Internal control framework

Financial Management Compliance Framework
Internal control principles
Supplementary material to be used as guidance only
Definition of internal control
The Financial Management Compliance Framework (FMCF)
requires that agencies establish and maintain an effective
approach for the identification, assessment monitoring and
management of financial management risks.
Internal control is broadly defined as a process, affected by
the Responsible Body, management and other personnel
designed to provide reasonable assurance regarding the
achievement of objectives with the following areas of the
Financial Management Compliance Framework:
An internal control system should address the risks associated
with the financial management of the agency and clearly
articulate expectations and internal accountabilities for
management of these risks.
This supplementary material provides guidance in relation to
internal control principles and outlines an internal control
framework that is based on the requirements of the FMCF.
The internal control framework is designed to assist agencies
identify existing controls within across business functions
e.g. operations, management
identify areas that require additonal and/or strengthed
controls so that they can be enhanced and developed
check the status of the framework for internal controls
implemented across the organisation and provide a guide
for discussion and thought.
The model presented was developed using the COSO internal
control – integrated framework principles which are
considered to be the international standard for internal
This supplementary material includes the following
Definition of internal control
Reasonable assurance
Internal control framework
Principles of internal control
Components of internal control
Model of internal control framework
financial management governance and oversight;
financial management structure, systems, policies and
procedures; and
financial management reporting.
The definition reflects certain fundamental concepts:
Internal Control is a process. It’s a means to an end, not
the end itself.
Internal Control is affected by stakeholders. It’s not merely
policy manual and forms, but it is a process that involves
stakeholders at every level of the agency.
Internal Control can be expected to provide only
reasonable assurance, not absolute assurance, to an
agency’s management and Responsible Body.
Internal Control is geared to the achievement of objectives
in one or more separate but overlapping categories.
Definition of the elements within internal
Business processes are managed through the basic
management processes of planning, executing and
Internal Control is a part of business processes and is
integrated with them
Internal Control enables them to function and monitor
their conduct and continued relevance
Internal Control is a tool used by management, not a
substitute for management
Internal Controls are most effective when they are built
into an agency’s infrastructure and are part of the essence
of the agency
Internal Controls should be ‘built in’ rather than ‘built on’
Financial management governance and oversight
Internal Control is effected by various Stakeholders,
including the Responsible Body, Management and staff
Governing the processes by which an agency is directed,
controlled and held to account.
These Stakeholders must know their responsibilities and
limits of authority
Financial management structure, systems, policies and
A clear and close linkage needs to exist between
stakeholders’ duties and they way in which they are
carried out, as well as with the agency’s objectives
The Directions set standards for all agencies to achieve sound
systems of internal control.
Financial management reporting
Reasonable assurance
Internal Control, no matter how well designed and
operated, can provide only reasonable assurance to
management and the Responsible Body, regarding
achievement of an agency’s objectives
The likelihood of achievement is affected by limitations
inherent in all control systems, the use of testing, the need
for judgement and the fact that much of the evidence
available is persuasive rather than conclusive in nature
Financial management reporting is consistent with applicable
statutory and other government/portfolio reporting
Components of internal control
The internal control framework model identifies six
components of internal control that need to be in place and
integrated to ensure the achievement of the three key
Internal control framework
Compliance activities ensure consistent standards of
accountability and management practices across all
stakeholder groups.
The internal control system can be expected to provide
reasonable assurance of achieving the objective of sound
financial management within agencies
The achievement of sound financial management practices is
based on the Standing Directions for the Minister for Finance
under the Financial Management Act 1994 (‘Directions’)
An assessment of a control’s performance over time and will
be a combination of ongoing and separate evaluation.
Monitoring is included in supervisory and management’s
The Directions support the Financial Management Act by
specifying matters that must be complied with by agencies to:
Information and communication
implement and maintain appropriate financial
management practices; and
achieve a consistent standard of accountability and
financial reporting.
The flow of information allows for successful control actions,
from instructions on responsibilities to the summary of
findings arising from monitoring activities for management
action. Information must be identified, captured and
communicated in a timely manner.
Principles of internal control
Control activities
The objective of achieving leading edge financial management
practices is based upon the three key components of sound
financial management which form the basis of the Financial
Management Compliance Framework:
The policies and procedures that ensure management
directives are carried out. This can be through a range of
activities including approvals, authorisations, verifications and
recommendations, performance reviews and segregation of
Risk assessment
The identification and analysis of relevant risks to achieving
the agency’s objectives form the basis for determining control
Control environment
Environment sets the tone of the organisation and influences
the control consciousness of its people. Factors include
integrity, ethical values, competence, authority and
responsibility. The Control Environment is the foundation for
all other components of control.
Internal control framework model
The model below illustrates the integration of Principles, Components and Stakeholders (people) within an internal control framework.
 Financial Management Act 1994
 Financial Management Regulations 2004
 Audit (Public Bodies) Regulations 2005
 Standing Directions of the Minister for
 Financial Reporting Directions
 Agency’s applicable Act
 Legal Compliance Requirements
Information and Communication
 Information Technology systems
 External reporting requirements
 Internal reporting requirements
systems, policies
and procedures
governance and
Information and communication
Control activities
Stakeholder groups
Responsible Body,
Secretary, CEO, Ministers
including Minister for
Finance, portfolios
 Internal Audit Assurance
 Specialist Assurance Reviews
 On-going monitoring – Board, CEO, Senior
Executive Groups
 Self-Assessment
Control Activities
 Education and training
 Financial management structure
 Preparation for audit / external audit
 Self-Assessment
 Business Continuity
 Outsourcing
Risk assessment
Control environment
Risk assessment
 Financial Risk Management
 See also FMCF supplementary material:
Direction 2.3
Control Environment
 Financial Code of Practice
 Financial governance policy
 Delegations of Authority
 Board and Audit Committee
 Victorian Public Service Code of Conduct