Financial Management Compliance Framework Internal control principles Supplementary material to be used as guidance only Introduction Definition of internal control The Financial Management Compliance Framework (FMCF) requires that agencies establish and maintain an effective approach for the identification, assessment monitoring and management of financial management risks. Internal control is broadly defined as a process, affected by the Responsible Body, management and other personnel designed to provide reasonable assurance regarding the achievement of objectives with the following areas of the Financial Management Compliance Framework: An internal control system should address the risks associated with the financial management of the agency and clearly articulate expectations and internal accountabilities for management of these risks. This supplementary material provides guidance in relation to internal control principles and outlines an internal control framework that is based on the requirements of the FMCF. The internal control framework is designed to assist agencies to: identify existing controls within across business functions e.g. operations, management identify areas that require additonal and/or strengthed controls so that they can be enhanced and developed check the status of the framework for internal controls implemented across the organisation and provide a guide for discussion and thought. The model presented was developed using the COSO internal control – integrated framework principles which are considered to be the international standard for internal control. This supplementary material includes the following information: Definition of internal control – Process – People – Reasonable assurance Internal control framework – Objectives – Principles of internal control – Components of internal control – Model of internal control framework financial management governance and oversight; financial management structure, systems, policies and procedures; and financial management reporting. The definition reflects certain fundamental concepts: Internal Control is a process. It’s a means to an end, not the end itself. Internal Control is affected by stakeholders. It’s not merely policy manual and forms, but it is a process that involves stakeholders at every level of the agency. Internal Control can be expected to provide only reasonable assurance, not absolute assurance, to an agency’s management and Responsible Body. Internal Control is geared to the achievement of objectives in one or more separate but overlapping categories. Definition of the elements within internal controls Process Business processes are managed through the basic management processes of planning, executing and monitoring Internal Control is a part of business processes and is integrated with them Internal Control enables them to function and monitor their conduct and continued relevance Internal Control is a tool used by management, not a substitute for management Internal Controls are most effective when they are built into an agency’s infrastructure and are part of the essence of the agency Internal Controls should be ‘built in’ rather than ‘built on’ People Financial management governance and oversight Internal Control is effected by various Stakeholders, including the Responsible Body, Management and staff Governing the processes by which an agency is directed, controlled and held to account. These Stakeholders must know their responsibilities and limits of authority Financial management structure, systems, policies and procedures: A clear and close linkage needs to exist between stakeholders’ duties and they way in which they are carried out, as well as with the agency’s objectives The Directions set standards for all agencies to achieve sound systems of internal control. Financial management reporting Reasonable assurance Internal Control, no matter how well designed and operated, can provide only reasonable assurance to management and the Responsible Body, regarding achievement of an agency’s objectives The likelihood of achievement is affected by limitations inherent in all control systems, the use of testing, the need for judgement and the fact that much of the evidence available is persuasive rather than conclusive in nature Financial management reporting is consistent with applicable statutory and other government/portfolio reporting obligations. Components of internal control The internal control framework model identifies six components of internal control that need to be in place and integrated to ensure the achievement of the three key principles: Internal control framework Compliance Objectives Compliance activities ensure consistent standards of accountability and management practices across all stakeholder groups. The internal control system can be expected to provide reasonable assurance of achieving the objective of sound financial management within agencies Monitoring The achievement of sound financial management practices is based on the Standing Directions for the Minister for Finance under the Financial Management Act 1994 (‘Directions’) An assessment of a control’s performance over time and will be a combination of ongoing and separate evaluation. Monitoring is included in supervisory and management’s activities. The Directions support the Financial Management Act by specifying matters that must be complied with by agencies to: Information and communication implement and maintain appropriate financial management practices; and achieve a consistent standard of accountability and financial reporting. The flow of information allows for successful control actions, from instructions on responsibilities to the summary of findings arising from monitoring activities for management action. Information must be identified, captured and communicated in a timely manner. Principles of internal control Control activities The objective of achieving leading edge financial management practices is based upon the three key components of sound financial management which form the basis of the Financial Management Compliance Framework: The policies and procedures that ensure management directives are carried out. This can be through a range of activities including approvals, authorisations, verifications and recommendations, performance reviews and segregation of duties. Risk assessment The identification and analysis of relevant risks to achieving the agency’s objectives form the basis for determining control activities. Control environment Environment sets the tone of the organisation and influences the control consciousness of its people. Factors include integrity, ethical values, competence, authority and responsibility. The Control Environment is the foundation for all other components of control. Internal control framework model The model below illustrates the integration of Principles, Components and Stakeholders (people) within an internal control framework. Compliance Financial Management Act 1994 Financial Management Regulations 2004 Audit (Public Bodies) Regulations 2005 Standing Directions of the Minister for Finance Financial Reporting Directions Agency’s applicable Act Legal Compliance Requirements Information and Communication Information Technology systems External reporting requirements Internal reporting requirements Financial management, structure, systems, policies and procedures Financial management, governance and oversight Compliance Monitoring Information and communication Control activities Financial reporting Stakeholder groups Responsible Body, Secretary, CEO, Ministers including Minister for Finance, portfolios Monitoring Internal Audit Assurance Specialist Assurance Reviews On-going monitoring – Board, CEO, Senior Executive Groups Self-Assessment Control Activities Education and training Financial management structure Preparation for audit / external audit requirements Self-Assessment Business Continuity Outsourcing Risk assessment Control environment Risk assessment Financial Risk Management See also FMCF supplementary material: Direction 2.3 Control Environment Financial Code of Practice Financial governance policy Delegations of Authority Board and Audit Committee Victorian Public Service Code of Conduct