Management assurance framework
Queensland Shared Services
Version number: V8.0
Reference number: QSS/2134-01
Policy owner: Director, Corporate Assurance and Risk Management
Total number of pages: 18
Effective date: July 2015
Review date: July 2016
Security classification: PUBLIC
Uncontrolled when printed
Table of Contents
1 Introduction 3
1.1 Background 3
1.2 Internal control and risk environment 3
1.2.1 Governance of QSS operations 3
1.2.2 Risk management 4
1.2.3 Control activities 4
1.2.4 Information and communication 4
1.2.5 Monitoring 4
2 Purpose 4
3 Scope 5
4 Management assurance framework details 5
4.1 Internal control objectives 5
4.1.1 Governance controls 5
4.1.2 Business process controls 5
4.1.3 Information technology general controls 6
4.2 Internal control assessment 6
4.2.1 Assessment scope 6
4.2.2 Methodology 6
4.2.3 Assurance from third party providers 7
4.2.4 DSITI Internal Audit 7
4.3 Reporting 7
4.3.1 Interim status update 7
4.3.2 Final management assurance report 7
4.3.3 Post balance date assurance 8
4.4 Continuous improvement 8
4.5 CARM solution 8
5 Responsibilities 9
6 Endorsement and approval 11
Appendix A: Contacts 12
Appendix B: References 12
Appendix C: Definitions 13
Appendix D: Internal control assurance model 15
Appendix E: DSITI assurance framework 17
Appendix F: MAF process map 18
Page 2 of 18
Security classification: Public
1 Introduction
1.1 Background
Queensland Shared Services (QSS) is a provider of corporate services to Queensland
Government entities, that is, state government departments and statutory bodies (hereafter
referred to as customers). QSS provides financial services, human resource management services
and underlying application support and maintenance services to its customers. QSS has
established Service Agreements (SAs) with its customers.
QSS is a business area (division) within the Department of Science, Information Technology and
Innovation (DSITI) and the Director-General of DSITI is the accountable officer for QSS.
Agency accountability and financial administration requirements are underpinned by the
Queensland Financial Accountability Act 2009 (FAA) and the Queensland Financial and
Performance Management Standard 2009 (FPMS).
Under section 61 of the FAA, accountable officers are responsible for the efficient, effective and
economical operation of their department and for the establishment and maintenance of
appropriate systems of internal control and risk management.
To discharge this responsibility, section 77 of the FAA includes the requirement, for departments
only, that an accountable officer must delegate the establishment and review of financial internal
controls to the chief finance officer (CFO). The CFO must provide to the accountable officer a
statement before or at the same time the CFO certifies the annual financial statements, about
whether the financial internal controls of the department are operating efficiently, effectively and
economically. As prescribed in section 57(1)(d) of the FPMS, the CFO statement must include
assurance over external service providers in relation to their internal controls.
As an external service provider of corporate services, QSS is responsible for the design,
implementation, maintenance and monitoring of an internal control framework for its operations.
In carrying out this responsibility, QSS has regard to the interests of its customers, other key
government stakeholders and to the general efficiency, effectiveness and economical operation of
its business.
1.2 Internal control and risk environment
The FAA defines internal control as:
…the methods adopted within an entity to safeguard its assets; check the accuracy and reliability
of its accounting information; and secure compliance with the prescribed requirements that apply to
the entity.
QSS has established its internal controls based on the principles outlined in the Committee of
Sponsoring Organisations (COSO) Internal Control Integrated Framework Guidance on Monitoring
Internal Control Systems, May 2013.
1.2.1 Governance of QSS operations
QSS has a formalised organisational structure with distinct operational responsibilities including:
• Service Delivery (Finance, Human Resources and Mail)
• Systems
• Business Transformation
• Corporate Assurance and Risk Management (CARM)
The Executive Directors are responsible for the provision of services within their area of
responsibility and they report directly to the Assistant Director-General, QSS within DSITI. CARM
is an independent business unit which directly reports to the Assistant Director-General, QSS.
1.2.2 Risk management
QSS has implemented a robust risk management process in accordance with the approved DSITI
departmental risk management framework, policy and guidelines. Risk management assessment is
performed regularly and a risk register is in place which incorporates risk treatment plans for the
identified risks. The risk register is tabled at the monthly QSS Executive Management Group (QSS
EMG) meeting for review. The CARM unit coordinates the risk management process.
1.2.3 Control activities
QSS management has established its internal control environment with documented control
objectives and control activities through a risk management process. These control objectives have
been developed to address risks relating to QSS delivery of financial, human resource
management (including payroll) and information technology services.
1.2.4 Information and communication
QSS has implemented an effective communication process around its management reporting and
business operations to communicate pertinent information for reporting and decision making.
There are different forums, committees and groups established within QSS to facilitate such
communication. Key stakeholders have been identified and an effective communication strategy
implemented with customers and suppliers.
1.2.5 Monitoring
QSS has established a reasonable number of internal monitoring and review processes necessary
