Countries aiming to introduce PFM/IC, as well as other public financial management reforms, are usually encouraged to adopt internationally recognised standards as best practice. However little or no thought is often given to the context in which such standards are to be applied. These international standards, and especially those relating to PFM/IC, reflect several assumptions about the organisations which are to adopt them. For PFM/IC those assumptions are about the application of the standards to a managerial-based organisation. Where the current context is that of traditional administrative-based government organisations, these standards cannot be applied without managerial reform. And this reform ought to come first. (The experience of this author is that those assumptions are not generally recognised by those seeking to apply them in developing and transition economies nor recognised by those advising them.)

Therefore, as has been pointed out earlier in this guide, trying to apply such standards may not be appropriate for a particular country at the time the PFM/IC reform is proposed to be implemented. In adopting a managerial approach various factors need to be considered. These include local cultural traditions, the relationships between political and appointed officials, the organisation and quality of the civil service, the existing management arrangements (or lack of them), the authority that individual managers have with the current arrangements over operational activity, the experience and training of managers to enable them to apply the standards in a managerial context, the quality of the existing budgetary arrangements and the strength of the existing financial control arrangements. In Chap. 3 a distinction was drawn between PFA/IC and PFM/IC and this distinction illustrates when adopting international standards may not be appropriate.

This chapter accepts that it would be appropriate to adopt PFM/IC international standards, that is, the standards published by the Committee of Sponsoring Organizations of the Treadway Commission (‘COSO’).Footnote 1 There are five standards and these cover the control environment, risk management, control activities, information and communication and monitoring, although updating has resulted in some modifications to them.

These five standards of internal control exist to secure the achievement of the objectives of the organisation and to do so within the legal constraints and regulatory requirements, efficiently and effectively and with proper regard for accountability. They therefore have a clear purpose and are not simply bureaucratic requirements associated with the development of internal control. They are integral to management. They are not ‘stand-alone’. This is an appreciation that those responsible for the application of PFM/IC should achieve. The five standards are about managers having the authority and the information they require to make those judgements necessary to enable them to achieve their objectives. This would include meeting any regulatory requirements, including legal, financial and budgetary limitations, in the most efficient and effective manner. They provide an important improved procedural approach to the management of public organisations. However, most countries implementing PFM/IC have treated these standards simply as bureaucratic ‘stand-alone’ requirements, rather than being integral to the managerial process. They have therefore focussed their implementation upon the bureaucracy of the procedures to be adopted, rather than upon the effectiveness of management, that is, the manager as decision maker. (In most developing and transition economy countries a ‘nominal’ responsibility has been placed upon the political head of the organisation, the minister or mayor, to ensure that these standards are implemented. This cannot be a ‘substantive’ responsibility without other changes being made. The necessary changes have been described earlier in this guide. Given the wide range of responsibilities that fall in practice upon a minister or mayor, an expectation that they will exercise anything other than a ‘nominal’ responsibility is misplaced. In other words, countries have not taken account of the managerial context in which COSO is meant to apply and therefore of the assumptions that lie behind the COSO initiative.)

Each of the five standards of COSO as they were originally specified is discussed in this chapter. They may be more appropriately described as ‘managerial disciplines’. (Other examples of these standards exist such as the ISO 31000 standard which applies to risk management but again the responsibility is focussed upon the management.)

The COSO standards are normally treated as applying only to public organisations concerned with public expenditure, but they should apply equally (albeit with some adaptation) to those organisations concerned with the generation of income.

They are about ‘good quality’ management!

11.1 The Implicit Assumptions Contained Within the International Standards of Best Practice (COSO)

COSO is about how large international private companies should be managed and describes five standards of internal control that should be applied.

Internal control has been defined by COSO “as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide ‘reasonable assurance’ regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations

  • Reliability of financial reporting

  • Compliance with applicable laws and regulations.”

These standards, of which there are five, that is, the control environment, risk management, control activities, information and communication and monitoring, reflect the requirements of the private sector. The standards are periodically updated, with the latest comprehensive update being in 2017.Footnote 2 COSO has also published guidance on specific features of enterprise risk management, such as cloud computing and artificial intelligence.

