the Senior Manager. In the case that a support/consultation unit is established similar to those which are called Consultation Board, Audit Board, Risk Board or Steering Board, and which show differences among countries/administrations in terms of composition and working style, the support received from such a Board should be summarized, which will strengthen the assurance that the declaration provides.

7.1.2 Guidance for Internal Control Assurance Declaration of Head of SDU

[7] Regulation on Principles and Procedures regarding Internal Control and Ex-Ante Financial Control – Article 28. Financial services unit keeps a record of transactions carried out by the authorising officers despite the fact that ex-ante financial control declared them inappropriate, and these records are submitted to the Senior Manager monthly. The said records are also provided to auditors during internal and external audit.


The Declaration by the Head of SDU (DHSDU) is a very important element which lays the groundwork for the assurance that the Senior Manager needs to provide regarding the internal control system in their administration (ANNEX 3C).

In completing Annex 3C, Heads of SDU should observe the standard templates and complete the relevant boxes. Each box has a cross reference to where more information can be found in the main body of this chapter.

Head of SDU is responsible for ensuring that the internal control system is implemented and monitored, and that their opinions and recommendations are reported to the Senior Manager so that the necessary actions are taken in time, in order to ensure that the activities in the administration are carried out in accordance with the financial management and control legislation and other legislation, and public resources are utilised in an efficient, effective and economic manner.

As the Field of Competence part of the DHSDU is based on this framework, this part should not be changed either, except for writing the name of the administration in the brackets (administration).

Furthermore, if the declaration is supported by the explanations under the following headings, it will be the basis for the reasonable assurance that the Senior Manager has to provide to the public opinion.

7.1.2.1 Management Information Systems

The Head of SDU financial and non-financial information is needed to identify whether the aims and objectives of the administration are reached, resources are used effectively and economically, and accountability purposes are met. Meeting these requirements and ensuring timely and right decision making by the administration’s management is only possible with the existence of proper, accurate, timely, up-to-date and accessible information.

Therefore, the management information system within the administration must be designed in a manner to produce the information and reports needed by the management and provide them with the chance to make analysis.

The Head of SDU should include in the declaration the explanations that the activities in the administration have been carried out in compliance with the legislation and in line with the budgets prepared according to the strategic plan and annual performance programmes, and provide supportive evidence. They should explain the contribution made by the management information systems utilised in the administration to the legality of the activities.

7.1.2.2 Development of Internal Control System

SDUs are responsible for the establishment of internal control systems in the administrations and carry out studies regarding the implementation and development of the standards. Head of SDU should mention the studies carried out to ensure that the internal control system of the administration is harmonised with the Public Internal Control standards, and briefly describe the process for the design of job descriptions, formation of business processes, and preparation and implementation of action plans in this part of the declaration.

7.1.2.3 Monitoring and Review

Head of SDU should include the supportive evidence regarding the ex-ante financial control activities carried out in line with the legislation and approval from the Senior Manager, and the monitoring of the due process control. In addition, it should be suggested that the transactions carried out by the authorising officers despite the negative opinion upon ex-ante financial control are recorded and submitted to the Senior Manager on a monthly basis for information purposes.

On the other hand, it should be stated that financial decisions and transactions to be subject to the ex-ante financial control by the SDU are grouped according to their type, cost and subject, considering the risky areas, and reviewed at least once a year.

Among the duties of SDU are establishing performance and quality criteria in issues within the duty field of the administration; collecting, analysing and interpreting the data and information on the management of the administration, improvement of the services and performance in issues within the duty field of the administration; analysing the external factors which will affect services; conducting capacity research within the institution; analysing the effectiveness of the services and the level of satisfaction with these services; and doing general research in that sense.

In this context, the Head of SDU should include in the declaration the studies carried out to increase the quality of the services provided by the administration, the studies for analysing the external factors which will affect services, the capacity research within the institution to analyse the effectiveness of the services, and the conclusions of these evaluations.

In this part of the declaration, Head of SDU should provide explanations about the arrangements prepared by their unit and put into effect upon the approval from the Senior Manager.

Finally, the studies regarding the establishment of the internal control system in the administration, the implementation and development of the standards, and the process where the financial management and control system of the organisation is reviewed on an annual basis and reported to the Senior Manager should be described.

7.1.2.4 Briefing and Advising

Providing necessary information and consultancy to the Senior Manager and Authorising Officers regarding the implementation of financial laws and other related legislation is also among the duties of SDUs.

In this part of the DHSDU, it should be underlined that coordination has been ensured while working with the spending units regarding the establishment of the internal control system and the implementation and development of the standards. A brief explanation that information and consultancy to the Senior Manager and Authorising Officers has been provided regarding the implementation of financial laws and other related legislation should be included.

7.1.2.5 Financial Information

The Heads of SDU should themselves be convinced that the information included in the section IIIA-Financial Information of the Activity Report is reliable, complete and accurate, depending on the supportive evidence.


MONITORING ANNEXES

Annex 1 Internal Control System Question Form

INTERNAL CONTROL SYSTEM QUESTION FORM

This questionnaire is designed for the public administrations to see whether the internal control system complies with the internal control standards. Furthermore, it will provide the opportunity to identify to what extent the internal control system facilitates the achievement of risks considering the changing conditions, resources and risks. It is of crucial importance that those responding to this questionnaire give factual answers to the questions, as the questionnaire will be used to identify the level of advancement of the internal control system in the administration.

Heads of units are responsible for making an in-depth assessment about the functioning of internal control in their respective units and completing the internal control questionnaire. Within this framework, the questionnaires completed by heads of units under the guidance of SDUs are sent back to SDUs to be consolidated and formed into an overall evaluation report for the entire administration. SDUs submit the report produced using these questionnaires to the CHU following the approval by the Senior Manager.

Completing the questionnaire

This questionnaire is made up of five parts, each of which is based on the components of Internal Control:

• Control Environment;
• Risk Assessment;
• Control Activities;
• Information and Communication; and
• Monitoring.

Each part includes questions regarding the functioning of the internal control system in the context of the aforementioned components. Attention should be paid that responses to the questionnaire are consistent with the administration action plans produced to achieve compliance with the Public Internal Control Standards.

Spending units are obliged to respond to the questions about Risk Assessment, Control Activities, and Information and Communication. Responding to the questions about Control Environment and Monitoring is at the spending unit’s discretion.

The response part is made up of three options: YES, NO and IN DEVELOPMENT. There is also a fourth column titled EXPLANATION. YES means that the issues included in the question are properly understood and implemented within the administration/unit. NO means that the issues included in the question are not understood or implemented within the unit/overall administration. IN DEVELOPMENT means that the issues included in the question are partially understood or implemented in the unit/some divisions of the administration. In the explanations part, evidence and recommendations should be written, if any. Guidance is given following the questions with a view to helping better understand the questions.

The questionnaire will be evaluated by means of scores assigned to answers to each question. The answer “Yes” will correspond to score “2”, while the answer “In Development” to score “1” and the answer “No” to score “0”. For each chapter of the questionnaire there will be a total score calculated. Besides, there will be a total score for the whole questionnaire.

If the answer “No” is given in response to a question, steps should be taken to improve the relevant areas by the Head of Unit/Senior Manager.

If the answer “In Development” is given in response to a question, the head of unit/Senior Manager should assess what can be done to achieve progress in the relevant area.


If the answer “Yes” is given in response to a question, then it means that there is no factor in that area which needs improvement.

Taking into consideration that this questionnaire is a kind of self-assessment and the internal control system is a new practice for administrations, please give realistic and reliable answers.

In the event that you have some hesitations in completing the questionnaire, please refer to the SDU.

No | Questions | Yes [8] | No | In Development [9] | Explanation
Points | | 2 | 0 | 1 |

1. Are the public internal control standards well known in your administration?

It will be convenient to deliver trainings and hold meetings with a view to raising awareness in this subject.

CONTROL ENVIRONMENT

CONTROL ENVIRONMENT: Control environment provides a general framework that is the basis for the other components of the internal control system, and it is a concept used to describe the setting out of the goals and objectives of the administration, their communication to the staff and the creation of a due organisational structure and culture. Great influence on the control environment is exerted by personal and professional integrity, ethical values of the employees and the management, supportive attitude towards internal control, written procedures and the practices for human resources management, organisational structure, management philosophy and the operating style.

2. Are there mechanisms in your administration that ensure familiarization of all employees with the code of ethics?

For example, are trainings provided or meetings organised to adapt the public code of ethics to your administration and to adopt them? Are leaflets produced in this regard?

3. Are there any codes of conduct/ethics available, in addition to public codes of ethics, produced for your administration?

4. Has any standard been developed in your administration in terms of duration and method for services directly delivered to citizens?

[8] If the response is “Yes”, evidence (details of the activities carried out, etc.) must be provided in the “Explanations” column.

[9] If the response is “In Development”, necessary information (details of the activities carried out, etc.) must be provided in the “Explanations” column.


5. Is it ensured that authorised bodies and staff have access to outputs related to all the works and transactions?

6. Are there mechanisms available in your administration for staff and the other people who are delivered service by the administration to submit their recommendations, assessments and questions (questionnaires, face-to-face meetings, group meetings, electronic applications, etc.)?

It is recommended that questionnaires to be developed be based upon the principle of confidentiality.

7. Is your administration’s mission written down and announced?

Mission can be announced to the staff via bulletin boards, intranet or e-mail.

Production of a strategic plan indicates that the mission has been set out.

8. Are there any directives, circulars or approvals in your administration regarding job descriptions of units, sub-units and staff?

Job descriptions for the units and sub-units as well as for staff must be written down and announced in order to ensure that your administration’s mission is being carried out.

If the response is “No”, when this is going to be done must be stated.

9. Does the organisational chart of your administration demonstrate key areas of authority and responsibility, reporting lines which are appropriate to accountability, and coordination and integration points?

If the response is “Yes”, roles and responsibilities regarding each objective must be set out clearly.

Organisational chart for units must be produced.


10. Have procedures regarding sensitive tasks been set out in your administration?

It is recommended that procedures in question be defined in writing and announced to staff, and that rotation policy regarding sensitive duties be set out.

For detailed information on sensitive duties, refer to the Control Environment Chapter of the Manual.

11. Are mechanisms available in your administration to enable managers from each level to monitor the results of tasks assigned?

If the response is “Yes”, these mechanisms (reports, work plans, regular meetings, automation programs, etc.) must be stated.

12. Have the competence, skill and knowledge each task entails been identified in your administration?

In answering this question, it must be assessed whether the factors mentioned above are taken into consideration or not while recruiting staff.

13. Have promotion procedures been defined in writing in your administration?

Factors mentioned above must be defined taking into consideration staff performance, and these factors must be announced to staff.

14. In your administration, is there a unit responsible for trainings which identifies training needs for each task identified and ensures that training activities to satisfy the needs are planned and carried out each year?

15. Do managers of your administration share results of assessments they make on staff competence and performance with the staff?

It is recommended that the Senior Managers share the results of the assessments with the staff.

16. Is action taken to increase the performance of the staff whose performance is deemed unsatisfactory upon the performance assessment?

For example, is any action taken, such as providing private training for that person, discussing the areas where their performance is deemed unsatisfactory, or assigning them under the supervision of more experienced staff?

17. Are there rewarding mechanisms in your administration geared towards those staff who give a high performance, and are these mechanisms applied?

It is recommended that rewarding mechanisms be developed for staff who give a high performance (picking employee of the month, abroad assignments, etc.) and that these criteria be announced to all the staff.

18. Have procedures regarding human resources (staff employment, replacement, promotion, training, performance appraisal, personal rights, etc.) been documented?

If so, examples must be provided. Procedures mentioned above must also be announced to staff.

19. Are the bodies of signature and approval set out in the flowcharts?

If the response is “No”, it is recommended that these business flow processes are defined, and that bodies of signature and approval are identified and communicated.

20. In your administration, have delegations been defined in writing?

Delegations must include the information on its scope, quantity and duration, and whether the authority delegated can be delegated to another person.

Furthermore, striking a balance between authority and responsibility should be paid attention in delegation of power.

21. Have minimum requirements (knowledge, skill and experience) been identified in your administration for staff to be delegated authority?

Please explain how you define these knowledge, skills and experience and how you ensure that the person to whom the authority is delegated has them.

22. Does the employee who receives the authority report information to the delegator on a certain basis about the utilisation of the authority?

Reporting period must be proportionate to the duration of the delegation.

TOTAL POINTS - CONTROL ENVIRONMENT

RISK ASSESSMENT

RISK ASSESSMENT: Risk assessment is the process where the risks that might prevent the achievement of the administration’s objectives are defined and analysed, and necessary actions are taken. In this section, the risk perception and risk handling capacity of the administration must be self-assessed using the following questions.

1. Have methodologies and responsibilities as well as reporting procedures for monitoring and assessing the performance given in achievement of objectives been identified in strategic plans?

If the answer is “Yes”, how monitoring and assessment processes work in practice must be explained briefly.

2. Have the strategic plan and performance programs been taken into consideration in budget preparations?

The activities and projects carried out to reach the aims and objectives set out in the strategic plan, the indicators to be followed and the resource needs for these activities and projects must be shown in the performance programmes. Therefore, these strategic plans and performance programmes must be taken into consideration during the budget preparations for the administrations.

3. Do activities carried out in your administration/unit comply with the aims and objectives set out in the strategic plans and performance programmes?

Administrations must focus on the aims and objectives set out in the strategic plans and performance programmes for effective, efficient and economic use of resources.

4. While setting out the objectives of your administration and units, has it been ensured that they are SMART?

5. Have your units set out, within their area of competency, specific objectives in accordance with the objectives of the administration?

Responses to this question by the units that are unable to set out specific objectives (such as support services) must be considered during the evaluation.

Furthermore, specific objectives that have been set out must be announced to staff.

6. Does your administration have a risk strategy and policy document which is approved by the Senior Manager and accessible to all the staff?

Administration’s risk strategy must be reviewed at least once every year and updated when deemed necessary.

7. Are contributions from employees received in the risk management process?

Employees feeling a sense of ownership for risk management (identifying, handling, responding to, reviewing and monitoring risks) and regarding risk management as a part of their work will produce a strong corporate reflex against risks.

If the answer to this question is “Yes”, please explain how you ensure this contribution.

8. Is risk management, which covers identifying, assessing, responding to and reviewing risks for your objectives and aims, implemented in your administration?

While identifying the risks on the achievement of aims and objectives, a methodology and a certain process must be adopted, and it must definitely be documented (risk register, risk progress report, consolidated risk report and so on).

Measures to mitigate risks taken by the administrations must be applied within the framework of action plans.

9. Are annual Internal Control Evaluation Reports prepared in your administration about how effectively the risk management process works in your administration?

These reports must cover information about what has been done throughout the year to mitigate risks.

TOTAL POINTS - RISK ASSESSMENT

CONTROL ACTIVITIES

CONTROL ACTIVITIES: Control activities are the policies and procedures produced to ensure that the administration’s aims and objectives are achieved and the risks identified are managed.

1. In your administration, are efficient control strategies and methods set out and practised for each activity and risk?

Defined controls must comply with the risks; different control methods must be applied for different types of risks.

Control strategies and methods must be set out and applied in the form of periodical reviews, control by sampling, comparison, approval, reporting, coordination, confirmation, analysis, authorisation, supervision, review, monitoring, periodical check and security of assets, etc.

The controls within the administration must also cover ex-ante, process and ex-post controls where necessary.

2. Is cost-effectiveness analysis made in your administration in identifying control activities?

The expected benefit and the cost of the set out control activity must be compared; controls with costs exceeding the benefits must be identified and less costly alternative controls must be selected.

3. Are there written procedures regarding your administration’s activities, financial decisions and transactions?

There must be written procedures regarding your administration’s activities, financial decisions and transactions. These procedures and relevant documents must cover the initiation, implementation and conclusion phases of the activity, financial decision or transaction.

Procedures and relevant documents must be up-to-date, comprehensive, in compliance with the legislation, and understandable by and accessible to the relevant staff.

4. Do managers of your administration carry out necessary controls for effective and continuous implementation of procedures?

Activities and transactions of the administration must be carried out in accordance with the regulations developed in this area. Managers must systematically check whether these regulations are complied with or not (in this regard, such control processes as initials, assent, control lists and physical counts can be defined). Within this framework, managers should monitor whether works carried out by staff are in compliance with the regulations or not.

Manager instructions must be produced about how to remedy faults and irregularities detected.

5. Is the principle 'segregation of duties' practised in your administration?

The tasks of approving, implementing, recording and controlling each activity or financial decision must be carried out by different people, and that the principle of segregation of duties is complied with must be supported by written documents.

Where segregation of duties is not possible due to an insufficient number of staff, the managers must be aware of the risks and take necessary precautions. In such cases, other control procedures must be established to manage the risk.

6. Are necessary measures taken against the factors that affect the continuity of operation in your administration?

Necessary measures must be taken against the factors that affect the continuity of operation, such as insufficient number of staff, temporary or permanent leaves, adoption of new information systems, changes to the methods or the legislation, and emergencies.

If the response is "Yes", efficient written procedures, trainings, guidance and planning can be provided as evidence.

7. Is the system of deputation applied efficiently in your administration?

Where necessary, deputies must be assigned in accordance with the relevant procedures. The person assigned as a deputy must have the necessary qualifications. Detailed internal arrangements must be carried out regarding the deputation procedures included in the personnel laws, and the qualification required from the deputies must be defined in detail.

8. Do the staff leaving their positions report to their successors about the status of works and transactions they have conducted?

Managers must ensure that the staff leaving their positions prepare a report on the status of the task and the operations, along with the necessary documents, and submit it to their recently assigned successors. The report must include the list of the important tasks being carried out, the risks to be considered as priority, list of periodic tasks and so on.

9. Are there defined authorisations for data and information input and access to the information system in the administration?

Information system must only be accessible to authorised staff. To this end, regularly updated information security software must be used for access to the computer programmes. Arrangements regarding the designated level of security must be complied with while working on documents.

10. Are there sufficient back-up mechanisms and tested disaster recovery plans/action plans for the information system?

TOTAL POINTS - CONTROL ACTIVITIES

INFORMATION AND COMMUNICATION

Information and communication includes a proper system of information, communication and registry that ensures necessary information is communicated to the person, employee or manager who needs it in a certain format and in a timely manner, that the objectives are reached, and that enables the relevant people to fulfil their internal control responsibilities.

1. In your administration, is there an efficient written, electronic or verbal internal communication system that covers both horizontal and vertical communication?

The response to this question should include the means/methods (in person, via telephone, e-mail, in writing, etc.) the staff use to communicate with each other or their managers and the consideration on whether these are appropriate and/or efficient.

In order for the employees to receive the information they need to carry out their work uninterruptedly, it must be ensured that they are in touch with managers from all levels, including top management.

2. Is there an external communication system to ensure efficient communication with external stakeholders?

This system monitors communication and checks whether the questions can be answered or not.

3. Do the present internal and external communication systems ensure that the staff or external stakeholders can communicate their expectations, recommendations and complaints?

For example, whether the Law no 4982 on Right to Information is efficiently executed within the administration and whether requests and complaints are responded to in time should be considered.

4. Is it ensured that all the information and documents regarding the activities of your administration are accurate, complete, reliable, useful and understandable?

Information systems must ensure timely access to the accurate, complete, reliable and understandable information required while carrying out the operations.

The response to this question must include a statement whether mechanisms (decision support systems, archive and document management systems, etc.) for ensuring the aforementioned principles exist.

5. Do the present information systems ensure that the objectives set by the administration are monitored and activities regarding these objectives are efficiently supervised and assessed?

Management Information System must be designed in a way that it produces the information and reports that the managers need during decision making processes and provides them with the chance to make analysis.

6. Are there reporting mechanisms with rules and standards set out in line with the monitoring of objectives, supervision of activities and accountability purposes?

The performance programmes, published financial progress reports that include the expectations and objectives, and the content of the activity reports must be in line with the requirements of the relevant legislation.

7. Is there a documentation and archiving system that complies with certain standards for the record, classification, protection of and access to the operations and transactions of the administration?

While responding to this question, Standard 15 of Public Internal Control Standards and the legislation on archiving and documentation must be considered.

8. Are there available tools to report, from inside and outside the administration, faults, irregularities and possible or ongoing problems?

Employees and external stakeholders must be informed enough about these tools. There must be a whistle-blowing process and a procedure for protecting personnel, and they must be informed about these.

Managers must take necessary actions to prevent discrimination and ill treatment against whistle-blowers.

TOTAL POINTS - INFORMATION AND COMMUNICATION

MONITORING

Internal control system is a dynamic process where the administration has to continuously adapt to the risks and changes it faces. Therefore, the internal control system needs to be monitored in order to ensure that it adapts to the changing objectives, environment, resources and risks as necessary. The basis for an effective and efficient monitoring is the design and implementation of monitoring procedures that are relevant to the administration's objectives and that assess the important controls regarding meaningful risks.

When monitoring is designed and implemented properly, it provides correct and convincing information on the efficiency of the internal control system, identifies internal control failures on time and notifies the people responsible for taking action and the top management where necessary. This will ensure that the problems faced are corrected before they harm the objectives of the administration. Monitoring is carried out by the management and internal and external audit.

1. Is the internal control system monitored and assessed at least once a year?

Please explain at what intervals the internal control system in your administration is assessed and the methods used.

Internal control system must be assessed via ongoing evaluations or separate evaluations. It is recommended that these two methods are applied at the same time. (Separate evaluation of the internal control system can be carried out by setting up working groups or via questionnaires.)

2. Are processes and methods set out in your administration to identify and disclose the shortcomings of internal control and improper control methods and to take the necessary actions?

If the response is "Yes", please briefly mention the process and method adopted in your administration. It is recommended that the processes and methods are put into practice upon the approval by the Senior Manager. Please give brief information on the responsible staff notified in the event of an incomplete or improper control method, the time limit set for taking action and how these procedures are monitored. Management fulfils this responsibility via SDUs and internal auditors.

3. Are trainings, plenary sessions and meetings held which will create the atmosphere in which managers will be provided with feedback about whether internal control functions effectively or not?

4. Are the units of the administration involved in the evaluation of internal control?

If the answer is "Yes", please explain how participation is ensured. It must be ensured that units take active part in the process, and the task of evaluating internal control system must not be perceived as the responsibility of only the Senior Manager, internal auditor and SDU.

5. Is there an internal audit unit/internal auditor in your administration?

6. Is there efficient cooperation among internal audit unit, management and staff?

What has been done to increase the level of awareness of the manager and the staff on internal audit activities? What has been done to see the relations with the internal audit unit and the expectations? Please explain briefly.

7. While evaluating internal control, are the opinions of the managers, requests and complaints by people/organisations and the reports produced upon internal and external audit taken into consideration?

The method to adopt for the collection, assessment and reporting of the information required for the evaluation of internal control must be set out. Please refer to the staff responsible for assessing the internal and external audit findings and recommendations for the evaluation of internal control, the time limits for these assessments and the management level to which this information is communicated.

Compare the internal and external audit reports with the results of the internal control system evaluation by the SDU for consistency. In the event that any inconsistency is identified, the reasons for this must be questioned.

8. Are recommendations from internal audit and SDU about how to improve internal control taken into consideration by management?

9. Are action plan(s) covering internal control evaluation results and recommendations made upon internal and external audit produced and implemented? Are they followed up?

If the timing is appropriate, action plans can be combined. Please give brief information on the staff responsible for following up the action plans and the method used. Furthermore, please provide information on the method used for the follow-up of internal audit reports, if there is any. With which level of management are the results of the follow-up shared and how often? Please explain.

TOTAL POINTS - MONITORING

GRAND TOTAL

Annex 2 Internal Control System Evaluation Report

……………(NAME OF ADMINISTRATION)

INTERNAL CONTROL SYSTEM EVALUATION REPORT

I INTRODUCTION

11 Mission

12 Aims and Objectives

13 Organisational Structure

II INTERNAL CONTROL QUESTIONNAIRE RESULTS

II1 Consolidated Summary on strengths and aspects open to improvement regarding the entire organisation, relevant to each COSO component

- Control Environment

- Risk Management

- Control Activities

- Information and Communication and

- Monitoring

III OTHER INFORMATION

III1 Internal Audit Reports

III2 External Audit Reports

III3 Other Information Sources

III31 Budget Information

III32 Data on Ex-ante Financial Control

III33 Requests by Individuals and/or Administrations

III34 Other Information

IV CHANGE SINCE THE LAST REPORT

IV1 For each COSO component, has the position got better or worse, and why?

V CONCLUSION

V1 Strengths

V2 Aspects Open to Improvement

V3 Recommendations for action

Annex 3a Internal Control Assurance Declarations Senior Manager

I RESPONSIBILITY

As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of [the administration]. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.

II PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION

I declare that my administration's budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements; resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.

In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration's revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; my administration operates in line with the laws and other regulations; irregularities and fraud are prevented in each financial decision and transaction; regular, timely and reliable reports and information are acquired for decision making and monitoring; assets are safeguarded against abuse, waste and losses.

This assurance is based on my knowledge and considerations as the Senior Manager, management information systems, internal and external evaluations carried out within the context of quality assurance development programme, studies of the SDU, internal and external audit reports (if available).

In the following part, the Senior Manager must explain the support by the management information systems, internal and external evaluations within the framework of the quality assurance development programme, internal and external audit and SDU.

Management Information Systems

Please read section no 6113 before completing this part

Internal Audit

Please read section no 6114 before completing this part

External Audit

Please read section no 6115 before completing this part

SDU

Please read section no 6116 before completing this part

III RISK MANAGEMENT [10]

As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration and production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, creation of the necessary organisational capacity and embedding risk management into the general activities is valued.

In the following part, the authorising officer should address the risk perception of the administration and its capacity to deal with risk.

Risk perception of the administration should summarise

Please read section no 6117 and 6118 before completing this part

Capacity to handle risk

Please read section no 6119 before completing this part

My administration faces a wide range of risks during the course of its activities. These risks are considered in accordance with the principle that the cost of the internal controls to be developed with control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted in levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.

In the following part, the Senior Manager should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration's risks.

Identification and assessment of the risks

Please read section no 61110 before completing this part

Addressing, control environment, monitoring and reporting of the risks

Please read section no 61111 before completing this part

IV APPRAISAL OF THE INTERNAL CONTROL SYSTEM

As the Senior Manager, during the preparation of the foregoing declaration, I also considered the assurance declarations by the Authorising Officers and Head of SDU. The information and evaluations I have received from these declarations form an important basis regarding the assurance I have to provide on the internal control system in my administration.

[10] This part must be completed when risk management process starts to function in the administration

Furthermore, [advisory, audit, risk steering] boards/committees have been set up within [the administration] to provide support and guidance for the evaluation of the internal control system in terms of particularly risk strategy and management. Reports prepared by these boards have made a great contribution to the evaluation on the internal control system.

Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term and how these developments have been handled are summarised below.

Please read section no 61112 before completing these parts

Human Resources

Physical infrastructure and assets

IT and communication infrastructure

Data security

New structures and changing fields of activity

Problems faced in the main fields of activity or examples of best practice

Developments regarding weaknesses stated in previous years

Other developments

(Date)

Signature

Name

Title

Annex 3B Internal Control Assurance Declaration Authorising Officer

INTERNAL CONTROL ASSURANCE DECLARATION [11]

I RESPONSIBILITY

As the authorising officer, within my field of competence, I am responsible to ensure that my expenditure orders are in line with the fundamentals and principles of the budget, the laws, rules and regulations and other legislation; the appropriations are utilised in an efficient, effective and economic manner; and that the internal control operates properly.

II PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION

I declare that the operations and transactions carried out by my spending unit comply with the aims and objectives of the administration, high financial management principles, control arrangements and the legislation; resources allocated with the administration budget to the spending unit have been utilised in line with the planned objectives; and the internal control system within my unit provides the sufficient and reasonable assurance.

This declaration of assurance is based on my own information and evaluations as the authorising officer and on the management information systems, internal and external evaluations carried out within the context of the quality assurance development programmes, studies by the SDU, internal and external audit reports.

In the following part, the support provided by the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programmes, studies by the SDU should be elaborated by the authorising officer.

Management Information Systems

Please read section no 6113 before completing this part

Internal Audit

Please read section no 6114 before completing this part

External Audit

Please read section no 6115 before completing this part

SDU

Please read section no 6116 before completing this part

[11] Please read section no 611 before completing this part

III RISK MANAGEMENT [12]

Within the framework of the overall risk perception, strategy and awareness of the administration, the capacity to handle risk has been determined for the activities specific to my unit and the necessary importance has been attached to embedding risk management in its activities.

In the following part, the authorising officer should address the capacity to handle risk.

Capacity to handle risk

Please read section no 6119 before completing this part

My spending unit faces various risks during the course of its activities. These risks are considered in line with the principle where the cost of internal controls to be developed does not exceed the benefit planned to be gained from them. A systematic approach has been adopted in the spending unit for the identification, addressing, assessment, monitoring and reporting of the risks faced.

In the following part, the authorising officer should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration's risks.

Identification and assessment of the risks

Please read section no 61110 before completing this part

Addressing, control environment, monitoring and reporting of the risks

Please read section no 61111 before completing this part

IV EVALUATION OF THE INTERNAL CONTROL SYSTEM

The following is the summary of the most significant developments experienced in the

activities of my unit within the period covered by the foregoing report and how these

developments have been addressed by the internal control system

Please read section no 61112 before completing these parts

Human Resources

IT and communication infrastructure

Data security

[12] This part must be completed when risk management process starts to function in the administration

New structures and changing fields of activity

Problems faced in the main fields of activity or examples of best practice

Developments regarding weaknesses stated in previous years

Other developments

As the authorising officer, I hereby declare that we have also carried out some transactions overriding the opinion of the SDU. Information and justifications for these transactions are as follows:

There is no such a work I carried out that is not found to be appropriate by SDU

(In this part transactions, if any, carried out by the authorising officers despite the negative opinion provided upon the ex-ante financial control. If there is no such a work as mentioned above, then expression "there is no such a work I carried out that is not found to be appropriate by SDU" should be included.)

(Date)

Signature

Name

Title

Annex 3b Internal Control Assurance Declaration Head Of SDU

INTERNAL CONTROL ASSURANCE DECLARATION

As the Head of SDU, I declare that the internal control system has been implemented, monitored, and my opinions and recommendations have been reported to the Senior Manager to take the necessary actions in time, in order to ensure that the activities in [the administration] are carried out in accordance with the financial management and control legislation and other legislation, and public resources are utilised in an efficient, effective and economic manner.

Please read section no 612 before completing this part

In the following part, the studies should be explained regarding the management information systems, development of internal control system, monitoring and review, and briefing and advising by the Head of SDU.

Management Information Systems

Please read section no 6121 before completing this part

Development of Internal Control System

Please read section no 6122 before completing this part

Monitoring and Review

Please read section no 6123 before completing this part

Briefing and Advising

Please read section no 6124 before completing this part

Financial Information

Please read section no 6125 before completing this part

I confirm that the information included in the section IIIA-Financial Information of the Activity Report (year) is reliable, complete and accurate.

(Date)

Signature

Annex 4 Example Of A Complete Declaration

INTERNAL CONTROL ASSURANCE DECLARATION

(SENIOR MANAGER)

Name-Surname

Title

I RESPONSIBILITY

As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of the Ministry of Space Exploration. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.

II AIMS AND PILLARS OF INTERNAL CONTROL SYSTEM

I declare that my administration's budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements; resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.

In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration's revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; my administration operates in line with the laws and other regulations; irregularities and fraud are prevented in each financial decision and transaction; regular, timely and reliable reports and information are acquired for decision making and monitoring; assets are safeguarded against abuse, waste and losses.

This assurance is based on my knowledge and considerations as the Senior Manager, management information systems, internal and external evaluations carried out within the context of quality assurance development programme, studies of the SDU, internal and external audit reports (if available).

Management Information Systems

Management information systems have been established in all General Directorates in order to provide information for managers that enables effective decisions to be made and for information on changing risks to be monitored in our Ministry. However, not all of our legacy IT systems have been fully assessed for security risks. As part of the measures being taken to strengthen data security governance, we will ensure that the IT systems supporting our most time critical business processes are reviewed to establish a known risk position by December 2010. We will carry out a review of our remaining systems during 2011.

Internal and External Evaluations Carried Out Within The Context Of Quality Assurance Development Programme

Presidency of Strategy Development has carried out one internal evaluation of the effectiveness of internal control within the context of the quality assurance and development programme. The main findings of this evaluation are:

- That compliance with internal control standards was good in terms of effective control activities in order to minimise risk
- Internal Control and Risk Steering Board has been set up within the Ministry to contribute to the evaluation of the internal control system
- Unit managers needed to develop their skills regarding ongoing monitoring of internal control systems

Based on the evaluation findings, the Ministry has produced an action plan which is planned to be put into practice as of June 2010.

There were no external evaluations carried out within the context of the quality assurance and development programme, but the CHU has declared that this is scheduled for 2013.

Internal Audit

Our Ministry's Internal Audit Unit continues to operate within the framework of a three-year audit plan. Internal Audit operated to requirements defined in the Public Internal Audit Standards. Their audit programme was focused around the Ministry's key risks of internal control together with recommendations for improvement. The Director of Internal Audit Unit provided me with an annual Internal Control Evaluation Report which contained an independent opinion on the adequacy and effectiveness of internal control. The conclusion of the Director of Internal Audit Unit was that the following aspects of internal control should be improved:

- Awareness of the Deputy Undersecretaries and General Directors on internal control responsibilities and risk management
- Improvement of the present arrangements regarding promotion, assignment and appointment system to make it transparent and competence based
- Improvement of communication between the central and provincial organisations of our ministry
- Review of management information systems to update old systems
- Improvement of allowances and supplementary payments for personnel going to space

It has been decided that a working group consisting of managers from the SDU, General Directorate of Personnel and other relevant units is to put these recommendations into an action plan.

External Audit

The TCA has approved the annual accounts of the Ministry

SDU

An evaluation on the internal control system has been carried out with the full participation from the SDU, Spending Unit managers and the staff, and a report has been produced and submitted to the CHU on 30th March 2010. The main findings of the review are listed above under the heading "Internal and External Evaluations Carried Out Within the Context of Quality Assurance Development Programme" in this document. SDU staff also underwent training in risk management during this year.

III RISK MANAGEMENT

As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration and production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, creation of the necessary organisational capacity and embedding risk management into the general activities is valued.

The SDU took the lead in embedding risk management in the organisation by reviewing and updating the key corporate external and internal risks facing the Ministry each month. The SDU also began an exercise to identify long term risks that may pose a significant threat to the Ministry in the future. These risks were recorded on a long term risk register and the intention is that they will be reviewed every six months. Should the threat increase, then these risks will either be escalated to my part for appropriate action to be taken.

The Internal Control and Risk Steering Board also endorsed an action plan to further embed good risk management practice within the Ministry's processes and systems and to support innovation through well managed risk taking. Work to establish this position will continue and focus on those areas identified as still most in need of improvement. This will include giving further consideration to risk appetite, where the focus will be on practical examples of how it can be applied in practice, thus making it easier to communicate its awareness among staff.

Guidance was available to all staff on risk management through the risk management intranet site. In addition to a risk management policy, specific guidance was available on undertaking risk self assessment, which includes guidance on applying risk management as an integral part of the Ministry's business planning process. Risk management workshops were available to all staff and practical guidance on its application had been incorporated into a wide range of training courses. These courses covered all ranges of staff and were tailored to be appropriate to their authority and duties.

My administration faces a wide range of risks while carrying out its activities. These risks are assessed in accordance with the principle that the cost of the internal controls to be developed for control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted in levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.

The risk management framework for our Ministry operated through the initial identification of risks, as part of the business planning process, which threatened achievement of the Ministry's objectives. These risks were then evaluated in terms of impact and probability. This process established the level of residual risk to which the Ministry was exposed and which was monitored over time as part of performance management. Ownership for each risk was assigned to a named individual. Reasonable assurance that risk mitigation activities were appropriate was obtained through regular management reviews and internal audits of the key activities undertaken in the Ministry.

In order to further embed best practice in risk handling and to ensure a consistent interpretation of the acceptable extent of residual risk, our Ministry will review its risk appetite and communicate it more effectively across the organisation.

IV APPRAISAL OF THE INTERNAL CONTROL SYSTEM

As the Senior Manager, during the preparation of the foregoing declaration, I also considered the assurance declarations by the Authorising Officers and Head of SDU. The information and evaluations I have received from these declarations form an important basis for the assurance I have to provide on the internal control system in my administration.

Furthermore, an Internal Control and Risk Steering Board has been set up within the Ministry of Space Research to provide support and guidance for the evaluation of the internal control system, particularly in terms of risk strategy and management. Reports prepared by this Board have made a great contribution to the evaluation of the internal control system.

Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term and how these developments have been handled are summarised below.

In our investment programmes, the underspend reported last year in the spacecraft development programme has been managed. There is now less than 2 slippage in that programme. Underspends have arisen this year in other areas, for example:

The satellite programme: TL 121 m. Internal Audit Unit has reviewed the Investment Budget management and an action plan is being developed to address the audit findings.

Astronauts training programme: TL 113m, due to slower than expected take-up. Processes will be streamlined to reduce barriers and it is expected the budget will be fully used in the next year.

Renovation of launching stations programme: TL 16m, arising mainly from slippage in international cooperation projects affecting the expected refurbishment programme, together with some incorrect historical data for tracking capital allocation. New systems will prevent the reoccurrence of this problem.

Whilst recognising the above summarised issues, good progress has been made in resolving them and there are plans in place to further enhance the internal control system and improve practice. As Senior Manager, I provide reasonable assurance that the above issues do not represent a material threat to operational effectiveness and that our Ministry complies with the public internal control standards on risk management, internal control and governance.

(Date)

Signature

Name

Title


GLOSSARY

CONCEPT DEFINITION

Explicit information: is the information which can be created, expressed, obtained and transferred in accordance with a specific system.

Aim: is the concept which refers to the objectives contained in the strategic plan that administration aims to attain.

Information: Financial and non-financial data related to internal and external events and activities, which is created, obtained and communicated in a particular form and at a particular time to ensure that people carry out their duties.

Information security: refers to safeguarding valuable assets in an administration against loss, misuse or damage.

Information map: is demonstration of information kept in units or their systems which can be shared and expertise and experience of personnel, and demonstration of them on an organisational scheme or map in accordance with organisational structure.

Information pool: is the accessible area where information obtained in hard form or soft form is stored and kept ready for re-use.

Information architecture: Organisation of information with a view to make it accessible, manageable and useful, from infrastructure level to end-user level.

Information stock: Financial and non-financial information available in administration at a particular time.

Information technology: is a system that controls all activities, including communication and computers, which are used for the purposes of collecting, storing and processing of information, its transmission from one point to another through communication systems and computers, and to the service of users. Information technology is a concept that is used to refer to all information services which can be connected through communication and computer systems.

Information management: is a process where information is planned and obtained from any kind of source, internally or externally, classified, stored, communicated to relevant bodies in a timely manner for interpretation, reviewed for updating and disposed.

External audit: Within the framework of accountability responsibility of public administrations within the scope of general management, it is the activity of examining the compliance of financial activities, decisions and procedures of the administration with laws, administrative objectives, aims and plans, and reporting the results to TGNA by Turkish Court of Accounts.

Audit trail: It requires the maintenance of records giving the full documentation and justification at all stages of the life of a transaction, together with the ability to trace transactions from summarized totals down to the individual details and to trace all reporting stages.

Inherent risk: refers to those risks whose probability and impact cannot be changed unless particular precautions are taken by administration. When risks are identified for the first time, they are at inherent risk level.

Ethics: Ethics is a body of moral principles, values and standards which forms the basis for the behaviours of a person and guides them on how to do works.

Cost-Benefit Analysis: It is the identification and comparison of the costs and benefits regarding the implementation of a planned work or activity. In cases when benefits outweigh costs, the work or activity is considered to be cost-effective.

SWOT Analysis: is a method in which the administration systematically examines itself and the conditions having an impact on the administration. In this framework, strengths and weaknesses of the administration as well as the threats and opportunities that may occur outside the administration are identified. This is an analysis which forms the basis for strategic planning process.

Segregation of duties: covers the duty of approval, implementation, recording and control of each activity or financial decision and transaction shall be assigned to different people.

Objective: These are the specific and measurable sub-aims geared towards attaining the aims contained in the strategic plan.

Performance objectives are outcome-oriented objectives administrations plan to attain in a program period with a view to attaining the aims and objectives contained in the strategic plan.

Internal audit: is an independent and objective activity of giving assurance and providing counselling with a view to providing guidance and assessing whether resources are managed in compliance with principles of effectiveness and efficiency, in order to improve and add value to the activities of the public administration.

Internal control: is the body of financial and the other controls covering the organisation, method, process and internal audit in an administration, carried out with a view to ensuring that activities are conducted effectively, efficiently and economically in line with the administration's aims, its identified policies and legislation; assets and resources are protected; accounting records are kept accurately and completely; and financial information and managerial information is produced in a reliable and timely manner.

Internal control assurance declaration: is the declaration annually signed by senior managers, authorising officers and heads of strategy development units within the framework of accountability and transparency to state that processes and transactions are conducted in line with the principles of good financial management, control regulations and the legislation.

Internal Control and Risk Steering Board: The Board makes assessments concerning development of process and methods related to internal control system, such as determination of policies about monitoring internal control practices and introduction of risk in the administration.

Whistleblowing: is the notification of illegal and unethical behaviours and actions to internal and external authorities that have the power and authority to solve the problem by persons with information (employees or stakeholders); therefore administrations or third persons inside or outside the administration are not affected.

Business continuity: The plans that aim at ensuring continuity for the activities of the administration or ensure continuity without any interruption after any extra-ordinary situations.

Ex-post controls: Are the controls applied by management to administration's activities after they have been carried out, using pre-identified methods.

Monitoring: Monitoring is the activity of assessing, within the framework of compliance with internal control standards, whether internal control system provides the expected contribution to attaining objectives and aims of the administration, and determining the activities to be carried out in fields that are open to improvement.

Residual risk: refers to risks remaining after management has taken precautions to reduce their probability and impact.

Control activities: are actions aimed at reducing the impact and/or the likelihood of a risk occurring and thus increase the probability of attaining the goals and objectives of the organisation or part of the organisation.

Financial Management and Control: is the development, implementation, monitoring and improvement of suitable organisations, methods and processes within the of managerial responsibility to ensure effectiveness, efficiency and economy in obtaining and using resources as well as compliance with the identified aims and objectives and the legislation.

Central Harmonisation Unit: is affiliated to the Ministry of Finance. The unit develops and harmonises methods and standards concerning financial and internal control processes and provides related guidance for public administrations.

Mission: mission is the cause of existence of an administration and its place within the state structure. In other words, mission is the answer to such questions as what the public administration does and how and for whom it does what it does.

Focus group: These are such meetings that are held among a target group composed of 6-8 people to receive their thoughts and reactions in a detailed and elaborate manner. They are managed by a moderator within the framework of a flow plan.

Probability: refers to the likelihood that an event may occur.

Organisational structure: is general system covering all the activities and procedures undertaken to attain the aims and objectives of the administration.

Ex-ante financial control: Ex-ante financial control is a control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out with the available appropriation amount, expenditures programme, financing programme and the provisions of central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently.

Implicit information: is the information in people's minds which is not regulated in accordance with a particular system, therefore not easy to transfer and circulate, and the registered information which is not accessible to employees.

Stakeholders: are the people, groups and administrations which are relevant to the administration's products and services and can directly or indirectly, positively or negatively affect or be affected by the administration.

Risk: can generally be defined as uncertainty of events that may occur in future or undesirable outcomes and impacts of an event. For administrations, risk can be defined as negative or positive effects of internal and external factors that may occur in future on attaining the objectives and aims of administrations. In risk terminology, positive aspects of risk and wins it may bring along are referred to as opportunity, and negative aspects and losses it may cause are referred to as threat.

Risk assessment: is analysing those factors which can have an impact on attaining the objectives of administration.

Transferring risk: is the response to the risks by taking some of them away from the responsibility of the administration and transferring it to others.

Handling risks: is the identification of responses to risks identified and assessed (within the framework of risk appetite) by public administrations and reducing the expected threats and benefiting from the opportunities that may emerge within this context.

Impact of risk: refers to outcomes or effects that risk posing event can produce once it occurs.

Risk appetite: is the amount of risk an administration is ready to accept (tolerate/be exposed to) at any time before deciding on the need to take any relevant precautions in line with its strategic objectives, mission and vision. In terms of threats, it refers to exposure level which can be tolerated and justified, and in terms of opportunities, it refers to how a person is ready to actively take the risk to gain benefits of the opportunity.

Tolerating risks: is a passive method of response given to risks which public administrations are comfortable to undertake.

Avoiding risks: is a response to risks by removing the activities in which risks are probable to occur, thus eliminating the risks that are probable to occur together with the activities.

Controlling risks: is a method of response to risks by means of control activities carried out to keep tolerable risks at a certain level in public administrations.

Preventive Controls: These are controls carried out to prevent threats that risk may pose and undesirable outcomes risk may produce once it occurs.

Corrective Controls: These are controls aiming at reducing the impact of undesirable outcomes that arise from threats risk poses once it occurs.

Directive Controls: These are controls carried out to prevent the occurrence of risk or avoid the impact it may produce once it occurs.

Detective Controls: These are controls applied to identify damages and losses experienced once the risk is realised.

Risk profile: documented and prioritised overall assessment of the range of specific risks faced by the administration.

Risk management: is a management tool and all the mechanisms related to identify and assess risks that may have an impact on attaining aims and objectives of administration, identify responses to risks, regularly review and update risks and responses, and monitor the whole process.

Corporate risk management: is a process which covers the entire administration and ensures that risk management processes are considered and handled as a whole.

Risk strategy: the overall organisational approach to risk management as defined by the Accounting Officer and/or the Board. This should be documented and easily available throughout the organisation.

Risk Strategy and Policy Document (RSPD): corporate approach to risk management identified by Head of Administration and senior level policies are called risk strategy, and the document in which this approach and policies are set down in writing is called Risk Strategy and Policy Document (RSPD).

Risk identification: is the process of identifying, ascertaining, categorising and updating risks that prevent or limit the achievement of administration's strategic objectives, using previously defined methods.

Strategy Development Unit: refers to presidencies of strategy development units, departments of strategy development and directorates where strategy development and financial services are undertaken. They carry out studies to establish, implement and continuously develop internal control systems and report the study results to the Head of Administration.

Irregularity: Faults, errors and negligence stemming from violation of regulations and provisions related to financial management.

Delegation of authority: is delegation of the responsibility and authority for making decisions to another authority in writing in the way envisaged in the legislation.

Fraud: Is misuse or insufficient use of documents and declarations for monetary purposes or non-monetary private purposes, as well as hiding information or deliberate acts performed to abuse the benefit legally obtained, and negligence and illegal use of public power.

Management Information system: supporting systems which provide proper data for managers and decision-makers for taking decisions and implementing them with a view to more effectively attaining the previously identified objectives of the administration by operating and communicating the information used in administration.

Managerial: refers to management being accountable for the decisions they have made regarding duties assigned as well as for effective use of public resources to the Parliament, Government and public opinion.

Governance: Governance is the way in which organisations are directed and controlled. It defines the distribution of rights and responsibilities among the different stakeholders and participants in the organisation, determines the rules and procedures for making decisions on corporate affairs, including the process through which the organisation's objectives are set, and provides the means of attaining those objectives and monitoring performance.

Conference call: A system of telecommunications technology that enables a number of people in different locations to hold a discussion using the telephone.


6.2 External Audit

7 Internal Control Assurance Declarations

7.1 How to complete Internal Control Assurance Declarations

MONITORING ANNEXES

Annex 1 Internal Control System Question Form

Annex 2 Internal Control System Evaluation Report

Annex 3a Internal Control Assurance Declarations Senior Manager

Annex 3B Internal Control Assurance Declaration Authorising Officer

Annex 3b Internal Control Assurance Declaration Head Of SDU

Annex 4 Example Of A Complete Declaration

GLOSSARY


LIST OF ABBREVIATIONS

ARC Administrative risk coordinator

BiMER Prime Ministry Communication Centre

CHU Central Harmonisation Unit

COBIT Control Objectives for Information and Related Technology

COSO Committee of Sponsoring Organisations of the Treadway Commission

DHSDU Declaration by Head of Strategy Development Unit

e-SAC Electronic System Audit and Control

FMC Financial Management and Control

HRM Human Resources Management

ICAD Internal control assurance declaration

ICRSB Internal Control and Risk Steering Board

INTOSAI International Organisation of Supreme Audit Institutions

ISO/IEC International Organisation for Standardization / International Electrotechnical Commission

IT Information Technology

MERNIS Central Civil Registration System

MIS Management Information System

PESTLE Political, Economic, Social, Technological, Legal and Environmental

RSPD Risk Strategy and Policy Document

SDU Strategy Development Unit

SMART Specific, Measurable, Achievable, Relevant, Time-related

SURC Sub-unit Risk Coordinator

SWOT Strengths, Weaknesses, Opportunities and Threats

TGNA Turkish Grand National Assembly

TSE Turkish Standards Institute

URC Unit Risk Coordinator

UYAP National Judicial Information System


INTRODUCTION

From the late 20th century onwards, the focal point of governments in the whole world has been to establish mechanisms to increase performance. "Good governance", put forward to serve this end, has recently come to be a guiding principle both for the private sector and the public sector. Within the framework of the principle of good governance, such factors as ensuring accountability for the provision of better quality public services, improvement of transparency, delegation of authorities and responsibilities by means of managerial flexibility, outcome-oriented management and budgeting, and understanding and meeting the expectations of citizens have come to the foreground.

On the other hand, provision of quality public services has brought along the need for the public resources to be used effectively, efficiently and economically, thus necessitating the usage of effective tools in public administrations in many areas, from organisational structure to information and monitoring, which are related to financial management and control. The most important tool for accountability adopted in this reform process is internal control.

Internal Control

Internal control, which is internationally used, is a system designed to give reasonable assurance to attain the objectives of a given administration. Within the framework of Committee of Sponsoring Organisation (COSO), which is the most widely known system among the others, internal control aims to ensure compliance of actions and works with the legislation as well as the reliability of financial and managerial reporting and effective and efficient asset protection. COSO, which is made up of control environment, risk management, control activities, information and communication and monitoring components, is such an internal control model which is also accepted as a reference point by such institutions as the International Organisation of Supreme Audit Institutions (INTOSAI) and the European Commission. The following figure shows the components of COSO.

Figure 1: The COSO Cube


Our country, on the other hand, which has been carrying on membership negotiations with the EU, has been going through a reform process since the early 2000's with a view to strengthening its public internal control system. The basic factors of the internal control system which is recommended by the European Commission to all the candidate countries and is in compliance with COSO can be summarized as a financial management and control (FMC) system based on managerial responsibility and accountability, a functionally independent internal audit activity, and a Central Harmonisation Unit (CHU) responsible for the harmonisation of these two areas in the whole public sector.

FMC refers, in the most general terms, to the management and control processes related to public revenues, expenditures, assets and obligations. In this context, public managers of every level are responsible for the establishment and sustainability of a sound FMC system to ensure resource-based planning, programming, budgeting, accounting, controlling, reporting, archiving and monitoring. Internal audit, on the other hand, which assists the manager in assuming this responsibility and attaining the objectives, gives, based on risk management, objective assurance and provides guidance regarding the compliance of the current FMC system with the identified rules and standards. Furthermore, a full capacity and quality central harmonisation activity is required in order to identify and develop methodologies, legislation and standards in the areas of FMC and internal audit in public administrations as well as to coordinate and monitor them and provide the training needed.

In the light of the best practice examples, our country has taken important steps in strengthening transparency and accountability in public financial management and ensuring an effective internal control function. Public Financial Management and Control Law No 5018, which is the most important step among the others and was adopted in 2003, defines the functioning of the internal control system and the roles and responsibilities of the actors involved in the system, and assigns the Ministry of Finance (MoF) the duty of identifying standards and methods as well as ensuring coordination and providing guidance in this area. As per this duty, the MoF published a Public Internal Control Standards Communiqué in 2007, which was in compliance with the international standards.

The Financial Management and Control Manual, which is an extension of all these works, has been prepared with a view to supporting decision-making and implementation processes for a better management and thus contributing to the rational usage of public resources. The Manual, whose preparation started in 2010 and was completed in the first quarter of 2011, is the outcome of painstaking work carried out by experts both from the United Kingdom and our country within the framework of a twinning project financed by the European Union.

The FMC Manual has been designed with a view to ensuring the implementation of internal control standards, as a guideline which explains all the basic factors of internal control by means of methods, tools and examples which can be used by all the stakeholders. In addition, it is also possible for administrations to use, according to their own needs, tools other than this Manual, which can be modified and revised in time in line with the changing circumstances and needs in public administrations; however, it is foreseen that tools adopted should not be in conflict with the basic requirements contained in the Manual.

This Manual is made up of five main parts based on Internal Control Standards. Following this introduction, there is a table showing the main responsibilities of the major actors in financial management and control.

In the first part, conceptual explanations regarding ethical values and integrity, mission, organisational structure and duties, competence and performance of personnel and delegation of authority, which are the milestones of the control environment, as well as information on the legislation and implementing tools are given.

In the second part, information on the importance and aim of risk management, stages of risk management process and roles and responsibilities of the actors involved in the process, Risk Strategy and Policy Document, and communication and reporting tools that can be used is given.


In the third part, control strategies and methods, identifying and documenting procedure, principle of separation of authorities, hierarchical controls, sustainability of activities and information processing controls are explained within the framework of control activities, which is closely related to risk management, and a set of control activities (approval, authorisation, verification, reconciliation of accounts, etc.) are dealt with.

In the fourth part, the concept of information and its management, functioning of Management Information Systems, internal and external communication tools and reporting mechanisms are handled within the framework of the information and communication component.

In the fifth part, information on the roles and responsibilities of the Financial Management and Control Central Harmonisation Unit (FMC CHU) in the overall public sector and of Strategy Development Units (SDU)/Financial Services Units in each public administration, as well as the tools used, internal control system quality assurance development program, roles of internal and external audit, content of Internal Control Assurance Declaration and guidance on how to fill the Declaration, is given within the framework of regular monitoring and assessment of internal control system.

In the last part of the manual, a glossary of the concepts used in the manual is given.

Users of the Manual

Besides the relevant stakeholders and users, it is believed that this Manual will be a reference document for the following:

Senior managers responsible for establishing an effective and adequate FMC system as well as observing and monitoring it.

Authorising officers who have responsibility, within the scope of their duties and authorities, to ensure the functionality of the internal control regarding administrative and financial decisions and proceedings.

Relevant managers and employees of the Ministry of Finance who carry out the central harmonisation duty in the area of FMC.

Managers of SDUs and financial services experts who have responsibility concerning the development of internal control system and implementation of the standards.

Realization officers and accounting officers who are involved in the financial processes and accountable to authorising officers.

The other public managers who have responsibilities arising from the activities conducted in the area of FMC in units.

All the employees working in public administration.

Internal auditors who have the responsibility to assess and report to the Head of Administration the effectiveness of FMC system.

External auditors who are responsible for examining the accounts, financial transactions and activities and internal control systems of public administrations, as well as whether resources are used effectively, efficiently and economically as well as in compliance with laws, and reporting the results to the TGNA.


TABLE OF ROLES AND RESPONSIBILITIES

RISK MANAGEMENT | INFORMATION AND COMMUNICATION | MONITORING

MINISTER

Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister should be aware of the potential risks to the administration's objectives.

He ensures coordination and cooperation with the other ministries and informs the public opinion and the TGNA about the annual performance programme and activity report of the administration.

Within the framework of the responsibility for ensuring effective, economic and efficient utilisation of public resources, the Minister is responsible for ensuring effective monitoring of the internal control system.

HEAD OF ADMINISTRATION

He defines strategies and policies for an effectively functioning risk management system in accordance with the aims and objectives of his administration.

He explicitly defines tasks, roles and responsibilities.

He ensures the participation of the stakeholders and the public opinion.

As the quality of the information exchange and communication between the head of administration and the other actors has a direct effect on the accountability of the head of administration, he must inform the relevant units about the frequency and methods of feedback he prefers.

He ensures effective communication among spending units, SDUs and internal audit.

He is responsible for observing and monitoring the functioning of financial management and control system.

He approves annual internal control system evaluation reports and signs the Internal Control Assurance Declaration.

INTERNAL CONTROL AND RISK STEERING BOARD

The Board develops policies for improvement of risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the unit of the policies and procedures for coordination purposes. ICRSB determines a particular number of risks which it deems significant as the key risks among those risks that are submitted to itself and reports whether these key risks function well or not to the Head of Administration in regular periods or whenever it deems necessary.

It provides the Head of Administration with timely and accurate information about the effectiveness of internal control and risk management.

It assesses the internal control system evaluation reports prepared by the strategy development unit as a result of the annual evaluation of the internal control system and, after defining the shortcomings of the report, if any, submits it with the relevant opinions for the approval of the Head of Administration.

AUTHORISING OFFICER

He acts as the unit risk coordinator or assigns someone to act so. URC coordinates the management of the unit's risks that may have an impact on objectives of the administration and provides guidance to this end.

He ensures that tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff. He ensures that sub-units are informed about the activities of each other. He ensures that an effective communication and archiving system is established for the information related to the objectives and activities of the unit.

He has responsibility for continuously monitoring internal control system. He provides necessary information for strategy development units regarding the annual evaluation of internal control system, completes internal control questionnaire and annually signs internal control assurance declaration to be submitted to the Head of Administration.

HEAD OF DEPARTMENT/UNIT

He is responsible for the coordination of risk management activities within sub-units (if having such units or their management at this level is deemed appropriate) of the spending units in administrations. He is directly accountable to URC regarding risk management.

He ensures that an effective communication and archiving system within the sub-unit is established for the information related to the objectives and activities. He ensures that tasks, authorities and responsibilities of staff are defined clearly and in writing and communicated to all the staff. He is accountable to the authorising officer.

He has responsibility for continuously monitoring internal control system. He supports the authorising officer in providing SDUs with information.

EMPLOYEES

Every employee is directly responsible for managing risks in their fields of duty (identifying, assessing, responding to, reviewing and reporting risks).

Every employee is responsible for delivering accurate and timely information to managers, colleagues and stakeholders by using right communication means.

They observe the functioning of internal control system and, in case of a problem, they inform senior management and contribute to the evaluation process of internal control system by providing information.

STRATEGY DEVELOPMENT UNIT

It organises trainings on risk management in the administration and provides guidance in this respect.

It is responsible for providing the Head of Administration and the units with accurate and timely information. In addition, it is responsible for providing the unit with guidance and trainings on the area of internal control.

It annually assesses internal control system on behalf of the Head of Administration. It signs the declaration on functioning of internal control system with a view to ensuring effective, efficient and economical execution of administration's activities. Staff of Strategy Development Units take active role in the evaluation process of internal control systems and guide the units in completing the reports regarding evaluation.

ACCOUNTING OFFICER

Within the scope of his duty, the Accounting Officer should identify and manage the financial risks.

The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way.

Accounting Officers must regularly report to the authorising officer on the accounting records.

CENTRAL HARMONISATION UNIT

It is responsible for such activities as making regulations and changes when necessary, carrying out developmental activities, as well as ensuring guidance, harmonisation, inter-administrational coordination and reporting.

It is responsible for making arrangements, setting out standards, providing guidance and advice, ensuring harmonisation and coordination among administrations, and monitoring and reviewing the implementation in the fields of financial management and control and internal audit.

It annually assesses the functioning of internal control systems in public administrations based on Internal Control Evaluation Reports approved and submitted by senior managers and submits the evaluation report it prepared to the Head of Administration and the Minister of Finance.

INTERNAL AUDIT

Internal auditor provides the Head of Administration with advice regarding risk management by making evaluations on whether risk management process is effective and risks are managed in the right way or not.

He examines the functioning of information and communication system in the administration and reports the results to the Head of Administration. There must be an effective communication system between Head of Administration and internal audit.

It has the function to provide the management with information about the sufficiency, effectiveness and functioning of internal control system as well as making evaluations and giving recommendations.

EXTERNAL AUDIT

Within the framework of performance management, it can audit the functioning of risk management processes in administrations.

Within the framework of performance management, it can audit the functioning of information and communication systems in administrations.

Court of Accounts can assess internal control systems in administrations during the audits it conducts and give recommendations.


CONTROL ENVIRONMENT

1 INTRODUCTION

According to the COSO model, control environment is creation of the basic infrastructure for the other components of internal control by providing internal control awareness for employees working in a particular administration. Control environment generally includes internal control awareness, values, working styles and procedures of the administration. Basic factors of control environment are summarized below.

CE Box 1: Basic Factors of Control Environment

[Diagram labels: Risk Management; Control Environment; Control Activities; Info & Communication; Monitoring]

Principles of personal and professional integrity

Adoption of ethical values by management and personnel

Supportive attitude of senior management towards internal control

Organisational structure

Professional competence and performance of personnel

Human resources policies and practices

Management philosophy and working style

Creation and sustainability of a positive and supportive environment for internal control by the management is of great importance. As employees also have their relevant roles in carrying out internal control, all the individuals within the administration need to know his/her responsibilities and authorities very well. Employees need to uphold personal and professional integrity and ethical values and comply with the current behavioural norms. In a well-functioning control environment, the public administration should previously determine its mission, organisational structure and terms of reference and should regularly assess the performance of personnel.

2 Internal Control Standards

Four standards were determined regarding control environment among Public Internal Control Standards.

CE Box 2: Control Environment Standards

Standard 1: Ethical values and integrity

It should be ensured that rules which regulate how personnel behave are known by the personnel.

Standard 2: Mission, organisational structure and duties

Mission of the administration and job descriptions for units and personnel should be set out in writing and announced to the personnel, and a suitable organisational structure should be established in the administration.

Standard 3: Competence and performance of personnel

Administrations should ensure the compatibility between the competence and duties of personnel and take actions about performance appraisal and improvement.

Standard 4: Delegation of authority

Administration should explicitly identify authorities and limits of delegation of authority and announce them in writing. Authority should be delegated by taking the importance and risk of authority to be delegated into consideration.

This part gives explanations regarding the relevant legislation and standards with a view to rendering Public Internal Control Standards more comprehensible and to guide the practices. Besides, it stresses the methods to be applied for ethical values and integrity principles to be owned by senior management and adopted by personnel, which is very important for a well-functioning control environment. Besides, criteria are determined for the assessment of competence and performance of personnel, as well as giving explanations on determination of mission, organisational structure and duties. Moreover, the part explains how the delegation of authority, which is a priority for accountability, needs to be conducted.

3 LEGISLATION

3.1 Legal Basis

In utilising public resources or in providing effective and efficient public services, the principles and procedures of a work, financial or non-financial, are determined by the regulations made by laws or the central administration.

Internal Control standards provide the minimum and overall framework for managers for giving an assurance on the provision and sustainability of services. In the following diagram, the international and national standards and legislation relating to Control Environment are given.


CE Figure 1: Legal Basis Framework regarding Control Environment

Part Five of Law No 5018 regulates the 'internal control system'. Within this framework, in order to establish an effective and sufficient internal control system, the top manager and the other managers should take necessary action to ensure that the following factors are implemented:

• Having professional values and an integral management understanding

• Assignment of financial authorities and responsibilities to informed and competent managers and personnel

• Compliance with the standards set

• Prevention of actions that are opposed to the Legislation

• Provision of a proper working environment and transparency with a comprehensive management understanding

The main legislation related to control environment is given below.

CE Table 1: Main Legislation on the Control Environment Standards

CONTROL ENVIRONMENT STANDARD | RELATED LEGISLATION

1 Ethical Values and Integrity | Law No 5176 on the Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws; Legislation on Ethical Behaviour Principles and Application Principles and Procedures of Civil Servants

2 Mission, organisational structure and Tasks | Law No 3046; Decree of Law No 217 on the Establishment and Duty Principles of State Personnel Presidency; Strategic Planning Guideline for Public Administrations

3 Competence and Performance of Personnel | Turkish Constitution; Law No 657 on Civil Servants, Law No 2802 on Judges and Public Prosecutors, Law No 2914 on High Education Staff, Law No 926 on Turkish Armed Forces Personnel, Law No 3269 on Specialized Sergeants, Law No 3466 on Specialized Gendarmerie, Law No 4678 on Contracted Officers and Petty Officers to be Recruited into Turkish Armed Forces; Regulation on Examinations for Those to be Appointed for Public Duties for the First Time; Regulation on Appointment Conditions for Public Services of Disabled Persons and Competition Examinations to be Conducted; Special Regulations Prepared by Administrations (expert coordinator inspector etc); General Regulation on Training of Candidate Civil Servants; Registry Regulation for Civil Servants; Regulation on Civil Servants to be Sent Abroad for Training Purposes; General Regulation on the Principles of Promotion and Title Change in Public Administrations and Entities; Regulation on Promotion and Title Change in Supreme Institutions and Agencies of High Education

4 Delegation of Authority | Law No 3046; Law No 2547 on High Education; Law No 5393; Organisational Laws; Communiqué Serial No 1 on Authorising Officers


4 ETHICAL VALUES AND INTEGRITY

4.1 What is Ethics

Ethics is a body of moral principles which forms the basis for the behaviours of a person. In other words, ethics is the guidelines, values, principles and standards which help people determine 'how to do works'. Ethics is at the same time a process. In this process, while making and implementing decisions, actions are carried out upholding particular values.

The aim of observing ethical behaviour principles is to prevent corruption and uphold integrity in a state and community.

4.2 Current Legislation on Ethics

Law No 5176

The Law determines the establishment, duty and working principles and procedures for Civil Servant Ethical Board to determine and monitor the implementation of such ethical values that civil servants must observe as transparency, impartiality, accountability and observing public interests. However, the scope of the law is so narrow that it diverges from its original aim (Provisions of the Law are not enforced on the President, Members of TGNA, Members of Council of Ministers, officials of Turkish Armed Forces and officials of jurisdiction).

Civil Servants Ethical Board is authorised and responsible for determination of ethical behaviour principles through the legislations it will prepare, conduction of the relevant ex-officio examinations and investigations as well as conduction of examinations and investigations upon applications on ethical behaviour violations and notification of the results to the relevant authorities, carrying out studies to settle ethical behaviours in a community and supporting studies to be carried out in this field.

Within the framework of laws, the Board can be applied to with allegations of violation of ethical behaviour principles about the civil servants of at least director general or equivalent positions in a public administration and institution.

Applications to be made with allegations of violation of ethical principles about the other civil servants are evaluated by the concerned boards of the relevant administrations to see whether there is a condition that is opposed to ethical value principles or not. Results of the evaluations are communicated to the applicant and to whom it may concern.

The Board conducts its examinations and investigations regarding the applications referred to itself to see whether ethical value principles are violated or not. The Board has to conclude the examinations and investigations to be conducted upon the whistle blowing or complaint applications in three months at most. Results of the examinations and investigations are communicated to the relevant authorities and to the Prime Ministry in writing. (For further information, please refer to the "Information and Communication" chapter.)

Legislation on Civil Servants Ethical Behaviour Principles and Application Procedures

Civil servants are liable to observe ethical behaviour principles while fulfilling their duties and sign the Ethical Contract document. Authorised appraisal managers in administrations and institutions assess the performance and employment records of personnel in terms of compliance to ethical values.

CE Figure 2 demonstrates ethical behaviour principles determined in the Legislation.

CE Figure 2: Ethical Behaviour Principles

ETHICAL BEHAVIOR PRINCIPLES

Granting declaration of property

Relations with the previous civil servants

Accountability requirement for managers

Informing, transparency and participation

Binding explanations and unreal declarations

Being economic

Utilisation of public properties and resources

Prohibition of giving presents and drawing benefits

Not abusing duties and authorities to draw benefits

Avoiding conflict of interest

Notification of authorised bodies

Courtesy and respect

Esteem and trust

Integrity and Impartiality

Commitment to aims and mission

Compliance with service standards

Service awareness for public

Public service awareness in fulfilment of duties

4.3 Main Ethical Behaviours that are Expected from Civil Servants

Observing all the time high ethical standards and working to increase public belief in the state and civil servants for public benefit

Behaving in compliance with the ethical values and principles when fulfilling duties, obtaining and using public resources and purchasing goods and services from outside

Showing respect for colleagues and users of services, exhibiting impartial and fair behaviours

Having a participatory decision-making process by taking the views of colleagues and users of the services into consideration

Appreciation and announcement of good works colleagues do

Not abusing public authorities and resources for personal benefits and not favouring relatives or friends in using public services

Being careful about the possible and real conflict of interests

Assuming responsibility for decisions and behaviours

Filling in the property declaration forms in time, accurately and without any reserve

Not working in a second job that is prohibited by the Legislation other than his public service

Not establishing private relationships with the persons and firms that are in connection with the administration that civil servant works in

Warning other civil servants whose behaviours are not in compliance with the ethical principles and notifying authorities in case that warning turns out fruitless

4.4 Ethical Behaviours That are Expected from Public Managers

While fulfilling their duties, managers should:

Inform all the civil servants of the overall aims, main objectives and values of the administration

Create a positive working environment where behaviour expectations are clearly defined and violations are identified and corrected, if any

Assume all the responsibility for the activities of administration

Take into consideration the merits, current behaviours and developmental potential of personnel while appointing for a position

Behave in a fair, equal and impartial way towards all the personnel

Solve the problems and conflicts in a quick and fair manner

Be consistent, reliable, predictable, fair and objective in decisions and behaviours

Set a personal example in terms of ethical principles and values

Maintain the highest standards possible to be followed in the field of efficiency and effectiveness at work

4.5 Ethics Training

One of the most important prerequisites of establishing a culture in the administration that is based on ethical values and principles is ethics training. All the personnel of every level that are employed in public administrations and institutions need to be informed of the ethical behaviour principles and their responsibilities related to these principles.

Administration and institution managers are liable to include ethical behaviour principles in the basic, preparatory and in-house training programs that are implemented for civil servants.

5 MISSION, ORGANISATIONAL STRUCTURE AND DUTIES

Mission of an administration is the cause of existence of the administration and its place within the state structure. Organisational structure ensures that duties that are carried out to attain the objectives and aims of the administration are controlled and monitored. Duties that are carried out by the administration are led by the mission and organisational structure. These factors in question, which complete each other, form an important basis for the other components of internal control system.

5.1 Mission

Public administrations set out their missions, visions, aims, objectives and strategies in strategic plans. As Strategic Planning Guideline for Public Administrations states, mission is the cause of existence of an administration. In this regard, mission covers all the services and activities an administration carries out. In other words, mission is the answer to such questions as what the public administration does and how and for whom it does what it does. Mission should be sound, realistic and participatory to lead the administration and should be developed according to the changing conditions and needs. It will also be proper to receive opinions from personnel and stakeholders in forming and updating the mission.

The following should be taken into consideration in mission declarations of administrations:

The mission should be up-to-date, precise and clear

The mission should be determined in line with the established aims of administration, not process of service provision

While determining the mission, tasks and authorities granted to the administration with legal regulations should be taken into consideration

In mission promotion, people and entities that the administration provides services for and the goods and services that the administration offers should be stated

CE Box 3: Mission Example

"Carrying out research, training and publishing activities, developing and supporting projects for strengthening and increasing the problem-solving capacity of families and for identification and solution of the problems in cooperation with the institutions and organisations in the light of scientific and ethical values"

(General Directorate of Family and Social Research 2007-2011 Strategic Plan)

For the mission, which is very important for public administration, to be achieved, personnel should be informed enough about the mission of administration they are affiliated to. Being informed about the mission and adopting it will guide the decisions and activities of the administration and help the personnel understand their duties within the administration. To this effect, firstly, mission should be set down in writing and it should be announced to the personnel, and a system should be developed for the mission to be adopted by the personnel. On the other hand, job descriptions of the sub-units should be determined in writing in compliance with the mission, and compliance with the mission should be regularly reviewed.

5.2 Organisational Structure

Organisational structure of the administration is another important factor which influences the control environment. Organisational structure is the provision of a framework for the attainment of the aims and objectives of administration.

In order to establish a proper control environment, organisational structure should:

Indicate the division of authorities and responsibilities within the organisation

Include accountability mechanisms and relevant reporting line which will ensure the functionality of these mechanisms

Indicate the coordination and integration points


Organisational structures of administrations are generally determined by the organisational laws that are prepared in compliance with the framework that is set in Law No 3046, and duties of administrative units (main services, consultation/audit and support units) are shaped in these organisational laws. Duties of the sub-units of administrations, on the other hand, are determined in administrative regulations such as circulars and regulations, not in the organisational laws.

Furthermore, organisational structures of public administrations which fall under the scope of the local administration are determined by Law No 5393 on Municipalities, Law No 5216 on Metropolitan Municipalities, Law No 5302 on Special Provincial Administration and Law No 5355 on Local Administration Unions.

Mission of the administration is achieved by the activities carried out by the units of the administration and their sub-units and the units of the local administration. Within this framework, duties of both the units and sub-units should be in compliance with the mission of the administration.

Relevant changes regarding the organisational structure, units and sub-units of the administration and duties that are carried out by these units and sub-units can be made by amending organisational law or revising administrative regulations according to the circumstances within the framework of the reviewing activities in question.

5.3 Job Descriptions

As it is stated in Public Internal Control Standards, written definition of duties to be carried out by units and sub-units of administrations and formation of a task distribution chart covering duties of the personnel in the administrative units and their relevant authorities and responsibilities assume importance for the mission of the administration to be accomplished. Within this framework, preparation stage of job descriptions is demonstrated below.

Public administrations can prepare their job descriptions by following the below given process.

CE Figure 3: Preparation Process of Job Descriptions

MAKING JOB ANALYSIS

Job analysis is a process in which information regarding the quality of every job carried out in the administration and working environment the job will be carried out in, as well as working conditions, is collected and collected information is systematically examined and assessed. While making job analysis, the following should be followed:

Determination of jobs to be analysed, taking into consideration the organisational structure of the administration

Determination of the objective

Formation of the team to make the analysis (it is essential that the team members to make the analysis should be selected from inside the administration. However, it is possible to receive counselling from outside when necessary)

KEY QUESTIONS IN JOB ANALYSIS

What are the requirements of the job? (In terms of knowledge, experience and competence)

How is the job done?

When is the job done?

Where is the job done?

Why is the job done?

What are the assistive tools for the job? (Equipment)

What kinds of outputs are obtained?

Job analysis does not have a value on its own. It is only valuable when it contributes to attaining the objectives of administration. Therefore, analysing should start by understanding the philosophy, mission and objectives of the administration and the role and importance of every unit within the administration and should continue in this direction.

The findings gathered from the job analysis should be submitted in a systematic and consistent way, and the job descriptions that are formed according to these findings should be submitted to the top management for the job description whose final draft has been completed.

At minimum, job descriptions should include the following:

Unit & Sub Unit

Name of the job (Name of the position)

Title that the job has

Level of competence (areas of responsibility, information, problem solving)

Basic duties and responsibilities

Authorities

Required skills and abilities for the job

Its relation with the other jobs

Approval section and section regarding communiqué to personnel

ANNOUNCING JOB DESCRIPTIONS TO THE PERSONNEL

Job descriptions should be announced to the personnel for them to learn what they need to do, under which rules they work and what their objectives are.

UPDATING JOB DESCRIPTIONS

Job descriptions should be reviewed and updated annually.

State Personnel Presidency determined standard job descriptions for some titles (chief programmer warehouse official statistician personnel titled as inspector in the municipalities etc). In this process, it is possible that public administrations receive guidance from State Personnel Presidency.

5.3.1 Sensitive Duties

Some of duties that are carried out in public administration assume more importance because of their nature than the other duties do in terms of esteem of administration, risk of corruption, disclosure of secret information, etc. Therefore, integrity of the personnel who carry out the duty in question is attached more importance.

It would be convenient to assess at least the following while deciding whether a duty is sensitive or not:

Capacity to make important decisions that can impact administration's objectives

Its relations with the third parties and administrations outside the administration which can impact decisions

Regular accession to confidential information

Whether financial transactions of high value are involved

The duty requiring special expertise at high levels

Other criteria that can be introduced by administrations

According to the criteria in question, administration should determine sensitive duties, develop control mechanisms to mitigate the risks identified and review the changes to occur at the level of the risk.

The following table demonstrates the fields of activity which can be sensitive for administrations and gives examples regarding these fields.

CE Table 2: Examples of Sensitive Duties

Areas of Management | Examples for Sensitive Duties

Financial management | Accounting; Managing payments; Analysing the financial reports

Commitment process | Membership for the Tender Commission; Contracting process; Process of examining and accepting; Publishing tender documents

Human resources management | Definition of positions; Job description; Recruitment process; Assessment; Implementation of salary system

Information management systems | Accession to the system and controls; Security of the systems and key documents; Developing the system

Support Services | Controlling valuable stocks

5.3.2 Monitoring the Results of Duties

Administrations should continuously assess sensitive duties and decide what steps to take in accordance with the changes in the level of the risks (such as renewing controls, identifying new sensitive duties, re-evaluating sensitive duties' risk levels by taking into consideration the cost-effectiveness).

Managers carry out the activities of administrations through written or spoken instructions. However, it may be difficult for the management to monitor the results of duties due to such reasons as the structures of units, organisational complexity, scattered organisations, the number of the personnel being high and duties being varied. Managers should develop such methods as introducing reporting mechanisms and holding regular meetings to overcome this difficulty.

6 COMPETENCE AND PERFORMANCE OF PERSONNEL Good management of human resources aims to ensure the efficiency effectiveness and

productivity of personnel

27

CE Box 4 Humans first

The basic aim is the selection of proper personnel for the fulfilment of the mission of the administration, appraisal of personnel, career planning for those who are successful, and ensuring they have the basic skills and adequate knowledge with a high sense of responsibility and identity.

6.1 Transition to Human Resources Management from Personnel Management

As it assumes the responsibility for identifying policies, objectives and standards in human resources management (HRM), top management plays a significant role in HRM. Besides, top management should create a transparent and accountable environment complying with laws and legislation.

The expertise that human resources managers have in this area should lead the other unit managers to apply human resources standards at every level of the administration. Furthermore, HRM is a responsibility for all levels of management, starting from top management. In line with the policies in question, unit managers, while effectively carrying out the tasks given to them by senior managers, should also assume such duties as orientation and training of new personnel, improvement of their work performance, developing a proper work environment and relations in which they will work in cooperation, boosting the morale and motivation of personnel, safeguarding the health of personnel and improving their working conditions.

6.2 Activity Areas in Human Resources Management

The basic functions of HRM can be listed as follows:

Conduction of job analyses

Job descriptions

Job requirements

Labour force assessment

Staff analysis

Cost-benefit analysis

Limitations of various legal regulations (Budget Law, Decree of Law on General Cadre Procedure, etc.)

Recruitment process

SWOT analysis (of the recruitment process)

Humans First

With the principle 'good people make good organisations', we can say that the quality of the employees of an administration is the quality of the outputs of that administration. First of all, it must be kept in mind that employees are humans, and a balance must be established between the needs of the administration and those of employees. It is important for personal motivation that assignments be conducted in line with the merits and careers of employees at every stage from recruitment to retirement. The only capital an administration has which cannot be materially measured is human.


Announcements in newspapers, on the internet and on the administration's billboards

Developing easy application methods which meet the needs, are fair and do not lead to discrimination

An open examination process which will give confidence

Merit and career evaluation system

Promotion/Achievement criteria

Personnel performance indicators

Appraisal system

Rewarding mechanisms

Training Activities

Training needs questionnaire

Training programs (theoretical and practical)

Training and internships abroad

Post-training assessments

Participation in such activities as conferences and workshops which support personal development

Poor performance management and disciplinary practices

Determining the data on which decisions about non-appropriateness for duty will be based and announcing this to all the personnel

Clearly determining the criteria to terminate duties and announcing these criteria to the personnel

7 DELEGATION of AUTHORITY

Authority refers to the power of administrative bodies to make administrative decisions and to conduct administrative transactions.

Responsibility can be defined as a body of rules and sanctions that those who assume roles in administrative activities are subject to.

Delegation of authority is the transfer of authority and responsibility to make decisions to another body within the framework of the applicable legislation. Delegation of authority does not remove the managerial responsibility of the delegator.

Rigid and traditional administrative structures, in which all the authorities as well as the transferring and execution functions gather in a single centre, are not preferred. In such administrations, the motivation of employees and lower-level managers to take ownership of the administration and to produce services in line with its objectives will decrease.

On the other hand, administrations in which managers delegate all their authorities to lower levels with insufficient capacity and do not monitor the results are not desirable either.

Delegation of authority forms a step in the transition from an authoritarian management understanding to a transparent and accountable management understanding. In modern administrative structures, a proper control environment is created, employees are assigned responsibilities and authorities at the level of their duties, and employees together with lower-level managers are included in the decision-making mechanisms. In such administrations, working motivation will increase; therefore effectiveness and efficiency indicators will go up with the attainment of the aims and objectives.

In relation to delegation of authority, the authorities to be delegated and their limits are defined by regulations in various laws. The main regulations in this regard are as follows:

Law No. 3046 on Ministries

Law No. 5442 on Provincial Administration

Law No. 2547 on High Education

Law No. 5393 on Municipalities

Law No. 5018 on General Management

Organisational Laws of Administrations


7.1 Determination of Delegation of Authority

Delegation of authority should be carried out according to the hierarchical structure of the organisation. With a top-down approach, the authorities to be delegated from the Minister to the undersecretary (authorities to be delegated to the Head of Administration), to his deputies and to heads of units, from head of unit to head of department, and from head of department to director of branch should be determined in writing and consulted with those concerned.

7.2 Delegation of Authority and Work Flow Process

Work flow processes of administrations should be determined, and the officials to take part in the processes and their authorities and responsibilities should be set out. The processes which are determined should be analysed, and who is to be assigned which authority in the processes should be determined.

What is expected in the delegation of authority is that the official who is to be delegated the authority should be well-informed of the process and have the quality and experience to manage the process. Employees that are delegated authority are expected to report the current situation of the process to the delegator, and the delegators are expected to seek this report.

7.3 Delegation of Authority and Responsibility

We can handle responsibilities in three different categories:

Managerial responsibility

It refers to the responsibility to the senior level in hierarchical terms. Besides, it is defined as performance responsibility. Delegation of authority will not remove the managerial responsibility of the delegator.

Financial (Compensation) Responsibility

It is the financial responsibility for public and/or personal loss caused by using the authority delegated. Financial responsibility arising from the usage of this authority will belong to the user of the authority.

Legal (punitive) Responsibility

Legal responsibility covers managerial and financial responsibility. Legal responsibilities are defined in the Constitution, organisational laws, the Turkish Penal Code and special legislation. All employees and political authorities working in the public administration must behave with legal responsibility while carrying out their duties.

7.4 Factors of Delegation of Authority

Those authorities that can be delegated and those that cannot be delegated should be determined, with their limits, at senior management level and announced. The basic factors to be taken into consideration in delegation of authority are as follows:

Delegation of authority must be in writing.

Legally, there are authorities which cannot be delegated, and these are not at the administration's discretion (for example, the authority to give disciplinary punishment or the authority of administrative tutelage, etc.).

Limits of the authority to be delegated must be set out.

As long as the delegation of authority continues, the delegator will not be able to use that authority.

When the official delegating the authority or the official delegated the authority leaves the job, the authority terminates.


7.5 Delegation of Authority and Communication

Employees taking over the authority should periodically report the current situation of the process to the delegator, and the delegator should seek this report, which will provide feedback to the Head of Administration regarding the process. This is an example of the monitoring function.

8 INTERNAL CONTROL AND RISK STEERING BOARD

8.1 Roles and Members of the Board

The Board has a consultation role which will provide additional value for the activities of the administration in the development of methods and processes regarding the internal control system, such as monitoring internal control practices, preparation of action plans and implementation of the current plans.

The Board is formed by the approval of the Head of Administration for commencement of studies on the internal control system within the framework of the Action Plan Manual on Harmonisation with Public Internal Control Standards. The Board consists of authorising officers (or their deputies) under the chairmanship of the deputy Head of Administration; when the deputy Head of Administration is not available, an authorising officer assigned by the Head of Administration takes over as chairman. All or some of the authorising officers are selected for the ICRSB, and how many to select should be determined with a view to providing efficiency in line with the organisational structure. When deemed necessary, the Head of Administration can invite authorising officers who are not members of the Board to Board meetings to get their opinions, provided that they are not included in the decision-making. Secretarial services of the Board are provided by strategy development units.

The Board convenes periodically. Experts from inside and outside the administration can be invited to the Board if deemed necessary in order to contribute to the objectives and aims. Within the framework of the duties and responsibilities given to it, the Board is free to determine the dates and content of meetings and notifies the relevant persons of the relevant arrangements in advance.

Decisions are made based on majority voting. Each member, including the Chairman of the Board, has only one voting right. However, when the votes of both sides are equal, the majority is considered to be the side that the chairman takes. Members who do not side with a decision state their justifications in writing. The deputy senior manager, authorising officers or the deputies they assign should have a single equivalent voting right in the meetings; however, the other representatives and experts whose opinions are received should not have a voting right. The Head of Administration, on the other hand, should be able to participate in the Board meetings without having a voting right and should encourage the participation of authorising officers in order to strengthen the internal control system. For meetings in which the Head of Administration does not participate, a briefing should be made through the reporting system.

Details about how the Board works should be specified in the relevant legislation.

The Board regularly monitors internal communication activities and processes, revises them when deemed necessary and determines new communication methods to fit the changing organisational structure.


CE Figure 4 Information Flow in Internal Control and Risk Steering Board

8.2 The Board's Scope of Duty

The Board works to support the accountability of senior management in the fields of management, internal control and especially risk, and is authorised to carry out the following with the approval of the senior manager. Within this framework, its duties in the field of risk can be listed as follows:

It prepares the Risk Strategy and Policy Document (RSPD) or reviews the available RSPD and submits it for the approval of the senior manager.

It determines policies for the establishment of a risk management culture in the administration.

It determines the risks of spending units to be managed in partnership and the related policies and procedures, and communicates them to the unit's risk coordinator for coordination purposes.

It determines the risks to be managed in partnership with other administrations and communicates them to the relevant administrative risk coordinator to ensure that necessary precautions are taken for management in partnership with the relevant administrations.

The Board periodically assembles to assess whether the risk management process functions well and the level achieved regarding risks, and reports the level achieved to the senior manager.

The Board fulfils the following duties other than risk management:

Assessing internal audit reports and providing guidance for the implementation of recommendations and ideas regarding the internal control environment and the other components in line with the requirements of the administration

Monitoring the activities of the administration carried out within the framework of the strategic plans and policies of the administration by means of periodical meetings

Making decisions on the dissemination of good practice examples both inside and outside the administration as a result of the monitoring activities that are carried out

[CE Figure 4 elements: Deputy Head of Administration; Internal Control and Risk Steering Board; Strategy Development Unit; Authorising Officers of Spending Units (A), (B) and (C)]


RISK MANAGEMENT

1 Introduction

Administrations utilise the resources allocated to them in order to reach the objectives set out. Activities, processes and projects which are carried out for the utilisation of these resources bring along risks. Risk management is a good tool for administrations to achieve the aims they set out in accordance with their missions and visions. Box RM1 describes risk.

RM Box 1 Definition of Risk

Risk is the uncertainty of events that may emerge in the future (if positive, it is an opportunity; if negative, it is a threat). For administrations, this means that the aims, and the objectives they set out to achieve these aims, can be affected positively or negatively by internal or external factors.

Risk management covers risk assessment, determination of effective control activities, monitoring and continuous improvement of these processes. Risk management must be practised corporately for consistency purposes, which brings us to the concept of Corporate Risk Management. Corporate risk management covers the entire administration and ensures that risk management processes are considered and handled as a whole.

2 Risk Management standards

Administrations, while implementing risk management, take into account the following standards:

RM Box 2 Risk Management Standards

3 Benefits of Risk Management for Administrations

The following are the important benefits of properly applied risk management in corporate terms:

Helps improve the performance of administrations and assists administrations in attaining their aims and objectives

Helps provide the continuity of the services the administration provides and improve the quality of the activities the administration carries out

[Figure elements: Info & Communication; Monitoring; Control Activities; Risk Management; Control Environment]

Standard 5: Planning and Programming

The administrations shall establish and announce their activities, goals, objectives and indicators, as well as the plans and programs, including the resources which are required for the realization of the above listed elements. They shall also ensure that the activities are in compliance with plans and programs.

Standard 6: Determination and assessment of risks

The administrations shall define and assess the internal and external risks that could prevent the achievement of goals and objectives by performing a systematic analysis, and determine the measures to be taken.


Ensures cost-benefit balance between the risks identified and the controls applied, and therefore increases the efficiency in resource allocation

Helps control the impacts of potential losses and decrease the costs of such losses

Ensures compliance with the legislation and regulations

Helps strengthen decision making mechanisms by supporting evidence and risk-based decision making

Enhances accountability by supporting the clear definition of tasks, roles and responsibilities within the administration

Helps the administration have a more positive image in the eyes of public opinion

4 Critical Achievement Factors for an Effective Risk Management

For administrations to obtain the expected benefits from risk management, the following are required:

Ownership of the risk management process and determination of a risk strategy encouraging its implementation in accordance with the mission and vision

Establishment of the necessary mechanisms to have a single risk management language

Provision of sufficient information, guidance and advice regarding risk management

Simplicity, flexibility and practicality of risk management processes, and integrated planning and implementation with the other basic processes (strategic planning, performance management, human resources management, etc.)

Supporting the assessments regarding risks with reliable evidence at all times

Systematic monitoring, reporting and evaluation of risk management processes

Increasing awareness within the administration that everyone has an important role to play in risk management and that risk management should be fulfilled as an integral part of the existing processes

Having an organisational communication strategy and proper and functional communication channels inside and outside the administration

5 Risk Strategy and Policy Paper

Risk Strategy is the organisational approach defined for risk management and top level policies, whereas the Risk Strategy and Policy Paper (RSPP) is the document in which this approach and these policies are set down in writing. Risk strategy sets out the administration's attitudes towards risks and forms a framework for the risk management process. The RSPP of an administration is prepared by the Internal Control and Risk Steering Board (ICRSB) for the endorsement of the head of administration and should be available to and known by all staff.

The organisational risk strategy should clearly set out the structures regarding the management and ownership of risks; how to address risks at strategic level and at program and activity levels; the structures regarding communication, monitoring, assessment and getting assurance; the criteria for key risks; the risk register format; and risk measurement criteria. Attention must be paid that the risk policies of the organisation comply with national level policy papers.

The risk strategy must be set out to reflect the risk appetite of the administration at strategic level. As risk appetite can change in time based on various conditions (for example, risk appetite may be low in periods of financial crisis), the risk strategy of the administration should be reviewed at least once a year and updated when deemed necessary. Box RM3 gives a basic explanation of risk appetite.

RM Box 3 Risk Appetite

Risk appetite is the amount of risk an administration is ready to take at any time (tolerate/be exposed to) in accordance with its mission, vision and objectives. Risk appetite should be taken into consideration while preparing strategic plans.

Risk appetite is affected by the internal and external environment, people, business systems and policies. Within this framework, risk appetite should be set out with top-down guidance.

It is possible for the administration to set different appetite levels as long as the administration does not exceed its overall risk appetite limits.

Both taking too many risks and taking too few risks may lead to failure. Although low risk appetite is considered to be a reliable management method, it may constrain the administration in terms of creativity, innovation and taking advantage of opportunities.

Another prerequisite in risk management is the existence of a common risk language. Producing this common language requires a joint terminology and mechanisms to disseminate it. Otherwise it is not possible to build a strong common understanding to manage risks.

Corporate risk management requires a contribution from all employees. Ownership of the risk management process by the staff (identifying, addressing, responding to, reviewing and monitoring the risks) and considering it as a part of their jobs can increase the effectiveness of corporate risk management.

In order for risk management to contribute to the achievement of objectives, to improve management quality and also to reduce costs, it should be embedded in the activities. Embedding risk management in the processes means that activities are carried out as a whole, including risk management.

Box RM4 gives details of the content of the Risk Strategy and Policy Paper.

RM Box 4 Risk Strategy and Policy Paper

6 TASKS, AUTHORITIES AND RESPONSIBILITIES

Good risk management is only possible if the administration is well organised. Clear definition of tasks, roles and responsibilities, awareness among staff of what is expected of them within the framework of the policies and practices of the administration, and the existence of horizontal and vertical communication mechanisms as well as mechanisms for communication outside the administration are the requirements for a good control environment. The assignment of tasks, roles and responsibilities to appropriate, competent and authorised people in risk management will provide a strong infrastructure for risk management in the administration. While it is necessary to define roles and responsibilities, all staff are responsible for risk management. Diagram RM1 explains the structure of roles and responsibilities in risk management.

RM Figure 1 Tasks and Responsibilities in Risk Management

RSPP should include at least the following:

Aim of risk management

Risk appetite

Compliance with the legislation and binding policy papers

Risk methodology to be adopted

How to determine key risks (criteria)

Organisational structure and duties

Roles and contributions of the employees

Communication Plan


6.1 Head of Administration

This person is defined within the framework of Law No. 5018 on Public Financial Management and Control and is authorised and responsible for risk management at the highest level.

Regarding risk management, the Head of Administration:

Ensures the establishment of the strategy regarding the management of risks in accordance with the aims and objectives of his administration at the outset of each year, approves the Risk Strategy Policy Paper (RSPP), which demonstrates how the strategy will be implemented, and notifies all staff of this in writing

In the RSPP, he clearly defines all the tasks, roles and responsibilities and the necessary structures (for example, the ICRSB) within the scope of this manual for risk management

Provides the Administrative Risk Co-ordinator (ARC) with the necessary support regarding the risks to be jointly managed with other administrations

Ensures that the proper mechanisms are established to provide for the necessary sensitivity and participation regarding the management of risks for public opinion and the stakeholders

Sets out the strategic actions for the future in accordance with the considerations and recommendations of the ICRSB and the ARC

Receives assurance on risk management from the ICRSB and presents an assurance declaration to the Minister on whether the risks are managed effectively

He encourages the consistency of risk management processes

He reviews monitoring reports and encourages the effectiveness of risk management

He sets an example in terms of his behaviour, particularly in strategic risk management

He encourages employees to identify risks

He should show leadership in risk management


6.2 Internal Control and Risk Steering Board (ICRSB)

The Board develops policies for the improvement of risk management in the administration and submits them for the approval of the Head of Administration. The Board notifies the units of the policies and procedures. On the advice of the ARC, the ICRSB determines a particular number of risks which it deems significant as the key risks among the risks that are submitted to it, and reports whether these key risks are managed well or not to the Head of Administration at regular periods or whenever it deems necessary.

Secretarial services of the Board are carried out by the Administrative Risk Coordinator (Head of SDU). Whenever necessary, people with the relevant expertise from within or outside the administration can be invited to the meetings. The ICRSB has the authority to enforce the elements it has determined regarding the following duties with the approval of the Head of Administration.

Regarding risk management, the ICRSB carries out the following:

Preparing the Risk Strategy and Policy Paper (RSPP) of the administration, or annually reviewing the already available RSPP, and submitting it to the Head of Administration for approval

Defining policies for the establishment of a risk management culture

Ensuring that risks are consistently managed in the administration

Determining critically strategic risks of the administration

Determining the risks of spending units which require joint management and the related procedures and policies, and submitting them to the URC for coordination purposes

Setting out the risks that require joint management with other administrations and ensuring that necessary measures are taken for the joint management by notifying the ARC

Meeting at least quarterly in order to consider whether the risk management processes in the administration work effectively, assessing the current status of risks and reporting it to the Head of Administration

Ensuring that good practice cases are determined and spread more widely

6.3 Administrative Risk Coordinator

It is advisable that the Head of the SDU takes the role of Administrative Risk Co-ordinator. The ARC is a member of the ICRSB and is responsible to the Head of Administration for the consistency of the risk management processes of the administration and their compliance with the standards.

Regarding risk management, the ARC:

Is responsible for the efficient operation and coordination of all risk processes in all units

Calls the relevant Unit Risk Coordinators (URC) for a meeting at least once in three months

Prepares the Consolidated Risk Report (using the report form in this manual) on the basis of the reports submitted by the URCs and submits this Consolidated Risk Report to the top management and the ICRSB on a quarterly basis. The report should include the ARC's personal considerations on the key risks

Carries out secretarial services of the ICRSB and such tasks as setting out meeting agendas for the Board, keeping minutes of meetings and submitting decisions of the Board to the Head of Administration for approval

Discusses the issues on common risk fields with the ARCs of other administrations and coordinates these within the administration

Provides technical support to the units on risk management of the administration

Identifies the needs of units regarding risk management and reports them to the ICRSB and the Head of Administration before each meeting

Sends feedback to URCs regarding the opinions, advice and decisions of the ICRSB and takes necessary precautions for the consistency of the risk management processes of the administration


6.4 Unit Risk Coordinator

The Unit Risk Coordinator (URC) is the authorising officer or the person who is determined by the authorising officer. Regarding risk management, the URC:

Coordinates the identification of the unit's risks that may have an impact on the objectives of the administration and provides relevant guidance at the beginning of the year. The URC associates the risks that are determined with the activities of the sub-units, using their knowledge and expertise, and pays attention to ensure that all important issues are addressed. Important risks included in the risk register are submitted to the ARC to be presented to the ICRSB for consideration

Reviews the risk registers and relevant reports that are annually prepared on periods (such as monthly, quarterly, semi-annually) to be set out by the administration and reports them to the ARC

Monitors the risks managed and reported by the Sub-Unit Risk Coordinators (SURCs) at unit level. Evaluates the changes in the risks or the arising risks, if any, and reports them to the ARC upon approval from the unit director

Submits an assurance declaration to the ICRSB on whether the risks are managed effectively

Provides feedback to SURCs regarding the opinions, advice and decisions of the ARC and ICRSB

Determines training needs regarding risk management

6.5 Sub-Unit Risk Coordinator

The SURC is responsible for the coordination of risk management activities within sub-units of the units in administrations (if such units exist or it is seen to be appropriate to manage the risks at this level) and is the person to be determined by the authorising officer. He/she is directly accountable to the URC regarding risk management. Sub-unit risk coordinators must be selected from among those who have sufficient competence and experience.

Regarding risk management, the SURC:

Coordinates the tasks of identifying, assessing, addressing, reviewing and reporting the sub-unit's risks that are associated with the objectives of the administration

Reports to the Unit Risk Coordinator (URC), in line with the risk strategy of the administration and on periods determined by the URC, the recently identified risks that are related to the activities of the sub-unit, those risks with changing scores and the effectiveness of the controls carried out to decrease these risks

Is accountable to the URC and, furthermore, responsible for providing the Administrative Risk Coordinator (ARC) with requested information and documents

6.6 Employees

The most important factor for risk management to be successful is the ownership of risk management by employees. Therefore every employee is responsible for managing risks in their field of duty (identifying, assessing, responding to, reviewing and reporting risks).

Regarding risk management, employees:

Contribute to the risk management processes in their respective units by defining, communicating and responding to the expected, emerging and changing risks

Manage the risks within their own fields of responsibility through the power and responsibility assigned to them by the administration

Provide evidence to the SURC/URC regarding the effectiveness of the management of risks in their respective fields

Employees should not hesitate to identify risks and submit them to the relevant risk coordinator. It is important to bear in mind that just one loose screw could cause a plane crash.


6.7 Internal Auditor

The Internal Auditor provides the Head of Administration with advice regarding risk management by making evaluations on whether the risk management process is effective and whether risks are managed in the right way. Internal Audit can also provide advice on whether any key risks have been overlooked or inappropriately controlled.

6.8 Strategy Development Unit

The Strategy Development Unit (SDU) is responsible for providing training, identifying training needs and facilitating the delivery of necessary training. It is also responsible for identifying best practice in risk management, encouraging such practice to be shared and providing guidance where necessary.

6.9 Central Harmonisation Unit

The Central Harmonisation Unit (CHU) carries out such activities as making regulations on internal control, including risk management, and activities for the development of risk management. The CHU also provides guidance, ensures harmonisation and inter-administrational coordination, and reports on the effectiveness of risk management.

7 RISK MANAGEMENT PROCESS

Basically, the risk management process should start simultaneously [1] with strategic planning studies. In cases when strategic plans should be renewed or amended, studies concerning risks should be carried out with current amendments in mind. Within the framework of risks identified in light of strategic objectives, the attitude of an administration towards risk management is set out in the Risk Strategy and Policy Paper, with information on the risk appetite involved. Within this framework, administrations identify risks at strategic, program/project level and operational (activity) level. In identifying risks, an administration can start with the strategic level (top-down) or the activity level (bottom-up), or it can start the risk management process by implementing both methods together.

[1] If strategic plans are already prepared, the risk management process should then begin as soon as possible.

Figure RM2 shows the Risk Management process.

RM Figure 2: Risk Management process

[Figure labels: Risk Management Process; Risk Management strategy; Identification of risks; Assessment of risks; Responding to risks; Monitoring and reviewing risks]

The administration should manage the risks at strategic, programme and operational level, as shown in Figure RM3.

RM Figure 3: Hierarchy of Risk

Administration level: This is the area which covers the whole administration, where decisions related to strategic objectives are made and for which the senior management of the administration is responsible. Strategic objectives are medium and long term objectives and are associated with senior level policy documents. Therefore, while making decisions for the future, decision-makers (top management) have to take into consideration a lot of uncertainties. This is the area where risks have the highest impact. Besides, this is the area which is affected most by external risks such as governmental policies, the general economy and technological developments. This area assumes specific importance, as those risks which are not managed well at strategic level affect the other levels as well.

Unit level: This refers to units where the policies of senior management are implemented and which are responsible at the highest level for the usage of public resources within the administration. Impacts of such risks last for a shorter period of time compared to those of the strategic risks. This is the area where units should identify their objectives and manage related risks for the administration to achieve its strategic objectives. This is the area which is affected by risks both from inside and outside the administration. For risks from upper and lower levels to be assessed and coordinated, it is vital that this level be managed well. Besides, there should be strong communication in this area.

Sub-Unit level: In this area there are only those works which are carried out at operational level with a view to achieving the unit's objectives. Daily activities of all employees fall within the scope of this area. This is the area where short-term decisions are made, products and services are produced, and fewer uncertainties are experienced. This area is affected more by internal risks than external risks. Risks not being managed well at this level may affect the achievement of strategic objectives.

7.1 Identifying Risks

The risk identification process, which is the first stage of risk management, is the process of identifying, categorising and updating the risks that prevent or limit the achievement of the administration's strategic objectives, using previously defined methods. The following box suggests some questions to be considered when starting to identify risks.

RM Box 5: Questions to be considered when starting to identify risks

• What are the main objectives?
• What are the key activities?
• Who are the stakeholders?

The following should be considered while identifying risks:

• As a generally accepted rule, strategic risks that can affect the administration are determined at the stage of strategic plan preparation, and risks identified are included in the strategic plan.
• Risks should also be identified at programme and operational level. Programme and operational risks should include all the strategic risks. However, when identifying the programme and operational risks, we should not limit our scope to strategic risks but have a wider spectrum.
• When identifying risks, the administration can choose a top-down or bottom-up method, preferably used at the same time.
• Risks identified should be associated with the objectives of the administration. It must be taken into consideration that some risks can indirectly affect the objectives, such as those which damage the reputation of the administration.
• Risks should be identified systematically, with previously determined methods. These methods can vary according to the characteristics of the administration and its activities. In this process, the administration can either use one or more of the methods defined below or develop a new method in line with its own needs.
• Risks identified should be expressed as 'x' risk or risk that 'x may emerge'. It will be convenient to register them this way in the risk register (see Annex 3 for the risk register form).
• Assess whether risks identified are internal or external risks.
  o Internal risks are the risks stemming from the events directly controlled by the administration itself. Internal risks can be grouped into three: strategic risks, program risks and activity risks.
  o External risks, on the other hand, are the uncertainties arising due to events that are out of the control of the administration, which hamper or prevent the achievement of objectives. While identifying external risks, it will be useful to classify them by their subjects (generally, PESTLE analysis is used; see Box RM7).
• After risks are identified, their owner or the person to be responsible for them must be defined, and this information must be included in the risk register.
• Since risk identification is a dynamic process, emerging risks should be identified and changes to the existing risks should be consistently followed up.

RM Box 6: Factors and methods to be taken into consideration during the process of identifying risk

How do I identify risks?

• Firstly, decide how to identify the risks, namely at strategic level, operational level or both.
• Identify and categorise the risks (social, cultural, political, scientific etc.), taking into consideration the threats, opportunities and the scope.
• Decide on the required human resource, tools and methods.
• Mostly, the following methods are used to identify risks. However, administrations can determine different methods other than these in light of their needs.
  o PESTLE analysis (see Box RM7)
  o SWOT analysis (see Box RM7)
  o Brainstorming (this method can be used both for identification and assessment; see Annex 1)
• Group risks as internal and external ones.
• Make a stakeholder analysis (identify the risk tolerance, position and attitude of the stakeholders).
• Repeat the identification regularly and in periods of change.

The following box explains the PESTLE and SWOT analysis.

RM Box 7: PESTLE and SWOT analysis

PESTLE Analysis

PESTLE analysis is the identification of risks by making assessments based on the following categories:

• Political
• Economic
• Social
• Technological
• Legal
• Environmental

Example:

  o Political: change of governmental priorities
  o Economic: inflation rate going above the expected levels
  o Social: population growth rate going much above the expected levels
  o Technological: information process infrastructure not being set up
  o Legal: cases in courts turning against the administration
  o Environmental: an earthquake strike

SWOT Analysis (In-house analysis)

• Strengths
• Weaknesses
• Opportunities
• Threats

Example:

  o Strengths: Specialised personnel
  o Weaknesses: Old technology
  o Opportunities: Economic growth
  o Threats: Sudden policy change

For detailed information, refer to Strategic Planning Guideline for Public Administrations, SPO, June 2009.

The following two boxes give some tips for the process of risk identification and some questions to ask.

RM Box 8: Tips for Risk Identification

What are the Tips?

• Whether there is available information regarding the risks, and how accurate it is, if any, should be taken into consideration.
• A working group including different fields of expertise would increase the likelihood of identifying new risks.
• Using the brainstorming method yields effective results (see Annex 1).
• Having open communication lines and acting farsightedly are the key points.

RM Box 9: Questions to ask in the process of risk identification

• What could go wrong in the achievement of objectives?
• What are the critical achievement factors?
• Who are our stakeholders, and what can their negative or positive impact be on our activities?
• What are our risk categories? Tables, diagrams etc.
• What are our weaknesses?
• Which assets assume more critical importance?
• What areas are open to irregularities and fraud?
• Which events or situations can hamper our activities?
• What are our most critical sources of information?
• In which areas do we spend most?
• Which activities or processes are more complicated?
• In which areas are we subject to penal sanctions?
• What are the legal requirements?
• What are the resource limitations?

7.2 Risk Assessment

Risk assessment refers to analysing the factors that may have an impact on the achievement of the administration's objectives and evaluating the seriousness of the risk in terms of impact and probability. While assessing risks, in addition to the potential events the administration can face, aspects which are specific to the administration (for example, size of the administration, complexity of activities, legislation it is subject to in relation to its activities, its political priorities, public interest) should be considered.

After risks are identified comes the stage where the risks are measured and prioritised. Prioritisation is listing the risks in accordance with their priority, in line with the scores they are given. Risk assessment helps decide whether to respond to identified risks and, if so, select the best response with regard to the cost/benefit balance.

The following box gives some questions to be considered before starting the risk assessment process.

RM Box 10: Questions to be considered before starting the risk assessment process

• What are the objectives?
• What are the present controls?
• What are the possible results if the risk occurs?
• Do activities of some other administrations/units affect my risk?
• Who are the stakeholders, and what is their level of experience and expertise?

Three important principles in risk assessment are:

1. Identifying the impact and probability of each risk

In assessment, probability and impact are analysed. Probability refers to the chance of an event occurring in a particular period. Impact, on the other hand, is the outcome or the effect produced.

Three categories are used while assessing risks: low risk level (shown in green), medium risk level (shown in yellow) and high risk level (shown in red). These colours, as in traffic lights, facilitate understanding the degree of importance of the risks. These are shown in the following diagram.

Probability and impact of the risks can also be shown using numbers. In the following diagram, point 1 indicates that there is almost no probability for that risk to occur, while point 10 means that it is almost certain that it is going to occur. In terms of impact, point 1 is used where the outcome of the realisation of a risk has little importance, whereas point 10 means that this outcome is highly important. Risks are scored between 1 and 10 for their probability and impact (see Annex 5). In assessing impacts and probabilities of risks, one of the methods to be used is the voting method (see Annex 2).

Risk maps are used to see the severity of the risks better. A basic demonstration of risks on the risk map is given in the following diagram.

RM Figure 3: Risk map

2. Assessing the risks on the basis of inherent risks and residual risks

Inherent risk refers to the amount of risk before it is managed or any action is taken. These inherent risks are transferred to the risk register (see Annex 3 for the Risk Register form) after assessing their probability and impact. In assessment, as has been suggested above, the probability and the impact of the risk are scored between 1 and 10. Multiplication of the scores of probability and impact indicates the risk score.

The administration at this stage must decide on the risk appetite. It must also be set out which risks, placed between which numbers, are low, medium or high risks in accordance with the designated risk strategy of the administration, and the risk map of the administration must be produced in this framework (see Box RM3 Risk Map).

After the risk score has been set, risks are prioritised starting from the one with the highest score. Responses to be given to risks are determined. Controls are identified and applied considering the methods of responding to risks.

The management must identify the level of the remaining risk after the control activities it carries out to manage the risk. Residual risk refers to the remaining risk after an action has been taken to mitigate the probability and impact of a risk. If the level of the residual risk is still higher than the risk appetite, the efficiency and competence of the present control activities must be questioned and, if deemed necessary, responses to be given to the risks must be reviewed. The following box gives an example of inherent and residual risk.

RM Box 11: Example of inherent and residual risk

Activity: using a car
Inherent risk: having an accident because you are inexperienced
Control action: getting a licence, taking driving courses
Residual risk: another inexperienced driver crashing into your car

3. Recording the risks

Recording the risks contributes to the prioritisation of the risks, and therefore to the efficiency of the allocation of resources and to the production of evidence for the decisions taken; helps people to understand their responsibility within risk management; facilitates the acquisition and communication of information to the right people at the right time via the reporting mechanism; and enables the reviewing and monitoring processes of the risk.

Risk records are reported in two stages: the Risk Register (see Annex 3), used in the identification and registry of risks, and the Consolidated Risk Report (see Annex 4), used for the reporting of risks to the senior managers (see Annex 7 for an example of a completed Risk Register).

The following box gives some tips for the risk assessment process.

RM Box 12: Tips for risk assessment

• Measure the impacts and probabilities of the risks identified for a particular period of time.
• While determining the impact score, assess the impact the risk will have on the objective that is foreseen to be hampered.
• Utilise proper methods in the assessment.
• Bear in mind that the risk assessment of a job can best be made by the person who does this job.
• Note that activities of other administrations/units can have impacts on your risks, and risks are not independent of each other.
• Utilise such tables as risk maps to be able to see all the risks together.
• Prioritise risks in line with the risk scores (Impact x Probability).

RM Box 13: Example of the Risk Assessment process

You are going to deliver training on your subject of expertise.

Your objective: The audience understands the subject you explain.

You identify your risks:

Risk 1: As you arrive late, you may not have sufficient time to deliver the training.
Risk 2: You may deliver your presentation using an inappropriate approach, as you do not know who the audience is.
Risk 3: You may have difficulty in supporting what you explain, as you don't have the soft copy of the presentation.

Let's see the likelihood of Risks 1, 2 and 3 and how they would affect your objectives if they occur.

Risk 1

Likelihood: The traffic would be bad at that hour. In addition, you have a lot of other things to do that day. Likelihood: 7

Impact: You can arrive late, but you know the subject very well. Even if you deliver it in a very short time, it would still be understandable for the audience. The impact of arriving late on your objective is 3.

Risk Score: 7 x 3 = 21

Risk 2

Likelihood: In the letter you have been told what the subject is but not who the audience is, and you don't have the chance to ring someone and learn. Likelihood: 5

Impact: If you are to deliver the training to experts who already know the issue, you get into details, but if your audience is made up of people who don't know anything about it, you only draw the general framework. If you cannot learn who the audience is and you deliver the training in detail while the audience is unaware of the subject, they would not understand; or, if you give little information to people who already know about it, they would not learn anything new. The impact of using the wrong approach in the delivery is 9.

Risk Score: 5 x 9 = 45

Risk 3

Likelihood: You generally carry your computer around. You also have a habit of carrying your pen drive in your bag after saving your studies on it. Likelihood: 2

Impact: Even if you don't project the presentation on the screen, you know the subject very well. You could still effectively deliver it to the audience. The impact of not having the soft copy with you on your objective is 3.

Risk Score: 2 x 3 = 6

As shown in the risk map:

Impact
  10 |  10  20  30  40  50  60  70  80  90 100
   9 |   9  18  27  36  45  54  63  72  81  90
   8 |   8  16  24  32  40  48  56  64  72  80
   7 |   7  14  21  28  35  42  49  56  63  70
   6 |   6  12  18  24  30  36  42  48  54  60
   5 |   5  10  15  20  25  30  35  40  45  50
   4 |   4   8  12  16  20  24  28  32  36  40
   3 |   3   6   9  12  15  18  21  24  27  30
   2 |   2   4   6   8  10  12  14  16  18  20
   1 |   1   2   3   4   5   6   7   8   9  10
     +----------------------------------------
         1   2   3   4   5   6   7   8   9  10
                      Likelihood

Prioritisation:

1. Risk 2 (Risk Score 45)
2. Risk 1 (Risk Score 21)
3. Risk 3 (Risk Score 6)

(Note that risks are not always assessed according to the scores. Some strategic risks should be taken into consideration even if they have a low score. Emergency precautions/plans should be available. You may not always foresee what will happen. Your plans should be flexible, so that you will be able to handle the situation when something unexpected emerges.)

7.3 Responding to Risks

Responding to risks refers to setting out the responses to the risks identified and assessed within the risk appetites by the public administration, and mitigating the potential threats or taking the arising opportunities. Before deciding on the method to respond to risks, a cost/benefit analysis must essentially be carried out. The objective of responding to risks is to mitigate the likelihood of the risk and its impact, and to achieve the foreseen objective in the most efficient manner.

Box RM 14: Questions to consider in responding to risks

• What is the level of risk?
• What happens if no response is given to the risk?
• Which risks must be controlled?
• Which risks can be transferred?
• What are the consequences of resorting to risk aversion as a public administration?
• Is the opportunity good enough to take the risk?

The following figure shows, within the framework of risk appetite, how inherent risk turns into residual risk as a result of responses, controls and actions (also see Box RM3 Risk Appetite).

RM Figure 4: Risk Indication Table

(OGC's Risk Dashboard, from HM Treasury's publication named Thinking about Risk)

Figure RM4 demonstrates the following:

• Columns 1 and 5: Control activities successfully decrease the inherent risk, so that the remaining risk, called the "residual risk", is reduced to the same level as the risk appetite. Such points, where the risk appetite and residual risk of an administration overlap, are ideal situations in terms of risk management (cost-effect).
• Columns 2, 3 and 4: Control activities decreased the risk. However, the residual risk is still higher than the risk appetite (tolerable level). This shows that the effectiveness and adequacy of the controls implemented should be questioned and more control activities should be implemented.
• In column 6, as the inherent risk is equal to the risk appetite, the risk is tolerable. However, these risks should be monitored just as the other risks, because of the possibility of changing.
• In column 7, on the other hand, control activities decreased the residual risk below the risk appetite. This shows that more controls than necessary are implemented and resources are not used efficiently. In these over-control cases, control activities should be decreased to a level at which the residual risk is equal to the risk appetite.
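The scoring rule of section 7.2 (risk score = probability x impact, highest score first) and the Figure RM4 reading of residual risk against risk appetite can be combined in one small risk register, shown here as an added example that is not part of the manual. The probability and impact values are those of RM Box 13; the residual values, the appetite of 20, the band limits and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed band limits (upper bound, label). The manual leaves the boundaries
# between low, medium and high to each administration's risk strategy.
BANDS = ((20, "low"), (50, "medium"), (100, "high"))


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int           # inherent probability, scored 1..10
    impact: int                # inherent impact, scored 1..10
    residual_probability: int  # probability after controls, 1..10
    residual_impact: int       # impact after controls, 1..10

    def __post_init__(self):
        for label in ("probability", "impact",
                      "residual_probability", "residual_impact"):
            value = getattr(self, label)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{self.name}: {label} must be an integer 1..10")
        # Residual risk is what remains after controls, so it cannot grow.
        if self.residual_score > self.inherent_score:
            raise ValueError(f"{self.name}: residual score exceeds inherent score")

    @property
    def inherent_score(self) -> int:
        return self.probability * self.impact

    @property
    def residual_score(self) -> int:
        return self.residual_probability * self.residual_impact


def band(score: int) -> str:
    """Map a 1..100 risk score to the traffic-light band (assumed limits)."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the 1..100 range")


def prioritise(risks):
    """Order risks from the highest inherent score to the lowest."""
    return sorted(risks, key=lambda r: r.inherent_score, reverse=True)


def control_verdict(risk: Risk, appetite: int) -> str:
    """Read a risk the way the Figure RM4 columns are described."""
    if risk.residual_score > appetite:
        return "strengthen controls"    # columns 2, 3 and 4
    if risk.residual_score == risk.inherent_score:
        # Nothing was reduced and the inherent risk is within the appetite:
        # the risk is tolerated but still monitored (column 6).
        return "tolerate and monitor"
    if risk.residual_score == appetite:
        return "ideal"                  # columns 1 and 5
    return "over-controlled"            # column 7


def report(risks, appetite: int):
    """Return (rank, name, inherent score, band, residual score, verdict) rows."""
    return [
        (rank, r.name, r.inherent_score, band(r.inherent_score),
         r.residual_score, control_verdict(r, appetite))
        for rank, r in enumerate(prioritise(risks), start=1)
    ]


# Probability and impact are taken from RM Box 13. The residual values and
# the appetite are constructed for this example.
APPETITE = 20
REGISTER = [
    Risk("Risk 1: arriving late", 7, 3, 4, 3),
    Risk("Risk 2: wrong approach for the audience", 5, 9, 5, 6),
    Risk("Risk 3: no soft copy of the presentation", 2, 3, 2, 3),
]

if __name__ == "__main__":
    for row in report(REGISTER, APPETITE):
        print("{}. {:<42} inherent={:>3} ({}) residual={:>3} -> {}".format(*row))
```

The constructor rejects scores outside 1 to 10, so a mistyped entry fails when it is recorded instead of silently distorting the prioritisation.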

There are four methods of responding to risk, and these are shown in the following diagram, Figure RM5.

RM Figure 5: Methods of responding to risk

[Figure labels: Methods of responding to risk; Tolerating; Treating; Transferring; Avoiding]

Tolerating: This is a passive method of response given to the risks which public administrations are comfortable to undertake. In the following cases, risks can be accepted:

• If the inherent risk is within the limits of the risk appetite, then it is accepted.
• When it is understood that the cost of the actions to be taken (controlling, transferring or avoiding) for an intolerable risk would exceed the potential impact of the risk, then the risk is accepted.
• Some risks are out of the control of the management. Certain risks do not disappear unless the activity is terminated, whereas terminating an activity is not always possible or desirable.

Treating: This is a method of response given to a risk by means of control activities carried out with a view to keeping risks at a tolerable level (risk appetite) in public administrations. This method can be applied using the following five controls:

• Preventive Controls
• Corrective Controls
• Directive Controls
• Detective Controls
• Emergency Plans

For detailed information, refer to the Control Activities chapter.

Transferring: This is the response given to the risks by taking some of them away from the responsibility of the administration and transferring them to others. (Even if the risks are transferred, the responsibility cannot be transferred, and they need to be managed under the control of the administration, because it is the administration that will be affected when the risks are realised.)

Risk transfer is carried out using the following methods:

• Completely or partly transferring the activity to another administration
• Transferring its operation to third parties using a procurement method
• Transferring it by means of insurance (when appropriate)

Avoiding: If the risk we have to take is too big to manage and there are alternatives to the activity performed, it is possible to terminate this activity. For example, deciding not to build a factory which is expected to cause too much air pollution, or deciding not to purchase the computers that are planned to be purchased because of a budgetary cut.

The following box summarises the process of responding to risk.

Box RM 15: Process of responding to risk

• List the Threats and Opportunities according to the analysis results.
• Define your attitude considering the content of the risk:
  o Tolerate
  o Control
  o Transfer
  o Avoid
• Ensure that the benefit that the response will provide is higher than the cost it will bring.

While managing risks, the opportunities they bring along should also be taken into consideration. Alongside negative impacts, risks can also lead to opportunities. In order to be able to take these opportunities, which would make an additional contribution to the achievement of the administration's objectives, the administration must have designated strategies. Taking the opportunity is not an alternative method of responding to risks; rather, it is a method to be applied additionally.

Opportunities are taken in the following cases:

• When the cases of taking the opportunity and reducing the threats coexist. For example, carrying out health and scientific research to find a cure for a disease. (The disease threat will decrease and, at the same time, the opportunity will emerge that cost will decrease with fewer people going to hospitals.)
• When opportunities emerge before the negative event occurs. For example, using a new technology to be able to work better, or reaching a greater number of people via e-state.

The following box gives some tips for use when responding to risk.

RM Box 16: Tips for responding to risk

• Prioritising risks helps decide which risk to respond to first.
• As a public administration, while determining the responses to be given to risks, recipients of the services and the impacts on them must be considered.
• Stay away from over-control measures while responding to risks. Over-control harms the efficiency of the administration as much as insufficient controls do.
• The possibility that acting in coordination with other administrations in responding to risks may be more efficient must be considered.

The following box gives an example of the process of responding to risk.

RM Box 17: Example of the process of responding to risk

Your organisation has decided to buy a new IT system.

You identify your risks:

Risk 1: The new system has inadequate response times.
Risk 2: Data is not transferred accurately from the old IT system to the new system.
Risk 3: You do not have the capability to operate the new IT system.
Risk 4: The new IT system does not work.

What responses can you give to these risks?

Risk 1

Tolerate: You have been assured that the new system has a five second response time, which is similar to the current system, so you decide that it does not need to be quicker.

Risk 2

Treat: You need to introduce controls to make sure that data is transferred accurately.

• Preventive controls: Testing is done on the new IT system before it is introduced, to ensure that data is not corrupted on transfer.
• Corrective controls: Testing is done comparing data transferred from the old system to the data on the new system. This control activity corrects the errors.
• Directive controls: Requirement that IT staff working on developing the new system have adequate skills and experience.
• Detective controls: Testing is done after one year of operating the new system to see if standing data transferred from the old system is accurate.
• Emergency plan: You should make sure that you can revert to using the old system in the event that the new system does not have properly transferred data.

Risk 3

Transfer: You outsource the running of the new system to another organisation which has the relevant expertise.

Risk 4

Avoid: If it is detected during testing that the new IT system is not working, you quit buying this system and search for an alternative IT system.

Take the opportunity

Your new IT system allows you to operate more efficiently, freeing up staff time to do other activities.

7.4 Reviewing Risks

Risks can change in terms of their impact and likelihood due to various changing conditions or measures taken. Furthermore, it is also possible that new risk areas are formed due to changing conditions. Therefore, all the aspects of the risks identified and the risk management process should at least be reviewed on a regular basis. Reviews can be carried out at frequencies to be set by the administration according to the level of importance of the risks.

In the event that extraordinary developments take place and this has a serious impact on the risks, the Administrative Risk Coordinator (ARC), upon the spoken or written instruction of the head of administration, organises an emergency meeting of the Internal Control and Risk Steering Board to assess the risks. For example, natural disasters, economic crises and early election resolutions are extraordinary developments.

Reviewing the risks and reviewing the risk management process are two different processes, and the fact that one of them is carried out does not necessarily mean that the other is carried out as well. Whereas each risk is reviewed by its respective owner, the risk management process is reviewed by the Head of Administration and/or the ARC. Reviewing risks regularly would provide flexibility in adapting to the changing conditions.

Risks are reviewed as follows:

• Whether risks still exist, whether new risks have arisen, and whether the likelihood or impact of a risk has changed is reviewed.
• Priority should be given to key risks (those with the highest probability and impact) during a review. Other risks should be reviewed later.
• While reviewing strategic risks, first and foremost amended policy papers (if any), developments in the other countries, expectations of the public for that period, Internal Audit Reports, Inspection Reports, External Audit Reports and other relevant reports and documents should be considered.
• In the light of the developments, if there have been any changes to the risk profile, the risk register of the administration/unit/sub-unit must be reviewed.
• The change must be communicated to the risk coordinator at the next senior level within five working days.
• By reviewing the prioritisation of the key/main risks, the assessment results should be submitted within five working days by the ARC to the ICRSB in a revised Risk Report.
• The results of the assessment will be discussed by the ICRSB, and the report is then submitted to the Head of Administration by the ARC.
• The conclusion and evaluation part of the report must definitely include remarks on whether the risk management process provides the necessary assurance and whether new measures are needed or not.
  o Do we give reasonable assurance on the successful management of risks?
  o Do we give reasonable assurance on the effective implementation of the control activities?

The process of reviewing risks is summarised in Box RM18, and questions to consider are listed in Box RM19.

RM Box 18: Process for reviewing risk

• Set out a review period depending on the characteristic of the activity.
• Frequently review the first critical risks.
• During the review, assess the probability and impact of the risks for that period.
• Decide whether the risk is still a threat.
• Identify whether new risks have arisen for that period.
• The condition of the control activities must be reviewed according to the change in the risk. It would be appropriate to eliminate an activity which became pointless as the risk has disappeared.
• Record the identified findings on the risk register.
• Report the risks of every level.
• Changes regarding the risks are reflected on the risk register; however, in emergencies the managers must be informed as soon as possible.

RM Box 19: Questions to consider in the risk review process

• What are the changes in the environmental conditions?
• What are the changes that impact on the operation of the activity?
• How do the changes affect the administration?
• Are present controls sufficient to address the changing situation?
• Is there sufficient evidence that the controls are effective?
• It would be useful to take into consideration the policy papers of the government and the administration while assessing risks.

7.5 Communication and Reporting

Communication within the context of risk management refers to accurate and timely conveyance of the right information to the relevant people through various mechanisms at the right time. Communication is a vital process which needs to be effectively applied in all phases of risk management.

The following are important to communicate:

• The administration's objectives, policies and procedures
• The risk management strategy
• The numbering system in the risk assessment stage and measurement mechanisms
• Which controls are convenient in responding to risks
• How well risks are managed in reviewing risks

It is important to bear in mind that this vertical and horizontal communication is mutual (communication-feedback).

To ensure effective communication, the issues in Box RM20 should be considered.

RM Box 20: Issues for effective communication

• Who will communicate with whom in which format?
• Who is responsible to whom about what?
• How the communication should be with high levels
• How the communication with the Minister works
• Who will communicate what information to which levels?
• How to ensure the accuracy of information
• The expectation of top management from the employees regarding risk management should be clearly defined and conveyed to all employees.

In addition to internal communication, efficient communication lines are needed with the partners where the services provided require partnerships, and with the citizens or NGOs who are affected directly or indirectly by the services provided by the administration. Therefore, while the administration is producing its Risk Strategy and Policy Paper, it should prepare an efficient communication plan which regulates the internal and external communication and share it with all stakeholders.

Reporting has a direct impact on the decision making processes in risk management. The reports should be as short and accurate as possible and demonstrate the evidence regarding the evaluations; they should be relevant and submitted to the relevant people where necessary.

Reporting must be carried out within the administration both vertically and horizontally. It should be explicitly set out who will report to whom and with what frequency in the risk management process. Reporting will be done in the forms to be determined by administrations and in pre-determined periods, by at least using the information contained in the forms shown in the Annex to this Manual. When deemed necessary, administrations can develop different forms other than the forms contained in the Manual.

Within the scope of this chapter of the manual, Risk Management can be demonstrated via the following diagram.

RM Figure 6: Risk Management Process

[Diagram not reproduced. Its labels are: Administration's Mission; Strategic Plan and Performance Programme Budget; Annual Management Plan (Activities, Processes, Projects); Risk Assessment: Identify, Measure (impact x probability), Prioritise; Tolerate, Control, Transfer, Avoid, Take the opportunities; Operational Level, Unit Level, Administration Level; Assess, Manage, Monitor; Risk Register; Control Activities; Monitoring and Evaluation.]

7.6 Learning

Learning needs to be enriched through systematic training tools and disseminated to the target groups using the most effective method. Depending on the target group, such methods as conferences, seminars, workshops, trainings, hands-on trainings, internships, exchanging information via various communication channels, and sharing best practices, failures or mistakes would facilitate learning the risk management processes and establish a basis for the risk management practices in the corporate sense.

Addressing risks largely depends on experiences. Previous experiences and making everyone aware of the successful and unsuccessful practices via a strong communication network would facilitate more effective and faster addressing of risks. In particular, conveying the positive and negative experiences about the emerging risks and the methods to handle these to the stakeholders, and learning what could go wrong, can only be ensured if a method that focuses on learning from mistakes is adopted and learning experiences are shared. Therefore, it will be useful to use the peer review method within the administration. In this method, units learn how the others at the same hierarchical levels manage risks, and they can adopt good practice examples in their own units.

Sharing risk management experiences with external stakeholders, especially organisations experienced in this field, could not only help the administrations develop new methods but also ensure a more efficient use of risk management resources.

RISK MANAGEMENT ANNEXES

ANNEX 1: Using the brainstorming method to identify, assess and record risks

Step 1

Collect together in the same room all members of the Unit or Sub Unit, or all staff who work on a project or on a business process. Identify an appropriate facilitator (see Box RM 21) to guide the brainstorming workshop. The brainstorming would be most effective if it is facilitated by an independent person who has experience at facilitating brainstorming.

(Note: this can also be done by collecting all senior managers in an Administration to brainstorm strategic risks.)

Requirement for step 1: all attendees of the brainstorming should be fully familiar with the Sub Unit/Unit/project/business process/Administration respectively.

RM Box 21: Role of the facilitator

• Encourage the workshop attendees to all participate in identifying risks.
• Watch out for duplication of similar risks (if 2 risks are very similar, consider amalgamating them).
• Ensure that all attendees vote on impact and likelihood of the identified risks.
• Encourage attendees to challenge each other's scores, defend their own, or change them if they think appropriate.
• Ensure that the risk scores are accurately entered in the spreadsheet and prioritised.
• Action plan the response to risks, starting with the highest priority.
• For each response, ensure responsibility is allocated to a named individual.
• Ensure for each response that a review and reporting date is identified (exact date).

Step 2

Once all brainstorming attendees are assembled as per step 1, firstly clarify what the objectives of the Sub Unit/Unit/project/business process/Administration respectively are. These may be included in the strategic plan or, for sub units, may not previously have been identified. Think widely: are there other objectives that are not included? All attendees should agree that these are the objectives before proceeding to Step 3.

Step 3

All attendees at the brainstorming should brainstorm: what are the risks to the achievement of each of the objectives identified in step 2? This can be done as one group or, for larger brainstorming sessions, in pairs or sub-groups. Risks identified by the brainstorming should be recorded in the risk voting form in Annex 2 (columns 3, 4 and 5), clarifying which objective(s) might not be achieved if the risk happens.

Step 4

Once all risks are identified, all brainstorming participants should vote on what they think the likelihood and impact of the risk are, using the guidance for scoring in the risk management chapter of this manual. These votes should be recorded on the risk voting form. In line with the number of participants, the number of the related columns can be increased (Columns 6, 7, 8 and 10, 11, 12). (For scoring impacts and probabilities see Annex 5, Risk Assessment Criteria Table.)

Step 5

Once initial votes are recorded on the risk voting form, where there are large variations between the highest and lowest score for likelihood and/or impact for a particular risk, the individual(s) who gave the highest score should first of all justify why they gave the high score and try to convince the others why they should increase their score. The individual(s) who gave the lowest score should then justify why they gave the low score and try to convince the others why they should decrease their score. After these justifications have been given, an opportunity should be given to all who were convinced by any of the justifications to change their score.

Step 6

The risks identified should be listed in decreasing order of the product (Column 14) of the average impact (Column 9) and the average probability score (Column 13) from the brainstorming. The participants should be asked if the result is what they expected. Does what they considered to be their most significant risk have the highest score? If not, look at the voting again and consider if it needs to be changed.

Step 7

Once brainstorming participants are satisfied with the prioritisation of the risks, complete the other columns of the risk register (Annex 3), starting with the highest priority risk.

Step 8

If the risk which is written in column 5 in the Risk Register arises from an event which will occur at a particular date (e.g. elections), column 6 in the Risk Register, namely the time frame column, can be completed by writing how much time before the date the risk is expected to materialize (e.g. a month, three months, etc.). The column can be left blank if timing is not important.

Step 9

When identifying control activities, consider whether the risk level is within the risk appetite for that particular risk or not, and what control(s) would be most cost-effective and would mitigate the risk best by reducing the impact and/or the likelihood of the risk materialising. Also consider what the existing controls are, whether these are currently effective, and whether they can be improved or it would be more cost-effective to introduce new additional control(s) in addition to or instead of the existing control(s). Complete the related columns in line with the explanations in the table (Columns 11, 12 in the Risk Register).

Step 10

The form will have been fully completed when the other columns are completed, taking into consideration the instructions in the Risk Register Form.
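The arithmetic behind Steps 4 to 6, as an added example that is not part of the manual: it averages the impact and probability votes, multiplies the averages, flags risks whose votes vary widely, and lists the risks in decreasing order of score. The reference codes, risk descriptions and votes are constructed; the `MAX_SPREAD` threshold for a "large variation" and the reading of the 45-100, 9-44 and 1-8 bands as High, Medium and Low are assumptions.

```python
"""Risk Voting Form arithmetic for Annex 1, Steps 4-6 (added example)."""
from dataclasses import dataclass, field

# Assumption: the manual does not quantify a "large variation" (Step 5);
# a gap of 4 or more points between the highest and lowest vote is used here.
MAX_SPREAD = 4


@dataclass
class Risk:
    ref: str           # reference no (constructed codes in the sample below)
    description: str
    impact_votes: list = field(default_factory=list)       # one 1-10 vote per participant
    probability_votes: list = field(default_factory=list)  # one 1-10 vote per participant


def average(votes):
    """Average of the votes, or None when nobody has scored the risk yet."""
    if not votes:
        return None
    for vote in votes:
        if not isinstance(vote, int) or not 1 <= vote <= 10:
            raise ValueError(f"vote {vote!r} is outside the 1-10 scale")
    return sum(votes) / len(votes)


def risk_score(risk):
    """R = I x P, using the average impact and the average probability."""
    impact = average(risk.impact_votes)
    probability = average(risk.probability_votes)
    if impact is None or probability is None:
        return None
    return impact * probability


def band(score):
    """Map a score onto the register's bands (45-100, 9-44, 1-8).

    Assumptions: the bands read High/Medium/Low in that order, and a
    fractional score lying between two bands (e.g. 8.5) takes the lower one.
    """
    if score is None:
        return "Unknown"   # not enough information to assess the risk
    if score >= 45:
        return "High"
    if score >= 9:
        return "Medium"
    return "Low"


def needs_discussion(risk, max_spread=MAX_SPREAD):
    """Step 5: True when the highest and lowest vote are far apart."""
    return any(
        bool(votes) and max(votes) - min(votes) >= max_spread
        for votes in (risk.impact_votes, risk.probability_votes)
    )


def prioritise(risks):
    """Step 6: rows in decreasing order of score; unscored risks come last."""
    rows = [
        {"ref": r.ref, "score": risk_score(r), "band": band(risk_score(r)),
         "discuss": needs_discussion(r)}
        for r in risks
    ]
    rows.sort(key=lambda row: (row["score"] is None, -(row["score"] or 0)))
    return rows


# Constructed sample: three participants voting on four risks.
SAMPLE_RISKS = [
    Risk("ARC-03", "Paper archive damaged by a water leak", [2, 2, 2], [3, 4, 2]),
    Risk("IT-02", "Payroll system unavailable on pay day", [3, 9, 6], [4, 4, 4]),
    Risk("NEW-04", "Newly reported risk, not yet voted on"),
    Risk("FIN-01", "Payment sent to an unverified changed bank account",
         [8, 9, 7], [6, 7, 5]),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_RISKS):
        note = " (revisit votes, Step 5)" if row["discuss"] else ""
        print(f'{row["ref"]:7} {row["score"]} {row["band"]}{note}')
```

A risk with no votes is reported as Unknown and placed last, which matches the register's fourth category for risks that cannot yet be assessed.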

The following Box gives some suggestions for ground rules for brainstorming.

RM Box 22: Suggested ground rules for brainstorming

• There is no such thing as a bad idea
• One person speaking at a time
• Active participation
• Keep to the timetable
• The facilitator is in charge (if there is one)
• Open discussion but no personal criticism

ANNEX 2: Risk Voting Form

This form is used to calculate the risk score after risks are identified.

ANNEX 3: Risk Register

This is a form used to report the status after risks identified at administration/unit/sub-unit level are recorded.

RISK REGISTER

Administration/Unit/Sub-unit:
Date: 20

| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Serial no | Reference No | Strategic Objective | Unit's Objective | Risk Identified | Time frame | Probability | Impact | Risk score (R) | Change (Direction of risk) | Current/New/Additional control activities | Starting date | Risk owner | Monitoring and Reporting |
| | | | | Risk: / Reason: | | | | 45-100 / 9-44 / 1-8 | | | | | |

Columns

1. Serial no: shows the sequencing in the risk register.

2. Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist. The same code is not given to another risk.

3. Strategic Objective: This is the column in which the code of the strategic objective related to the risk, which is demonstrated in the strategic plan, is written.

4. Unit's objective: If the risk register is completed at unit/sub-unit level, the objective of the unit which is directly or indirectly related to the strategic objectives of the administration and can be affected by the risk is written in this column; if the risk register is completed at administration level, then this column is left blank.

5. Risk Identified: Description of the risk. Reason: Reasons which cause the risk to occur.

6. Time frame: If the risk arises from an event which will occur at a particular date (e.g. elections), this column can be completed by writing how much time before the date the risk is expected to materialize (e.g. a month, three months, etc.). The column can be left blank if timing is not important.

7. Probability: Probability value determined by using the Risk Voting Form (Annex 2) (between 1-10). While determining this score, it may be useful to list related control activities, actions taken and related regulations. In this way, the probability that the risk will materialize notwithstanding the actions taken can be determined.

8. Impact: Impact value determined by using the Risk Voting Form (Annex 2) (between 1-10). While determining this score, it may be useful to list related control activities, actions taken and related regulations. In this way, what the impact of the risk will be if it happens notwithstanding the actions taken can be determined.

9. Risk Score (R=IxP): risk score determined by multiplying probability and impact scores in the Risk Voting Form (Annex 2) (between 1-100). See below for an explanation of the colours to use.

10. Change (Direction of risk): This is the column in which the change in the status of the risk is shown in light of the previous risk register. It can be shown, according to the administration's preference, in writing such as up/down/stable or by means of direction signs. If there is no previous risk register, then it is stated as New.

11. Current/New/Additional control activities: Current control activities are written in this column. It is assessed whether these activities are still needed or not. If not, they are removed. It is also assessed whether current control activities are appropriate or sufficient. If the calculated risk score is above the desired level taking into consideration the current control activities, then new or additional control activities which are planned are written in this column.

12. Starting date: The exact date that new/additional control activities will start to be implemented.

13. Risk owner: is the person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, does monitoring, keeps records of achievements and failures about control activities, and ensures that evidences which show that the risk is managed are kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.

14. Monitoring and Reporting: When to review and to whom to report risks are written in this column.

Colours

• High risk
• Medium risk
• Low risk
• No sufficient information to assess the risk. It is included in the risk register and a risk owner is identified for collecting sufficient information.

Note: In the event that a new risk is identified during the year, the employee identifying this risk reports it to the senior manager. If the manager decides this is a risk which needs to be managed, then this risk is registered in the risk register form and approved by the relevant manager.

ANNEX 4: Consolidated Risk Report

This is the form which enables corporate risks of an administration to be submitted to the senior manager as a report composed of a few pages.

CONSOLIDATED REPORT
(Corporate Risks)

Administration/Unit/Sub-unit:
Date: 20

| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|
| Serial No | Reference No | Strategic Objective | Risk Identified | Status: Previous risk score and colour | Status: Current risk score and colour | Risk Owner | Explanation |
| | | | | 45-100 / 9-44 / 1-8 | 45-100 / 9-44 / 1-8 | | |

Columns

1. Serial no: shows the sequencing in the risk register.

2. Reference no: shows the risk's reference number. The reference number is a code that also shows the unit the risk owner is affiliated to. This code does not change as long as the risk continues to exist. The same code is not given to another risk.

3. Strategic Objective: This is the column in which the code of the strategic objective related to the risk, which is demonstrated in the strategic plan, is written.

4. Risk Identified: Description of the risk.

5. Previous risk score and colour: shows the status of the risk in the previous Consolidated Risk Report.

6. Current risk score and colour: shows the status at the date of the report.

7. Risk owner: is the person responsible for managing the risk and implementing the foreseen control activities. It is the risk owner who collects risk-related information, does monitoring, keeps records of achievements and failures about control activities, and ensures that evidences which show that the risk is managed are kept. The risk owner should have the necessary resources and authority to implement control activities. The risk owner also reports risks and updated risk registers to the next senior level.

8. Explanation: Information about the effectiveness of control activities and foresight for the future are given in the explanation section.

Colours

• High risk
• Medium risk
• Low risk
• No sufficient information to assess the risk. It is included in the risk register and a risk owner is identified for collecting sufficient information.

ANNEX 5: Risk Assessment Criteria Table

Table columns: Value; Range; Probability; Impact (Strategy, Activities, Financial, Compliance with Legislation).

Value: 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 (from the High range at the top of the scale to the Low range at the bottom).

Range: High

• Probability: Risks which are almost certain to occur within 5 years. Taking into consideration the structure of the administration, they generally arise from policies and procedures. The wider the activity area of the administration, the more likely it is that the risky event occurs.
• Impact, Strategy: Risks which can have a major impact on attaining strategic objectives. These are risks which are generally faced in the long term but can cause the administration to divert from its objectives in case of occurrence.
• Impact, Activities: Risks which cause the administration/unit/sub-unit not to provide the service it has to provide in an effective and efficient way belong in this category.
• Impact, Financial: Risks which will cause heavy financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are above the acceptable level should be accepted as a high risk.
• Impact, Compliance with Legislation: Risks which will cause a big obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation. Such risks can be seen in areas where the legislation is too complicated and unclear.

Range: Medium

• Probability: Risks which are likely to occur within 5 years. These are generally such risks that the administration/unit/sub-unit or administrations with similar structures have faced formerly.
• Impact, Strategy: Risks which can have a certain level of impact on attaining strategic objectives.
• Impact, Activities: Risks with a certain level of impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.
• Impact, Financial: Risks which will cause a certain level of financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are within the acceptable level should be accepted as a medium risk.
• Impact, Compliance with Legislation: Risks which will create a certain level of obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Range: Low

• Probability: Risks with low probability of occurrence within 5 years. These are generally such risks that the administration/unit/department faces very rarely. These are risks with almost no likelihood of occurrence.
• Impact, Strategy: Risks which can have the least impact on attaining strategic objectives. Their impacts are generally little and cover a limited area.
• Impact, Activities: Risks with little impact on the competence of the administration/unit/sub-unit to provide the service it has to provide in an effective and efficient way belong in this category.
• Impact, Financial: Risks which will cause little financial loss for the administration/unit/sub-unit. Ineffective and inefficient use of public resources in amounts which are below the acceptable level should be accepted as a low risk.
• Impact, Compliance with Legislation: Risks which will cause a little obligation upon the administration/unit/sub-unit in case of intentional or unintentional non-compliance with the legislation.

Range: Unknown

• Probability: In case that there is no idea about the likelihood of the risk occurring within 5 years, the risk is shown in blue until it can be clearly identified with larger data.
• Impact, Strategy: The impact of a risk likely to occur on strategic objectives of the administration could not be determined.
• Impact, Activities: The impact of a risk likely to occur on the activities could not be determined.
• Impact, Financial: The financial impact of a risk likely to occur could not be determined.
• Impact, Compliance with Legislation: The impact of a risk likely to occur in case of non-compliance with the legislation could not be determined.

Risk has recently emerged, no data was obtained regarding its status and there is no sufficient data for analysing the new risk; or it is a risk which previously occurred but there is no sufficient data for the analysis. Information should be gained as soon as possible so that an analysis can be made and an opinion formed.

ANNEX 6: Case Study Example of Inherent and Residual Risk

Case study example to illustrate the concepts of inherent and residual risk, and also to illustrate how a risk owner can obtain information from several different control owners to monitor the extent to which the risk they are responsible for is successfully mitigated by the existing controls.

The scenario concerns a storage warehouse for gold bars, a risk owner who was the Store manager, a risk that gold bars are stolen, and 4 controls:

a) An IT system control giving bars in and out and a balance held for each working day - daily printouts sent by the IT manager to the risk owner;

b) An independent company comes in once a month to perform a stocktake count of gold bars in the warehouse, which they reconcile with the relevant printout of stock from the IT manager - any variances in stock held were investigated and explanations provided where possible - the independent company provides a monthly report to the risk owner on results of the work they have done, detailing any unexplained variances (which could potentially be incidences of theft);

c) Security guards - professionals guarding access to the warehouse 24 hours a day and 7 days a week, ensuring that only authorised staff have access to the warehouse and that all bags are put through a metal detector on leaving to ensure gold bars are not being smuggled out (gold bars are too heavy to be easily hidden on the person). On recruitment, a criminal record check is made on the security guards to ensure that they do not have prior convictions for theft. Security guards report weekly to the risk owner on their work; and

d) An alarm system - any incidences of it being set off are sent in a report by the security guards to the risk owner. Regular (weekly) checks on the alarm system's functioning are carried out by the security guards, with success of the check included in their reports to the risk owner.

The inherent risk in the absence of the above 4 controls would be considered high (a high probability that bars would be stolen and a high impact, as gold bars are expensive). This would be above the risk appetite, and consequently the above 4 controls would be designed to mitigate the risk of the gold bars being stolen, with the foreseen effect of the four controls being that the residual risk would be reduced. (Note: all four control measures combined would mitigate only the probability of the gold bars being stolen, not the impact.)

The risk owner would gather evidence as to the effectiveness of the four controls. If they were found to be effective, he would consider whether the risk had been successfully mitigated to within the risk appetite (likely answer: Yes, unless a further new control or a strengthening of the existing controls was considered necessary if the risk appetite was very low due to the high impact/the organisation is very risk averse).

If one or more of the 4 controls is found by the risk owner to be ineffective, it is likely that the risk would still be at a level above the risk appetite, and so the risk owner would need to escalate the issue to his line manager, suggesting methods for further mitigating the risk (either by introducing an additional control or by strengthening the control(s) that had been found to be ineffective).

ANNEX 7: Case Study Example of completed Risk Voting Form, Risk Register and Consolidated Risk Report

CONTROL ACTIVITIES

1 Introduction

Control activities (also referred to as controls) are actions aimed at reducing the impact and/or the likelihood of a risk occurring, and thus increase the probability of attaining the goals and objectives of the organisation or part of the organisation. For control to be effective, the introduction of the control activities depends on the completed risk assessment. The management must plan, organise and direct sufficient control activities to obtain reasonable assurance that the tasks and goals will be achieved. Control activities cover both financial and non-financial controls, and they should be designed and implemented as a whole for all the activities of the administration.

This section of the manual, within the framework of internal control standards, looks at how procedures should be developed as control activities to ensure that risks to achieving administrative objectives are managed effectively.

2 Control Activities Standards

Administrations, while identifying and implementing their control activities, take into account the following standards.

CA Box 1: Internal Control Standards

Standard 7: Control strategies and methods
The administrations shall determine and implement control strategies and methods which aim to achieve the objectives and are suitable for risk response.

Standard 8: Determination and documentation of procedure
The administrations shall prepare and update written procedures which are required for administration activities as well as financial decisions and transactions and arrangements relevant to these areas, and also give the relevant personnel access to these documents.

Standard 9: Segregation of duties
With a view to reducing fault, flaw, error, irregularity and corruption risks, the duties of approval, implementation, recording and control of financial decisions and transactions shall be allocated among personnel.

Standard 10: Hierarchical controls
The administrators shall systematically control the compliance of the works and transactions with the procedures.

Standard 11: Continuity of activities
The administrations shall take necessary measures for continuity of the activities.

Standard 12: Information system controls
The administrations shall develop control mechanisms in order to ensure the continuity and security of information systems.


3 Planning Process of Control Activities

Control activities can be regarded as the ability of administrations to get through the challenges they experience in carrying out their activities. Control activities should be designed within the framework of cost-effectiveness analysis, in a way to directly facilitate attainment of objectives. Ideally, when introducing control activities, the heads of organisations must take into account the expected benefit from them as well as the costs of their introduction and implementation. Control activities should ideally be introduced in the processes and systems at the time of setting up these processes and systems, because the introduction of control activities at a later stage is more expensive and less efficient.

It is important for effectiveness of controls that control activities be understandable, applicable and consistent. A good control strategy should take into account how to implement the controls as well as identifying them. At this juncture, the administrative, financial and physical capacity of an administration should be taken into consideration.

Another important point to pay attention to in planning control activities is the evaluation of effectiveness of controls implemented. Such issues as whether the aim of implementing the control is commensurate with the targeted results and whether the expected cost is in parallel with the actual cost should be evaluated. Furthermore, regular review of control activities in the light of changing circumstances is also an important factor in terms of effectiveness-evaluation.

Administrations should take into consideration the following basic requirements in identifying control activities.

CA Box 2: Basic Requirements: Planning of control activities

In order to be effective, control activities must be:

• adequate (the right control in the right place, at the right level and commensurate to the risk involved)
• cost-effective (the costs of implementing a control should not exceed its benefits)
• comprehensive, understandable and directly related to the control objectives
• documented clearly
• evaluated as a whole so that they are consistent in their operation
• carried on until effectiveness is evaluated

4 Classification of control activities

The control activities are generally classified as follows. Administrations should implement the following basic requirements as minimum standard; however, they can implement additional control activities depending on the nature of the risk.

4.1 Preventive controls

These are the controls to be carried out to mitigate the likelihood and prevent as much as possible the undesirable outcomes that may emerge when risks occur. For example: ex-ante financial control operations, applying the principle of segregation of duties to prevent fraud or irregularities.

CA Box 3: Basic requirements: Preventive Controls

• The security of physical and intangible rights (intellectual assets, etc.) and records
• physical safeguarding of assets
• recording financial/management information
• access controls such as passwords, identity cards, guards, and
• segregation of duties in order to avoid conflicts of interest

4.2 Corrective Controls

These are the controls aiming at reducing the impact of the undesirable outcomes that stem from the threats the risks pose. For example: placing provisions regarding the reimbursement of undue payments in the agreements, setting the period of guarantee in advance.

CA Box 4: Basic requirements: Corrective Controls

• identifying methods for the purpose of recovery from loss or damage which would affect the activities negatively
• appropriate actions are taken for the correction or elimination of the identified differences

4.3 Directive Controls

These are the controls applied to reach a certain end. For example: provision of trainings on protection against possible threats, using protective materials (masks, special clothes, etc.), preventive medical practices (giving messages for washing hands in periods of epidemics, publishing private leaflets).

CA Box 5: Basic requirements: Directive Controls

• an approved organisation chart that is constantly up-dated to reflect organisational changes
• manuals or written procedures, brochures, booklets, posters and other similar documents on implementation
• established clear and documented definitions of the responsibilities and tasks for resources, activities, program, projects, objectives and targets
• assigning tasks and responsibilities by taking into account their relevant skills and experiences
• delegating authority based on the organisational structure and responsibilities to do the jobs effectively, and it should be documented
• establishing effective means of communication throughout the organisation, and
• establishing clear reporting methods

4.4 Detective Controls

These are the controls applied to identify the damages and losses experienced once the risks are realised. For example: conformity controls carried out after spending has been made to identify the responsibility, controls performed to detect negligence by experts or authorities.

CA Box 6: Basic requirements: Detective Controls

• periodic counts/physical inventories
• comparison of the count/inventories with the records
• methods for the identification and analysis of differences

5 Methods of control activities

The main methods of controls are mentioned below. Administrations may also implement different ex-ante and ex-post control methods based on the requirements of their organisational structure and field of activity.

Ex-ante controls are the controls put into practice in the light of the appropriate procedures before the activity takes place, whereas ex-post controls refer to the controls performed by the management through the use of pre-identified methods after the activities take place.

CA Box 7: Tips for control activities

The following box gives some issues to be considered when control activities are identified.

- While determining the control activities and allocating resources for them, it may be necessary to give priority also to those risks with high probability and low impact and rating low in the prioritization list, which is formulated according to the risk scores.
- Preparing emergency plans as well as control activities for those risks with a very high probability and impact assumes great importance.
- Reducing both the realization probability and impact of internal risks is possible with control activities.
- Reducing the realization probability of external risks, on the other hand, may not be under the control of the administration. However, mitigating the impacts of risks is possible with a proper risk management.
- While responding to risks, over-controlling should be avoided. Both over-control and under-control can undermine the effectiveness of the controls.
- According to the content of the risk, several control methods can be used at once if deemed necessary.
- Have the costs and benefits of implementing the control activities been analysed?
- Have the new control activities been piloted to see if they are having the desired effects?
- Are the control activities effectively operating as planned? Is the required evidence on controls collected and analysed periodically?
- After a reasonable period of time, are the new control activities and existing controls that are being continued functioning as expected? And do you report this to the manager/risk coordinator?

CA Box 8: Factors to be determined when identifying control activities

- Which unit/who will conduct the activities
- Deadlines of the activities
- Necessary resources for the activities to be conducted
- Critical achievement factors
- How to document the activities
- Monitoring processes for the activities

5.1 Authorisation and approval

Managers should introduce appropriate rules and procedures for decision-making, authorisation and approval, taking into account the following. Decision-making and approval shall be carried out only by authorised persons. Authority means that the operations are initiated only by persons acting within their powers. Observance of the order of authorisation requires employees to act in accordance with directions and within the limits set by the manager of the organisation or the legislation. The procedures for authorisation should include specific conditions and delegation of powers by managers to employees for performance of particular activities. The approval is endorsement (certification) of transactions, data or documents, whereby processes, actions, proposals and/or consequences thereof are completed or validated.

5.2 Segregation of duties

To minimise the risk of errors, irregularities and violations, and their non-detection, managers should introduce rules stipulating that different employees be responsible for the implementation of two or more key stages of an operation, process or activity. To ensure effective checks and to strike a balance in the implementation of an operation, the responsibilities shall be segregated in a manner which precludes an employee from being responsible simultaneously for the approval (decision-making), implementation, accounting and control.

In organisations with fewer staff, this segregation is more difficult to implement. In such cases the manager may consider the possibility of combining two of the specified activities and compensate the non-application of this control mechanism by another, e.g. rotation of employees, rotation of duties or additional management checks. Thus the risk of a single person dealing with more than one key aspect of an operation, process or activity for an unjustifiably long period of time could be reduced.

5.3 Double signature system

The double signature system is a procedure to ensure the accuracy of the data included in the document. The method is applied in non-financial processes, such as provision of information to the top management (reports, information notes, statistics, etc.) and appointment orders, and before financial obligations, such as signing of contracts and making payments (payment order, etc.). This makes it possible that, especially in financial transactions, the person responsible for the accounting entries knows about pending obligations or payments and performs due accounting procedures. The double signature system gives assurance that the procedures are carried out by authorised staff.
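
The rules in sections 5.1 to 5.3 can be enforced as one pre-release check on each payment order. The Python sketch below is an added example and not part of the manual; the staff names, approval limits, signer list and the requirement that the accounting officer is one of the two signers are assumptions made for illustration.

```python
from dataclasses import dataclass

# Key stages that section 5.2 says one employee must not hold simultaneously.
STAGES = ("approval", "implementation", "accounting", "control")

# Compensating controls named in section 5.2 for organisations with few staff.
COMPENSATING = {"rotation of employees", "rotation of duties",
                "additional management checks"}

# Constructed delegation register (assumption): approver -> maximum amount.
APPROVAL_LIMITS = {"ayse": 50_000, "mehmet": 10_000}

# Constructed list of staff whose signature is valid on payment orders.
AUTHORISED_SIGNERS = {"ayse", "mehmet", "deniz"}


@dataclass
class PaymentOrder:
    amount: int
    stages: dict                    # stage name -> person responsible
    signatures: list                # names of the people who signed
    compensating_control: str = ""  # documented substitute control, if any


def check_order(order):
    """Return a list of findings; an empty list means the order may proceed."""
    findings = []

    # 5.1 Authorisation: every stage is assigned and the approver acts
    # within the limit delegated to them.
    for stage in STAGES:
        if not order.stages.get(stage):
            findings.append(f"no one is assigned to the {stage} stage")
    approver = order.stages.get("approval")
    if approver and order.amount > APPROVAL_LIMITS.get(approver, 0):
        findings.append(f"{approver} may not approve an amount of {order.amount}")

    # 5.2 Segregation of duties: two stages may be combined only with a
    # documented compensating control; three or more never.
    held = {}
    for stage in STAGES:
        person = order.stages.get(stage)
        if person:
            held.setdefault(person, []).append(stage)
    for person, stages in sorted(held.items()):
        if len(stages) > 2:
            findings.append(
                f"{person} holds {len(stages)} key stages: {', '.join(stages)}")
        elif len(stages) == 2 and order.compensating_control not in COMPENSATING:
            findings.append(
                f"{person} holds {' and '.join(stages)} with no compensating control")

    # 5.3 Double signature: two distinct authorised signers, one of whom is
    # the person responsible for the accounting entries (assumed reading).
    signers = set(order.signatures)
    if len(signers) < 2:
        findings.append("fewer than two distinct signatures")
    for signer in sorted(signers - AUTHORISED_SIGNERS):
        findings.append(f"{signer} is not an authorised signer")
    accountant = order.stages.get("accounting")
    if accountant and accountant not in signers:
        findings.append("the accounting officer has not signed")
    return findings


if __name__ == "__main__":
    # Constructed sample: one person approves and implements, no compensation.
    order = PaymentOrder(
        amount=8_000,
        stages={"approval": "ayse", "implementation": "ayse",
                "accounting": "deniz", "control": "mehmet"},
        signatures=["ayse", "deniz"],
    )
    for finding in check_order(order):
        print("FINDING:", finding)
```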

5.4 Reconciliation of data

Procedures should also guarantee that data from different documents and sources are matched for ascertainment of consistency. For example, accounting entries relating to bank accounts are reconciled with corresponding bank statements, invoice data are matched with those in the warehouse receipt, etc.
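
The matching described in section 5.4 can be automated so that every difference is listed for follow-up rather than found by chance. The Python sketch below is an added example and not part of the manual; the reference numbers and amounts are constructed, and matching on a shared reference is an assumption about how the two sources are linked.

```python
from collections import Counter
from decimal import Decimal


def reconcile(ledger, statement):
    """Match two lists of (reference, amount) rows and report every difference.

    The same routine serves for accounting entries against bank statements
    or invoice data against warehouse receipts.
    """
    # A reference that occurs twice in either source cannot be matched
    # safely, so it is reported for manual review instead of being paired.
    duplicates = set()
    for rows in (ledger, statement):
        counts = Counter(ref for ref, _ in rows)
        duplicates |= {ref for ref, n in counts.items() if n > 1}

    # Decimal avoids the rounding errors of binary floating point on money.
    led = {ref: Decimal(amt) for ref, amt in ledger if ref not in duplicates}
    stm = {ref: Decimal(amt) for ref, amt in statement if ref not in duplicates}
    common = led.keys() & stm.keys()

    report = {
        "matched": sorted(r for r in common if led[r] == stm[r]),
        "amount_mismatch": sorted(
            (r, led[r], stm[r]) for r in common if led[r] != stm[r]),
        "only_in_ledger": sorted(led.keys() - stm.keys()),
        "only_in_statement": sorted(stm.keys() - led.keys()),
        "duplicate_reference": sorted(duplicates),
    }
    # The sources agree only when no category of difference has entries.
    report["consistent"] = not any(
        report[key] for key in ("amount_mismatch", "only_in_ledger",
                                "only_in_statement", "duplicate_reference"))
    return report


# Constructed sample data: accounting entries and bank statement lines.
LEDGER = [
    ("PO-001", "1250.00"),
    ("PO-002", "300.50"),
    ("PO-003", "75.00"),
    ("PO-004", "980.00"),
    ("PO-004", "980.00"),   # entered twice
]
STATEMENT = [
    ("PO-001", "1250.00"),
    ("PO-002", "305.00"),   # amount differs from the ledger
    ("PO-004", "980.00"),
    ("FEE-17", "12.00"),    # bank charge never booked
]

if __name__ == "__main__":
    for category, items in reconcile(LEDGER, STATEMENT).items():
        print(category, items)
```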

5.5 Supervision procedures

Supervision procedures should be carried out on a daily basis by line managers on assignment of work and its performance. Assignment of work by the line managers does not reduce their own responsibility for the performance of the work. Line managers should give staff the necessary directions and instructions in order to ensure understanding and avoid errors and frauds in the discharge of their duties. Line managers should also apply these procedures to assure themselves that the tasks assigned are carried out correctly.

5.6 Ex-ante financial controls

Ex-ante financial control is a control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out with the available appropriation amount, expenditures programme, financing programme and the provisions of central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently. The purpose of ex-ante control is for the managers to obtain reasonable assurance of the compliance of such decisions/actions with the legislation and the performance programme.[2]

[2] Please see regulation on procedures and principles on internal control and ex-ante financial control for further details.

5.7 Procedures for accounting operations

Procedures should ensure that accounting for all financial transactions on a given date is complete, true, accurate and timely. Their purpose is to support the taking of correct decisions from which financial consequences arise. These procedures should be developed in accordance with the relevant legislation and public accounting standards.

5.8 Anti-corruption

There should be rules and procedures for warning, examination, detection and reporting of administrative weakness, discrepancies and violations which create conditions for corruption, frauds and irregularities.

Anti-corruption procedures include:

- preventive controls;
- a system for checking, detecting and reporting early indications of corruption, frauds and irregularities;
- whistleblowing procedures (for more information please refer to Information and communication section); and
- a set of procedures for reporting irregular activities to the external competent authorities, such as the Prosecutor's Office.

5.9 Access to assets and information

Managers must ensure that only authorised persons responsible for the safeguarding and/or use of assets and information have access to them. The restriction of the access to assets reduces the risk of their misuse or their wrongful utilisation and protects the organisation from losses. The degree of the restriction depends on the vulnerability of the assets and information and the risks of loss or misuse. When determining the vulnerability of assets, the manager shall consider their value, transportability and the possibility for them to be exchanged for cash.

5.10 Documentation, archiving and storing of information

Procedures for documentation, archiving and storing of information shall be introduced to support the performance of operations, taking of correct managerial decisions and control of the processes in an organisation. Documentation involves developing written evidence of decisions made, events occurred, actions and transactions performed, etc. The documentation must be complete, accurate and timely.

The documentation procedures include those for document circulation, describing the order for circulation and use of documents produced and received. The documentation procedures must allow tracing of every document, action, process in the organisation, stating precisely who performed what, how and when, the purpose and type of act/document issued as a result thereof.

According to the terminology adopted by the European Commission, this comprises an audit trail. Its establishment helps achieve:

- transparency;
- tracing of the processes in the organisation from their initiation till completion; and
- tracing the segregation of functions by decision-making, performance, accounting and control.

The audit trail shall state what procedures and transactions exist, who the responsible persons are, what documents are drawn up, what systems for management and control of data flows exist and what the form of presentation of the results is.

Archiving procedures must ensure chronological and systematic filing of documents about past events, decisions and actions concerning the organisation. There should be specific guidelines describing in detail the procedures for archive establishment, completion, use and destruction.

The procedures for storage of information shall ensure physical preservation of the information media (paper and/or electronic) as well as preservation of the content without change, so that the information provides a true and fair view of the facts, decisions and actions relating to the organisation.
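
For electronic records, the audit trail of section 5.10 (who performed what, how and when, for what purpose, on which document) can be made tamper-evident by chaining each entry to the one before it. The Python sketch below is an added example and not part of the manual; the field names, sample entries and the idea of keeping the latest hash with a separate custodian are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # stands in for "no previous record"


def digest(prev_hash, fields):
    """Hash a record's fields together with the hash of the previous record."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_record(trail, who, what, how, when, purpose, document):
    """Add one audit-trail entry; returns the stored record."""
    fields = {"who": who, "what": what, "how": how, "when": when,
              "purpose": purpose, "document": document}
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    record = dict(fields, prev=prev_hash, hash=digest(prev_hash, fields))
    trail.append(record)
    return record


def verify(trail, anchored_head=None):
    """Return None if the trail is intact, else the index of the first fault.

    anchored_head is the hash of the latest record as kept by someone other
    than the trail's custodian. Without it, removing the newest records or
    rewriting the whole trail leaves a chain that is still self-consistent.
    A return value equal to len(trail) means the chain is consistent but
    does not end at the anchored hash.
    """
    prev_hash = GENESIS
    for index, record in enumerate(trail):
        fields = {k: v for k, v in record.items() if k not in ("prev", "hash")}
        if record["prev"] != prev_hash or record["hash"] != digest(prev_hash, fields):
            return index
        prev_hash = record["hash"]
    if anchored_head is not None and prev_hash != anchored_head:
        return len(trail)
    return None


def trace(trail, document):
    """Follow one document from initiation to completion."""
    return [(r["when"], r["who"], r["what"]) for r in trail
            if r["document"] == document]


def sample_trail():
    """Constructed entries for one payment order."""
    trail = []
    append_record(trail, "ayse", "decision-making", "signed approval form",
                  "2024-03-01T09:10", "approve purchase", "PO-001")
    append_record(trail, "can", "performance", "placed order",
                  "2024-03-01T11:30", "execute purchase", "PO-001")
    append_record(trail, "deniz", "accounting", "ledger entry",
                  "2024-03-04T14:05", "record obligation", "PO-001")
    append_record(trail, "mehmet", "control", "ex-post check",
                  "2024-03-20T10:00", "verify delivery", "PO-001")
    return trail


if __name__ == "__main__":
    trail = sample_trail()
    head = trail[-1]["hash"]
    print("intact:", verify(trail, head))
    trail[1]["who"] = "ayse"  # later alteration of a stored record
    print("first fault at index:", verify(trail, head))
```

The chain only shows that stored content has changed; it does not replace the physical preservation and archiving procedures described above.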

5.11 Business continuity (or emergency plans)

Adequate measures are in place to ensure continuity of service in case of business-as-usual interruption. Business Continuity Plans are in place to ensure that the entity is able to continue operating to the extent possible, whatever the nature of a major disruption.

5.12 Control activities related to Information Technology (IT)

IT systems entail specific types of control activities which should be introduced in organisations by their managers. These mechanisms for information systems control consist of two major groups: general control mechanisms and applications control mechanisms (applications controls).

General control mechanisms are applicable to all operations and contribute to their proper implementation. The applications control mechanisms include both procedures programmed in the software product itself and procedures that must be carried out manually in order to exercise control over the processing of different operations. The general control mechanisms are needed for the functioning of the applications control mechanisms. Absence of sufficient general controls cannot be offset by applications controls.

Usually general control mechanisms are used in information analysis and processing centres, for installation and maintenance of software products, for definition of access to information:

- controls for information analysis and processing centres – they include the organisation and planning of works, the intervention of the respective administrators/operators, procedures for saving and subsequent use of information, back-up and contingency plans;
- software controls – these refer to the acquisition, installation and maintenance of software products necessary for the maintenance of the entire system and for processing of software applications;
- access definition controls – these ensure protection against unauthorised access. Access definition restricts users by allowing them to use and perform operations only with particular software products, thus ensuring segregation of responsibilities.

General software controls built during the development of the system entail detailed application tests and allow checking of the appropriateness of the rationale of the program and whether all errors will be detected. After the system is built, the controls for access and maintenance of the system give assurance that nobody can use or make changes in the applications without the appropriate authorisation and that all the necessary changes are made in accordance with the established procedure for authorisation and approval.

The applications control mechanisms support internal control, preventing entry of wrong data in the system, detecting and correcting errors based on automated procedures for control over data form and content. The prevention and detection of these errors is programmed in the respective application. The applications control mechanisms analyse the data on-line (simultaneously with their entry in the system), provide ongoing information in case of detected error and ensure immediate correction.

The use of both types of controls provides assurance that the information is analysed and processed completely, correctly and accurately.

5.13 Assessing costs and benefits of control activities

After initial selection of control activities to reduce the impact of risks, risk owners should evaluate the costs and expected benefits of the control activity. If the costs of the control activity exceed the expected benefits, the control activity should not be selected.

6 Practical Stages For Control Activities

Practical steps for control activities are briefly indicated in the following table. Since control activities are linked to risks, points on risk management are provided in stages 1, 2 and 3, whereas points on control activities are provided in stages 4 and 5. For further details on stages 1, 2 and 3, please refer to the risk management chapter.

CA Table 1 – Stages for control activities

Stage 1: Identify objectives

Stage 2: Identify risks to achieving objectives

Stage 3: Select method of responding to risks
- Accepting
- Controlling
- Transferring
- Avoiding
- Taking the opportunity

Stage 4: Select control method(s)
- Preventative
- Detective
- Corrective
- Directive

Stage 5: Select type of control activities
- authorisation and approval
- segregation of duties
- double signature system
- reconciliation of data
- supervision
- ex-ante controls: checking compliance with the law
- accounting covering all financial processes
- anti-corruption
- access to assets and information
- documentation, archiving and information storage
- business continuity; and
- information technology

Or refer to CA Annex 2: List of common control activities

7 Steps to identify and implement control activities

Step 1: Administrations, when assessing their risks, review their systems and processes to determine whether they have existing controls to mitigate their risks.
(Administrations where risk management will be implemented in the framework of the principles mentioned in this manual for the first time should list and evaluate all the existing control activities. Those control activities that don't match the objectives and the risks of the administration should be terminated.)

Step 2: Administrations assess whether these existing controls are effective/sufficient in terms of mitigating risks.

Step 3: If there are no existing controls, or the existing controls are not effective/sufficient, new and/or additional control activities are determined. (To help you decide which control activities to select, you may refer to the list of control activities at Annex 2.) In this step it will be useful to consider the following:
- It may be appropriate to select more than one control activity;
- Any new control activities you select must be evaluated for cost-effectiveness; and
- Appropriate control activities should be tested beforehand.

Step 4: New control activities are not foreseen for those high risks that are managed effectively/sufficiently with the existing controls, and the existing control activities should continue.

Step 5: Risk owners, once the risk register has been approved, have to put in place the new control activities and also ensure monitoring of both new controls and existing controls that are being continued, at the predetermined starting date.

Step 6: Stakeholders are notified in writing about the control activities and whether they are working effectively.

Step 7: Risk owner, while reporting the risks in the Consolidated Risk Report (Risk Management Annex 4), will notify the manager/risk coordinator how well the new control activities and existing controls that are being continued are working. This reporting involves writing a summary of what has happened, identifying the impact of the new control activities and existing controls that are being continued, and attaching any evidence to the report as an annex.

Control Activities Annexes

Annex 1 – Examples of some common risks and controls

Common Risks | Possible Control Activities

Risk management

Common risk: Risks are not being managed effectively, and so the organisation's objectives may not be achieved.
Possible control activities:
- Risk workshops are organised to determine risks, allocate owners, determine controls and how their operation is monitored - corrective

Cash management

Common risk: Cash holdings could be stolen.
Possible control activities:
- Cash is kept locked away and access to it is strictly controlled - preventive
- There is segregation of duties for staff who have access to cash - preventive
- Cheques and other payment forms are serially numbered – preventive

Asset management

Common risk: Assets could be stolen.
Possible control activities:
- Physical controls - for example, using a safe - preventive
- separation of duties, authorisation levels, passwords - preventive; and
- tagging of goods, reconciliations, stock counts - detective

Document control

Common risk: Documents received could be lost.
Possible control activities:
- Keeping a register that shows where all the received documents are filed - preventive

Common risk: Due to document control procedures not being clear and specific, decisions not being taken on time.
Possible control activities:
The document control procedure defines the controls needed to:
- approve documents for adequacy prior to issue;
- ensure that changes and the current revision status of key documents (strategic plan, performance programmes, etc.) are identified;
- ensure that previous versions of applicable documents are available at points of use;
- ensure that distribution of sensitive and classified documents is controlled; and
- identify documents that should be archived - All preventive

Planning and budgeting

Common risk: Budget resources may be spent inappropriately.
Possible control activities:
- Effective planning/budgeting process – preventive
- Staff have received training in budget preparation – preventive
- Comparison of interim and final accounts and activity reports with the strategic plan, performance programme and the budget – detective

Common risk: Financial information may not be accurate and complete.
Possible control activities:
- Financial information being stored or reported on the computer - preventive

Procurement

Common risk: Error and fraud could occur in the procurement process.
Possible control activities:
- Separation of duties between staff making decisions, staff selected for the tender commission and staff involved in payments - preventive
- Applying ex-ante controls to the award decision before the signing of the contract – preventive
- Random checks on transactions by authorised staff – detective
- Identifying purchasing thresholds - preventive
- Requirement to seek the ex-ante approval of a senior manager or the Minister for some high-value procurements (Double signature system) - preventive; and
- Regular rotation of staff who have critical responsibilities in the procurement process - preventive

Stores

Common risk: Unauthorised removal of goods from store.
Possible control activities:
- Physical stock checks to inventory records – detective

Common risk: Goods ordered but not delivered on time or partially delivered.
Possible control activities:
- Including penal provisions in the contract regarding any failure to deliver goods on time – corrective
- Comparison between invoices, goods delivery notes and the contract – detective

Revenue management

Common risk: Delays in submitting tax statements on time and the failure to collect revenues on a timely basis.
Possible control activities:
- Incentives for timely submission of tax statements (advance warning, posters, etc.) - directive
- Incentives for on-line submission of tax statements - preventative
- Penalties for late submission – preventative

Contingency planning

Common risk: Major 'incident' destroys important data.
Possible control activities:
- A Business Contingency Plan exists, has been tested and kept up to date - preventive

IT security

Common risk: Unauthorised staff may obtain access to computerised data.
Possible control activities:
- Personal identifiers and passwords – preventative
- Review of on-line access and transaction logs – detective

Common risk: Master files may be changed inappropriately.
Possible control activities:
- Supervisor authorisation required on forms indicating data to be changed - preventive
- Supervisor does not have change access rights - preventive; and
- Supervisor verifies changes against a printout of changes - detective

Annex 2: List of common control activities

Category | Control Activity

Risk management

Category: Appropriate risk management policies, procedures, techniques and mechanisms exist for each of the organisation's activities.
Control activity:
- Management has ensured that all relevant objectives and associated risks for each significant activity have been identified in conjunction with conducting the risk assessment and analysis function.
- Management has identified the actions and control activities needed to address the risks and directed their implementation.

Implementing control activities

Category: The control activities identified as necessary are in place and being applied.
Control activity:
Management has ensured that:
- Control activities described in policy and procedures manuals are actually applied and applied properly.
- Managers and employees understand the purpose of internal control activities.
- Nominated staff review the functioning of established control activities and remain alert for instances in which excessive control activities should be minimised.
For existing control activities, look out for:
- Guidance – it is likely that there will be official guidance about how to carry out your work;
- Documentation – there may be standard document control procedures to ensure that new documents are registered and filed, changes to documents are recorded and documents no longer in use are archived;
- Checking the work of others – this is a basic control activity that can involve a supervisor or manager checking the work of staff, staff in one section checking the work of staff in another section, or computer checks. There may also be a requirement for transactions to be checked by the SDU under the ex ante control regulation;
- Security – protecting documents, cash and assets; and
- Contingency arrangements - ensuring the continuation of essential services in the event of a service failure.

Performance monitoring

Category: Senior management track outturn in relation to its operational and performance plans.
Control activity:
- Top management are involved in developing annual performance plans and targets and measuring and reporting results against those plans and targets.
- Top management regularly review actual performance against budgets, forecasts and prior period results.
- Top management take appropriate corrective action when progress reports indicate that performance is significantly out of line with plans.

Category: Operational managers review actual performance against targets.
Control activity:
- Managers at all activity levels review performance reports, analyse trends and measure results against targets.
- Managers review and compare financial, budgetary and operational performance to planned or expected results.
- Appropriate control activities are employed, such as reconciliations of summary information to supporting detail, checking the accuracy of summarisations of operations and checking the reliability of data sources and data systems.
- Comparisons are made relating different sets of data to one another so that analyses of the relationships can be made and corrective actions can be taken if necessary.
- Investigation of unexpected results or unusual trends leads to identification of circumstances in which the achievement of goals and objectives may be threatened, and corrective action is taken.
- Analysis and review of performance indicators and results are used for both operational and financial reporting control purposes.

Quality of performance measures and indicators

Category: The organisation monitors the quality of performance measures and indicators.
Control activity:
- The organisation periodically reviews and validates the propriety and integrity of performance measures and indicators.
- Performance measurement assessment factors are evaluated to ensure they are linked to mission, goals and objectives, and are balanced and set appropriate incentives for achieving goals while complying with law, regulations and ethical standards.
- Actual performance data is continually compared against planned goals and differences are analysed to establish whether the right things are being measured in the right way.

Human resource management

Category: The organisation effectively manages its workforce to achieve results.
Control activity:
- A clear and coherent shared vision of organisation's mission, goals, values and strategies is explicitly identified in the strategic plan, annual performance plan and other guiding documents, and that view has been clearly and consistently communicated to all employees.
- The organisation has a coherent overall manpower planning strategy, as evidenced in its strategic plan, performance plan or separate manpower planning document, and that strategy encompasses manpower planning policies, programs and practices to guide the organisation.
- The organisation has a specific and explicit workforce planning strategy linked to the overall strategic plan and that allows for identification of current and future manpower planning needs.
- Senior leaders and managers support teamwork, reinforce the shared vision of the organisation and encourage feedback from employees, as evidenced by actions taken to communicate this to all employees and the existence of opportunities for management to obtain feedback.
- The organisation's performance management system is given a high priority by top-level officials, and it is designed to guide the workforce to achieve the organisation's shared vision/mission.
- Procedures are in place to ensure that staff with appropriate competencies are recruited and retained for the work of the organisation, including a formal recruiting and hiring plan with explicit links to skill needs the organisation has identified.
- Employees are provided with information, training and tools to perform their duties and responsibilities, improve performance, enhance their capabilities and meet the demands of changing organisational needs.
- Qualified and continuous training is provided to ensure that internal control objectives are being met.
- Meaningful, honest, constructive performance evaluation and feedback are provided to help employees understand the connection between their performance and the achievement of the organisation's goals.

Information processing

Category: The organisation uses a variety of control activities suited to information processing systems to ensure accuracy and completeness.
Control activity:
- Edit checks are used in controlling data entry.
- Accounting for transactions is performed in numerical sequences.
- File totals are compared with control accounts.
- Exceptions or violations indicated by other control activities are examined and acted upon.
- Access to data, files and programs is appropriately controlled.

Physical Control Over Vulnerable Assets

Category: The organisation uses physical controls to secure and safeguard vulnerable assets.
Control activity:
- Physical safeguarding policies and procedures have been developed, implemented and communicated to all staff.
- The organisation has developed a disaster recovery plan which is regularly tested, updated and communicated to staff.
- The organisation has developed a plan for the identification and protection of any critical infrastructure assets.
- Assets that are particularly vulnerable to loss, theft, damage or unauthorised use, such as cash, securities, supplies, inventories and equipment, are physically secured and access to them controlled.
- Assets such as cash, securities, supplies, inventories and equipment are periodically counted and compared to control records, and exceptions examined.
- Cash and negotiable securities are maintained under lock and key and access to them strictly controlled.
- Forms such as blank checks and purchase orders are sequentially pre-numbered and physically secured and access to them strictly controlled.
- Mechanical check signers and signature plates are physically protected and access to them strictly controlled.
- Equipment vulnerable to theft is securely fastened or protected in some other manner.
- Identification plates and numbers are attached to office furniture and fixtures, equipment and other portable assets.
- Inventories, supplies and finished items/goods are stored in physically secured areas and protected from damage.
- Facilities are protected from fire by fire alarms and sprinkler systems.
- Access to premises and facilities is controlled by fences, guards and/or other physical controls.
- Access to facilities is restricted and controlled during nonworking hours (alarms, CCTV, etc.).

Separation of duties

Category: Key, high risk and sensitive duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud.
Control activity:
- No one individual is allowed to control all key aspects of a transaction or event.
- Responsibilities and duties involving transactions and events are separated among different employees with respect to authorisation, approval, processing and recording, making payments or collection of income, review and auditing, and the custodial functions and handling of related assets.
- Duties are assigned systematically to a number of individuals to ensure that effective checks and balances exist.
- Where feasible, no one individual is allowed to work alone with cash, securities or other assets.
- The responsibility for opening mail which contains cash is assigned to individuals who have no responsibilities for or access to files or documents pertaining to accounts receivable or cash accounts.
- Bank accounts are reconciled by staff who have no responsibilities for cash receipts, disbursements or custody.

Authorisation for transactions or events

Category: Appropriate staff is authorised for transactions and other significant events.
Control activity:
- Controls ensure that only valid transactions and other events are initiated or entered into, in accordance with management decisions and directives.
- Controls exist to ensure that all transactions and other significant events are authorised and executed only by employees acting within the scope of their authority.
- Authorisations are clearly communicated to managers and employees and include the specific conditions and terms under which authorisations are to be made.
- The terms of authorisations are in accordance with directives and within limitations established by law, regulation and management.

Recording transactions and events

Category: Transactions and other significant events are properly classified and promptly recorded.

Control activities:
- Transactions and events are appropriately classified and promptly recorded so that they maintain their relevance, value and usefulness to management in controlling operations and making decisions.
- Proper classification and recording take place for each transaction or event.

Accountability for and access restrictions to resources and records

Category: Access to resources and records is limited and accountability for their custody is clearly allocated.

Control activities:
- The risk of unauthorised use or loss is controlled by restricting access to resources and records only to authorised staff.
- Accountability for resources and records custody and use is assigned to specific individuals.
- Access restrictions and accountability assignments for custody are recorded and periodically reviewed.
- Periodic comparison of resources with the recorded accountability is made to determine if the two agree, and differences are examined.
- How frequently actual resources are compared to records and the degree of access restrictions are functions of the vulnerability of the resource to the risk of errors, fraud, waste, misuse, theft or unauthorised alteration.
- Management considers such factors as asset value, portability and exchangeability when determining the appropriate degree of access restrictions.
- As a part of assigning and maintaining accountability for resources and records, management inform and communicate those responsibilities to specific individuals within the organisation and ensure that those people are aware of their duties for appropriate custody and use of those resources.

Documentation

Category: Internal control, transactions and other significant events are clearly documented.

Control activities:
- Written documentation exists covering the organisation's internal control structure and for all significant transactions and events.
- The documentation is readily available for examination.
- The documentation for internal control includes identification of the organisation's activity-level functions and related objectives and control activities, and appears in management directives, administrative policies, manuals and other guidance.
- Documentation for internal control includes documentation describing and covering management information systems, data collection and handling, and the specifics of general and application control related to such systems.
- Documentation of transactions and other significant events is complete and accurate and facilitates tracing the transaction or event and related information from authorisation and initiation, through its processing, to after it is completed.
- Documentation, whether in paper or electronic form, is useful to those involved in controlling, evaluating or analysing operations.
- All documentation and records are properly managed, maintained and periodically updated.

General computer controls

Category: The organisation periodically performs a comprehensive high-level assessment of risks to its information systems.

Control activities:
- Risk assessments are performed and documented regularly and whenever systems, facilities or other conditions change.
- Risk assessments consider data sensitivity and consistency.

Category: Effective computer security controls are in operation and are monitored.

Control activities:
- The organisation has developed a plan that clearly describes the organisation-wide security plan and policies and procedures that support it.
- Senior management have established a structure to implement and manage the IT security program throughout the agency, and security responsibilities are clearly defined.
- The organisation monitors the security plan's effectiveness and makes changes as needed.
  - Corrective actions are promptly and effectively implemented and tested, and they are continually monitored.

Category: Effective computer access controls are in place and are monitored.

Control activities:
- Information resources are classified according to their criticality and sensitivity.
- Resource classifications and related criteria have been established and communicated to resource owners.
- Resource owners have classified their information resources based on approved criteria and with regard to risk determinations and assessments, and have documented those classifications.
- Resource owners have identified authorised users, and their access to the information has been formally authorised.
- The organisation monitors information systems access, investigates apparent violations and takes appropriate remedial action.
- The organisation has established physical and logical controls to prevent or detect unauthorised access.

Category: Application software development and change controls are in place and are monitored.

Control activities:
- Application software modifications are properly authorised.
- All new or revised software is thoroughly tested and approved.
- The organisation has established procedures to ensure control of its software libraries, including labelling, access restrictions, and use of inventories and separate libraries.
- All key activities are monitored.

Category: Effective system software controls are in place and are monitored.

Control activities:
- The organisation limits access to system software based on job responsibilities, and access authorisation is documented.
- Access to and use of system software are controlled and monitored.
- The organisation controls changes made to system software.

Category: There is effective separation of duties for IT operations.

Control activities:
- Incompatible duties have been identified and policies implemented to segregate those duties.
- Access controls have been established to enforce segregation of duties.

Category: Controls ensure the continuity of IT services.

Control activities:
- The criticality and sensitivity of computerised operations have been assessed and prioritised, and supporting resources have been identified.
- The organisation has taken steps to prevent and minimise potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
- Management have developed and documented a comprehensive IT service contingency plan.
- The organisation periodically tests the contingency plan and adjusts it as appropriate.

Computer application controls

Category: Source documents are controlled and require authorisation.

Control activities:
- Access to blank source documents is restricted.
- Source documents are pre-numbered sequentially.
- Key source documents require authorising signatures.
- For batch application systems, batch control sheets are used, providing information such as date, control number, number of documents and control totals for key fields.
- Senior management or independent review of data occurs before it is entered into the application system.
- Data entry terminals have restricted access.
- Master files and exception reporting are used to ensure that all data processed are authorised.

Category: Completeness controls

Control activities:
- All authorised transactions are entered into and processed by the computer.
- Reconciliations are performed to verify data completeness.

Category: Accuracy controls

Control activities:
- The organisation's data entry design features contribute to data accuracy.
- Data validation and editing are performed to identify erroneous data.
- Erroneous data is captured, reported, investigated and promptly corrected.
- Output reports are reviewed to help maintain data accuracy and validity.

Category: Control Over Integrity of Processing and Data Files

Control activities:
- Procedures ensure that the current version of programs and data files are used during processing.
- Programs include routines to verify that the proper version of the computer file is used during processing.
- Programs include routines for checking internal file header labels before processing.
- The application protects against concurrent file updates.
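The source-document, completeness and accuracy controls listed under "Computer application controls" can be enforced in software before a batch is released for processing. The following Python sketch is an added example, not part of the manual; the class names, field names, signer IDs and sample batches are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class SourceDocument:
    serial: int          # pre-numbered sequential form number
    payee: str
    amount: Decimal      # key field covered by a control total
    authorised_by: str   # authorising signature (empty string if missing)


@dataclass(frozen=True)
class BatchControlSheet:
    date: str
    control_number: str
    document_count: int
    amount_total: Decimal  # control total for the key field "amount"
    first_serial: int      # first pre-numbered form issued to this batch


def check_batch(sheet, documents, authorised_signers):
    """Return exception messages; an empty list means the batch may be processed."""
    exceptions = []

    # Completeness: the number of documents entered must match the sheet.
    if len(documents) != sheet.document_count:
        exceptions.append(
            f"count: sheet={sheet.document_count} entered={len(documents)}")

    # Completeness: pre-numbered serials must form one unbroken run.
    expected = set(range(sheet.first_serial,
                         sheet.first_serial + sheet.document_count))
    seen = set()
    for doc in documents:
        if doc.serial in seen:
            exceptions.append(f"duplicate serial {doc.serial}")
        seen.add(doc.serial)
    for serial in sorted(expected - seen):
        exceptions.append(f"missing serial {serial}")
    for serial in sorted(seen - expected):
        exceptions.append(f"unexpected serial {serial}")

    for doc in documents:
        # Authorisation: the signature must belong to an authorised signer.
        if doc.authorised_by not in authorised_signers:
            exceptions.append(
                f"serial {doc.serial}: not authorised "
                f"({doc.authorised_by or 'no signature'})")
        # Accuracy: validation and editing of the key field.
        if doc.amount <= 0:
            exceptions.append(f"serial {doc.serial}: invalid amount {doc.amount}")

    # Accuracy: reconcile the entered amounts with the control total.
    total = sum((doc.amount for doc in documents), Decimal("0"))
    if total != sheet.amount_total:
        exceptions.append(f"total: sheet={sheet.amount_total} entered={total}")
    return exceptions


# Constructed sample data (not taken from the manual).
AUTHORISED_SIGNERS = {"AO-1", "AO-2"}
SHEET = BatchControlSheet("2009-03-02", "B-0001", 4, Decimal("4150.00"), 1001)
CLEAN_BATCH = [
    SourceDocument(1001, "Supplier A", Decimal("1200.00"), "AO-1"),
    SourceDocument(1002, "Supplier B", Decimal("1500.00"), "AO-1"),
    SourceDocument(1003, "Supplier C", Decimal("450.00"), "AO-2"),
    SourceDocument(1004, "Supplier D", Decimal("1000.00"), "AO-2"),
]
# Form 1003 was dropped, form 1002 was entered twice, form 1004 is unsigned.
# The document count still matches the sheet, so the count check alone
# would pass this batch.
TAMPERED_BATCH = [
    SourceDocument(1001, "Supplier A", Decimal("1200.00"), "AO-1"),
    SourceDocument(1002, "Supplier B", Decimal("1500.00"), "AO-1"),
    SourceDocument(1002, "Supplier B", Decimal("1500.00"), "AO-1"),
    SourceDocument(1004, "Supplier D", Decimal("1000.00"), ""),
]

if __name__ == "__main__":
    for name, batch in (("clean", CLEAN_BATCH), ("tampered", TAMPERED_BATCH)):
        report = check_batch(SHEET, batch, AUTHORISED_SIGNERS)
        print(name, "->", report or "no exceptions")
```

The tampered batch shows why the controls are listed together: the document count matches, and only the serial-number, signature and control-total checks raise exceptions.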


Annex 3 - Illustrations for cost benefit analysis

Example 1

You are considering hiring a junior clerk to carry out a 100 per cent check on all payments your spending unit makes (checking each agrees to the supporting documents) to ensure the correct amount is paid. This is an ex-ante control, as the check is made prior to the payment. You estimate that this task will occupy the junior clerk for 100 per cent of their working time.

Cost of the junior clerk: 2500 YTL a month (1200 salary plus 1300 contribution to overheads, e.g. heating the building).

Scenario A

Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 3000 YTL a month.

Decision - this control activity is cost effective and the junior clerk should be employed to do this checking.

Scenario B

Cost: same as above.

Benefit: your experience of such a checking control is that it will find, on average, errors of overpayment of 2000 YTL a month.

Decision - this control activity is not cost effective and the junior clerk should not be employed on a full time basis to do this checking. You can rely on other controls instead.

Possibilities:

- Focus checking on only the highest value or riskiest payments - this will only employ the clerk for 50 per cent of their time. If you estimate that it will find, on average, errors of overpayment of 1600 YTL a month (i.e. over 50 per cent of the clerk's cost), this is a better alternative control; or
- Don't do any checking - rely on separation of duties control (different clerk raises payment to the one that enacts the payment) to prevent fraudulent overpayments.

Example 2

You do not currently employ any public relations expert.

In the absence of any control on dealings with the press, you assess the risk of reputational damage as being high likelihood and high impact.

Cost of the expert in public relations: 4500 YTL a month (2500 salary plus 2000 contribution to overheads, e.g. heating the building).

Scenario 1

You have a low risk appetite in terms of reputational damage and consider that the benefit of all dealings with the press going through the expert in public relations will successfully mitigate the risk to within your risk appetite (by considerably reducing the likelihood of reputational damage through ill-advised comments being given to the press). You consider that this risk mitigation is so important to your administration that it justifies the employment of the expert in public relations.

Decision: you employ the expert in public relations.

Scenario 2

You have a high risk appetite in terms of reputational damage and consider that the risk of reputational damage through ill-advised comments being given to the press without employing the expert in public relations is equal to or less than your risk appetite for this risk. You thus consider that the benefit of employing the expert is outweighed by the cost. You therefore consider that it is not cost-effective to employ the expert in public relations.

Decision: you do not employ the expert in public relations.

Action: as you are equal to or less than your risk appetite for the reputational risk, you need not select an alternative control activity, but you should continue to review in the future, as the decision may be changed if your risk appetite reduces or your assessment of the likelihood and/or impact of the risk increases.


INFORMATION AND COMMUNICATION

1. INTRODUCTION

Information and communication, as the fourth of the five components of the COSO internal control model, ensures the relation between control environment, risk assessment and control activities through sharing information and communication. It has an important role in increasing the functionality and operational competence of the internal control system, which is regarded as a tool for attaining organisational objectives and aims, as it regulates information flow within the administration.

The aim of this chapter of the manual is to give information, within the framework of internal control standards, about structures and practices related to the use of information and communication mechanisms, and to provide guidance for users about reporting, registry and filing systems and methods to be used in notifying faults, irregularities and corruptions, with a view to ensuring that administrations carry out their activities in line with their objectives as well as accounting for their activities.

Communication refers to transformation and conveyance of information within the organisation, vertically and horizontally, and externally, via proper mechanisms, to relevant people, administrations and bodies. Administrations must aim to establish an effectively managed and well coordinated communication system for the information that meets the information needs of managers, staff and the public.

In the event that information and communication systems do not function as expected, managers and staff may come up against the risk of not being able to make timely and right decisions, not being able to implement those decisions and ultimately not being able to achieve the objectives. In this regard, information should be accessible, useful, timely, accurate, complete and up-to-date.

2. Information and Communication Standards

Information and communication includes the information, communication and record system which will ensure transfer of required information to the person, personnel and the administrator who need the information, in determined format and in a time period which enable the concerned to fulfil internal control and their other responsibilities.

IC Box 1: Information and Communication Standards

[Figure: internal control components - Control Environment, Risk Management, Control Activities, Info & Communication, Monitoring]

Standard 13: Information and communication

The administrations shall have a suitable information and communication system with a view to ensuring that the performance of the units and the personnel is monitored, decision making processes operate soundly and efficiency and satisfaction in providing service

Standard 14: Reporting

Goals, objectives, indicators and activities of the administration and the results of them shall be reported in accordance with the principles of transparency and accountability.

Standard 15: Record and filing system

The administrations shall have a comprehensive and up-to-date system where the works and transactions, including incoming and outgoing documents, are recorded, classified and filed.

Standard 16: Notification of faults, irregularities and corruptions

The administrations shall develop methods which will ensure that the faults, irregularities and corruptions are notified in a specific order.


3. ROLES AND RESPONSIBILITIES IN INFORMATION AND COMMUNICATION

Minister

Ensures coordination and cooperation with other ministries and informs the public and the TGNA about the annual performance programme and activity report submitted to him by the administration.

Head of Administration

The Head of Administration must publish an announcement, via the internal communication network or an official letter, on what to do before the preparation of such documents as the strategic plan, performance program, activity report, and Risk Strategy and Policy Paper, which need to be prepared in a way which will ensure attainment of pre-identified objectives in the fields the administration is responsible for.

Another duty of the Head of Administration is to sign the internal control assurance declaration and inform the public and the Minister.

As the quality of the information exchange and communication between the Head of Administration and the other actors has a direct effect on the accountability of the Head of Administration, the Head of Administration must guide the relevant units about the frequency and methods of feedback he prefers.

The Head of Administration must consider whether the current information system meets the needs during the set-up and integration of new information systems. If a new system is to be set up, it must be designed by taking integration with the other information systems into consideration.

Internal Auditor

As prescribed by Law no. 5018, the internal auditors work to assess the internal control system under the Head of Administration. In this regard, internal auditors report to the Head of Administration whether the internal control system functions properly or not. Therefore, to be able to carry out their duties, internal auditors should be given unlimited access to every kind of information they need. Setting up such a mechanism depends on robust communication and flow of information between the internal auditors and the Head of Administration.

The Head of Administration is entitled to take preventive or corrective actions and develop new control activities based on the report submitted by the internal auditor, or to request additional reports.

Authorising Officer

Authorising Officers must ensure that tasks, powers and responsibilities of staff are defined clearly and in writing and communicated to all staff. In this framework, a chart of duties which demonstrates the functional reporting network must be produced and communicated to the staff. A communication network that ensures quick and timely access by the staff and managers to the activities and the results must be used. In this regard, the organisational chart of the administration can also include a diagram which shows the tasks of the sub-units and the responsible and authorised staff on the intranet and internet. The Authorising Officer must ensure that sub-units are informed about the activities of each other.

Authorising officers:

- must ensure that an electronic communication and archiving system is used effectively for the accurate and reliable acquisition, storage and communication of the information needed regarding the objectives, activities and indicators that are relevant to their respective units, from among those included in the strategic plan and performance program of the administration;
- must provide for the regular announcement of the status of realisation regarding the performance objectives and indicators related to their respective units, and the grounds for the data, on the webpage of the unit; and
- must provide information for periodical reporting to the SDUs that will be carried out by authorising officers (information about objectives and risks of the unit, status of realisation, etc.);
- should transfer timely, complete and accurate information and documents regarding financial transaction processes to the Accounting Officer and set up mechanisms to store records and statistics.

Realisation Officer

Realisation officers, who are responsible for issuing spending orders, must periodically brief the authorising officer of the spending process. In this regard, information on the spending order being complete, accurate, understandable and reliable plays a significant role in realisation officers fulfilling their tasks as requested from them.

Accounting Officer

The Accounting Officer is responsible for performing accounting services and keeping accounting records in a regular, transparent and accessible way. Accounting Officers must regularly report to the authorising officer on the accounting records.

Strategy Development Units

SDU managers must review the information included in the activity reports, performance programmes and strategic plans by holding periodic meetings with the authorising officers of other units. Personnel of SDUs must obtain the information that is needed in the field of financial management and control through these persons.

Necessary coordination for the formation of the team to carry out the studies on the establishment and development of Information Management Systems within the administration is provided by the SDU.

In fulfilment of the coordination duties of SDUs, which are defined by laws, the Principles and Procedures of Internal Control and Ex-ante Financial Control, the Strategy Planning Guideline, the Legislation and Manual on Performance Programs to be Prepared in Public Administrations, and secondary and tertiary regulations such as the Budget Preparation Manual must be taken into consideration.

SDUs must have a webpage with forums, good practice examples and frequently asked questions, to ensure communication with internal and external stakeholders in order to carry out their tasks more effectively.

Central Harmonisation Unit

While carrying out its tasks in the field of information and communication:

- CHU sets up a common (web-based) network where information can be shared.
- They organise trainings, panels and conferences for the actors that take part in the field of internal control.
- CHU members are assigned to be responsible for particular administrations to enhance information and communication with SDUs of administrations. They communicate with SDUs and provide them with information and guidance via official letters, call centres, telephone, forums, etc.

Please refer to the CHU Handbook for further details on the roles and responsibilities of CHU.

Besides practices and methods in the area of information and communication given in this manual, public administrations must also take into consideration those regulations in the legislation which are directly related to the area of information and communication. These basic regulations are contained in IC Annex I.

4. INFORMATION

The prerequisite for reliable and proper information is immediate recording and suitable classification of all operations and transactions. Internal control includes obtaining, classifying, recording, utilising and reporting both financial and non-financial information.

4.1 Characteristics of Information

Characteristics that the information which is used in public administrations must have are given below:

- Timely: Information should be obtained and transferred in the right time by the right personnel.
- Related: Information should be related to every activity, work or action.
- Available: Information holdings should be available to those who require them, the moment they need it and also later. Technology should be available to users in order to facilitate obtaining, storing, transferring and using information.
- Comprehensible: The description of information holdings must have the same meaning for users at all levels of the administration. In addition, information that is shared with external stakeholders must be clear and meaningful for the users.
- Usable: Information must meet the needs of its users in relation to the purposes for which it was received.
- Complete: Both the content and form of information should be complete in order to provide for efficient and effective use of information holdings.
- Accurate: Information must be able to reflect the points regarding the aims, objectives and activities it is related to accurately and correctly.
- Up-to-date: Information must be updated and related to the needs. A lack of up-to-date information can impair decision making and program delivery. Managers and personnel should take necessary actions to keep information up-to-date.

4.2 Information Management

Information management is a process where information is planned and obtained from any kind of source, internally or externally, classified, stored, communicated to relevant bodies in a timely manner for interpretation, reviewed for updating and destroyed. The stages of this process are complementary to each other. In any stage there may occur a need to take into consideration the phases of the previous or next stage.

IC Figure: Information Management Process

4.2.1 Planning Information Need

The planning stage starts with identifying strategic aims and objectives and performance objectives, as well as identifying information needs to achieve these objectives. This stage includes the assessment of who needs what information, when and why, and how they can acquire it, at all levels from the operational to the strategic activity level, in order for the administration to maintain its operations effectively.

In the planning stage the following factors must be taken into consideration:

- Internal and external information users must be defined and classified. Information needs of users must be determined. Information holdings must be examined to see whether the current information need of the users can be met using them.
- While novel databases and information systems are designed, the risk for the information to be disseminated to the public must be considered.
- The benefit and cost of information in terms of the users must be analysed.
- The information need for new legislative, strategic and operational aims must be defined along with the relevant information system requirements; furthermore, the person and the time to do this work must be set out.
- Emerging information needs must be compared to the present information and information systems within and outside the administration.
- For increasing the value or productivity, or decreasing the cost, of the systems in use, such methods as combining information systems, using novel technologies and standard practices can be referred to.

Value of information is not only about how it is used and kept but also about how and when it is going to be destroyed. Many factors such as legislation, information policies and needs may have an impact on how long to keep that information. Information which is being kept should be destroyed in accordance with the relevant legislation after necessary approvals have been received.

[Figure labels, Information Management Process: Planning information need; Organising information; Creating and collecting information; Reviewing and keeping information; Utilising and sharing information]

4.2.2 Creating and Collecting Information

While producing and collecting information, first of all the value of the information for the administration must be set out, and it should be made sure that the people in need of information do have access to it on time.

The information collection and creation process should focus on the following, and information collected or created must have the capacity to meet the needs of the administration. To this end:

- The holdings must be periodically reviewed in order to determine if the information that is created or collected continues to meet the identified needs, and it must be followed up whether users really use the information. A great deal of information can still be unnecessarily collected for a reason that was identified in previous periods. If the administration decides to stop collecting that information, firstly it must set out whether any individual or program would be affected.
- Quality and scope of information, as well as its relation to the defined needs and whether it meets the needs or not, should be understood in regular reviews. In addition, implicit information of the staff must be turned into explicit information and incorporated into the information inventory. The information produced as a result of the process studies must be classified starting from the most frequently used to the least.
- Information must be compiled in information pools to be created. This information must be clear and understandable. The information in the pool must be open to access upon being classified in accordance with the information hierarchy, such as strategic and operational. Management of the information pool must be carried out by a team who are competent in the processes to be formed within the administration.
- Legislation or policies may demand that certain information be collected by an administration. Therefore, information that is collected must meet legislative and institution-specific policy requirements.

Information collection must be coordinated. To this end:

- all information collection activities must be accounted for, including all regions and organisational units, and information collected must be accessible;
- the administration must ensure that information collection conforms to the applicable standards;
- information must be periodically reviewed in order to ensure that the requirements of the relevant legislation are respected. This might be done during the annual update of personal information; and
- before information is created or collected, existing information holdings must be reviewed to determine if the information needs can be satisfied by existing holdings or readily accessible external information sources.

The following are the leading sources of information:

- instructions, approvals, invoices, transaction orders, petitions;
- interactions between clients, vendors or other ministries and agencies;
- planning documents - budgets, forecasts, work plans, blueprints (technical or engineering designs);
- drafts, schemes of information architecture;
- reports, policy briefing notes, other documents supporting the activities and justifications;
- meeting documents - agendas, records of decision;
- commission documents, job descriptions, member lists;
- requests for information and the responses, emails, forms used to collect responses, templates, related instructions, responses in every format;
- client records, applications, evaluations, emails, phone calls;
- every kind of data in electronic medium; and
- information resources which could provide additional information.

Collecting Information from Public/Private Sector

The response burden should be minimised to the lowest level possible in this process. To this end:

- the administration should determine from whom it will receive information, at what frequency and in what detail, as well as what burden this process will create upon respondents; and
- there should be cooperation with other administrations in such issues as undertaking joint collection or information sharing.

The forms should meet all statutory and policy requirements. To this end:

- all the forms in both paper and electronic media must be reviewed before they are put into use to ensure that applicable requirements are met. Furthermore, the responsible person must be assigned.

4.2.3 Organising Information

The aim of organising information is to establish a link between the operations of the administration and usage, sharing, retrieving, archiving and destroying of information, and to facilitate the process for administrations and the other stakeholders.

The following steps must be taken for an efficient information organisation:

- it must be ensured that users both internal and external to the administration are satisfied with their access to information. Methods should be established to measure user satisfaction (such as user surveys and questionnaires applied after completion of certain services, as well as periodically applied questionnaires);
- the custodians of information holdings (e.g. Data Processing Departments, Library Services, etc.) must identify the information needs of users and improve their services to better meet the needs of users for quick and easy access, e.g. shortening response time, using efficient and effective technology for transmission, designing a user-friendly system;
- information must be available for public dissemination and communicated to the public where and when appropriate, for instance by establishing such structures as e-libraries to facilitate public access;
- information available for use by the other administrations must be checked to see whether they are subject to any legal or policy constraints;
- administrations must have an up-to-date publications catalogue, which must be deposited in the administration's library. Published material must be catalogued according to established standards; and
- all the documents published by the administration must be accessible on the webpage of the administration.

Registering Filing and Archiving of Information

Registry and Filing

To ensure effective management, any kind of document, including electronic ones, internal communications, operations and transactions, must be recorded, classified, filed and archived; there must be a comprehensive and up-to-date system for this.

If meaningful and valuable information for the control of activities and decision making is desired, all operations and transactions must be instantly recorded.

In order to ensure the quality of information and reporting, the fulfilment of internal control activities and responsibilities, and effective and efficient monitoring activities, all transactions need to be completely and clearly documented.

These documents should be easily accessible where needed.


The documents of the internal control system should include the structure and policies of the administration, types of activities, related objectives and control procedures.

The process of registry should be applied in a way that it will cover all the stages of a transaction, including the start and approval stages, until their final classification. This is also the case for the regular updating of documents.

Regardless of the media they are received in (such as paper, fax, e-mail or electronic), documents should be recorded and kept within the framework of a registry plan which is suitable at least to one official file.

Registry procedures must be communicated to staff in writing.

In this context, Standard Filing Plan no. 2005/7, issued in the Official Gazette no. 25766 dated 24 March 2005 and prepared under the coordination of the Prime Ministry General Directorate of State Archives, must be taken as the basis to establish a common method for all public administrations to file all documents, including electronic ones, and to ensure fast and easy access to them where necessary.

Ensuring standardisation in the filing system would help achieve harmony within the institution and, if it can be disseminated among all organisations, it would form a basis for an efficient and effective communication system across the country.

Standardisation of filing services would:

- ensure that documents about the same issues are codified using the same numbers in all organisations;
- facilitate easy and fast access to the right information and documents requested, and make sorting, classifying and keeping the documents and putting them into service easier, as standard file numbers will refer to the same issues in all organisations;
- ensure integrity and ease in the establishment of a tidy, fast, effective and efficient system of document, file and communication;
- provide infrastructure for the automation of documents and correspondence and the establishment of information networks among organisations; and
- facilitate internal and inter-organisational file and operation tracking. The document or information looked for would be easily found in a short period of time.

The task of carrying out studies on the registry, usage and archiving of electronic documents has been assigned to the General Directorate of State Archives upon Decision no. 7 dated 9 September 2004 of the e-Transformation Executive Board, in accordance with the Prime Ministry Circular number 2008/16 on Electronic Document Standards published in the Official Gazette number 26938 and dated 16 July 2008, and TSE Standard number 13298 has been published. This Standard is a main source for electronic document management systems to be used by all public organisations.

Electronic document management systems to be established by the administrations will comply with the TSE Standard no. 13298 and, furthermore, inter-organisational sharing of electronic documents produced will be carried out by the criteria on electronic document sharing services as set out on the web address www.devletarsivleri.gov.tr.

Archiving Services

Archiving services include identification of the materials the administrations and the staff have that will become archive materials in the future, their protection against any losses, preservation under proper conditions, utilisation in accordance with national interests, and cropping and disposal if not deemed necessary to maintain. Principles and procedures on archiving services have been set out in the Regulation on State Archiving Services published in the Official Gazette number 19816 and dated 16 May 1988, and amended by the Official Gazette number 25735 and dated 22 February 2005.

As per this regulation, administrations have to take necessary precautions to protect information and documents against disasters, theft, fire, etc.; set out the procedures for the preservation of confidential documents; take the measures to ensure that the documents remain legible in the future; and inform the managers and the staff about the proper periods of preservation for the documents.


4.2.4 Using and Sharing Information

Using and sharing information is crucial in terms of accountability and transparency for those who take part in the activities of the administration and other stakeholders.

Information is an asset which renews itself, turns into a new form and becomes more valuable as it is communicated and shared. Therefore, regular communication and circulation of information within an administration is a principle of information management. Sharing administrative information reflects a cycle in which the information is communicated to the relevant persons, administrative works are notified, reactions of the personnel are received, and reactions are assessed, evaluated and communicated back to the relevant persons.

The following must be considered while using and sharing information:

- Comply with privacy, security and legal restrictions.
- Whenever possible, use electronic media to share information resources (email, repositories, websites and so on).
- Ensure that information remains complete, accurate, up-to-date, relevant and understandable.
- Verify the accuracy and reliability of information (especially when conducting web-related research).
- Take advantage of administrative investments in information resources (magazine and journal subscriptions, databases, online library services and so on) while respecting copyright, licensing and intellectual property rights.
- When retaining information that has been 'copied', indicate the source, whether it is from an information resource already saved in the organisation repository, from a publication or from a website.

Furthermore, transferring information from those who leave their jobs to those starting a new job is crucial to the continuity of the activity in an administration. In this context, the following should be taken into consideration.


IC Table 1: What to do when leaving and starting a job

When leaving a job:

- Discussing your responsibilities with your manager when leaving the job, and determining and monitoring the internal policies for the administrative closure of your business processes
- Providing pertinent information about everything you leave for your successor, explaining why it will be needed
- Backing up all the information in the electronic medium related to the job and transferring it to the information pool
- Transferring the documents under your responsibility to the relevant successor
- Creating a list of job-related website addresses, a summary of ongoing projects and related contact information, and an inventory of information resources (including file numbers) that will help your successor get used to his or her new job
- Returning, or extending the deadline of, the material that was borrowed from the library
- Removing the former employee's name from distribution lists

When starting a new job:

- See if any electronic and paper information resources of business value have been transferred to your custody
- Take note of any instructions or messages you receive regarding access to electronic tools such as a shared drive, business system or repositories
- Familiarise yourself with your information management responsibilities and practices
- Take part in training sessions on information management and recording
- Add the new employee's name to the distribution list

4.2.5 Reviewing and Protecting Information

Organisations must periodically review such main processes of information management as planning, producing, collecting, defining, accessing and using information, and share the results with managers.

Therefore, attention must be paid to the following:

- Store the information in a manner that preserves its form and status, keeping its structure, context and content intact.
- Mark each information resource according to its proper security classification, either on the paper or electronic document.
- Protect classified and protected information by ensuring it isn't left in waste or recycle containers and by storing it in locked desks or cabinets after work hours and during extended periods of absence.
- Implement effective access control procedures, ensuring that classified and protected information is only made available on a need-to-know basis to those who are authorised to access it.
- The level of protection must be consistent with the level of risk.
- Take the requests for access and usage from other users into consideration and assess their compliance with the legislation.
- Periodically back up the information for protection purposes.

4.3 Information Security

Information can be stored on paper, it can be kept in electronic format, or it can be transferred verbally as well. Regardless of its form, information must be properly recorded and protected. Information security means safeguarding valuable assets in an administration against loss, misuse or damage.

The aim of information security is to ensure the following:

- Safeguarding data integrity
- Preventing unauthorised access
- Respecting privacy and secrecy
- Continuity of the system

4.3.1 Information Security Management System

An information security management system is a systematic approach adopted so that the organisation's sensitive information that needs protection is managed properly. The main objective of this system is safeguarding and storing the sensitive and critical information and making it available where necessary.

Setting Up an Information Security Management System

In order to establish an information security management system:

- Primarily, the decision must be taken on whether the system will cover the entire organisation or a part of it.
- Secondly, a policy that sets out the objectives must be introduced.
- Finally, a systematic risk assessment approach must be adopted, and potential risks must be identified and mitigated as appropriate.

Requirements of an Information Security Management System

The following are the requirements for an efficiently operating Information Security Management System:

- Support and ownership by top management and managers of the administration must be ensured.
- Information management should not be regarded as merely a technical issue and a job only for the Data Processing Department. The system must have the potential to reach its objectives with active participation by all staff of the administration.
- Establishment of an information security management system must not be regarded as an extra burden and waste of time.

Elements/Principles of Security

The risks of compromise to information security, for example hacking, need to be defined, and controls to mitigate those risks should be introduced. If these controls are absent or ineffective, that will considerably decrease the efficiency of the information security system.

The main principles of security are confidentiality, integrity, availability, authentication, non-repudiation, responsibility and access control. For more detailed information, see the Turkish Standards Institute TSE-17799 "Information Security Management Standard" document. Furthermore, there are other international models aiming to ensure the security of electronically produced information, such as COBIT, e-SAC (Electronic System Audit and Control) and System Trust, while you can also explore the standards ISO/IEC 27001 and ISO/IEC 27002 (International Organisation for Standardisation).

Also, please refer to the "Regulation on the Principles and Procedures Regarding the Implementation of the Law on Electronic Signature", based on the Law on Electronic Signature number 5070, and the e-Transformation Turkey 2005 Action Plan (Action 5: Current systems at public institutions, particularly central institutions using critical information, will be analysed and information security policies and measures will be developed accordingly; and Action 33: The needs of disaster management of public information system will be identified and recommendations will be developed).

For preserving and storing documents that are kept in written environment, please refer to section 4.2.3 on the organisation of information and the registry, filing and archiving system.

4.3.2 Information Security Control Activities

In order to set the level of importance of an item of information, the degree of the effect on the administration that stems from the risk of harm to the "confidentiality, integrity and availability" of the item of information must be defined in the first place. Harm to these three security features of information systems may have different degrees of effect. For instance, disclosure of top secret information can cause serious harm to an administration, while it may not be that harmful if that information becomes unavailable.


The risks to information security identified must be analysed and ranked, and the cost of the control activities to be established and operated to mitigate those risks must be in proportion to the value of the information protected and the risk identified after examining potential threats. For some ideas of suitable control activities, see the Control Activities chapter.

IC Figure 1: Process of Control Activities for Information Security

The image above is an example of security-related control activities. It demonstrates 4 different attacks. As can be told from the image, attack [1] is immediately prevented at the stage of prevention, while attacks [2], [3] and [4] are not. Of the attacks that manage to survive the prevention process, attack [2] is identified at the stage of detection and eliminated. Attacks [3] and [4] manage to pass the detection stage. At the stage of response, which is the final stage that has been designed in accordance with the level of tolerance decided, attack [3] is eliminated, while attack [4], which survives all stages, damages the system, passing through all security processes.

5 MANAGEMENT INFORMATION SYSTEMS (MIS)

Management information systems are computer-assisted systems (consisting of computer hardware and software) which should ideally provide timely strategic information needed by managers, in the form they demand it, so they can make the right decisions on an informed basis.

The aim is the transmission of the right and complete information to the right people in the proper format (form, report, table, graphics, etc.). A labour force is needed to run, update and maintain the systems. MIS give information on how the administration is performing (in terms of financial information, information regarding the staff, information on the movable/immovable assets, performance information, information from the organisation's document archive, etc.) against key performance indicators. MIS may also give information on risk management.

Information should be registered, classified, calculated, summarised, reported and stored. Back-up copies of the system should be kept in case the system crashes. If these processes are not done systematically, managers may have incorrect information and thus make the wrong decisions.

While designing MIS, first the civil servants must understand the importance of acquiring and recording reliable and accurate information and be aware of their responsibilities in this regard; then business processes related to the production of information must be defined completely and clearly; and finally support from IT must be obtained.

Some organisations have dispersed information systems; however, the existence of such a structure does not necessarily mean they have MIS. In some cases information is not related and integrated with all the actions and units of an administration. Data recorded by different units in different systems is stored independently of the other units. Duplication of information in different units of the administration is an inefficient use of resources. Entering data into a central computerised system ensures that managers have access to information which covers all the administration.

The resistance to information sharing in administrations is a significant problem. It is not possible to transmit the accurate and timely information which management needs in administrations where information is not shared, which is an obstacle for MIS. Hence a culture of information sharing should be encouraged.

5.1 Stages of Establishing MIS

In the development of management information systems, SDUs undertake the task of coordination and provide technical assistance to the spending units. The following process can be followed by the SDUs and the spending units in establishing MIS.

5.1.1 Establishment of the MIS Working Group

A participative method should be adopted in the establishment of MIS in administrations: the work programme should be produced for a working group to be formed with the participation of representatives from all the spending units under the coordination of the SDU, and tasks should be distributed.

5.1.2 Preparation of the MIS Working Plan

In the working plan:

- To begin with, a comprehensive need analysis should be carried out to identify which type of information the management may need.
- Upon the completion of the need analysis, data provider units for the MIS should be identified. This will provide a significant infrastructure for the information map to be produced.
- The properties of the current information system of the administration, related problems and solution recommendations should be disclosed; what needs to be done to solve the problems and what is aimed should be determined; and structures should be set up in the administrations to support production and sharing of information.
- Cost and benefit aspects of the system planned to be established should be considered.
- The potential risks relating to MIS should be identified and a risk management process should be carried out. The control activities to be applied for the risks with high significance and likelihood should be determined.
- A good MIS must be flexible enough to keep up with the changes occurring inside and outside the administration. Besides, success criteria of the system, such as inclusion of early warning mechanisms, should be determined.
- In the medium term, a corporate information map must be prepared that will cover the entire organisation. Preparation of a corporate information map would ensure quick access to the information and expertise needed. The information map must be produced primarily at unit level and then at individual level, considering their level of expertise and experience. While forming such a structure, organisational charts or documents for distribution of tasks within the units at a more special level can be made use of. Production of the corporate information map and its proper operation would ensure that the following question is easily answered: "Who knows what?" For instance, quick identification of who (which department, which employee, etc.) has information about staff, budget or archives, and of the relation among this information, will be ensured.
- Establishment of MIS can be initiated by pilot implementations in the units. Using pilot implementations as a starting point and ascertaining how the system works will ensure economy in terms of time, cost and labour force. Potential mistakes to be made in the further stages of the process can be prevented by eliminating the shortcomings and correcting the mistakes observed during the pilot implementations.

5.1.3 Monitoring/Assessment

- Periodic reports must be produced and presented to the top management during the establishment of MIS to show the progress in the development of the system. Action must be taken against the problems identified at this stage to ensure performance of the activities as planned.
- Studies about the fulfilment of MIS services in administrations must be carried out upon the approval and under the supervision of the head of administration. Furthermore, the head of administration must inform the related units on the working method adopted.
- An MIS needs to be dynamic to keep pace with changes in technology or in the demands for information by management.

5.1.4 Related Legislation

Law no. 5436, which amends Law no. 5018, prescribes the establishment of SDUs and assigns them the task of providing the services related to MIS.

In the Regulation on the Working Principles and Procedures of SDUs, providing the services regarding MIS and carrying out studies for the establishment of the system are listed among the tasks of the SDUs.

6 COMMUNICATION

Communication is the exchange of information among individuals and/or organisations to support service delivery, decision making, and sharing, carrying out and coordinating activities. It plays a central role in the development of a robust internal control system and helps management to make decisions by providing feedback on how all the components of internal control are working.

An administration needs information at all levels to achieve its objectives and manage risks. In this context, information flows can take place both horizontally and vertically, as well as from outside the organisation.

Information must be properly communicated within an administration to the managers and/or staff in need of it, on a timely basis, in order for them to fulfil their responsibilities and ensure coordination with other units. External communication with the beneficiaries, suppliers and stakeholders such as other public administrations is also essential for effective internal control.

Communication can be verbal, written or electronic, or a combination of the three. Where verbal communication is deemed sufficient, documenting only the important verbally communicated information would be useful, so records of key information are kept and can be subsequently referred to by those who are given access to it.

IC Box 2: Communication Channels

Management should establish communication channels that:

- provide accurate information at the right time;
- meet individual demands;
- inform employees of their roles and responsibilities;
- support reporting;
- allow employees to make recommendations for improvement;
- give messages that top management can understand, enabling them to make decisions;
- inform employees of the importance of internal control and of decisions taken;
- are both internal and external; and
- have the right target group.


6.1 Internal and External Communication

Administrations should consider the following general issues regarding their internal and external communication:

- The public should be provided with timely, accurate, clear, objective and complete information about policies, programmes, services and activities.
- The language used should be comprehensible and plain Turkish.
- Administrations should be visible, accessible and accountable to the public for the services they provide.
- Various means and methods should be utilised in communication, and information from a variety of sources should be engaged to meet different needs.
- Communication needs should be regularly identified.
- Administrations should receive opinions from internal and external stakeholders while setting out objectives and aims and formulating processes, and should establish mechanisms to assess these.
- Public administrations should work cooperatively with stakeholders when necessary in order to ensure efficient communication.
- Services should be provided in a fair, quick and responsive manner.
- Administrations should have the capacity and equipment to follow up innovations in technology in the field of communication and allocate necessary resources to do so. In this context, activities carried out should be proportionate to resources allocated and results expected.

IC Table 2: Communication Principles and Procedures

Internal

Communication principles:

- Top management and employees should understand the internal communication system and be well aware of their responsibilities.
- Internal communication activities and processes should be reviewed regularly and revised where necessary. New communication methods should be adopted to stay in line with the changing administrative structure.
- It must be ensured that staff communicate their considerations, recommendations and questions to top management.

Method:

- Staff should be regularly informed about the operation of the internal communication system, what to do and the responsibilities, in writing or electronically (including the information and communication system for risks).
- Necessary mechanisms (intranet, internet, announcement boards, complaint and suggestion boxes, top manager briefings, etc.) should be established to inform the employees about the mission, vision and the objectives of the administration.

Communication principles:

- Communication between managers and employees should be clear and cooperative in order to achieve the goals and mission of the administration.
- Staff objectives should be made consistent with those of the administration.
- A more effective communication should be ensured between senior management and personnel.

Method:

- Regular meetings and an electronic mechanism that enables the SDUs to coordinate spending units and produce statistical data via necessary analysis.
- Recommendations and ideas of personnel should be heard and action taken to address them when appropriate.
- To this effect, in-house communication seminars and training programs should be organised.

Vertical communication

Communication principles:

- Personnel should convey the necessary, timely, complete and accurate information to their managers in time for the managers to make decisions and achieve objectives.
- Personnel should be notified by their managers when, in which scope, in what way and from which unit the information is demanded.
- Managers should inform the staff about the policies, goals and objectives of the administration.

Method:

- A reporting system should be established within the administration which flows from staff to managers (minutes of meetings, unit activity reports, exchange of information on a weekly or daily basis in person or electronically, a reporting system that enables the managers to monitor daily activities, etc.).
- Regular meetings between management and internal auditors; timely submission of internal audit reports to top management.

Horizontal communication

Communication principles:

- Horizontal communication refers to the effective sharing of information among employees of the same hierarchical level in order to carry out the tasks and activities in the administrations.
- Personnel and units to share information should be announced to staff, and the duty to share information should be included in the job descriptions of the relevant personnel and units.
- Managers should hold regular meetings to exchange ideas on their respective fields of competence and the problems and suggestions regarding management.

Method:

- Establishment of a system to monitor meetings and activities of people of the same level.
- Creation of an e-mail group for the people from the same hierarchical level.
- Strengthening data processing infrastructure and ensuring active operation of units.
- Ensuring that top management have more effective communication with employees.
- Internal communication seminars and training programmes should be organised.

External

Communication principles:

- The accessibility of the citizens to the information and services of the administrations should be enhanced.
- Services delivered by administrations within the framework of "e-state" should be shared with the other relevant administrations and citizens (MERNIS, UYAP, etc.).

Method:

- The administration's website, which provides the necessary documents, should be established, and some services should be provided via this website 24/7.
- Documents and services provided online should be updated regularly, and the administration should assign certain people to manage the design and content of the website.
- Furthermore, English broadcast for the access of foreign users to information will be useful.
- Mechanisms should be set up to enable citizens to express their complaints and suggestions (forum, frequently asked questions, activation of use of the Information Acquisition System and BIMER, etc.).

Communication principles:

- Administrations should inform the press about issues deemed important for decision makers and the public.

Method:

- The press should be invited to important conferences and seminars.
- Services provided by the administration should be advertised on TV or the internet.
- The head of administration should inform the public annually about the performance programme and activity report of the administration, and these should be published on the administration's website.
- Active operation of the press and public relations units should be ensured.

6.2 Communication Methods

A communication system is made up of methods and records produced to determine, acquire, change and transfer useful information. Staff must be able to communicate with all the units in the organisation, including sharing risky information.

With the advancements in technology, numerous and various communication means are now available in public administrations. The most widely used means of communication are detailed in IC Annex 2.

6.2.1 Reporting

Reports are crucial tools for the establishment of an effective internal control system, as they facilitate the monitoring of control effectiveness.

Managers should take reports submitted to them into consideration when making decisions. In this context, accurate and succinct reports that have been prepared on time would help the managers. Furthermore, communication and reporting is an important element of risk management (see Risk Management Chapter).

Administrations should communicate financial and non-financial information and results regarding their policies, programs, activities and projects to the relevant persons and bodies, in writing or verbally, at particular times. Within this framework, vertical and horizontal reporting lines within the administration should be determined in writing. Furthermore, each administration should also take into consideration external reporting mechanisms.

IC Figure 3 shows the mechanism of vertical reporting among the hierarchical stages regarding the decisions and works at the strategic programming and operational levels, and the mechanism of horizontal reporting among the personnel of the same level. Vertical reporting is the reporting of personnel to managers. Horizontal reporting, on the other hand, is the necessary flow of information among the people and units that are on the same level.

IC Figure 3: Reporting Lines

[Figure labels: Objective/Activity; Strategic, Operational; Top Management, Medium-level managers, Other staff; Vertical Reporting]

Examples of horizontal reporting within an administration:

- Staff attending a training program sharing with colleagues the report they prepare about training results; and
- Minutes of Meeting shared with other units.

Examples of vertical reporting within an administration:

- Consolidated Risk Report submitted to senior management;
- Minutes of Meeting copied to a senior manager for their information;
- Internal Audit Reports submitted to senior management; and
- Quarterly Reports and Semi-Annual Reports submitted to senior management.

Examples of reporting outside the administration:

- Internal Control System Evaluation Report prepared by the SDU and submitted to the CHU; and
- Annual activity report for an administration prepared by the Head of Administration, published to the public and copied to the Turkish Court of Accounts and Ministry of Finance.

IC Box 3: Basic Principles for Effective Reporting

- It should be explicitly determined and announced to staff which reports will be prepared, by whom, at what frequency and when they will be prepared, who they will be submitted to and who will control them. Reports must be in compliance with tasks, responsibilities and the principles of financial transparency and accountability.
- The information included in the reports must be accurate, up-to-date, succinct, objective, complete, relevant and sufficient.
- Reports should use a common and clear language that everyone can understand.
- Reports must be produced at certain periods and on a consistent basis so that comparisons can be made between years.
- Reports should attract the attention of readers, be easy to read and understand, and include sufficient and appropriate visual material.
- All reports should have a conclusion and evaluation section.
- The desired format for the report should be determined in advance by the administration/unit requesting the report and notified to the relevant administration/unit.

IC Annex 3 details the reports prescribed to be prepared as per the Public Financial Management and Control Law No. 5018 and the applicable regulations in the framework of the principles of financial transparency and accountability.

7 WHISTLEBLOWING OF FAILURES, IRREGULARITIES AND FRAUD

One of the most important elements of accountability and transparency is the existence of a mechanism that ensures that staff and stakeholders are able to effectively express their concerns.

Article 279 of the Turkish Penal Code states that if a civil servant learns, by means of the position he holds, that a crime which necessitates investigation and prosecution was committed, and neglects or delays notifying the competent authorities of this crime, he will have committed a crime himself.

7.1 Concepts of Failure, Irregularity, Fraud and Whistleblowing

Failure refers to an unintentional action against the legislation.

Irregularity and fraud, on the other hand, refer to behaviour by the administration's staff or third parties that is on purpose against the present rules in order to achieve unfair or unlawful gain.

Whistleblowing is the notification of illegal and unethical behaviours and actions to top management, third parties outside the management, or authorised bodies or persons (who can be inside or outside the administration) by the persons with information (employees or stakeholders). Failure to blow the whistle can cause damage to the administration.

In line with the above given information, administrations must determine distinct methods for evaluating irregularities, fraud and failures they have been notified about.

It should be borne in mind that the person who makes the notification may be left alone or isolated, his or her career may be undermined, or he or she may not be taken seriously. Therefore, any kind of biased or discriminative conduct against the personnel or third parties that blow the whistle should be prevented.

7.2 Scope of Notifications

There are three basic types of whistleblowing and complaints in public administrations:

- Those regarding the violation of ethical values
- Those regarding faults, irregularities and fraud
- Complaints by civil servants regarding administrative actions and processes implemented against them by managers or administrations

7.2.1 Whistleblowing and complaint in cases of violation of ethical values

Whistleblowing mechanisms are defined in Law No. 5176 on Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws, and in the Legislation on Ethical Behaviour Principles and Procedures for Civil Servants.

Under this legislation, cases of ethical behaviour violation by the director general and by those who have a title at this level are notified to the Ethical Board, while cases of violation by the other employees are notified to the relevant administrative manager to be directed to the administration's disciplinary board. Within this framework, administrations carry out the process to ensure compliance with the law.

A flowchart showing the detailed process for whistleblowing and complaint in cases of violation of ethical values is at Annex 4a.

7.2.2 Whistleblowing and complaint regarding irregularities and fraud

Law No. 4483 defines the procedures to be followed in cases of crimes committed by civil servants in relation to their duties. Accordingly, cases of whistleblowing or complaint about civil servants are filed, processed and concluded under this Law.

In cases when a complaint by a person is not processed, he can appeal to the administrative court if he wishes. The administration has to record all the cases of whistleblowing or complaint, processed or not.

A flowchart showing the detailed process for whistleblowing and complaint regarding irregularities and fraud is at Annex 4b.

7.2.3 Complaints by civil servants

Proceedings relating to complaints by civil servants regarding administrative actions and processes implemented against them by their managers or administrations are carried out within the framework of Article 21 of Law No. 657 and the Legislation on Complaint and Application Rights of Civil Servants.

7.3 The Responsibility for Detecting Faults, Irregularities and Fraud

The responsibility for identifying and preventing failures, irregularities and fraud rests with management and all employees. Under the ethical behaviour culture of the administration, the necessary actions should be taken to prevent failures, irregularities and fraud under the supervision of the responsible managers.

7.4 Whistleblowing System

For employees to communicate their concerns and for these concerns to be taken seriously, administrations should have the related regulations that comply with their structures, as well as reporting mechanisms. In these regulations the following should be included:

- the subject-matter of a whistleblowing;
- how to protect the confidentiality of and provide security for a whistleblower who has good faith;
- the stages of the whistleblowing procedure (first to manager, then head of unit, head of internal audit, head of human resources unit or head of financial services unit, head of administration);
- how cases of whistleblowing are evaluated by the administration and what actions are taken (examination inside the administration or official investigation, etc.);
- information given with a view to informing the whistleblower about who the subject matter concerns, whether he can contact that person, as well as about evaluation progress and/or results.

Within this framework, administrations should announce to the personnel all the ways of whistleblowing and complaint.

In cases of whistleblowing and complaint, the identity of the whistleblower should be kept confidential so that they are not exposed to discrimination.

Administrations should receive cases of whistleblowing and complaint in electronic format via their web sites as well as in writing. In addition, administrations should set up mechanisms that make it easier for external stakeholders to blow the whistle or complain, and announce them on their billboards and websites.

Administrations should not set up different mechanisms other than the preliminary examination procedures that are determined in Law No. 4483 for cases of whistleblowing and complaint regarding corruptions and irregularities. As a result of the preliminary examination, whether the investigation permit is given or not should be notified both to the Chief Public Prosecutor's Office and the whistleblower with a detailed justification, and the letters regarding these notifications should be kept in the whistleblowing files.

For an effective whistleblowing system, the following basic requirements are taken into consideration:

IC Box 4: Basic requirements for Whistleblowing

- Top management should announce the procedures for dealing with whistleblowing and complaint from inside and outside the administration.
- Administrations should determine, for central and local units, who notifications will be referred to.
- Methods must be developed for anonymous notifications from staff and third persons (telephone in a way that ensures evidenced delivery, internet application provided that forms given are completed, anonymous letter, suggestion boxes, etc.).
- Written, spoken or electronic cases of whistleblowing should be recorded in a separate folder by the authorised unit or person, regardless of whether they are based on enough evidence or not.
- Discriminative treatment towards the whistleblower should be prevented.
- Periodical meetings should be held with staff in which their views should be heard and their trust should be won in regard to reporting malpractices within the administration.
- All the communication channels should be left open to ensure that personnel can blow the whistle.
- Personnel who are proved right after the examination and evaluation process of the whistleblowing should be rewarded by means of secret methods to be determined by the administration.

IC Box 5: Issues to consider while evaluating whistleblowing notifications

- Are the behaviours or actions in the administration unlawful?
- Are the behaviours or events taking place in the administration against the ethical values (morals, professional ethics, etc.)?
- When the whistleblowing is not in compliance with the procedure, it must still be definitely evaluated as long as it is based on concrete evidence.
- Seriousness and importance of the issues put forward should be taken into consideration.
- There should be good will and public benefit.
- There should be a reasonable belief that the information and the allegations the information includes are completely true and may uncover malpractice.

IC Figure 4: Whistleblowing Process (flowchart; box labels as recovered from the diagram)

- Whistle blower: Is it illegal? Is it unethical and immoral? Is it based on concrete evidence? Do I have good will? Do I draw benefit from this?
- Secure communication channels (e-mail addresses, telephone numbers)
- Unit/person to evaluate the case of whistle blowing
- Evaluation Criteria
- Disciplinary Board, Inspection Board/Audit Unit
- Chief Public Prosecutor (investigation request is from outside the administration)
- Authorising officer

IC Box 6: Current Legislation relating to whistleblowing and complaint

- Law No. 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication
- Law No. 4982 on the Right to Information
- Law No. 3628 on Declaration of properties, bribes and combating fraud
- Law No. 3071 on Official Letters
- Ethics Law, Regulation and Prime Ministry Circular
- Principles and Procedures on the Complaint and application rights of Civil Servants
- Complaint regulation under Public Procurement Law No. 4734

8 RELATIONS AMONG UNITS

8.1 Information and Communication between the CHU and SDUs

The extent to which the tasks the CHU carries out are effective and efficient depends on the level of communication it achieves with SDUs.

The CHU must develop organisational communication mechanisms to ensure transfer of information to the SDUs. This could either be done via a call centre to be established within the CHU, or particular CHU staff (client representatives) can be matched with particular SDUs. This would enable CHU staff to better know the unit they are responsible for and therefore make evaluations and problem solving easier. This would also improve the influence of the CHU on other units. Furthermore, ensuring face-to-face communication between CHU and SDU staff and organising periodic meetings and/or conference calls to review the internal control system can be another method of information transfer.

The CHU must set out the critical arrangements that are relevant to the SDUs using participative methods, where the participation of SDUs must be ensured. Furthermore, the level of participation by the SDUs will enhance the level of communication.

8.2 Information and Communication between SDUs and Spending Units

Ensuring coordination with spending units for the adoption of various elements, such as preparation of activity reports and performance programmes and implementation of internal control, which are important elements of Public Financial Management, is the responsibility of SDUs. An effective and efficient organisational communication with spending units would also contribute to the smooth progress of the coordination process.

SDU staff and spending units must be matched. Each member of the SDU must be in constant communication with the spending unit they are responsible for and transfer the necessary information to the spending units periodically. Spending units must also assign the department/branch/unit staff to be in continuous communication with the SDU. Such matching plays a crucial role in the transfer of consistent and accurate information both from the SDUs to the spending units and from the spending units to the SDUs.

Furthermore, these information flows must also be reviewed in the meetings to be held regularly (advised frequency: minimum monthly, maximum quarterly) by the spending unit officials and SDU managers, and the actions to be taken and required development must be discussed in these meetings.

In the event that it is necessary for the SDUs to make decisions which would affect the spending units, officials from spending units must be able to get involved in this process, depending on the level of the decision.

INFORMATION AND COMMUNICATION ANNEXES

Annex 1 - Legislation on Information and Communication

- Regulation on the Principles and Procedures to be applied in Official Correspondences by the Prime Ministry
- Regulation on the Prime Ministry State Archiving Services published in the Official Gazette number 19816 dated 16 May 1988
- Regulation on Public Servants Ethical Behaviour Principles and Principles and Procedures for Application
- Regulation on Declaration of Assets published in the Official Gazette no. 20696 dated 15 November 1990
- Regulation on the Complaints and Application by Public Servants Assets published in the Official Gazette no. 17926 dated 12 January 1983
- Prime Ministry circular on Standard Folder Plan no. 2005/7 dated 24 March 2005
- (Manual to be prepared by Central Harmonisation Unit can be included, including the FMC Manual)
- Prime Ministry circular dated 19 March 2007 on Civil Servants Ethical Board
- Regulation on Complaints under the Scope of the Law no. 4734 on Public Procurement (The arrangements to be made by the CHU, including the FMC Manual, can be covered in this part)
- Law no. 406 Telegraph and Telephone
- Radio Law no. 2813
- Law no. 3071 on Official Letters
- Law no. 4982 on the Right to Information
- Law no. 5070 Electronic Signature
- Law no. 5651 on Publications on the Internet and Suppression of Crimes Committed by means of Such Publication
- Law no. 5369 on Provision of Universal Service and Amendments to Certain Laws
- Law No. 5176 on Establishment of Civil Servants Ethical Board and Making Amendments on Some Laws
- Law No. 4483 on Trying cases against Civil Servants
- Law No. 3628 on Making Declaration of Property and Fight against Bribery and Corruption
- Law no. 5809 on Electronic Communication

Annex 2 - Widely Used Methods of Communication

Means: Meetings
Objective: Informing; receiving opinion; making joint decisions
Advantages: Relatively cheap; a method that people are accustomed to; contribute to the culture of participation; open to discussion and dialogue; opportunity to come up with solutions to problems in the administration
Disadvantages: Difficulty to measure the success and value of the method; possibility that results may not be useful; possibility that a minor group may dominate the meeting in case of bad management

Means: Reports
Objective: Informing; receiving opinion; making decisions; evaluation
Advantages: Informs the target group about the subject in a sound manner; facilitates decision-making process of the manager; possibility to access accurate, up to date, relevant and adequately detailed information
Disadvantages: Requirement for qualified staff; its production is time consuming

Means: Brochures, periodicals
Objective: Informing; promotion
Advantages: Opportunity for creative design; comprehensible; particular and wide target groups; opportunity to establish long term relation with target group; opportunity to make regular up-dates regarding the subject
Disadvantages: Limited feedback; difficulty to measure the impact on target group

Means: Questionnaire, interview (letter, e-mail, telephone, face to face)
Objective: Receiving opinion; evaluation
Advantages: A method that people are accustomed to; opportunity to reach a wide group; opportunity to select particular target groups; scientific methods can be used
Disadvantages: Expensive, time consuming; requirement of in-detail information to use the method accurately; possibility that responding rate may be low; possibility that the subject may not be examined enough

Means: Press releases and conferences
Objective: Informing; receiving opinion
Advantages: Cheap; easy to organise; opportunity to communicate to many people
Disadvantages: Difficulty to understand whether the subject reached the target group or not; difficulty to measure the success and value of the method; difficulty to examine the subject thoroughly; no feedback or limited feedback

Means: Brainstorming
Objective: Exchanging ideas; making joint decisions
Advantages: Obtaining many ideas regarding a subject; contribution to the culture of participation; cheap, flexible, easy to organise
Disadvantages: Possibility that results may not be useful; possibility that the subject may not be examined enough

Means: Workshop
Objective: Informing; receiving opinion; making joint decisions
Advantages: Opportunity to set up new networks; fun for participants; chance of finding solutions to problems; cheap, flexible, easy to organise; chance of examining the subject thoroughly; opportunity to select particular target groups; easier participation because of unofficial atmosphere
Disadvantages: Non-scientific; possibility that results may not be useful; possibility that a minor group may dominate the meeting; possible to receive wrong results with a small and randomly selected group

Means: Conference
Objective: Informing; receiving opinion; making joint decisions
Advantages: Opportunity to become creative and flexible; opportunity to work together with different groups; opportunity to set up new networks; opportunity to select particular target groups; opportunity to examine the subject thoroughly; opportunity to discuss different opinions and ideas
Disadvantages: Expensive, time consuming; possible to receive wrong results with a small and randomly selected group; raising different expectations; possibility that result may not be useful; possibility that a minor group may dominate the meeting in case of bad management

Means: Focus Group
Objective: Receiving group's opinion with the leadership of a moderator
Advantages: Faster and cheaper compared to one-to-one interview; opportunity to discuss different opinions and ideas; spoken discussion accelerates the process that outputs are reflected in writing
Disadvantages: Possibility that useless information may emerge in case of bad moderation; quality of participators affect the quality of data

Means: Conference Call
Objective: Making joint decisions; finding common solutions to problems
Advantages: Opportunity to discuss different opinions and ideas; opportunity to examine the subject thoroughly; experienced decision-makers and persons with deep information accumulation coming together
Disadvantages: Possibility that results may not be useful in case of bad management; expensive, time consuming; possibility that a minor group may dominate the meeting in case of bad management

Means: Websites and intranet, e-mail
Objective: Informing; receiving opinion
Advantages: Cheap; easy to organise; opportunity to reach many people; effective information sharing
Disadvantages: Need for updating; problem that unfavourable people may get access

Annex 3 - Reports Prepared under PFMC Law No. 5018

Name of report: Unit Activity Report (Art. 41 of Law no. 5018)
Responsible unit: Spending Units - Authorising Officers
Submitted to: Head of Administration

Name of report: Local Administrations Activity Report
Responsible unit: Spending Units - Authorising Officers
Submitted to: Head of Administration

Name of report: Administration Activity Report (Art. 41 of Law no. 5018)
Responsible unit: Head of Administration (General budget administrations, special budget administrations and social security institutions)
Submitted to: Ministry of Finance, Court of Accounts and Public Opinion

Name of report: Local Administrations Activity Report (Art. 41 of Law no. 5018)
Responsible unit: Head of Administration (Local Administrations)
Submitted to: Ministry of Interior, Court of Accounts, Public Opinion

Name of report: General Activity Report (Art. 41 of Law no. 5018)
Responsible unit: Ministry of Finance (Directorate General for Budget and Fiscal Control)
Submitted to: Court of Accounts and Public Opinion

Name of report: Local Administrations General Activity Report (Art. 41 of Law no. 5018)
Responsible unit: Ministry of Interior
Submitted to: Court of Accounts, Ministry of Finance and Public Opinion

Name of report: Administration AR, General AR, Local Administrations General AR (Art. 41 of Law no. 5018)
Responsible unit: Court of Accounts (Expressing its own opinions considering its external audit results)
Submitted to: TGNA

Name of report: Draft Law on Final Accounts (Art. 42 of Law no. 5018)
Responsible unit: Ministry of Finance (DG Public Accounts)
Submitted to: TGNA, Court of Accounts

Name of report: External Audit Overall Assessment Report (Art. 68 of Law no. 5018)
Responsible unit: Court of Accounts
Submitted to: TGNA

Name of report: Corporate Financial Status and Expectations Report
Responsible unit: Public Administrations under the scope of General Management
Submitted to: Public Opinion

Name of report: Central Government Budget Realisations and Expectations Report
Responsible unit: Ministry of Finance (Directorate General for Budget and Fiscal Control)
Submitted to: Public Opinion

Name of report: Financial Statistics (Art. 52, 53, 54 of Law No. 5018)
Responsible unit: Ministry of Finance (DG Public Accounts)
Submitted to: Public Opinion

In the production and submission of the Activity Reports above, Law no. 5018 and the principles and procedures set out in the Regulation on Activity Reports Prepared by Public Administrations are taken into account.

In preparation and declaration of the financial statistics of public administrations, Law No. 5018 and the principles and procedures set out in the General Communiqué on Financial Statistics of General Management are taken into consideration.

Annex 4a - Whistle-Blowing Process Related to Ethical Values (flowchart; box labels as recovered from the diagram)

- Application: written petition, electronic mail or oral application that is recorded
- Registry (relevant unit/person): registration in the document registry system (written, electronic); a separate folder system for notification applications
- If related to Director General and upper level positions than Director General
- If related to lower level positions than Director General
- Ethical Board
- Head Office of the Relevant Administration
- Disciplinary Board
- EVALUATION
- NOTIFICATION: to the relevant person (person who the whistle-blowing is about); to the relevant administration (conduction of the work within the framework of Law No. 657); to the whistle-blower
- NOTIFICATION, if it is decided that ethical behavior principles have been violated: to the Prime Ministry; to Public Opinion (published in official gazette)
- If it is not detected that ethical behavior principles have been violated: to the Prime Ministry; to whom it may concern

Annex 4b - Whistleblowing and Evaluation Process for Crimes Committed by Civil Servants (flowchart; box labels as recovered from the diagram)

- Application: written petition (person or a particular event, serious allegations, name, family name, signature, domicile address)
- Registry (relevant unit/person): registration in the document registry system (written or electronic - a separate folder system for notification applications)
- Head of the relevant unit
- Preparation of preliminary examination report and submission of it to the body authorised to give the permit
- NOTIFICATION
- Directly Chief Public Prosecutor
- Other positions or civil servants
- Requesting investigation permit from body authorised to give the permit (Article 3 of Law No. 4483)
- Making notification to body authorised to give the investigation permit (Article 3 of Law No. 4483)
- Body authorised to give the permit starting the preliminary examination (4483/5)
- Permitting the investigation about the complaint, whistleblowing or subject matter of the allegation
- Not permitting the investigation about the complaint, whistleblowing or subject matter of allegation
- OBJECTION (to the Court of Appeals or regional administrative court by the civil servant about whom investigation is conducted)
- to the Chief Public Prosecutor's Office; to the civil servant about whom the investigation is conducted; to the whistleblower
- OBJECTION (to the Court of Appeals or regional administrative court by the Chief Public Prosecutor's Office or complainant)

MONITORING

1 Introduction

Monitoring is the assessment of the internal control system in terms of harmonisation with the internal control standards, to see whether it makes the expected contribution to the achievement of goals and objectives of an administration. It is the identification of the actions regarding the aspects open to improvement. Within this framework, monitoring is an integrated process in which capacity is assessed in interaction with the other components of the internal control system.

M Figure 1: COSO Monitoring Process (diagram; labels: Risk Management, Control Activities, Info & Communication, Monitoring)

The main elements of monitoring are formation of a sound infrastructure for monitoring, designing and implementing monitoring procedures, and assessment and reporting of the results.

Monitoring, if designed and carried out properly, provides the administration with the reasonable assurance that the internal control system operates efficiently. An efficient monitoring helps:

- Timely identify and eliminate the problems in the system of internal control
- Produce more accurate and reliable information to be used in decision making
- Produce correct and timely financial statements
- Confirm regularly that the internal control system is effective
- Present evidence for the internal control assurance declarations

Monitoring internal control systems requires participation. Question forms, internal and external audit reports, requests and complaints from individuals and/or organisations, and the opinions of unit directors must be used during monitoring.

2 Monitoring Internal Control Standards

Monitoring includes all sorts of monitoring activities performed with the aim of quality assessment of the internal control system.

M Box 1: Internal Control Standards

Standard 17: Assessment of internal control. The administrations shall assess their internal control systems at least once a year.

Standard 18: Internal audit. The administrations shall ensure a functionally independent internal audit activity.

3 Roles And Responsibilities

3.1 Senior Manager

The main responsibility for monitoring the internal control system rests with the Senior Manager. This is also emphasized in Article 11 of Law No. 5018, where it is stated that Senior Managers are responsible for observing and monitoring the functioning of the financial management and control system.

The Senior Manager fulfils this responsibility through internal auditors and Strategy Development Units (SDU).

Approving the internal control system annual assessment report prepared by his administration, the Senior Manager ensures the submission of it to the Central Harmonisation Unit (CHU).

Furthermore, the Senior Manager annually states, based on evidence, that the internal control system gives reasonable assurance for attainment of the objectives and aims of his administration, through internal control assurance statements (Annex 3A).

On the other hand, the Senior Manager ensures the implementation of recommendations put forward as a result of internal and external audits.

3.2 Internal Audit

Internal audit has the functions of providing information, making assessments and making recommendations on the adequacy, efficiency and functioning of the internal control system. Within this framework, the Senior Manager, who has the responsibility for a sound functioning of the internal control system, receives opinions and support from internal auditors.

3.3 Internal Control and Risk Steering Board (ICRSB)

ICRSB assesses Internal Control System Evaluation Reports prepared by the SDU as a result of the annual assessment of the internal control system (Annex 2) and, after defining shortcomings of the report, if any, submits it with the relevant opinions for the approval of the Senior Manager.

3.4 Authorising Officers

Authorising officers have responsibilities regarding internal control and continuous monitoring. Furthermore, Authorising Officers provide necessary information for SDUs regarding the annual assessment of the internal control system, fill in the internal control question form (Annex 1) and annually sign the internal control assurance declaration (Annex 3B) to be submitted to the Senior Manager.

In addition, Authorising Officers have the responsibility for taking relevant actions regarding the recommendations contained in internal and external audit reports.

3.5 Strategy Development Units (SDU)

SDUs have been assigned the function by Law No. 5018 and the applicable legislation [3] to carry out studies to establish, implement and continuously develop internal control systems and to report the study results to the Senior Manager.

Within this framework, SDUs annually assess the internal control system on behalf of the Senior Manager. Then they report assessment findings, gained by means of forming a working group and using such tools as check lists, questionnaires and question forms, to the Senior Manager with the relevant opinions from the Internal Control and Risk Steering Board.

SDUs sign the declaration on functioning of the internal control system with a view to ensuring effective, efficient and economical execution of the administration's activities.

Personnel of SDUs take an active role in the assessment process of internal control systems and guide the units in filling the reports regarding assessment (Annex 1).

3.6 Other Managers and Employees

Other managers and employees are responsible for the effective functioning of the internal control system within their own fields. Within this framework, while carrying out their own duties they observe the functioning of the internal control system and, in case of a problem, they inform the Senior Manager and contribute to the assessment process of the internal control system by providing information.

3.7 External Audit

External audit is conducted by the Court of Accounts. Within this framework, the Court of Accounts can assess internal control systems in public administrations and can make recommendations.

3.8 Central Harmonisation Unit (CHU)

In accordance with Article 9 of the Principles and Procedures regarding Internal Control and Ex-ante Financial Control and Article 55 of Public Financial Management and Control Law No. 5018, this unit develops standards and methods regarding internal control processes and provides guidance services in public administrations.

Furthermore, the CHU annually assesses the functioning of internal control systems in public administrations based on Internal Control Assessment Reports approved and submitted by senior managers, and submits the assessment report it prepared to the Senior Manager and Minister of Finance.

The CHU, in necessary cases, carries out on-site monitoring activities regarding the factors contained in reports prepared by public administrations.

Within the framework of roles and responsibilities explained above, the following scheme demonstrates the exchange of information and reporting lines envisaged to be realized within the scope of monitoring activities in the administration.

[3] Legislation on Principles and Procedures regarding Internal Control and Ex-ante Financial Control and Working Principles and Procedures of Strategy Development Units

M Figure 2 - Reporting and information exchange process foreseen under monitoring (diagram; boxes from top to bottom: Central Harmonisation Unit; Senior Manager; Internal Audit, Internal Control Risk Steering Board and External Audit (Court of Accounts), with "Report" labels; Strategy Development Unit; Authorising Officers; Sub-Unit Managers; Sub-Unit Personnel)

1) Straight arrows demonstrate the hierarchy in the reporting process

2) Dotted lines demonstrate the exchange of information

4 Guidance by the CHU⁴

Article 55 of Public Financial Management and Control Law No. 5018 and Article 9 of the Principles and Procedures on Internal Control and Ex-ante Financial Control prescribe that standards and methods concerning financial management and control are developed and harmonised by the Ministry of Finance and that guidance is provided to the public administrations.

In this context, within the scope of its monitoring function, the CHU:

- Monitors whether internal control standards are complied with;
- Monitors the operation of the systems by receiving information and reports from the administrations regarding internal control and ex-ante financial control arrangements and practices;
- Carries out research on national and international good practices and conducts studies for their implementation.

The CHU annually assesses the operation of the internal control system within the public sector based on the Internal Control System Evaluation Reports submitted upon the approval by the heads of public administrations and, where necessary, carries out on-the-spot monitoring on the issues included in the reports of the administrations.

4 This part consists of general information on the guidance provided by the CHU; detailed information can be found in the CHU Handbook.

5 Assessment and Reporting Role of SDUs

Assessing internal control periodically and identifying and applying necessary actions are crucially important to ensure the efficiency of the system. In this context, each organisation needs to assess its internal control system. Assessment of the internal control system means analysing, on the basis of the internal control components, whether the system makes the expected contribution to the achievement of the aims and objectives of an administration, identifying the aspects open to improvement and taking corrective actions.

Public Internal Control Standards suggest that the internal control systems in the public administrations must be assessed at least annually using ongoing monitoring or separate evaluations. In the assessment of the internal control system, participation of all units is required; internal and external audit reports, requests and complaints from individuals and/or organisations, and the opinions of unit directors must be considered; and the assessment process must be methodological.

5.1 Assessment of Internal Control System by SDUs

Assessment of the Internal Control System by SDUs is carried out fundamentally by means of the Internal Control System Question Form. Other tools such as checklists and questionnaires can also be used during the evaluation process. Furthermore, the opinions of the managers and requests and complaints from organisations and/or individuals are taken into consideration in the evaluations. Evaluations are carried out at least annually. Quarterly or semi-annual evaluations can be carried out as well.

Coordination of the assessment, conveyance of the questionnaires to the relevant units and consolidation of the responses are tasks of the Internal Control sub-units in the SDUs.

The staff to be assigned from the SDU must be determined to support the process of filling the questionnaires, and the evaluation process must be planned. In the plan, a representative must be appointed for each unit and, where the number of staff is insufficient, at least one person must be assigned as responsible, and this must be communicated to the relevant units. This responsible person must provide guidance to the units in filling the questionnaires.

Spending units are obliged to respond to the questions on Risk Assessment, Control Activities, and Information and Communication. Responding to the questions in the Control Environment and Monitoring parts is at the discretion of spending units.

SDUs must complete the sections on control environment and monitoring in the internal control question forms which they will fill in as spending units.

The following steps should be followed while evaluating the internal control system:

- Primarily, unit managers should organise an opening meeting for the representatives from the SDUs. In this meeting, guidance should be provided for responding to the questionnaires and the deadline for completing the questionnaire should be announced.
- The timetable for the questionnaire, the SDU representative and their contact details should be communicated to the unit manager along with the questionnaire itself. The units must be given a reasonable amount of time to complete the questionnaire, which should be not less than one week.
- The questionnaire should be completed with the participation of sub-unit managers and staff under the coordination of the unit manager.
- In completing the questionnaire, spending units should bear in mind that this is a kind of self-assessment; therefore, by means of the answers they give to the questions, they essentially assess their own units. Within this framework, while completing the questionnaire they should make an in-depth assessment of the functioning of internal control in their own units.
- Where necessary, support should be received from the SDU representatives.
- When the questionnaire is received by the SDU representative, each question should be checked and any misunderstanding should be corrected during this process. To this end, the SDU representative is entitled to get in touch with the unit manager regarding responses to the questionnaire.
- Internal audit units/internal auditors can be asked for support and recommendation when there is a need for checking the accuracy of information in the questionnaire.
- Following the submittal of all questionnaires, the SDUs should consolidate the questionnaires and prepare the evaluation report, resorting to the questionnaires primarily and also to the following sources of information:
  - Action plans produced on the basis of internal and external audit reports;
  - Information on budget and ex-ante financial control; and
  - Other sources of information (opinions of the managers, requests or complaints by individuals and/or administrations).
- Given that the evaluation report will be produced using the above-mentioned information sources (questionnaire, internal and external audit reports, budget, ex-ante financial control information, etc.), it should be kept in mind that this process would take time.

While assessing the results of the questionnaire, the points should be added up and converted to a percentage for each section. For example, the total number of points that can be scored for the Control Environment section is 44. If the Unit’s score was 22 out of 44, the percentage result is 50%.

The percentage scores should be recorded for each section, along with a percentage score for the whole questionnaire (using the total possible points total of 116).

The percentage scores should be interpreted as follows, separately for each category and also for the overall percentage score:

Table 1 – Interpretation of the Results of the Internal Control Question Form

Score | Interpretation
0-25 | Evidence of some awareness and understanding, but still in the early stages of internal control development. Direct action needed by SDU to provide guidance.
25-50 | Evidence of implementation that is planned and in progress. Action needed by SDU to provide further guidance.
50-75 | Evidence of implementation in some key areas. Further guidance may be required by the SDU.
75-95 | Evidence that implementation of internal control is embedded and a good capability is established. SDU may wish to identify the best areas as examples of best practice and inform CHU.
95-100 | Evidence of mature internal control system with excellent capability established. CHU will wish to use as example of best practice.

5.2 Reporting of Internal Control System Evaluation Results

The SDU prepares a report regarding the activities carried out for establishing and developing the internal control system and the evaluation of the functioning, effectiveness and efficiency of the system. It will be appropriate to use the ‘Internal Control System Evaluation Report’ template contained in Annex 2 in making the assessment results into a report.

In the preparation of the aforementioned report, the “Internal Control System Questionnaire” is an important basis. The report should include, alongside information on the operation of the internal control system, the steps taken for strengthening it. Furthermore, the areas where no or insufficient controls exist, where they do not work properly, where the controls are excessive, or the plans and tables produced to address the problems identified, should also be covered in the report.

The report produced is reviewed by the ICRSB if there is one in the administration. If not, it is reviewed by a board consisting of authorising officers or their assistants assigned by them, chaired by an authorising officer or a Deputy of the Senior Manager. After any shortcomings are eliminated, it is submitted by the board to the Senior Manager for approval.

The annual evaluation report approved by the Senior Manager must be sent to the CHU by the SDU by the end of the following March.

5.3 Monitoring of Internal Control System Evaluation Reports

The measures and actions to be taken and the arrangements to be made regarding the aspects identified in the Internal Control System Evaluation Report as requiring development must be set out within the framework of managerial responsibility. In certain areas, in order to eliminate the gaps, the unit managers will have to take actions. Furthermore, if there are horizontal problems on which most of the units are identified to score low, actions for improvement should be initiated by the Senior Manager.

The measures and actions to be taken and arrangements to be made must be implemented in the context of an action plan in a designated period of time. SDUs must monitor the implementation results of the aforementioned measures, actions and arrangements at least semi-annually and inform the Senior Manager about the implementation results.

5.4 Work to be carried out by SDUs concerning Internal Audit Reports

In accordance with Article 64 of Law No. 5018, reports submitted by internal auditors to the Senior Manager shall be sent to the concerned unit and SDU, following the assessment by the Senior Manager, for taking necessary action. It will be convenient that SDUs assess the report sent by the Senior Manager in light of the following questions.

Table 2 – Evaluation of the Internal Audit Reports by the SDUs

Question 1 | What information is available in the report about the effectiveness of internal control system? For example, what information does internal audit report include on risk management?
Question 2 | Are there any problems according to internal audit report?
Question 3 | What are the problems in question?
Question 4 | What are the works to be carried out by spending units for fixing these problems? It is possible that SDUs provide spending units with guidance on actions to be taken.
Question 5 | What are the works to be carried out by SDU for fixing these problems? Taking these problems into consideration, SDU identifies measures to be taken in Internal Control System Evaluation Report to be submitted to senior management. Identifying the training need within the framework of shortcomings related to internal control system, SDU can demand that new training programs be developed or available program be revised.
Question 6 | Has SDU done what is necessary for fixing these problems? It should be found out whether SDU has done necessary works (delivering trainings/giving recommendations) for fixing the problems.

6 Internal and External Audits

In accordance with Law No. 5018, the audit of our financial management and control system is divided into two categories: internal audit and external audit. Internal audit is carried out by the internal auditors working in the administration within the scope of the general government, with the exception of regulatory and supervisory institutions. External audit of the administrations under the general government, on the other hand, is carried out by the Turkish Court of Accounts.

6.1 Internal Audit

Articles 63-67 of Law No. 5018 set out the overall scope of the internal audit system, and the professional framework has been established with the secondary and tertiary legislation.

Activities and transactions of all the units of public administrations, including those abroad and in the countryside, have been undergoing internal audit in line with audit standards, within the scope of risk-based audit plans and programmes, using a systematic, consistent and well-disciplined approach.

The most distinctive difference between the current inspection boards and the internal audit designed by the aforementioned Law is that internal auditors have a limited authority, which merely enables them to notify the most senior person in the administration when they find out cases requiring investigation during the course of or following the audit. However, inspectors have the authority to initiate investigations and directly submit reports containing findings of the investigations to legal authorities.

6.1.1 Definition and Aim of Internal Audit

Internal audit is defined in Article 63 of Law No. 5018 as follows:

Box 2 – Article 63 of Law No. 5018

“Internal audit is an activity of providing independent and objective assurance and consultancy, performed in order to improve and add value to the activities of the public administrations by evaluating whether the resources are managed in conformity with the principles of economy, effectiveness and efficiency, and by providing guidance. Such activities are performed with a systematic, regular and disciplined approach and in accordance with generally accepted standards, aiming to evaluate and improve the efficiency of risk management and of management and control processes on the management and control structures and financial transactions of administrations.”

In the above definition, “objective assurance” refers to providing sufficient assurance within and outside the organisation that an efficient internal control system exists in the organisation, its risk management, internal control system and business processes operate efficiently, the information produced is accurate and complete, the assets are safeguarded, and the activities are carried out in an efficient, economic and productive manner in line with the legislation.

Alongside the objective assurance it ensures, internal audit provides independent and impartial consultancy to assist the administrations in developing their risk management, control and management processes. Consultancy covers providing recommendations to evaluate and improve the activities and business processes of the administration aimed at the achievement of its objectives in a systematic and regular manner.

Internal auditors get involved neither in the arrangement or implementation of internal control systems nor in the selection of control actions.

6.1.2 Monitoring within the scope of Internal Audit

Internal auditors submit their reports directly to the Senior Manager of the public administration. Following the evaluation of the Senior Manager, these reports shall be given to the concerned units and SDU for taking necessary action. Internal audit reports and the actions taken about them shall be sent by the head of public administration to the Internal Audit Coordination Board within two months at the latest.

Audit results are monitored within the framework of the Public Internal Control Reporting Standards, which have been published by the Board. The corrective actions and advice recommended by the internal auditor following the internal audit activity shall be completed by the auditee within the time period indicated in the relevant report. The Senior Manager shall follow up whether the measures stated in the report have been taken or not. The Senior Manager can fulfil this duty through internal audit units (through internal auditors in administrations where there is no unit). Internal audit units (internal auditors in administrations where there is no unit) prepare a follow-up system to monitor the implementation of internal reports.

Unit directors take the necessary actions regarding the recommendations included in the audit report about the audited activities. In the event that no action could be taken, the head of the internal audit unit informs the Senior Manager.

If the recommendation or corrective measure to be taken will take a certain period of time, this shall be stated in the response to the audit report, and the relevant unit shall communicate the developments to the internal audit unit in six-month periods at least.

Actions taken by the audited units upon the report, or the justifications for not taking actions, are sent to the internal audit unit to be submitted to the internal auditor.

6.2 External Audit

Another means that contributes to accountability is external audit. In this context, external audit has an important role in the fulfilment of the legislative body’s budget right and the effective, efficient and economic use of public resources. The Turkish Court of Accounts carries out the audit of the financial activities and transactions of public administrations in the name of the legislative body.

6.2.1 Aim of External Audit

The purpose of the ex post external audit to be performed by the Court of Accounts is to audit, within the framework of the accountability of public administrations within the scope of general government, the financial activities, decisions and transactions of management in terms of their compliance with the laws, institutional purposes, targets and plans, and to report their results to the Turkish Grand National Assembly.

6.2.2 Scope of External Audit

External audit is divided into two categories, namely regularity audit and performance audit.

Regularity audit is carried out by means of the following:

- Detecting whether revenues, expenditures and goods of public administrations and related accounts and proceedings are in compliance with the laws and the other legal regulations;
- Giving opinions about their accuracy and reliability after assessing financial reports and statements of public administrations and all those documents produced in relation to these reports and statements;
- Assessing financial management and internal control system.

Performance audit, on the other hand, is an act of measuring activity results in light of the objectives and indicators identified by administrations within the framework of accountability.

6.2.3 Functioning of External Audit

External audit makes use of the accounts and other relevant documents of the public administration. In the event the TCA needs them, reports by the internal auditors can also be requested. Reports produced upon the audits are consolidated by the administrations and submitted to the Senior Manager to be responded to, and finally the external audit overall evaluation report, produced considering the external audit reports and the responses to them, is submitted to the Turkish Grand National Assembly. It is possible to make external audit results into administration-based or topic-based reports and submit them to the TGNA as individual reports.

6.2.4 Coordination between External Audit and Internal Audit

Ensuring coordination and cooperation based upon communication, common understanding and trust between external audit and internal audit assumes importance in increasing the efficiency of both external audit and internal audit. Furthermore, such coordination and communication will ensure effective use of audit resources by preventing unnecessary repetitions of audit.

In accordance with Law No. 5018, the Court of Accounts can make use of internal audit reports within the framework of such coordination and communication. Moreover, it is expressed in internal audit standards that the head of the internal audit unit shall share available information with the other internal and external auditors and conduct his activities in coordination with these people.

7 Internal Control Assurance Declarations

The new financial management and control understanding brings forward the concepts of financial transparency and accountability. Briefing the public and judicial organ on the activities of a public administration which are carried out in order to attain the objectives and aims, and on their results, is one of the most important requirements of managerial accountability.

In this way, it is ensured that those carrying out public services feel more responsible and work in an outcome-oriented manner, and that beneficiaries of the public services are informed on how the taxes they pay are used and on the performance of public administrations; it is also encouraged that public audit is strengthened as well as legislative audit. To this effect, in the new financial management and control system it is provided that authorising officers⁵ prepare unit activity reports, the Ministry of Internal Affairs prepares the Assessment Report regarding the activities of local administrations and the Ministry of Finance prepares the Overall Activity Report, and it is ensured that the Court of Accounts informs the Turkish Grand National Assembly with its own assessments.

In order to deliver the concepts of financial transparency and accountability, the actors of the system, Senior Managers and authorising officers allocated with appropriations from the budget, have been commissioned to prepare internal control assurance declarations and attach these declarations to the activity reports of the administrations and those of the units.⁶

Within this framework, those who need to give an internal control assurance declaration and the type of declaration they will give are demonstrated in the following scheme.

Table 3 – Types of Internal Control Assurance Declarations

THOSE WHO WILL GIVE INTERNAL CONTROL ASSURANCE DECLARATION | TYPE OF INTERNAL CONTROL ASSURANCE DECLARATION
SENIOR MANAGER | INTERNAL CONTROL ASSURANCE DECLARATION (SENIOR MANAGER) (ANNEX-3A)
AUTHORISING OFFICERS | INTERNAL CONTROL ASSURANCE DECLARATION (AUTHORISING OFFICER) (ANNEX-3B)
HEAD OF SDU | DECLARATION OF THE HEAD OF SDU (ANNEX-3C)

5 Unit activity report and internal control assurance declaration are prepared by those authorising officers to whom an appropriation is allocated in the budget.

6 Art. 8 of Principles and Procedures regarding Internal Control and Ex-ante Financial Control; Art. 19 of By-law on the Preparation of the Activity Reports of Public Administrations, Annex 2, 3, 4.

On the other hand, every authority signing the internal control assurance declaration should be sure that the assurance he gave is supported by evaluation reports issued by the SDU, internal and external audit reports, other external assessments and similar sound evidence. Furthermore, while filling in the internal control assurance declaration of his administration, the Senior Manager should assess the Assurance Declarations of authorising officers and the Head of SDU, and should state in the Internal Control Assurance Declaration that the reasonable assurance these declarations gave to him formed an important basis for his own declaration.

7.1 How to complete Internal Control Assurance Declarations

Guidance on the internal control assurance declarations to be completed by the Senior Manager (Annex 3A), Authorising Officer (Annex 3B) and the Head of SDU (Annex 3C) is as follows.

7.1.1 Guidance on Internal Control Assurance Declarations for Senior Manager and Authorising Officer

The Internal Control Assurance Declaration (ICAD) is comprised of four main parts, namely Responsibility, Basis of Internal Control System and Assurance Declaration, Risk Management, and Assessment of Internal Control System (Annex 3A and Annex 3B).

In completing the two Annexes 3A and 3B, Senior Managers and Authorising Officers should observe the standard templates and complete the relevant boxes. Each box has a cross-reference to where more information can be found in the main body of this chapter.

7.1.1.1 Responsibility

The Senior Manager is responsible for establishing, operating and monitoring an effective financial management and control system which will contribute to the realization of the objectives and aims of his administration. Within this framework, he is obliged to take necessary measures in order to ensure that regulations regarding the internal control system are adopted by employees and that internal control standards are observed. The authorising officer is responsible for compliance of spending orders with the budget principles, laws, legislations, by-laws and regulations, as well as for economical and efficient usage of subsidies and functioning of the internal control within the framework of his duties and authorities.

As the paragraph of ICAD regarding responsibilities is regulated within this framework, the name of the relevant administration should be written only in the part written as [administration]; other than this, no change should be made to the text.

7.1.1.2 Basis of Internal Control System and Assurance Declaration

The aim of the internal control system is to ensure the following in order to give a reasonable assurance on realization of the strategic objectives of the administration:

- Effective, efficient and economical management of public revenues, expenditures, assets and obligations;
- Public administrations carrying out their activities in line with the law and the other applicable regulations;
- Prevention of corruption and irregularity in every kind of financial decision and operation;
- Gaining regular, timely and reliable information and reports to make decisions and to monitor; and
- Prevention of abuse and waste of assets and protection against losses.

However, the internal control system will not give absolute assurance to the administration for realization of the aims mentioned above, even in the case that it is designed and operated very well, because some factors outside the influence and control of the administration can affect the capacity of the administration to attain its objectives. Therefore, we need to admit that the internal control system gives reasonable, not absolute, assurance to management for realization of objectives.

The cost of internal control should not exceed the obtained benefit. The management has to take into consideration the control costs and its benefits while making decisions on regulation of responses to risks and control activities. The authorising officer, in the same manner, has to take into consideration these factors while identifying and assessing the risks related to his unit.

On the other hand, while identifying weaknesses in the internal control system, correcting the faults and contributing to the development of the system, the Senior Manager/authorising officer receives support from internal and external assessments made within the framework of management information systems, evaluation reports issued by the SDU, internal and external audit reports, and internal and external assessments. Therefore, it will be appropriate that such support provided within this line be explained in ICAD by the Senior Manager/authorising officer.

7.1.1.3 Management Information Systems

Managers need financial and non-financial information in order to detect whether the administration has attained its objectives and aims or not, and whether the accountability function has been fulfilled or not, for an effective, economical and efficient usage of resources. Therefore, best fulfilment of such requirements and timely and accurate decisions are possible if there is proper, accurate, timely and accessible information.

Therefore, the management information system in the administration should be designed in a way to produce the necessary information and reports needed by the management and to give the opportunity to make analysis.

The Senior Manager/authorising officer should briefly touch upon, in ICAD, the management information system that is available in the administration/unit and explain what kind of contributions this system makes to the functioning of the internal control system.

7.1.1.4 Internal Audit

Responsibility for establishing an adequate and effective internal control system rests with the Senior Manager. By giving information to the management on effectiveness, adequacy and functioning of the internal control system, and by making assessments and recommendations, internal audit takes an important part in helping senior management fulfil this responsibility.

Within this framework, during the audits carried out by internal auditors, the following are realized:

- It is detected whether the internal control system functions in a sound manner; and
- The success of the internal control system in compliance with the legislation and relevant regulations, in the accuracy of accounts and operations, in the reliability of financial system tables, and in providing an effective, economical and efficient execution of activities, programs and projects of the administration is determined.

The Senior Manager, on the other hand, assesses the factors which are envisaged to be corrected and improved in internal audit reports and takes necessary measures.

First of all, the Senior Manager should state in ICAD whether his administration has an internal audit unit or not. Internal audit unit, if any, should give a brief summary of what measures they take regarding the adequacy, effectiveness and functioning of the internal control system in line with the recommendations and assessments of internal auditors in this part of the declaration.

The Senior Manager can make explanations in ICAD on how action plans that have been prepared by the audited units, regarding the measures to be taken by the administration as a result of internal audits, are monitored, and he can also touch upon the support provided by the internal audit unit, if provided, regarding the monitoring activity in question.

The authorising officer, on the other hand, can make explanations in ICAD on action plans prepared on the measures needed to be taken by his unit as a result of internal audit, and on their implementation.

7.1.1.5 External Audit

The Senior Manager/authorising officer should include in the Internal Control Assurance Declaration a summary of the relevant findings and assessments, if the Court of Accounts has conducted an external audit, as well as of the operations carried out by the administration in response to these findings and assessments.

If an operation in relation to external audit reports of the previous years has been carried out within the year, the summary of such operation should be contained in this part of the declaration.

7.1.1.6 Strategic Development Unit (SDU)

The SDU carries out studies in such fields as establishing the internal control system and implementing and developing the standards, and submits the study results to the Senior Manager.

Although the standard and method setting duty in financial management and internal control processes is assigned to the Ministry of Finance, every kind of method, process and standard regarding special operations which are considered to be necessary are prepared and submitted for the approval of the Senior Manager by the SDU, provided that they are not opposed to Law No. 5018 and the standards set by the Ministry of Finance. The Authorising Officer bases his activities on the relevant regulation along with the legislation.

Furthermore, the SDU prepares an annual Internal Control Evaluation Report on the functioning of the internal control system and submits them to the Senior Manager. Therefore, the Senior Manager should mention in ICAD these regulations and Internal Control Evaluation Reports regarding the financial management and control system prepared by the SDU and enforced following his approval.

Within this framework, the authorising officer should touch upon, in ICAD, the guidance provided by the SDU for a sound functioning of the internal control system in the unit.

7.1.1.7 Risk Management

Administrations introduce their missions and visions as well as their objectives, aims and basic policies in their strategic plans. Besides preparing their strategic plans, administrations analyse their institutional strengths, weaknesses, threats and opportunities.

With the help of such techniques as SWOT and PESTLE analyses, administrations have the chance to identify, define and assess the risks they can come across in carrying out their activities. Generally, risk is an uncertain event that may occur and its unfavourable outcomes and impacts. Risk is generally considered to be the threats which prevent the realization of aims and objectives; however, well managed risks pave the way to benefit from probable opportunities.

The two most important components of administrative risks are probability and impact. Therefore, while addressing risks, both the probability to occur and the impact it may create if it occurs are handled. The most important feature of the risk concept is that it is inevitable. Therefore, administration should prefer managing risks instead of overlooking them and referring to crisis management in case they occur. It should be emphasized that, as time and resources to manage risks are limited and it is impossible to eliminate risks, necessary control activities are conducted to keep risks at a tolerable level.

Risk perception, risk awareness and risk appetite can be different according to the organisational structure, human resources and activities of an administration. Therefore, Senior Manager should include in ICAD the following elements, relating them to the activities and functioning of administration (Authorising Officers should take into consideration only the parts included in their own ICADs).

7.1.1.8 Risk perception of administration

• Leadership that Senior Manager has in risk management process,

• How the risk awareness is raised among the staff and how the staff is encouraged for practicing risk management,

• Administrative risk appetite and how it is perceived by the staff,

• Whether there is a common agreed risk perception among the staff

should be summarized.

7.1.1.9 Capacity to cope with risks

For an effective risk management:

• How a training is provided and awareness is raised among the staff,

• How the staff is guided in addressing relevant risks in relation to their duties and responsibilities, how and when they will consult with senior management in the field of risk management,

• How risk management is internalized within the framework of overall activities of administration/unit

should be explained.

7.1.1.10 Risk identification and assessment

What affects the activities of an administration is not merely financial risks. In relation to the activities of an administration/unit, such risks as follows can also be encountered:

• Risks with outer sources, such as political, economical, social, cultural, technological, environmental, legal and ethical risks,

• Risks with inner sources, such as assets, infrastructure, labour force and organisational structure.

Assessing the risks with outer sources can be handled within the strategic risks of an administration. Spending units should give more attention to the operational and functional risks related to their own fields of activity. Various risk categories in relation to the activities of administration and how such risks are assessed should be briefly explained in ICAD (for example, whether risks have such definitions as risks to be eliminated, to be transferred, to be managed, to be tolerated or not).

7.1.1.11 Addressing, controlling, monitoring and reporting risks

Responses to be given to identified risks and the method to address risks should be briefly explained. It should be emphasized whether risk register, report on risk status, consolidated risk report and similar methodologies are functional in the administration or not.

Identifying control environment by defining the following, and reporting after an effective monitoring, will strengthen the effectiveness of internal control:

• Impact,

• Probability,

• Responses to be given, measures to be taken,

• Ownership, and

• Type and frequency of reporting.

Taking into consideration that ICAD is a declaration, made within the framework of accountability, that internal control system of administration gives a reasonable assurance supported with evidence, a summary should be made within the above mentioned explanations regarding risk perception and risk management.

7.1.1.12 Assessment of Internal Control System

While preparing ICAD, an assessment related to the effectiveness of internal control system in the activity period should be included. It is quite useful to touch upon especially the specific high risk areas and positive and negative developments regarding internal system in these areas. As such areas in question can vary according to the organisational structures and activities, it is appropriate to make the assessment according to the following headings:

• Human resources: differences regarding the key personnel of administration/unit, differences regarding the qualities that activities necessitate, wage policy, working conditions, developments regarding underemployment, over-employment.

• Physical infrastructure and assets: developments which can influence the fundamental activities of administration/unit in physical infrastructure and all the assets of administration/unit.

• Information and communication infrastructure: information infrastructure, software and hardware park that administration/unit uses, important developments regarding information systems, new or updated information systems.

• Data security: assessment of the effectiveness of controls regarding the security of strategic information of administration/unit which has confidentiality.

• New structures and changing fields of activity: how structures that emerged in administration/unit as a result of changes occurred in the foundation law of administration, or new duty and activity division among administrations, reflect in the internal control system.

• Problems encountered in main fields of activity or examples of good practice: Senior Manager/authorising officer should include in assurance declaration the problems which are experienced because of inner and outer factors and rooted in the weaknesses of internal control system. Besides, measures to be taken in order to overcome such problems should be summarized in the declaration. Likewise, threats eliminated with the help of an effective internal control system should be touched upon within the scope of ‘good practices’.

• Developments regarding weaknesses stated in previous years: Senior Manager/authorising officer should include in this part the measures taken and improvements experienced regarding the weaknesses and problems contained in the assurance declarations of previous years, and

• Other developments: Senior Manager/authorising officer should include in this part important developments, if any, which are not within the scope of the above mentioned headings.

Senior Manager/authorising officer may not feel comfortable touching upon the weaknesses and problems listed above in ICAD. However, it is clear that no assurance declaration which does not mention any threat, problem and weakness will be convincing and meet the requirements of transparency and accountability principles. What is important is to emphasize that controls are developed and internal control system is strengthened for the identified problems and weaknesses.

Proceedings which are not found to be appropriate following ex-ante financial control: authorising officer should include in this part the proceedings performed which are found to be inappropriate by financial services, if any. Supporting opinion, report and evidence of authorising officer despite the negative opinion should be summarized to contribute to accountability.⁷ If there is not such a proceeding as mentioned above, then the expression “there is not such a proceeding I performed that is not found to be appropriate by SDU” should be available in the assurance declaration.

On the other hand, Senior Manager should state, while filling Internal Control Assurance Declaration, that he evaluated the Assurance Declarations of Authorising Officers and the head of SDU and that reasonable assurance provided by these declarations formed an important basis for his own declaration.

In case that Senior Manager received support from support and consultation boards/Boards established officially and unofficially (ad hoc), such support should be explained in ICAD. It is possible that these boards/Boards prepare reports regarding the assessment of internal control system, emphasizing risk strategy and risk management, to be submitted to Senior Manager. In the case that a support/consultation unit similar to those which are called Consultation Board, Audit Board, Risk Board or Steering Board, and which show differences among countries/administrations in terms of composition and working style, is established, the support received from such a Board should be summarized, which will strengthen the assurance that declaration provides.

⁷ Regulation on Principles and Procedures regarding Internal Control and Ex-Ante Financial Control – Article 28. Financial services unit keeps a record of transactions carried out by the authorising officers despite the fact that ex-ante financial control declared them inappropriate, and these records are submitted to the Senior Manager monthly. The said records are also provided to auditors during internal and external audit.

7.1.2 Guidance for Internal Control Assurance Declaration of Head of SDU

The Declaration by the Head of SDU (DHSDU) is a very important element which lays the groundwork for the assurance that the Senior Manager needs to provide regarding the internal control system in their administration (ANNEX 3C).

In completing Annex 3C, Heads of SDU should observe the standard templates and complete the relevant boxes. Each box has a cross reference to where more information can be found in the main body of this chapter.

Head of SDU is responsible to ensure that the internal control system is implemented and monitored, and that their opinions and recommendations are reported to the Senior Manager to take the necessary actions in time, in order to ensure that the activities in the administration are carried out in accordance with the financial management and control legislation and other legislation, and public resources are utilised in an efficient, effective and economic manner.

As the Field of Competence part of the DHSDU is based on this framework, this part should not be changed either, except for writing the name of the administration in the brackets (administration).

Furthermore, if the declaration is supported by the explanations under the following headings, it will be the basis for the reasonable assurance that the Senior Manager has to provide to the public opinion.

7.1.2.1 Management Information Systems

The Head of SDU financial and non-financial information is needed to identify whether the aims and objectives of the administration are reached, resources are used effectively, efficiently and economically, and accountability purposes are met. Meeting these requirements and ensuring timely and right decision making by the administration’s management is only possible with the existence of proper, accurate, timely, up-to-date and accessible information.

Therefore, the management information system within the administration must be designed in a manner to produce the information and reports needed by the management and provide them with the chance to make analysis.

The Head of SDU should include in the declaration the explanations that the activities in the administration have been carried out in compliance with the legislation and in line with the budgets prepared according to the strategic plan and annual performance programmes, and provide supportive evidence. They should explain the contribution made by the management information systems utilised in the administration to the legality of the activities.

7.1.2.2 Development of Internal Control System

SDUs are responsible for the establishment of internal control systems in the administrations and carry out studies regarding the implementation and development of the standards. Head of SDU should mention the studies carried out to ensure that the internal control system of the administration is harmonised with the Public Internal Control standards, and briefly describe the process for the design of job descriptions, formation of business processes and preparation and implementation of action plans in this part of the declaration.

7.1.2.3 Monitoring and Review

Head of SDU should include the supportive evidence regarding the ex-ante financial control activities carried out in line with the legislation and approval from the Senior Manager, and the monitoring of the due process control. In addition, it should be suggested that the transactions carried out by the authorising officers despite the negative opinion upon ex-ante financial control are recorded and submitted to the Senior Manager on a monthly basis for information purposes.

On the other hand, it should be stated that financial decisions and transactions to be subject to the ex-ante financial control by the SDU are grouped according to their type, cost and subject, considering the risky areas, and reviewed at least once a year.

Among the duties of SDU are establishing performance and quality criteria in issues within the duty field of administration; collecting, analysing and interpreting the data and information on management of administration, improvement of the services and performance in issues within the duty field of the administration; analysing the external factors which will affect services; conducting capacity research within the institution; analysing the effectiveness of the services and level of satisfaction by these services; and doing a general research in that sense.

In this context, the Head of SDU should include in the declaration the studies carried out to increase the quality of the services provided by the administration, and studies for analysing the external factors which will affect services, the capacity research within the institution to analyse the effectiveness of the services, and the conclusions of these evaluations.

In this part of the declaration, Head of SDU should provide explanations about the arrangements prepared by their unit and put into effect upon the approval from the Senior Manager.

Finally, the studies regarding the establishment of the internal control system in the administration, implementation and development of the standards, and the process where the financial management and control system of the organisation is reviewed on an annual basis and reported to the Senior Manager should be described.

7.1.2.4 Briefing and Advising

Providing necessary information and consultancy to the Senior Manager and Authorising Officers regarding the implementation of financial laws and other related legislation are also among the duties of SDUs.

In this part of the DHSDU, it should be underlined that coordination has been ensured while working with the spending units regarding the establishment of internal control system and the implementation and development of the standards. A brief explanation that information and consultancy to the Senior Manager and Authorising Officers has been provided regarding the implementation of financial laws and other related legislation should be included.

7.1.2.5 Financial Information

The Heads of SDU should themselves be convinced that the information included in the section IIIA-Financial Information of the Activity Report is reliable, complete and accurate, depending on the supportive evidence.

MONITORING ANNEXES

Annex 1 Internal Control System Question Form

INTERNAL CONTROL SYSTEM QUESTION FORM

This questionnaire is designed for the public administrations to see whether the internal control system complies with the internal control standards. Furthermore, it will provide the opportunity to identify to what extent the internal control system facilitates the achievement of risks, considering the changing conditions, resources and risks. It is of crucial importance that those responding to this questionnaire give factual answers to the questions, as the questionnaire will be used to identify the level of advancement of the internal control system in the administration.

Heads of units are responsible for making an in-depth assessment about the functioning of internal control in their respective units and completing the internal control questionnaire. Within this framework, the questionnaires completed by heads of units under the guidance by SDUs are sent back to SDUs to be consolidated and formed into an overall evaluation report for the entire administration. SDUs submit the report produced using these questionnaires to the CHU following the approval by the Senior Manager.

Completing the questionnaire

This questionnaire is made up of five parts, each of which is based on the components of Internal Control:

• Control Environment,

• Risk Assessment,

• Control Activities,

• Information and Communication, and

• Monitoring.

Each part includes questions regarding functioning of internal control system in the context of the aforementioned components. It should be paid attention that responses to the questionnaire should be consistent with the administration action plans produced to achieve compliance with the Public Internal Control Standards.

Spending units are obliged to respond to the questions about Risk Assessment, Control Activities, and Information and Communication. Responding to the questions about Control Environment and Monitoring is at spending unit’s discretion.

The response part is made up of three options: YES, NO and IN DEVELOPMENT. There is also a fourth column titled EXPLANATION. YES means that the issues included in the question are properly understood and implemented within the administration/unit. NO means that the issues included in the question are not understood or implemented within the unit/overall administration. IN DEVELOPMENT means that the issues included in the question are partially understood or implemented in unit/some divisions of administration. In explanations part, evidence and recommendations should be written, if any. Guidance is given following the questions with a view to helping better understand the questions.

The questionnaire will be evaluated by means of scores assigned to answers to each question. The answer “Yes” will correspond to score “2”, while the answer “In Development” to score “1” and the answer “No” to score “0”. For each chapter of the questionnaire there will be a total score calculated. Besides, there will be a total score for the whole questionnaire.

If answer “No” is given in response to a question, steps should be taken to improve the relevant areas by Head of Unit/Senior Manager.

If answer “In Development” is given in response to a question, head of unit/Senior Manager should assess what can be done to achieve progress in the relevant area.

If answer “Yes” is given in response to a question, then it means that there is no factor in that area which needs improvement.

Taking into consideration that this questionnaire is a kind of self-assessment and internal control system is a new practice for administrations, please give realistic and reliable answers.

In the event that you have some hesitations in completing the questionnaire, please refer to the SDU.

No. | Questions | Yes⁸ (2 points) | No (0 points) | In Development⁹ (1 point) | Explanation

1. Are the public internal control standards well known in your administration? It will be convenient to deliver trainings and hold meetings with a view to raising awareness in this subject.

CONTROL ENVIRONMENT

CONTROL ENVIRONMENT: Control environment provides a general framework that is the basis for the other components of the internal control system, and it is a concept used to describe the setting out of the goals and objectives of the administration, their communication to the staff and creation of a due organisational structure and culture. Personal and professional integrity, ethic values of the employees and the management, supportive attitude towards internal control, written procedures and the practices for human resources management, organisational structure, management philosophy and the operating style have great influence on the control environment.

2. Are there mechanisms in your administration that ensure familiarization of all employees with the code of ethics?

For example, are trainings provided or meetings organised to adapt the public code of ethics to your administration and to adopt them; are leaflets produced in this regard?

3. Are there any codes of conduct/ethics available, in addition to public codes of ethics, produced for your administration?

4. Has any standard been developed in your administration in terms of duration and method for services directly delivered to citizens?

⁸ If the response is “Yes”, evidence (details of the activities carried out, etc.) must be provided in the “Explanations” column.

⁹ If the response is “In Development”, necessary information (details of the activities carried out, etc.) must be provided in the “Explanations” column.


5. Is it ensured that authorised bodies and staff have access to outputs related to all the works and transactions?

6. Are there mechanisms available in your administration for staff and the other people who are delivered service by the administration to submit their recommendations, assessments and questions (questionnaires, face-to-face meetings, group meetings, electronic applications, etc.)?

It is recommended that questionnaires to be developed be based upon the principle of confidentiality.

7. Is your administration’s mission written down and announced? Mission can be announced to the staff via bulletin boards, intranet or e-mail.

Production of a strategic plan indicates that the mission has been set out.

8. Are there any directives, circulars or approvals in your administration regarding job descriptions of units, sub-units and staff?

Job descriptions for the units and sub-units as well as for staff must be written down and announced in order to ensure that your administration’s mission is being carried out.

If the response is “No”, when this is going to be done must be stated.

9. Does organisational chart of your administration demonstrate key areas of authority and responsibility, reporting lines which are appropriate to accountability and coordination and integration points?

If the response is “Yes”, roles and responsibilities regarding each objective must be set out clearly.

Organisational chart for units must be produced.


10. Have procedures regarding sensitive tasks been set out in your administration?

It is recommended that procedures in question be defined in writing and announced to staff, and that rotation policy regarding sensitive duties be set out.

For detailed information on sensitive duties, refer to Control Environment Chapter of the Manual.

11. Are mechanisms available in your administration to enable managers from each level to monitor the results of tasks assigned?

If the response is “Yes”, these mechanisms (reports, work plans, regular meetings, automation programs, etc.) must be stated.

12. Have competence, skill and knowledge each task entails been identified in your administration?

Answering this question, it must be assessed whether factors mentioned above are taken into consideration or not while recruiting staff.

13. Have promotion procedures been defined in writing in your administration?

Factors mentioned above must be defined taking into consideration staff performance, and these factors must be announced to staff.

14. In your administration, is there a unit responsible for trainings which identifies training needs for each task identified and ensures that training activities to satisfy the needs are planned and carried out each year?

15. Do managers of your administration share results of assessments they make on staff competence and performance with the staff?

It is recommended that the Senior Managers share the results of the assessments with the staff.

16. Is action taken to increase the performance of the staff whose performance is deemed unsatisfactory upon the performance assessment? For example, is any action taken, such as providing private training for that person, discussing the areas where their performance is deemed unsatisfactory, assigning them under the supervision of more experienced staff?

17. Are there rewarding mechanisms in your administration geared towards those staff who give a high performance, and are these mechanisms applied?

It is recommended that rewarding mechanisms be developed for staff who give a high performance (picking employee of the month, abroad assignments, etc.) and that these criteria be announced to all the staff.

18. Have procedures regarding human resources (staff employment, replacement, promotion, training, performance appraisal, personal rights, etc.) been documented?

If so, examples must be provided. Procedures mentioned above must also be announced to staff.

19. Are the bodies of signature and approval set out in the flowcharts?

If the response is “No”, it is recommended that these business flow processes are defined, bodies of signature and approval are identified and communicated.

20. In your administration, have delegations been defined in writing?

Delegations must include the information on its scope, quantity, duration and whether the authority delegated can be delegated to another person.

Furthermore, striking a balance between authority and responsibility should be paid attention in delegation of power.

21. Have minimum requirements (knowledge, skill and experience) been identified in your administration for staff to be delegated authority?

Please explain how you define these knowledge, skills and experience and how you ensure that the person to whom the authority is delegated has them.

22. Does the employee who receives the authority report information to the delegator on a certain basis about the utilisation of the authority?

Reporting period must be proportionate to the duration of the delegation.

TOTAL POINTS - CONTROL ENVIRONMENT

RISK ASSESSMENT

RISK ASSESSMENT: Risk assessment is the process where the risks that might prevent the achievement of the administration’s objectives are defined, analysed and necessary actions are taken. In this section, the risk perception and risk handling capacity of the administration must be self-assessed using the following questions.

1. Have methodologies and responsibilities as well as reporting procedures for monitoring and assessing the performance given in achievement of objectives been identified in strategic plans?

If answer is “Yes”, how monitoring and assessment processes work in practice must be explained briefly.

2. Have strategic plan and performance programs been taken into consideration in budget preparations?

The activities and projects carried out to reach the aims and objectives set out in the strategic plan, the indicators to be followed and the resource needs for these activities and projects must be shown in the performance programmes. Therefore, these strategic plans and performance programmes must be taken into consideration during the budget preparations for the administrations.

3. Do activities carried out in your administration/unit comply with the aims and objectives set out in the strategic plans and performance programmes?

Administrations must focus on the aims and objectives set out in the strategic plans and performance programmes for effective, efficient and economic use of resources.

4. While setting out the objectives of your administration and units, has it been ensured that they are SMART?

5. Have your units set out, within their area of competency, specific objectives in accordance with the objectives of the administration?

Responses to this question by the units that are unable to set out specific objectives (such as support services) must be considered during the evaluation.

Furthermore, specific objectives that have been set out must be announced to staff.

6. Does your administration have a risk strategy and policy document which is approved by Senior Manager and accessible to all the staff?

Administration’s risk strategy must be reviewed at least once every year and updated when deemed necessary.

7. Are contributions from employees received in risk management process?

Employees feeling a sense of ownership for risk management (identifying, handling, responding to, reviewing and monitoring risks) and regarding risk management as a part of their works will produce a strong corporate reflex against risks.

If answer to this question is “Yes”, please explain how you ensure this contribution.

8. Is risk management, which covers identifying, assessing, responding to and reviewing risks for your objectives and aims, implemented in your administration?

While identifying the risks on the achievement of aims and objectives, a methodology and a certain process must be adopted, and it must definitely be documented (risk register, risk progress report, consolidated risk report and so on).

Measures to mitigate risks taken by the administrations must be applied within the framework of action plans.

9. Are annual Internal Control Evaluation Reports prepared in your administration about how effectively risk management process works in your administration?

These reports must cover information about what has been done throughout the year to mitigate risks.

TOTAL POINTS - RISK ASSESSMENT

CONTROL ACTIVITIES

CONTROL ACTIVITIES: Control activities are the policies and procedures produced to ensure that the administration’s aims and objectives are achieved and the risks identified are managed.

1. In your administration, are efficient control strategies and methods set out and practised for each activity and risk?

Defined controls must comply with the risks; different control methods must be applied for different types of risks.

Control strategies and methods must be set out and applied in the form of periodical reviews, control by sampling, comparison, approval, reporting, coordination, confirmation, analysis, authorisation, supervision, review, monitoring, periodical check and security of assets, etc.

The controls within the administration must also cover ex-ante, process and ex-post controls where necessary.

2. Is cost-effectiveness analysis made in your administration in identifying control activities?

The expected benefit and the cost of the set out control activity must be compared; controls with costs exceeding the benefits must be identified and less costly alternative controls must be selected.

3. Are there written procedures regarding your administration’s activities, financial decisions and transactions?

There must be written procedures regarding your administration’s activities, financial decisions and transactions. These procedures and relevant documents must cover the initiation, implementation and conclusion phases of the activity, financial decision or transaction.

Procedures and relevant documents must be up-to-date, comprehensive, in compliance with the legislation, understandable by and accessible to the relevant staff.

4 Do managers of your administration carry out necessary controls for effective and continuous implementation of procedures?

Activities and transactions of the administration must be carried out in accordance with the regulations developed in this area. Managers must systematically check whether these regulations are complied with or not (in this regard, such control processes as initials, assent, control lists and physical counts can be defined). Within this framework, managers should monitor whether works carried out by staff are in compliance with the regulations or not. Manager instructions must be produced about how to remedy faults and irregularities detected.

5 Is the principle 'segregation of duties' practised in your administration?

The tasks of approving, implementing, recording and controlling each activity or financial decision must be carried out by different people, and that the principle of segregation of duties is complied with must be supported by written documents.

Where segregation of duties is not possible due to an insufficient number of staff, the managers must be aware of the risks and take necessary precautions. In such cases, other control procedures must be established to manage the risk.

6 Are necessary measures taken against the factors that affect the continuity of operation in your administration?

Necessary measures must be taken against the factors that affect the continuity of operation, such as insufficient number of staff, temporary or permanent leaves, adoption of new information systems, changes to the methods or the legislation, and emergencies.

If the response is "Yes", efficient written procedures, trainings, guidance and planning can be provided as evidence.

7 Is the system of deputation applied efficiently in your administration?

Where necessary, deputies must be assigned in accordance with the relevant procedures. The person assigned as a deputy must have the necessary qualifications. Detailed internal arrangements must be carried out regarding the deputation procedures included in the personnel laws, and the qualification required from the deputies must be defined in detail.


8 Do the staff leaving their positions report to their successors about status of works and transactions they have conducted?

Managers must ensure that the staff leaving their positions prepare a report on the status of the task and the operations, along with the necessary documents, and submit it to their recently assigned successors. The report must include the list of the important tasks being carried out, the risks to be considered as priority, list of periodic tasks and so on.

9 Are there defined authorisations for data and information input and access to the information system in the administration?

Information system must only be accessible to authorised staff. To this end, regularly updated information security software must be used for access to the computer programmes. Arrangements regarding the designated level of security must be complied with while working on documents.

10 Are there sufficient back-up mechanisms and tested disaster recovery plans/action plans for the information system?

TOTAL POINTS - CONTROL ACTIVITIES

INFORMATION AND COMMUNICATION

INFORMATION AND COMMUNICATION: Information and communication includes a proper system of information, communication and registry that ensures necessary information is communicated to the person, employee or manager who needs it in a certain format and in a timely manner, that the objectives are reached, and that enables the relevant people to fulfil their internal control responsibilities.

1 In your administration, is there an efficient written, electronic or verbal internal communication system that covers both horizontal and vertical communication?

The response to this question should include the means/methods (in person, via telephone, e-mail, in writing etc.) the staff use to communicate with each other or their managers and the consideration on whether these are appropriate and/or efficient.

In order for the employees to receive the information they need to carry out their work uninterruptedly, it must be ensured that they are in touch with managers from all levels, including top management.

2 Is there an external communication system to ensure efficient communication with external stakeholders?

This system monitors communication and checks whether the questions can be answered or not.

3 Do the present internal and external communication systems ensure that the staff or external stakeholders can communicate their expectations, recommendations and complaints?

For example, whether the Law no. 4982 on Right to Information is efficiently executed within the administration and whether requests and complaints are responded to in time should be considered.

4 Is it ensured that all the information and documents regarding the activities of your administration are accurate, complete, reliable, useful and understandable?

Information systems must ensure timely access to the accurate, complete, reliable and understandable information required while carrying out the operations.

The response to this question must include a statement whether mechanisms (decision support systems, archive and document management systems etc.) for ensuring the aforementioned principles exist.


5 Do the present information systems ensure that the objectives set by the administration are monitored and activities regarding these objectives are efficiently supervised and assessed?

Management Information System must be designed in a way that it produces the information and reports that the managers need during decision making processes and provides them with the chance to make analysis.

6 Are there reporting mechanisms with rules and standards set out in line with the monitoring of objectives, supervision of activities and accountability purposes?

The performance programmes, published financial progress reports that include the expectations and objectives, and the content of the activity reports must be in line with the requirements of the relevant legislation.

7 Is there a documentation and archiving system that complies with certain standards for the record, classification, protection of and access to the operations and transactions of the administration?

While responding to this question, Standard 15 of Public Internal Control Standards and the legislation on archiving and documentation must be considered.

8 Are there available tools to report, from inside and outside the administration, faults, irregularities and possible or ongoing problems?

Employees and outer stakeholders must be informed enough about these tools. There must be a whistle-blowing process and a procedure for protecting personnel, and they must be informed about these.

Managers must take necessary actions to prevent discrimination and ill treatment against whistle-blowers.

TOTAL POINTS - INFORMATION AND COMMUNICATION

MONITORING

MONITORING: Internal control system is a dynamic process where the administration has to continuously adapt to the risks and changes it faces. Therefore, the internal control system needs to be monitored in order to ensure that it adapts to the changing objectives, environment, resources and risks as necessary. The basis for an effective and efficient monitoring is the design and implementation of monitoring procedures that are relevant to the administration's objectives and that assess the important controls regarding meaningful risks.

When monitoring is designed and implemented properly, it provides correct and convincing information on the efficiency of the internal control system, identifies internal control failures on time and notifies the people responsible for taking action and the top management where necessary. This will ensure that the problems faced are corrected before they harm the objectives of the administration. Monitoring is carried out by the management and internal and external audit.

1 Is the internal control system monitored and assessed at least once a year?

Please explain at what intervals the internal control system in your administration is assessed and the methods used.

Internal control system must be assessed via ongoing evaluations or separate evaluations. It is recommended that these two methods are applied at the same time. (Separate evaluation of the internal control system can be carried out by setting up working groups or via questionnaires.)

2 Are processes and methods set out in your administration to identify and disclose the shortcomings of internal control and improper control methods and to take the necessary actions?

If the response is "Yes", please briefly mention the process and method adopted in your administration. It is recommended that the processes and methods are put into practice upon the approval by the Senior Manager. Please give brief information on the responsible staff notified in the event of an incomplete or improper control method, the time limit set for taking action and how these procedures are monitored. Management fulfils this responsibility via SDUs and internal auditors.

3 Are trainings, plenary sessions and meetings held which will create the atmosphere in which managers will be provided with feedback about whether internal control functions effectively or not?

4 Are the units of the administration involved in the evaluation of internal control?

If the answer is "Yes", please explain how participation is ensured. It must be ensured that units take active part in the process, and the task of evaluating the internal control system must not be perceived as the responsibility of only the Senior Manager, internal auditor and SDU.

5 Is there an internal audit unit/internal auditor in your administration?

6 Is there efficient cooperation among internal audit unit, management and staff?

What has been done to increase the level of awareness of the manager and the staff on internal audit activities? What has been done to see the relations with the internal audit unit and the expectations? Please explain briefly.

7 While evaluating internal control, are the opinions of the managers, requests and complaints by people/organisations and the reports produced upon internal and external audit taken into consideration?

The method to adopt for the collection, assessment and reporting of the information required for the evaluation of internal control must be set out. Please refer to the staff responsible for assessing the internal and external audit findings and recommendations for the evaluation of internal control, the time limits for these assessments and the management level to which this information is communicated.

Compare the internal and external audit reports with the results of the internal control system evaluation by the SDU for consistency. In the event that any inconsistency is identified, the reasons for this must be questioned.

8 Are recommendations from internal audit and SDU about how to improve internal control taken into consideration by management?

9 Are action plan(s) where internal control evaluation results and recommendations made upon internal and external audit produced and implemented? Are they followed up?

If the timing is appropriate, action plans can be combined. Please give brief information on the staff responsible for following up the action plans and the method used. Furthermore, please provide information on the method used for the follow-up of internal audit reports, if there is any. With which level of management are the results of the follow-up shared, and how often? Please explain.

TOTAL POINTS - MONITORING

GRAND TOTAL


Annex 2: Internal Control System Evaluation Report

............... (NAME OF ADMINISTRATION)

INTERNAL CONTROL SYSTEM EVALUATION REPORT

I. INTRODUCTION

1.1 Mission

1.2 Aims and Objectives

1.3 Organisational Structure

II. INTERNAL CONTROL QUESTIONNAIRE RESULTS

II.1 Consolidated Summary on strengths and aspects open to improvement regarding the entire organisation, relevant to each COSO component

- Control Environment

- Risk Management

- Control Activities

- Information and Communication, and

- Monitoring

III. OTHER INFORMATION

III.1 Internal Audit Reports

III.2 External Audit Reports

III.3 Other Information Sources

III.3.1 Budget Information

III.3.2 Data on Ex-ante Financial Control

III.3.3 Requests by Individuals and/or Administrations

III.3.4 Other Information

IV. CHANGE SINCE THE LAST REPORT

IV.1 For each COSO component, has the position got better or worse, and why?

V. CONCLUSION

V.1 Strengths

V.2 Aspects Open to Improvement

V.3 Recommendations for action


Annex 3a Internal Control Assurance Declarations Senior Manager

I RESPONSIBILITY

As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of [the administration]. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.

II PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION

I declare that my administration's budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements; resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.

In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration's revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; my administration operates in line with the laws and other regulations; irregularities and fraud are prevented in each financial decision and transaction; regular, timely and reliable reports and information are acquired for decision making and monitoring; assets are safeguarded against abuse, waste and losses.

This assurance is based on my knowledge and considerations as the Senior Manager, management information systems, internal and external evaluations carried out within the context of quality assurance development programme, studies of the SDU, internal and external audit reports (if available).

In the following part, the Senior Manager must explain the support by the management information systems, internal and external evaluations within the framework of the quality assurance development programme, internal and external audit and SDU.

Management Information Systems

Please read section no 6113 before completing this part

Internal Audit

Please read section no 6114 before completing this part

External Audit

Please read section no 6115 before completing this part

SDU

Please read section no 6116 before completing this part


III RISK MANAGEMENT [10]

As the Senior Manager, I have a key role and responsibility in the development of a risk strategy in my administration, production of a common corporate risk perception adopted by all employees. Recognising that risk management is the most important element of the internal control system, creation of the necessary organisational capacity and embedding risk management into the general activities is valued.

In the following part, the authorising officer should address the risk perception of the administration and its capacity to deal with risk.

Risk perception of the administration should summarise

Please read section no 6117 and 6118 before completing this part

Capacity to handle risk

Please read section no 6119 before completing this part

My administration faces a wide range of risks during the course of its activities. These risks are considered in accordance with the principle that the cost of the internal controls to be developed with control purposes do not exceed the benefit received from the controls. A systematic approach has been adopted in levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.

In the following part, the Senior Manager should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration's risks.

Identification and assessment of the risks

Please read section no 61110 before completing this part

Addressing control environment monitoring and reporting of the risks

Please read section no 61111 before completing this part

IV APPRAISAL OF THE INTERNAL CONTROL SYSTEM

As the Senior Manager, during the preparation of the foregoing declaration, I also considered the assurance declarations by the Authorising Officers and Head of SDU. The information and evaluations I have received from these declarations form an important basis regarding the assurance I have to provide on the internal control system in my administration.

[10] This part must be completed when the risk management process starts to function in the administration.

Furthermore, [advisory, audit, risk steering] boards/committees have been set up within [the administration] to provide support and guidance for the evaluation of the internal control system in terms of particularly risk strategy and management. Reports prepared by these boards have made a great contribution to the evaluation on the internal control system.

Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term and how these developments have been handled are summarised below.

Please read section no 61112 before completing these parts

Human Resources

Physical infrastructure and assets

IT and communication infrastructure

Data security

New structures and changing fields of activity

Problems faced in the main fields of activity or examples of best practice

Developments regarding weaknesses stated in previous years


Other developments

(Date)

Signature

Name

Title


Annex 3B Internal Control Assurance Declaration Authorising Officer

INTERNAL CONTROL ASSURANCE DECLARATION [11]

I RESPONSIBILITY

As the authorising officer, within my field of competence, I am responsible to ensure that my expenditure orders are in line with the fundamentals and principles of the budget, the laws, rules and regulations and other legislation; the appropriations are utilised in an efficient, effective and economic manner; and that the internal control operates properly.

II PILLARS OF INTERNAL CONTROL SYSTEM AND ASSURANCE DECLARATION

I declare that the operations and transactions carried out by my spending unit comply with the aims and objectives of the administration, high financial management principles, control arrangements and the legislation; resources allocated with the administration budget to the spending unit have been utilised in line with the planned objectives; and the internal control system within my unit provides the sufficient and reasonable assurance.

This declaration of assurance is based on my own information and evaluations as the authorising officer and on the management information systems, internal and external evaluations carried out within the context of the quality assurance development programmes, studies by the SDU, internal and external audit reports.

In the following part, the support provided by the management information systems, the internal and external evaluations carried out within the context of the quality assurance development programmes, studies by the SDU should be elaborated by the authorising officer.

Management Information Systems

Please read section no 6113 before completing this part

Internal Audit

Please read section no 6114 before completing this part

External Audit

Please read section no 6115 before completing this part

SDU

Please read section no 6116 before completing this part

[11] Please read section no 611 before completing this part

III RISK MANAGEMENT [12]

Within the framework of the overall risk perception, strategy and awareness of the administration, the capacity to handle risk has been determined for the activities specific to my unit and the necessary importance has been attached to embedding risk management in its activities.

In the following part, the authorising officer should address the capacity to handle risk.

Capacity to handle risk

Please read section no 6119 before completing this part

My spending unit faces various risks during the course of its activities. These risks are considered in line with the principle where the cost of internal controls to be developed do not exceed the benefit planned to be gained from them. A systematic approach has been adopted in the spending unit for the identification, addressing, assessment, monitoring and reporting of the risks faced.

In the following part, the authorising officer should set out the issues related to the identification, assessment, addressing, control environment, monitoring and reporting of the administration's risks.

Identification and assessment of the risks

Please read section no 61110 before completing this part

Addressing control environment monitoring and reporting of the risks

Please read section no 61111 before completing this part

IV EVALUATION OF THE INTERNAL CONTROL SYSTEM

The following is the summary of the most significant developments experienced in the activities of my unit within the period covered by the foregoing report and how these developments have been addressed by the internal control system.

Please read section no 61112 before completing these parts

Human Resources

IT and communication infrastructure

Data security

[12] This part must be completed when the risk management process starts to function in the administration.

New structures and changing fields of activity

Problems faced in the main fields of activity or examples of best practice

Developments regarding weaknesses stated in previous years

Other developments

As the authorising officer, I hereby declare that we have also carried out some transactions overriding the opinion of the SDU. Information and justifications for these transactions are as follows:

There is no such a work I carried out that is not found to be appropriate by SDU.

(In this part, transactions, if any, carried out by the authorising officers despite the negative opinion provided upon the ex-ante financial control. If there is no such a work as mentioned above, then the expression "there is no such a work I carried out that is not found to be appropriate by SDU" should be included.)

(Date)

Signature

Name

Title


Annex 3b Internal Control Assurance Declaration Head Of SDU

INTERNAL CONTROL ASSURANCE DECLARATION

As the Head of SDU, I declare that the internal control system has been implemented, monitored, and my opinions and recommendations have been reported to the Senior Manager to take the necessary actions in time, in order to ensure that the activities in [the administration] are carried out in accordance with the financial management and control legislation and other legislation, and public resources are utilised in an efficient, effective and economic manner.

Please read section no 612 before completing this part

In the following part, the studies should be explained regarding the management information systems, development of internal control system, monitoring and review, and briefing and advising by the Head of SDU.

Management Information Systems

Please read section no 6121 before completing this part

Development of Internal Control System

Please read section no 6122 before completing this part

Monitoring and Review

Please read section no 6123 before completing this part

Briefing and Advising

Please read section no 6124 before completing this part

Financial Information

Please read section no 6125 before completing this part

I confirm that the information included in the section IIIA-Financial Information of the Activity Report (year) is reliable, complete and accurate.

(Date)

Signature


Annex 4 Example Of A Complete Declaration

INTERNAL CONTROL ASSURANCE DECLARATION

(SENIOR MANAGER)

Name-Surname

Title

I RESPONSIBILITY

As the Senior Manager, I am responsible for ensuring the establishment, delivery and oversight of an efficient financial management and control system that will contribute to the achievement of the policies, goals and objectives of the Ministry of Space Exploration. In this regard, I declare that I have taken the necessary measures to make sure that the arrangements of internal control are adopted by the staff and that the internal control standards are practised.

II AIMS AND PILLARS OF INTERNAL CONTROL SYSTEM

I declare that my administration's budget has been prepared and implemented in line with the development plan, annual programmes, strategic plan, performance objectives and service requirements; resources allocated from the budget for the achievement of aims and objectives are utilised in compliance with the planned targets and in accordance with good financial management principles.

In this context, I announce that the internal control system provides sufficient and reasonable assurance that my administration's revenues, expenditures, assets and liabilities are managed effectively, economically and efficiently; my administration operates in line with the laws and other regulations; irregularities and fraud are prevented in each financial decision and transaction; regular, timely and reliable reports and information are acquired for decision making and monitoring; assets are safeguarded against abuse, waste and losses.

This assurance is based on my knowledge and considerations as the Senior Manager, management information systems, internal and external evaluations carried out within the context of quality assurance development programme, studies of the SDU, internal and external audit reports (if available).

Management Information Systems

Management information systems have been established in all General Directorates in order to provide information for managers that enables effective decisions to be made and for information on changing risks to be monitored in our Ministry. However, not all of our legacy IT systems have been fully assessed for security risks. As part of the measures being taken to strengthen data security governance, we will ensure that the IT systems supporting our most time critical business processes are reviewed to establish a known risk position by December 2010. We will carry out a review of our remaining systems during 2011.

Internal and External Evaluations Carried Out Within The Context Of Quality Assurance Development Programme

Presidency of Strategy Development has carried out one internal evaluation of the effectiveness of internal control within the context of the quality assurance and development programme. The main findings of this evaluation are:

- That compliance with internal control standards was good in terms of effective control activities in order to minimise risk

- Internal Control and Risk Steering Board has been set up within the Ministry to contribute to the evaluation of the internal control system

- Unit managers needed to develop their skills regarding ongoing monitoring of internal control systems

Based on the evaluation findings, the Ministry has produced an action plan which is planned to be put into practice as of June 2010.

There were no external evaluations carried out within the context of the quality assurance and development programme, but the CHU has declared that this is scheduled for 2013.


Internal Audit

Our Ministry's Internal Audit Unit continues to operate within the framework of a three-year audit plan. Internal Audit operated to requirements defined in the Public Internal Audit Standards. Their audit programme was focused around the Ministry's key risks of internal control, together with recommendations for improvement. The Director of Internal Audit Unit provided me with an annual Internal Control Evaluation Report which contained an independent opinion on the adequacy and effectiveness of internal control. The conclusion of the Director of Internal Audit Unit was that the following aspects of internal control should be improved:

- Awareness of the Deputy Undersecretaries and General Directors on internal control responsibilities and risk management

- Improvement of the present arrangements regarding promotion, assignment and appointment system to make it transparent and competence based

- Improvement of communication between the central and provincial organisations of our ministry

- Review of management information systems to update old systems

- Improvement of allowances and supplementary payments for personnel going to space

It has been decided that a working group consisting of managers from the SDU, General Directorate of Personnel and other relevant units is to put these recommendations into an action plan.

External Audit

The TCA has approved the annual accounts of the Ministry

SDU

An evaluation on the internal control system has been carried out with the full participation from the SDU, Spending Unit managers and the staff, and a report has been produced and submitted to the CHU on 30th March 2010. The main findings of the review are listed above under the heading "Internal and External Evaluations Carried Out Within the Context of Quality Assurance Development Programme" in this document. SDU staff also underwent training in risk management during this year.

III RISK MANAGEMENT

As the Senior Manager I have a key role and responsibility in the development of a risk

strategy in my administration production of a common corporate risk perception adopted by all

employees Recognising that risk management is the most important element of the internal control

system creation of the necessary organisational capacity and embedding risk management into

the general activities is valued

The SDU took the lead in embedding risk management in the organisation by reviewing and

updating the key corporate external and internal risks facing the Ministry each month The SDU also

began an exercise to identify long term risks that may have posed a significant threat to the Ministry

in the future These risks were recorded on a long term risk register and the intention is that they will

be reviewed every six months Should the threat increase then these risks will either be escalated to

my part for appropriate action to be taken

The Internal Control and Risk Steering Board also endorsed an action plan to further embed good risk management practice within the Ministry's processes and systems and to support innovation through well managed risk taking. Work to establish this position will continue and focus on those areas identified as still most in need of improvement. This will include giving further consideration to risk appetite, where the focus will be on practical examples of how it can be applied in practice, thus making it easier to communicate its awareness among staff.

Guidance was available to all staff on risk management through the risk management intranet site. In addition to a risk management policy, specific guidance was available on undertaking risk self assessment, which includes guidance on applying risk management as an integral part of the Ministry's business planning process. Risk management workshops were available to all staff and practical guidance on its application had been incorporated into a wide range of training courses. These courses covered all ranges of staff and were tailored to be appropriate to their authority and duties.

My administration faces a wide range of risks while carrying out its activities. These risks are assessed in accordance with the principle that the cost of the internal controls to be developed for control purposes does not exceed the benefit received from the controls. A systematic approach has been adopted in levels of management for the identification, assessment, addressing, monitoring and reporting of the relevant risks.

The risk management framework for our Ministry operated through the initial identification of risks, as part of the business planning process, which threatened achievement of the Ministry's objectives. These risks were then evaluated in terms of impact and probability. This process established the level of residual risk to which the Ministry was exposed and which was monitored over time as part of performance management. Ownership for each risk was assigned to a named individual. Reasonable assurance that risk mitigation activities were appropriate was obtained through regular management reviews and internal audits of the key activities undertaken in the Ministry.

In order to further embed best practice in risk handling and to ensure a consistent interpretation of the acceptable extent of residual risk, our Ministry will review its risk appetite and communicate it more effectively across the organisation.

IV APPRAISAL OF THE INTERNAL CONTROL SYSTEM

As the Senior Manager, during the preparation of the foregoing declaration I also considered the assurance declarations by the Authorising Officers and Head of SDU. The information and evaluations I have received from these declarations form an important basis regarding the assurance I have to provide on the internal control system in my administration.

Furthermore, an Internal Control and Risk Steering Board has been set up within the Ministry of Space Research to provide support and guidance for the evaluation of the internal control system, particularly in terms of risk strategy and management. Reports prepared by this Board have made a great contribution to the evaluation of the internal control system.

Regarding the main activities of my administration, the most distinctive developments that took place within this reporting term and how these developments have been handled are summarised below.

In our investment programmes, the underspend reported last year in the spacecraft development programme has been managed. There is now less than 2 slippage in that programme. Underspends have arisen this year in other areas, for example:

- The satellite programme: TL 121 m. The Internal Audit Unit has reviewed the Investment Budget management and an action plan is being developed to address the audit findings.

- Astronauts training programme: TL 113m, due to slower than expected take-up. Processes will be streamlined to reduce barriers and it is expected the budget will be fully used in the next year.

- Renovation of launching stations programme: TL 16m, arising mainly from slippage in international cooperation projects affecting the expected refurbishment programme, together with some incorrect historical data for tracking capital allocation. New systems will prevent the reoccurrence of this problem.

Whilst recognising the above summarised issues, good progress has been made in resolving them and there are plans in place to further enhance the internal control system and improve practice. As Senior Manager, I provide reasonable assurance that the above issues do not represent a material threat to operational effectiveness and that our Ministry complies with the public internal control standards on risk management, internal control and governance.

(Date)

Signature

Name

Title

GLOSSARY

CONCEPT: DEFINITION

Explicit information: is the information which can be created, expressed, obtained and transferred in accordance with a specific system.

Aim: is the concept which refers to the objectives contained in the strategic plan that administration aims to attain.

Information: Financial and non-financial data related to internal and external events and activities which is created, obtained and communicated in a particular form and at a particular time to ensure that people carry out their duties.

Information security: refers to safeguarding valuable assets in an administration against loss, misuse or damage.

Information map: is demonstration of information kept in units or their systems which can be shared and expertise and experience of personnel and demonstration of them on an organisational scheme or map in accordance with organisational structure.

Information pool: is the accessible area where information obtained in hard form or soft form is stored and kept ready for re-use.

Information architecture: Organisation of information with a view to make it accessible, manageable and useful from infrastructure level to end-user level.

Information stock: Financial and non-financial information available in administration at a particular time.

Information technology: is a system that controls all activities including communication and computers which are used for the purposes of collecting, storing and processing of information, its transmission from one point to another through communication systems and computers and to the service of users. Information technology is a concept that is used to refer to all information services which can be connected through communication and computer systems.

Information management: is a process where information is planned and obtained from any kind of source internally or externally, classified, stored, communicated to relevant bodies in a timely manner for interpretation, reviewed for updating and disposed.

External audit: Within the framework of accountability responsibility of public administrations within the scope of general management, it is the activity of examining the compliance of financial activities, decisions and procedures of the administration with laws, administrative objectives, aims and plans and reporting the results to TGNA by Turkish Court of Accounts.

Audit trail: It requires the maintenance of records giving the full documentation and justification at all stages of the life of a transaction together with the ability to trace transactions from summarized totals down to the individual details and to trace all reporting stages.

Inherent risk: refers to those risks whose probability and impact cannot be changed unless particular precautions are taken by administration. When risks are identified for the first time they are at inherent risk level.

Ethics: Ethics is a body of moral principles, values and standards which forms the basis for the behaviours of a person and guides them on how to do works.

Cost-Benefit Analysis: It is the identification and comparison of the costs and benefits regarding the implementation of a planned work or activity. In cases when benefits outweigh costs the work or activity is considered to be cost-effective.

SWOT Analysis: is a method in which the administration systematically examines itself and the conditions having an impact on the administration. In this framework strengths and weaknesses of the administration as well as the threats and opportunities that may occur outside the administration are identified. This is an analysis which forms the basis for strategic planning process.

Segregation of duties: requires that the duty of approval, implementation, recording and control of each activity or financial decision and transaction be assigned to different people.

Objective: These are the specific and measurable sub-aims geared towards attaining the aims contained in the strategic plan.

Performance objectives are outcome-oriented objectives administrations plan to attain in a program period with a view to attaining the aims and objectives contained in the strategic plan.

Internal audit: is an independent and objective activity of giving assurance and providing counselling with a view to providing guidance and assessing whether resources are managed in compliance with principles of effectiveness and efficiency in order to improve and add value to the activities of the public administration.

Internal control: is the body of financial and the other controls covering the organisation, method, process and internal audit in an administration carried out with a view to ensuring that activities are conducted effectively, efficiently and economically in line with the administration's aims, its identified policies and legislation, assets and resources are protected, accounting records are kept accurately and completely, and financial information and managerial information is produced in a reliable and timely manner.

Internal control assurance declaration: is the declaration annually signed by senior managers, authorising officers and heads of strategy development units within the framework of accountability and transparency to state that processes and transactions are conducted in line with the principles of good financial management control regulations and the legislation.

Internal Control and Risk Steering Board: The Board makes assessments concerning development of process and methods related to internal control system such as determination of policies about monitoring internal control practices and introduction of risk in the administration.

Whistleblowing: is the notification of illegal and unethical behaviours and actions to internal and external authorities that have the power and authority to solve the problem by persons with information (employees or stakeholders), therefore administrations or third persons inside or outside the administration are not affected.

Business continuity: The plans that aim at ensuring continuity for the activities of the administration or ensure continuity without any interruption after any extraordinary situations.

Ex-post controls: Are the controls applied by management to administration's activities after they have been carried out using pre-identified methods.

Monitoring: Monitoring is the activity of assessing, within the framework of compliance with internal control standards, whether internal control system provides the expected contribution to attaining objectives and aims of the administration and determining the activities to be carried out in fields that are open to improvement.

Residual risk: refers to risks remaining after management has taken precautions to reduce their probability and impact.

Control activities: are actions aimed at reducing the impact and/or the likelihood of a risk occurring and thus increase the probability of attaining the goals and objectives of the organisation or part of the organisation.

Financial Management and Control: is the development, implementation, monitoring and improvement of suitable organisations, methods and processes within the of managerial responsibility to ensure effectiveness, efficiency and economy in obtaining and using resources as well as compliance with the identified aims and objectives and the legislation.

Central Harmonisation Unit: is affiliated to the Ministry of Finance. The unit develops and harmonises methods and standards concerning financial and internal control processes and provides related guidance for public administrations.

Mission: mission is the cause of existence of an administration and its place within the state structure. In other words, mission is the answer to such questions as what the public administration does and how and for whom it does what it does.

Focus group: These are such meetings that are held among a target group composed of 6-8 people to receive their thoughts and reactions in a detailed and elaborate manner. They are managed by a moderator within the framework of a flow plan.

Probability: refers to the likelihood that an event may occur.

Organisational structure: is general system covering all the activities and procedures undertaken to attain the aims and objectives of the administration.

Ex-ante financial control: Ex-ante financial control is a control performed to check the compliance of the financial decisions and operations of administrations regarding their incomes, expenditures, assets and liabilities with the budget of the administration. Further checks are carried out with the available appropriation amount, expenditures programme, financing programme and the provisions of central government budget law and other financial legislation. It is also checked whether resources are used effectively, economically and efficiently.

Implicit information: is the information in people's minds which is not regulated in accordance with a particular system, therefore not easy to transfer and circulate, and the registered information which is not accessible to employees.

Stakeholders: are the people, groups and administrations which are relevant to the administration's products and services and can directly or indirectly, positively or negatively affect or be affected by the administration.

Risk: can generally be defined as uncertainty of events that may occur in future or undesirable outcomes and impacts of an event. For administrations, risk can be defined as negative or positive effects of internal and external factors that may occur in future on attaining the objectives and aims of administrations. In risk terminology, positive aspects of risk and wins it may bring along are referred to as opportunity and negative aspects and losses it may cause are referred to as threat.

Risk assessment: is analysing those factors which can have an impact on attaining the objectives of administration.

Transferring risk: is the response to the risks by taking some of them away from the responsibility of the administration and transferring it to others.

Handling risks: is the identification of responses to risks identified and assessed (within the framework of risk appetite) by public administrations and reducing the expected threats and benefiting from the opportunities that may emerge within this context.

Impact of risk: refers to outcomes or effects that risk posing event can produce once it occurs.

Risk appetite: is the amount of risk an administration is ready to accept (tolerate/be exposed to) at any time before deciding on the need to take any relevant precautions in line with its strategic objectives, mission and vision. In terms of threats it refers to exposure level which can be tolerated and justified and in terms of opportunities it refers to how a person is ready to actively take the risk to gain benefits of the opportunity.

Tolerating risks: is a passive method of response given to risks which public administrations are comfortable to undertake.

Avoiding risks: is a response to risks by removing the activities in which risks are probable to occur, thus eliminating the risks that are probable to occur together with the activities.

Controlling risks: is a method of response to risks by means of control activities carried out to keep tolerable risks at a certain level in public administrations.

Preventive Controls: These are controls carried out to prevent threats that risk may pose and undesirable outcomes risk may produce once it occurs.

Corrective Controls: These are controls aiming at reducing the impact of undesirable outcomes that arise from threats risk poses once it occurs.

Directive Controls: These are controls carried out to prevent the occurrence of risk or avoid the impact it may produce once it occurs.

Detective Controls: These are controls applied to identify damages and losses experienced once the risk is realised.

Risk profile: documented and prioritised overall assessment of the range of specific risks faced by the administration.

Risk management: is a management tool and all the mechanisms related to identify and assess risks that may have an impact on attaining aims and objectives of administration, identify responses to risks, regularly review and update risks and responses and monitor the whole process.

Corporate risk management: is a process which covers the entire administration and ensures that risk management processes are considered and handled as a whole.

Risk strategy: the overall organisational approach to risk management as defined by the Accounting Officer and/or the Board. This should be documented and easily available throughout the organisation.

Risk Strategy and Policy Document (RSPD): corporate approach to risk management identified by Head of Administration and senior level policies are called risk strategy and the document in which this approach and policies are set down in writing is called Risk Strategy and Policy Document (RSPD).

Risk identification: is the process of identifying, ascertaining, categorising and updating risks that prevent or limit the achievement of administration's strategic objectives using previously defined methods.

Strategy Development Unit: refers to presidencies of strategy development units, departments of strategy development and directorates where strategy development and financial services are undertaken. They carry out studies to establish, implement and continuously develop internal control systems and report the study results to the Head of Administration.

Irregularity: Faults, errors and negligence stemming from violation of regulations and provisions related to financial management.

Delegation of authority: is delegation of the responsibility and authority for making decisions to another authority in writing in the way envisaged in the legislation.

Fraud: Is misuse or insufficient use of documents and declarations for monetary purposes or non-monetary private purposes as well as hiding information or deliberate acts performed to abuse the benefit legally obtained and negligence and illegal use of public power.

Management Information system: supporting systems which provide proper data for managers and decision-makers for taking decisions and implementing them with a view to more effectively attaining the previously identified objectives of the administration by operating and communicating the information used in administration.

Managerial: refers to management being accountable for the decisions they have made regarding duties assigned as well as for effective use of public resources to the Parliament, Government and public opinion.

Governance: Governance is the way in which organisations are directed and controlled. It defines the distribution of rights and responsibilities among the different stakeholders and participants in the organisation, determines the rules and procedures for making decisions on corporate affairs including the process through which the organisation's objectives are set, and provides the means of attaining those objectives and monitoring performance.

Conference call: A system of telecommunications technology that enables a number of people in different locations to hold a discussion using the telephone.