for evaluating the continual effectiveness of controls. The monitoring and control functions are
carried out as follows:
• The QSS EMG is responsible for overseeing the primary governance of QSS. The QSS EMG
convenes weekly and at least once a month reviews and provides direction on QSS issues
covering governance, risk management, compliance and audit.
• The CARM unit regularly monitors the effectiveness of established internal controls and
compliance with relevant policies and practices as part of the annual Management Assurance
Framework (MAF) testing and reporting.
• At the DSITI departmental level, the DSITI Audit and Risk Management Committee provides
oversight in relation to the internal control systems, risk management systems and the internal
and external audit functions.
2 Purpose
The purpose of the MAF is to provide a high level framework for QSS to effectively manage its
internal controls and comply with relevant legislation for the provision of Service Agreement based
services. Refer to Appendix B for a list of references used to develop the MAF.
Effective implementation of the MAF enables QSS to provide reasonable assurance to its
customers that management has maintained, in all material respects, efficient, effective and
economical internal controls for its operations.
The MAF forms part of the QSS Internal Control Assurance Model (refer to Appendix D) and
DSITI Assurance Framework (refer to Appendix E).
3 Scope
The MAF is limited to the scope of services as outlined in the SAs signed between QSS and its
customers. It does not encompass responsibilities undertaken by customers for their part of service
provision or the external audit assurance requirements under the Standard on Assurance
Engagements ASAE 3402 Assurance reports on controls at a service organisation.
4 Management assurance framework details
The framework includes the components described in sections 4.1 to 4.5 below.
Refer to Appendix F for the detailed process of implementing the MAF.
4.1 Internal control objectives
The following is a list of the internal control objectives identified through the risk management
process.
4.1.1 Governance controls
Internal control objective 1: A formal governance structure is established with clear roles and
responsibilities to ensure effective decision making, monitoring and review of QSS’s operations
and performance and information is communicated to relevant QSS stakeholders.
Internal control objective 2: A robust risk management process has been implemented by
business areas to manage operational risks effectively.
4.1.2 Business process controls
Internal control objective 3: Processing of transactions is subject to customer agency
authorisation and adequate procedures are implemented within QSS to ensure the accuracy,
completeness and integrity of documents being processed.
Internal control objective 4: Segregation of duties (SoD) is implemented either through
preventative or compensating controls to mitigate SoD risks.
Internal control objective 5: Validation and reconciliations are performed adequately to ensure
the accuracy, completeness and integrity of transactions processed.
Internal control objective 6: Processes and procedures have been implemented to manage
customer agencies’ records in accordance with relevant record management standards.
4.1.3 Information technology general controls
Internal control objective 7: Logical access security (including application security management)
is implemented adequately to comply with relevant information security standards and ensure the
confidentiality, integrity and availability of information systems and data.
Internal control objective 8: Change management processes have been implemented effectively
with segregation of duties to manage all information, communication and technology changes.
Internal control objective 9: Business continuity plans (BCP) and disaster recovery plans (DRP) are
developed and implemented effectively to ensure the continuation of business operations in case of
unexpected events or disruptions to the systems.
Internal control objective 10: Physical and environmental security is restricted to prevent
inadvertent or unauthorised access to systems, assets and information that are managed,
maintained, owned or used by QSS.
4.2 Internal control assessment
QSS performs annual control self-assessments to test the internal control objectives and
associated internal control activities, covering the period from 1 July to 30 June of each financial
year.
4.2.1 Assessment scope
The assessment scope will be determined based on the following items:
• internal control objectives for QSS to provide services to its customers as outlined in the
service agreements
• internal control activities, including the key specific policies and procedures established to meet
internal control objectives
• QAO QSS ASAE 3402 Assurance Report testing coverage and issues identified; all processes
related to the issues raised in the most recent QAO QSS ASAE 3402 report should be considered
for inclusion in the MAF testing depending on the risk level
• DSITI Internal Audit coverage for QSS during the current financial year and issues identified
• the QSS risk register
• initiatives and internal control environment changes within QSS during the current financial
year
• consultation with key stakeholders within QSS.
4.2.2 Methodology
Control self-assessment methodology will be used to test the effectiveness of the internal control
activities. The following steps will be undertaken:
• Control self-assessments covering the full set of internal control activities will be distributed
to and completed by QSS Service Delivery (Finance, Human Resources and Mail), QSS Systems
and any other applicable business areas.
• Sampling techniques will be used to select the evidence submitted in support of responses. The
actual sample size will be determined before the testing, taking into account the complexity and