The public sector provides services which are not subject to a market test and it also has the responsibility to levy and collect compulsory taxes. Citizens of a country cannot escape from this compulsory levy except by legislative permission: there is no option available, as there would be in the private sector by not utilising a public service. Effective management of public expenditure and taxation policies is essential. These standards, which have been described previously as ‘managerial disciplines’ should be adapted to apply to organisations responsible for the development and management of both expenditure and tax policies.

In the public sector a critical feature of public financial management is the existence of the budget and that budget will have legislative approval. Governments and local governments are also required to ensure that public services are delivered consistently and evenly to those members of society that they are expected to serve. Reliability and sustainability ought also to be characteristics in the management of the delivery of public services, and governments generally (subject to political policy change) should be assumed to have a continuing existence. They are not subject to the vagaries of the marketplace.

In applying these standards to public organisations, a ministry of finance, the state secretary for that ministry and the head of the department responsible for the application of PFM/IC (the ‘driver’ department) should recognise that they contain implicit assumptions about the organisations to which they are being applied. Therefore, a simple ‘read across’ from the private to the public sector can be misleading. Unless public organisations recognise the significance of these assumptions, applying these standards will not achieve the objective of introducing effective internal control.

“Learning another language is not only about learning different words for the same things but learning another way to think about things” (Anon). This applies to these standards. The assumptions contained in the COSO model are about the management and objectives of organisations. The standards will only help top and senior management if those assumptions are replicated in the management and objectives of a public sector organisation. To regard these five standards as ‘stand-alone’ features which, if adopted, will deliver effective PFM/IC is mistaken. The key assumptions lying behind these five standards are that:

  • There is a process for setting objectives and performance standards and ensuring that externally set regulatory requirements are met which are consistent with budgetary availability.

  • A professional operational management and supporting staff exists, and if not, either staff will be replaced or added to as necessary.

  • An effective operational managerial structure has been established or can be established designed to deliver the objectives and performance standards of the organisation including meeting externally set regulatory requirements and that would include appropriate personnel management arrangements.

  • The objectives and performance standards exist in a form that operational managers can be held to account for any failure to deliver them.

  • Operational managers have the delegated authority to undertake their responsibilities and are accountable for their performance.

  • Financial information is available which allows operational managers to make decisions both about the volume of activity and the most efficient and effective way of delivering their objectives.

  • Performance information is available which enables an operational manager to make judgements about achieving the expected level of operational performance, including externally set regulatory requirements against the available financial resources.

  • Constant regard is had by all managers to the level of efficiency and effectiveness, that includes the impact upon the user/customer of the outputs of the organisation.

  • Financial and performance reports are available which enable not only internal management at all levels but also external stakeholders (which for public sector organisations would include parliament or the local government council, external regulators and civil society) to make judgements about the performance of the organisation.

  • Financial management is integral to the management of the organisation and a feature of that is that the organisation is managed in a manner which is financially stable. Without that, reliability in service delivery cannot be achieved.

These assumptions, implicit in the COSO standards (which, as has been indicated, might be better described as managerial disciplines), demonstrate very emphatically that introducing PFM/IC is as much a management reform as a financial reform. As a management reform the requirements of PFM/IC need to sit within a managerially focussed organisation. Consequently, the COSO standards will not produce the potential benefits unless the public sector organisation has moved from a traditional administrative style (usually a firmly ‘top-down’ style) to a managerial style of organisational arrangements. This does mean that if these standards are to be effectively applied a competent, managerially oriented civil service (or local government) organisation needs to exist. Managers then need information about objectives, performance and finance to enable them to meet their responsibilities. Countries should not assume therefore that a simple bureaucratic implementation of these standards can be achieved without ensuring that a public organisation exists which has a managerial capability. Civil servants (and local government officials) need to be trained managers and therefore be prepared to take decisions.

Treating these standards as managerial disciplines designed to help managers achieve their objectives efficiently and effectively and to improve accountability demonstrates that civil and local government service and other reforms, such as budgetary and accounting reforms, may be necessary prior to the introduction of these standards. The standards are not ‘ends in themselves’. The COSO executive summary points out the five standards are integratedFootnote 3 and therefore their impact should be considered as a whole. The COSO standards are about improving the quality or, to put it another way, the professionalisation of management.

