The Statement on Internal Control

A joint initiative of the OECD and the European Union, principally financed by the EU
Development of Internal Control:
Methodology and Responsibility
Janet Thomas
HM Treasury/ National Audit Office
United Kingdom
Workshop on “Audit/Evaluation of PIFC Systems”
Ankara 8-9 July 2008
© OECD
Content of presentation
• What is internal control?
  - COSO, Intosai, EU view, UK view
• UK “methodology”
  - Governance, role of audit committee, management of risk, role of internal and external audit, statement on internal control
• How it all fits together
• Assessment against COSO/ INTOSAI
• Key concepts
  - Accountability
  - Delegation
  - Proportionality
What is internal control?
COSO (1992)
Internal control is broadly defined as a process
effected by an entity’s board of directors,
management and other personnel designed to
provide reasonable assurance regarding
achievement of objectives in the following
categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and
regulations
What is internal control?
INTOSAI (2004)
Internal control is an integral process that is effected by an
entity’s management and personnel and is designed to
address risks and to provide reasonable assurance that in
pursuit of the entity’s mission, the following general
objectives are being achieved:
Executing orderly, economical, efficient and effective
operations
Fulfilling accountability operations
Complying with applicable laws and regulations
Safeguarding resources against loss, misuse and damage
What is internal control?
COSO/ INTOSAI components
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
What is internal control?
European Commission
Reforms from 2000 onwards – “wise men’s
report”
Treaty obligations “legality and regularity”
Financial regulation definition Art 28a
Acquis requirements for accession
• Chapter 32 Financial control
• Criteria for opening and provisionally closing Ch 32 based on development of PIFC strategy and legislation
The three pillars of PIFC
• Managerial accountability
• Financial management and control systems developed and monitored by a central harmonisation unit
• Supported by functionally independent internal audit
What is internal control?
United Kingdom government view
Formerly implicit rather than explicit, but long tradition of
internal audit
Acted on Turnbull (1999) and Sharman (2001)
recommendations
Focuses on provision of annual “statement on internal
control”
Introduction of resource accounting and budgeting, 2001
Treasury guidance from “CHU” on corporate governance,
audit committee handbook, government internal audit
standards and guidance, “managing public money”,
management of risk guidance
The UK “methodology”
Governance is the key
Defined accountability – role of Minister and
Accounting Officer, both responsible and
answerable to Parliament
Corporate Governance Code: Responsibilities of
departmental Board
To ensure that effective arrangements exist to
provide assurance on risk management,
governance and internal control
Role of Audit Committee
Internal Audit function
The UK “methodology”
Role of audit committee: 5 principles
• Supports the Board and the Accounting Officer by reviewing the comprehensiveness, reliability and integrity of assurances that risk management, governance and internal control are functioning effectively
• Independent and objective with a good understanding of the priorities of the organisation
• Provides an appropriate mix of skills
• Terms of reference to define scope of work
• Effective communication with Board, Head of Internal Audit, external audit and other stakeholders
The UK “methodology”
Role of internal audit:
To provide an independent and objective
opinion to the Accounting Officer on risk
management, control and governance*, by
measuring and evaluating their effectiveness
in achieving the organisation’s agreed
objectives.
* The policies, procedures and operations established to ensure the achievement of objectives, the appropriate assessment of risk, the reliability of internal and external reporting and accountability processes, compliance with applicable laws and regulations and compliance with behavioural and ethical standards.
The UK “methodology”
Management of risk
• All government organisations must have basic risk management processes in place
• Guidance provided in “The Orange Book”
• Risk should be managed to a level which is tolerable
• Effectiveness of risk management audited internally and externally
• Accounting Officer must comment on risk management in his annual “Statement on Internal Control”
The UK “methodology”
The Statement on Internal Control
• Every Accounting Officer must sign an annual Statement on Internal Control
• Prescribed format given in Financial Reporting Manual
  - Scope of responsibility
  - Purpose of the system of internal control
  - Capacity to handle risk
  - Risk and control framework
  - Review of effectiveness (significant internal control issues must be mentioned)
The UK “methodology”
The Statement on Internal Control: examples of
significant internal control issues
• Failure to achieve a Public Service Agreement target
• Organisation had to seek additional funding from Treasury
• Adverse opinion from external auditor – material impact on the accounts
• Head of Internal Audit and/or Audit Committee agree that an issue is significant
• Public interest and/or damage to the organisation’s reputation
The UK “methodology”
Role of external audit (National Audit Office)
• To review the Statement on Internal Control for each government organisation
  - Compliance with Treasury requirements
  - Consistency with external auditor’s work on financial statements
• To provide an assurance to Parliament that the resource accounts have been properly prepared, are free from material misstatement, and that transactions have appropriate Parliamentary authority
• To provide value-for-money reports assessing the economy, efficiency and effectiveness with which public money has been used
How it all fits together
[Diagram. Elements shown: Accounting Officer; Board; Objectives; Business plan; PSAs and Performance Measures; Budget; Accounts; Risk register; Risk monitoring; Internal audit; Annual report; Statement on internal control; NAO; Audit committee; Parliament/ PAC]
How do we match up against
COSO/ INTOSAI?
Control environment:
Accountability to Parliament, Board and Audit Committee
Risk assessment:
Risk management systems widespread, audited internally and
externally, reported on in annual Statement on Internal Control
Control activities:
Delegated to the organisation, described in the Statement on
Internal Control
Information and Communication:
Annual reports, regular reporting to Board and Audit Committee
Monitoring:
Internal audit reports, regular monitoring by Board and Audit
Committee, results of monitoring summarised in Annual
Statement on Internal Control
How do we match up against
the Commission guidance?
• Managerial accountability
  - Clearly defined and expressed in statement on internal control
• Financial management and control systems developed and monitored by a central harmonisation unit
  - Guidance produced centrally eg on governance; risk management
  - But development of systems delegated to Government Departments
• Supported by functionally independent internal audit
  - Internal audit units in each Government Department
Key concepts
• Statement on Internal Control – informs on all aspects of internal control, published on internet
• Accountability – of Minister and Accounting Officer
• Delegation – control and management of spending delegated to departments, monitored by Treasury
• Proportionality – no sledgehammer to crack a nut
• Guidance – not always prescription
All UK guidance is available at
www.hm-treasury.gov.uk
and on departmental websites
Thank you!
Good luck!