consistency of the control activities applied for each customer agency.
• Responses and supporting evidence will be reviewed and approved by responsible directors.
• Responses and supporting evidence will be independently analysed by the CARM unit, which
will identify any control weaknesses and agree action plans with management.
• The CARM unit will continue to monitor the implementation of action plans by management.
4.2.3 Assurance from third party providers
QSS obtains assurance reports from its third party providers annually and performs an assessment
of those against the internal control objectives.
The assessment process is to provide reasonable assurance regarding:
• compliance with control objectives and procedures
• appropriate risk management policies and procedures being in place
• appropriate internal controls being in place
• monitoring and reporting being adequate, accurate and timely.
4.2.4 DSITI Internal Audit
DSITI Internal Audit plays a key role in the departmental assurance framework. In accordance with
the approved internal audit annual audit plan, Internal Audit sets out the audits intended to be
carried out for QSS. The audit findings and recommendations arising from such audit activity are
formally reported to QSS management for consideration and corrective action.
The CARM unit is responsible for monitoring management's implementation of the corrective
actions.
QSS will communicate with the appropriate customer agency officer any issues raised by DSITI
Internal Audit which may have a material impact on customer agencies.
4.3 Reporting
4.3.1 Interim status update
In February of each year QSS provides each customer agency's Chief Finance Officer a status
update by email, containing:
• a list of all audit issues raised by DSITI Internal Audit and the current status update
• a list of material control exceptions identified through the previous financial year's MAF testing
and their status update.
The purpose is to provide each customer agency with an update of QSS internal controls and
highlight any material internal control weaknesses to the customer.
4.3.2 Final management assurance report
By 31 July each year QSS provides each customer agency’s accountable officer with a detailed
management assurance report and an accompanying letter. The assurance report covers the
previous financial year and provides assessment results concerning the effectiveness of internal
controls established and operated by QSS. The intent is to provide reasonable assurance that, in
all material aspects, the internal controls have been operating efficiently, effectively and
economically.
The final management assurance report will include the following information:
• assessment results for control objectives and control activities operated by QSS
• DSITI Internal Audit issues identified and a status update on management actions
• assurance outcomes provided by QSS third party providers.
It is important to mention that the management assurance report is not intended to diminish the
customer’s responsibility and accountability for designing, implementing and reporting on the
adequacy and effectiveness of its own risk management and internal control system.
4.3.3 Post balance date assurance
By mid-August each year QSS provides each customer agency’s accountable officer with a
separate post balance date assurance letter prior to certification of their financial statements.
This assurance letter states whether or not there have been any significant internal control
changes or financial events within QSS since the balance date that may have a material effect on
the financial management of the customer agency. Where applicable, the impact of any change or
event is identified and quantified in the letter.
4.4 Continuous improvement
The CARM unit facilitates the continuous improvement of implementing the MAF through working
with management in the following activities:
• review and update the QSS risk register
• review and update internal control objectives to reflect relevant legislative changes, other
external drivers and QSS risks
• review and update control activities and control self-assessments to reflect control
environment changes, new initiatives within QSS and audit issues raised by DSITI Internal
Audit and the external auditor
• continuously improve the control self-assessment methodologies and techniques to ensure
efficient and effective assurance processes.
4.5 CARM solution
The CARM solution is a web based system implemented and utilised by QSS to simplify the control
self-assessment process and related MAF testing and reporting. The CARM solution is used to:
• assess control activities, develop improvement plans and review, consolidate and analyse
results on a real time basis
• improve efficiency and timeliness of the process
• support the quality assurance process
• improve reporting mechanisms and enable effective compliance reporting
• facilitate business improvements
• enable assessment of non-financial systems (e.g. human resources, information
technology)
• store data in a central electronic repository, resulting in easy access to information and a
considerable improvement to the efficiency and effectiveness of the appraisal process.
The CARM unit provides the system support, maintenance and helpdesk function to all users.
5 Responsibilities
The below table describes the responsibility of each stakeholder to ensure the effectiveness of
MAF implementation.
Role: Director-General, DSITI
Responsibilities:
• Approve the MAF
• Endorse and sign the management assurance reports and post balance date assurance letters
issued to customers' accountable officers
• Require the Assistant Director-General, Queensland Shared Services (QSS) to establish and
maintain the MAF
• Require QSS to regularly review the framework and its associated system of reporting on
internal control objectives and internal control activities.