In developing and transition economies aiming to apply the COSO standards, none of the assumptions summarised above is recognised. The usual practice, in the experience of this author, is to treat the COSO standards as only about financial and budgetary control, not management. This seems to be because the personnel involved in the reform process are usually only concerned with such issues and often start from an internal audit perspective. As this is a wrong approach, the minister of finance, that ministry’s state secretary and the head of the ‘driver’ department should ensure that in applying these standards there is a recognition of the assumptions implicit in these standards and that the managerial context is reflected in the reform processes. This means, as has been explained previously in this guide, that:

  • Clarity exists over the different roles of the political level of management and that of the civil or local government service officials.

  • An appropriate operational management structure exists.

  • Objectives exist which have been set by the political level of management but only following consultation with operational management and those objectives should recognise the need to meet externally set obligations and should be consistent with available budgets.

  • Performance standards and objectives exist which again should be consistent with available budgets.

  • Operational managers have the necessary delegated authority to make decisions and to expend resources coupled with an accountability process to senior civil service management and ultimately from it to the political level of management.

  • Appropriate skilled staff are available.

  • The performance information a manager requires is available.

  • Constant regard is had to the effectiveness of operations and to user/customer reactions and attitudes.

  • The financial information a manager needs to deliver objectives efficiently and effectively is available, which means the development of cost and management accounting and that the relevant reports are available to managers at all levels in a form that the manager needs.

  • Financial and performance information is also available to external stakeholders, not least the parliament, who are then able to exercise influence over the operations of the organisation, that is, transparency and external accountability.

These are the characteristic features of a managed organisation: they are not those of a traditionally administered organisation.

The fact that COSO was primarily aimed at commercial companies makes no difference in principle to its use for non-market organisations, merely that it requires an appreciation of the differences between the private and public sector contexts and consequently an appropriate adaptation. (Management in the public sector, as has been pointed out earlier, for many services is much more complex with more confusing signals than in the private sector.)

The effectiveness of the application of these standards depends upon the quality of management, both political and operational. What is important is clarity about the policy, objectives and performance standards and objectives set by the political level of management including the strategy for delivering them. Clarity is also required about how a ministry or local government or other public organisation is managed, both operationally and financially, to secure the efficient and effective delivery of those objectives and performance standards. The introduction of these international internal control standards ought to be a signal that a managerial/performance culture is being established. Therefore, as has been explained earlier in this guide, accompanying the application of these standards a parallel managerial reform process should occur, and if this does not occur, then these standards will not be properly applied.

Previously in this guide, the person responsible for the application of PFM/IC within an organisation was identified as the chief civil service (or local government) official such as a state secretary within an organisation. That official should ensure that introducing these standards results in an organisation capable of delivering its objectives and performance standards and objectives, efficiently and effectively and within any legal, financial or other constraints and that due regard is had to the interests of the users of the service or activity. Merely introducing the bureaucracy associated with the application of the international standards will not, of itself, demonstrate that PFM/IC has been applied and that the ministry or local government is well managed. To assume otherwise is simply incorrect.

In many countries a responsibility is placed upon the political head of the organisation, the minister or mayor, to ensure that these standards are implemented. This cannot mean that this official must make all implementation decisions. The substantive implementation responsibility should fall upon the head of operational management, that is, the most senior civil service or local government official with that official being accountable to the political head for the effective application of the standards.

11.2 Appreciating the Impact of COSO

11.2.1 The Standards of COSO

Countries which have implemented PFM/IC following the COSO standards have tended to address four of these standards, ‘the control environment’, ‘control activities’, ‘information and communication’ and ‘monitoring activities’, in general terms only. They have merely required the responsible official to pay attention to them, with the evidence of their application being the additional bureaucratic procedures that have been introduced. However, as has been pointed out, evidence of the existence of the bureaucratic procedures is not the same as the substantive application of those procedures. In most countries little specific indication is provided of what managerial and operational changes have resulted from their application.