Role: Assistant Director-General, QSS
Responsibilities:
• Own the control environment, encompassing the responsibility for establishing, endorsing and
reviewing the MAF and the associated internal control environment and internal control objectives
• Review and certify the management assurance reports and post balance date assurance letters
following acceptance by the executive directors
• Provide leadership to the QSS Executive Management Group (EMG), which shapes and endorses
the values, principles and operating policies that form the basis of the framework of internal
controls.

Role: Executive Directors and Directors
Responsibilities:
• Ensure that the framework is incorporated within their area of responsibility
• Ensure that internal controls and other policies and procedures aimed at ensuring QSS meets its
internal control objectives are established and maintained
• Develop processes that identify, monitor and review operational risks, and develop strategies
that mitigate identified risks
• Be cognisant of audit recommendations and, where weaknesses are identified, take appropriate
and timely action to strengthen control and compliance procedures
• Actively support the annual program of work provided by internal and external audit
• Implement appropriate responses to issues raised by internal and external audit
• Review the adequacy and effectiveness of control self-assessments and refine where necessary
• Review and complete the control self-assessments
• Oversee all aspects of QSS internal control activities within their area of responsibility and
ensure that managers apply a range of tools, structures, forums and strategies to adhere to the
MAF.

Role: Internal Audit
Responsibilities:
• DSITI Internal Audit has a direct reporting relationship to the Director-General, DSITI and the
DSITI Audit Committee
• In accordance with the approved DSITI internal audit annual audit plan, Internal Audit sets out
the audits intended to be carried out, which include coverage within QSS. The audit findings and
recommendations arising from such audit activity are formally reported to departmental
management for consideration and corrective action
• Monitor and report on the implementation of agreed audit recommendations
• Provide independent audit advice as an observer to QSS EMG.

Role: External audit (Queensland Audit Office)
Responsibilities:
• Support the role of the Auditor-General in providing Parliament with an independent assessment
of the financial management-related activities of public sector entities
• Undertake independent ASAE 3402 controls assurance reviews of QSS in accordance with its
program of work
• Report on audit issues and recommendations requiring further consideration or attention to
QSS EMG
• Provide external audit assurance to the Director-General, DSITI.

Role: QSS Executive Management Group
Responsibilities:
• Ensure formal decision-making, monitoring and review structures or forums are established
within QSS
• Ensure structures or forums are transparent and subject to scrutiny
• Ensure structures or forums communicate effectively with stakeholders as appropriate
• Ensure reviews are undertaken around QSS operational performance and management of risk in
the context of QSS internal control objectives.

Role: Corporate Assurance and Risk Management (CARM) unit
Responsibilities:
• Be accountable to the Assistant Director-General, QSS and focus on the quality of internal
controls that support the delivery of services. This includes the effectiveness of and
conformance with the MAF, risk management, compliance and audit issues management
• Implement and manage a risk-based control self-assessment program
• Independently review the control self-assessment results and follow up non-compliant control
activities
• Prepare statements of assurance including results from internal and external audit reviews
• Actively support the annual program of work provided by internal and external audit
• Facilitate appropriate responses to issues raised by internal and external audit
• Complete an annual review of the MAF to ensure its currency
• Review and update internal control objectives as required
• Regularly review and update internal control activities and control self-assessments to reflect
internal control environment changes.

Role: Customers of QSS
Responsibilities:
• Ensure the accuracy, completeness and authorisation of its financial data and that legislative
requirements have been met. Customers rely on QSS to ensure that the relevant control
mechanisms continue to function as intended to the extent that QSS has control over those
mechanisms
• Ensure that it has a complementary set of internal controls in relation to its responsibilities in
the end-to-end processes for services provided by QSS
• Provide complete, accurate and timely documentation and instructions to QSS
• Provide correct agency authorisations or approvals based on customer delegations
• Ensure that specific delegations and authorisations provided to QSS to approve expenditure on
behalf of the customer are appropriate for the operations of the agency and are in accordance
with the FAA and the Public Service Act 2008
• Monitor delegations and authorisations exercised on behalf of the agency by QSS
• Ensure the accuracy, completeness and integrity of the agency's financial statements and that
financial statement reporting requirements have been met; these specific responsibilities cannot
be delegated to QSS
• Own and operate information systems, or utilise system applications, which QSS maintains and
accesses to provide agreed services to the customer
• Maintain an effective system of internal controls to support the confidentiality, integrity and
accuracy of information systems that it owns and operates and system applications that it
utilises
• Grant and approve user access to its systems for its own staff and customers
• Satisfy themselves that the access sought to its information is appropriate and reviewed on a
regular basis
• View the control and security environment at QSS as an integral part of its own internal control
structure in relation to its information systems and data.
6 Endorsement and approval
This framework has been endorsed by:
Name: Irene Violet
Position: A/Assistant Director-General, Queensland Shared Services
Signature: Endorsed and signed
Date: 07/08/2015

This framework has been approved by:
Name: Jamie Merrick
Position: A/Director-General, Department of Science, Information Technology and Innovation
Signature: Approved and signed
Date: 11/08/2015
Appendix A: Contacts
Corporate Assurance and Risk Management
Queensland Shared Services
Department of Science, Information Technology and Innovation
Level 5, 160 Mary Street
Brisbane Qld 4000
Telephone: 07 3179 1264
Email: carm@dsiti.qld.gov.au
Appendix B: References
• Financial Accountability Act 2009
• Financial and Performance Management Standard 2009
• Financial Accountability Regulation 2009
• Financial Accountability Handbook, Queensland Treasury
• Public Service Act 2008
• Internal Control – Integrated Framework, Guidance on Monitoring Internal Control Systems,
Volume 2: Application, Committee of Sponsoring Organizations of the Treadway Commission
(COSO), May 2013
• Australian Auditing Standards
• Australian Accounting Standards
Appendix C: Definitions

Accountable officer: Chief Executive Officer with responsibility for management of the department
or agency as defined under the FAA.