The exception to this is the standard relating to risk management. A great deal of attention has been paid to risk management, but much of the emphasis has been upon risks to financial control systems such as risks of losses through error, fraud or other misuse of resources rather than to the risks of not achieving objectives and performance standards, of not providing a consistently reliable service or of not meeting externally set regulatory requirements. With risk management the bureaucratic procedures are easy to specify and their existence can be easily checked. However, this does not mean that risk management is being effectively deployed by managers. Risk management has been regarded as perhaps the most important element and much energy has been devoted to providing advice and training programmes. Unfortunately, much of this is misguided. The officials being trained have largely been finance officials and internal auditors and this may be appropriate if risk were confined to financial control matters (i.e., not to broader financial management matters). But it is not so confined! COSO is fundamentally about those risks which will prevent managers (at all levels) achieving their objectives and performance standards and objectives, including any externally set standards, and doing so efficiently and effectively. This goes well beyond audit and accounting. Therefore, a priority before risk management is introduced is the existence of objectives and performance standards and objectives, and of a management structure with managers having an active concern to utilise risk management as a way of ensuring that their objectives and performance standards and objectives can be achieved. 
For effective management an information and communications process should also exist that provides the information that managers need and which facilitates the establishment of a ‘corporate’ approach to the management of the organisation so that in making decisions managers have regard not only to their individual objectives but to the broader objectives of the whole organisation. (A ‘corporate approach’ is ‘an approach to managing people that supports an organisation’s long-term goals with an overall planned and coherent framework. This helps ensure that the various aspects of people management work together to develop the behaviours and performance needed to create and distribute value. It focuses on longer term people issues, matching resources to future needs and large-scale concerns about structure, quality, culture, values and commitment’.Footnote 4)

The officials who should be trained in risk management should be the operational managers because risk management should be their responsibility. They will not be interested simply in financial systems risks unless they have a material impact upon their part of the organisation, upon its reputation and its ability to achieve its objectives. They will need to consider all risks, of whatever type, affecting their ability to deliver their objectives and performance standards. Some risks will also be of interest to the political level of management, such as a failure to meet political objectives or reputational risk (and reputational risk often can be adversely affected by a failure to meet externally set regulatory requirements) and the responsibility of a state secretary or equivalent is to ensure that information about such risks is available to that level of management.

The development of risk management has been regarded as a priority activity in introducing COSO but this is not how it should be. Other standards of the COSO framework, apart from monitoring, should come first. Again, this illustrates how risk management has been regarded as a ‘stand-alone’ activity rather than being integral to the managerial processes.

As with other international standards, the COSO standards are regularly updated and the head of the department responsible for the application of PFM/IC should familiarise him/herself with those and be aware of updates. In doing so the head should recognise that the updates tend to be written in the language of business enterprise and therefore need adapting to the operational environment of the public sector.

11.2.2 COSO and Management

As COSO is about management, the emphasis in introducing PFM/IC should be on a management structure with managers appointed and their responsibilities defined. Those managers, at all levels, need objectives and standards to work to, including performance objectives and standards. Those objectives and standards should be derived from the objectives for the organisation as a whole, which should be set by the political level and then cascaded down the organisation by the senior operational management. The performance standards should be, in general, related to user needs and any externally set regulatory requirements.

This is what is required before any of the standards of the COSO internal control framework can be made effective. Unfortunately, in most countries, none of this occurs. The experience of this author in the application of PFM/IC in most countries shows that the focus of application has been upon whether the bureaucratic procedures associated with the five COSO standards have been applied. Assessments of reform performance have been based around assessments of the extent to which the bureaucracy associated with these five standards has been introduced. They have not been regarded as managerial disciplines. This is a mistake and a mistake encouraged very often by aid organisations because the existence of the bureaucracy provides evidence of apparent action by the recipient country. Unless these five standards are linked to managerial reform, with the development of a managerial structure, the appointment of managers, the setting of objectives, the development of information and financial systems with the accompanying accountability arrangements, these standards will have little or no practical effect upon the achievement of the objectives of the organisation efficiently and effectively.

Another issue that should be addressed is how that management is to be made effective, with effectiveness being defined for this purpose as delivering the objectives and performance standards set for them to time, to standard, within budget, efficiently and effectively. Considerable emphasis is placed upon the issue of laws, decrees, rules and regulations and checking that the content of these has been obeyed. Whilst this can be important, management cannot easily be defined in such documents. Management at the top level in organisations is about setting the strategy, leadership, coordinating staff activity, making judgements between competing objectives, taking initiatives and applying the available budgetary and other resources to ensure that objectives are delivered efficiently and effectively. This also requires a willingness to take risks because management involves making decisions and all decisions involve some element of risk. However, in most countries whether or not the requirements of these laws, decrees, rules and regulations introducing the five COSO standards have been obeyed has tended to be measured by how they have been incorporated into the internal rules of the organisation, not by the effect they have had upon the decision making processes. This is the ‘check list’ approach. What is much more important is an assessment of managerial effectiveness. In other words, what matters is the impact that these five COSO standards have had upon the performance of the management and hence of the organisation. Therefore, this is what the department responsible for implementing PFM/IC should concentrate on in assessing the quality of their application.

A particular example of the difficulties of just looking at the literal application of laws, decrees, rules and regulations is the application of the first standard, the control environment. Injunctions incorporated into laws and regulations about setting the ‘right’ control environment (very difficult to define in any event) will not work unless accompanied by a commitment from the highest levels such as the prime minister and the cabinet of ministers to the need for all public organisations to ensure that appropriate ethical values and integrity (‘tone at the top’) are expressly stated and implemented. This requirement should cover both politically appointed officials and civil servants (including local government officials). This should also be accompanied by a further requirement that each organisation is committed to ‘good governance’ (see Chap. 1). However, none of this can be fulfilled in practice unless an appropriate managerial structure exists with the assignment of authority and responsibility, including accountability arrangements for the different levels of management.

An approach to an assessment based simply upon the application of the laws, decrees, rules and regulations would in practice tell the department responsible for the application of PFM/IC very little about the real success in implementing the five standards of COSO.

11.3 The Five Standards of COSO

In this section of this chapter each of the five standards is explained. They are discussed in the order in which they should be applied not in the order incorporated into the COSO or INTOSAI publications. This changed order reflects the reality of the operational/managerial arrangements that apply before the introduction of PFM/IC. For example, and as indicated previously, risk management relating to objectives cannot be applied until objectives exist and a management structure has been established with managers appointed to deliver those objectives.

11.3.1 An Overview

The extent to which each of the standards can be applied depends upon the extent to which a managerial approach has been established. For example, the application of the control environment standard, as has been said above, depends upon the extent to which a managerial structure has been developed, including the separation of policy and strategy development from operational management, managers appointed and objectives and performance standards and objectives established with accountability arrangements defined. Those accountability arrangements should not just be the internal accountability arrangements but also external accountability, not least to parliament and civil society. Although the political top manager may nominally be responsible for setting the control environment, in practice the application of that environment depends heavily upon the approach adopted by the top operational manager, which in a ministry would be the state secretary (or equivalent). However, the behaviour and attitude of the political official(s) responsible for the ministry or other public organisation can affect how operational management is implemented and its success. The political head may also change relatively frequently compared to an appointed official and it would be totally inappropriate to expect the control environment to change with each new political head. That way would lie instability. In practice none of these five standards could be introduced completely, certainly during the early stages in the development of PFM/IC: they will evolve over time. Also, as each of the five standards overlaps with others, it is difficult, if not impossible, to disentangle the extent to which a particular standard has been applied compared with another. For example, if objectives are not being achieved, is it because of inadequacies in the risk management processes, or because of weaknesses in the provision of information or communications with another part of the organisation or with third parties, or a weakness in the controls designed to secure the delivery of the objectives, or just poor management?

Chapter 13 of this guide refers to the need for management to prepare a statement of internal control. This statement should explain how management has performed during the year in terms of meeting its objectives and performance standards. The statement should give the reader a clear understanding of the challenges facing the organisation and how those challenges have been responded to including remarks about what has gone wrong and the actions taken to make corrections. In other words, the statement should be an indicator of the quality of management. This statement would provide an important indicator of the quality of the internal control arrangements and would provide the best source of evidence.