Customers: A customer is a Queensland Government department or other body to which QSS
provides a range of corporate services under a SLA.

Committee of Sponsoring Organisations (COSO): The COSO of the Treadway Commission is an
internationally recognised voluntary private sector organisation that has established a common
internal control model against which organisations may assess their control systems.

Control environment: The control environment includes the governance and management functions
concerning the customer's internal control and its importance in the agency. It sets the tone of an
organisation, influencing the control consciousness of its employees, and is the foundation for
effective internal control, providing discipline and structure. Reference: ASA 315, Understanding
the Entity and its Environment and Assessing the Risks of Material Misstatement, para 80.
Australian Auditing and Assurance Standards Board, October 2009.

DSITI Audit and Risk Management Committee: This committee acts as an advisory body to the
Director-General, DSITI to assist in the effective discharge of the responsibilities in the FAA and
FPMS and other relevant legislation and prescribed requirements. The committee is chaired by the
Director-General, DSITI.

Financial Accountability Act 2009 (FAA): The FAA is legislation enacted by the State of Queensland
to provide for accountability in the administration of the State's finances and financial
administration of departments and statutory bodies.

Financial and Performance Management Standard 2009 (FPMS): The FPMS is subordinate legislation
made under the FAA. It provides a framework for an accountable officer to develop and implement
systems, practices and controls for efficient, effective and economic financial and performance
management of the department or statutory body.

Governance: Section 7 of the FPMS states that governance is the way the department or statutory
body manages the performance of its functions and operations. Governance is generally accepted to
encompass management's behaviour and accountability for the way it directs an agency's
operations. It may also relate to the agency's structure, responsibilities, competencies, reporting
and risk management processes.

Information systems: As defined by the FPMS, information systems mean the methods, mechanisms
and records established within the department or statutory body to identify, assemble, analyse,
classify, record and report transactions and other events affecting the department or statutory
body. Within QSS this may include tools categorised as business application systems.

Internal control objective: The specific target used to determine whether an internal control is
operating effectively, efficiently and economically is called the internal control objective.

Management assurance framework (MAF): A description of the QSS internal control environment,
internal control objectives and internal control activities established to provide reasonable
assurance that QSS is managing its business operations efficiently, effectively and economically.

Material/materiality: In the context of the MAF, the concept of materiality relates to the internal
controls and the systems being reported on, not the financial reports/statements of the customer
agency. The MAF is used to assess whether the internal controls at QSS are suitably designed and
are operating effectively, efficiently and economically in all material respects in delivering SLA
services to customer agencies. Such assessment includes those financial controls which are relevant
to the financial reporting of customer agencies.

CARM solution: The CARM solution is a web based system implemented by the CARM unit to
simplify and automate the process of completing and reporting on the MAF control
self-assessments.

QSS Executive Management Group (QSS EMG): The QSS EMG is the primary governance body of QSS
in providing leadership and stewardship for directing and controlling the business of QSS. It is
chaired by the Assistant Director-General, QSS.

Queensland Audit Office (QAO): The QAO supports the role of the Auditor-General in providing
Parliament with an independent assessment of the financial management-related activities of
public sector entities. It provides independent audit services and reports to Parliament to enhance
public sector accountability.

Reasonable assurance: A general acknowledgement that it is not possible to certify absolutely and
certainly that an event will or will not occur, due to the limitations inherent in all internal control
systems. In the context of the management assurance report, it therefore refers to the degree of
satisfaction that the evidence obtained from monitoring activities undertaken by QSS supports the
certifications made.

Service Agreement (SA): A formal agreement between QSS and a customer agency for the provision
of services. The SA includes details of all services provided by QSS, including a description of each
service, QSS responsibilities, customer agency responsibilities and QSS performance measures.

Services: Functions and activities that QSS can provide to customers on a fee-for-service basis
and which are described in the SA.
Appendix D: Internal control assurance model

Appendix E: DSITI assurance framework

Appendix F: MAF process map