11.3.2 The Individual Standards

11.3.2.1 The Control Environment Standard

Internal control (IC) encompasses more than financial and budgetary control and more than compliance checks. It is a set of management arrangements that enhances the efficient and effective delivery of the organisation’s objectives on time, in line with the performance standard and within the established budget. IC is based upon the COSO model. Both PIFC and IC should apply across the entire public sector and are applicable for the management and implementation of both national and EU funds.Footnote 5

The control environment determines the management attitude to the achievement of objectives, to the quality of the performance standards including externally set regulatory requirements, the operational processes, how operational managers and staff relate to each other, to the political management, to parliament and to the stakeholders in the organisation, particularly the users of its services (i.e., its clients/customers) and suppliers. It also determines attitudes to the utilisation of public resources and to developing efficiency and effectiveness. Overall, it provides the basis for internal control across an organisation. The control environment depends very much upon the personalities of the top and senior management (political and official) and the personnel policies that are applied. (See also Chap. 14 which includes a discussion on delegation and personnel policies.) In the public sector, the control environment also should have regard to the principles of ‘good governance’ (see Chap. 1) although experience shows that this is rarely considered and neither are the principles of public administration considered (see Chap. 14), including the circumstances where delegation is appropriate or not. Again, the appropriateness of the personnel policies and their relevance to the control environment are not considered. A characteristic of a control environment should be that it encourages a focus on the achievement of the objectives and performance standards and objectives of the organisation, and therefore these need to be in place first. The control environment should define the standards of conduct that are expected to be applied throughout the organisation. That includes the integrity and ethical values of the organisation, how they can be embedded in the organisation and how the organisation’s relations with third parties are to be conducted. It also requires the development of a ‘can do’ approach. The control environment is also affected by the distinction made between the responsibility for policy and strategy development and operational management. As has been explained previously, this is because successful operational management depends upon the professional capabilities of the manager. To a large extent the control environment illustrates the ‘intangibles’ of management, that is, features that cannot be precisely described in a ‘job description’.

In practice this standard is very difficult to implement and to demonstrate with evidence that it exists. Civil servants and other public officials appointed to managerial posts ought to be appointed basically for competence reasons, although this does not always happen and staff may be appointed for political reasons. The expectation for the most senior civil service and local government officials (e.g., the state secretary and departmental heads) should include a capacity to set the control environment, even though it may not be defined in precise terms, and through their leadership ensure that the requirements of the control environment are implemented throughout the organisation.

A feature of the control environment should be a well-developed and managed personnel policy with good and consistent leadership. As has been indicated, introducing PFM/IC represents a considerable change to the way in which public organisations are managed. Change can be very damaging to organisations unless it is well handled by the leadership of the organisation, that is, by the top and senior operational management. Staff must be motivated to work hard and to use their talents and abilities, including initiative, to make the best contribution they can to the work of the organisation. Change can cause morale to decline and be a cause of insecurity. Motivation is not simply a function of financial reward, and in practice, different people are motivated by different things, in different ways and at different stages of their careers. A very important factor in staff motivation in the public sector is the quality of the work that is being undertaken.Footnote 6 Other factors affecting quality can include how far staff are allowed to ‘self manage’ aspects of their jobs, the extent of staff development through training and the existence of development opportunities and feedback.Footnote 7 Monetary rewards can work very well for tasks that are routine and measurable, but are less successful when creativity and imagination are required. Staff development policies designed to help staff develop their careers should be an important feature in motivation. Organisational culture also has a key role to play in the motivation of employees. If they are to be genuinely motivated to do a good job, rather than simply to comply with organisational rules and regulations, a sense of common purpose needs to be developed and employees need to understand how their individual contributions ‘fit’ within wider organisational objectives. Leadership and clarity are essential components of good personnel management.
Yet this author has not come across any linkages between the introduction of PFM/IC and the development of personnel policies.

Associated with the control environment should be the development of professionalism within the civil and local government service. Professionalism is not just about competence and technical skill but is also about ethical behaviour. To reinforce behaviour, codes of conduct or integrity for both politically appointed officials and civil servants should exist. The content of the civil service or public official code should be determined by the organisation responsible for the public service within a country, and that for the politically appointed officials should be determined, ideally, by the prime minister’s or president’s office. These should not just be ‘token’ codes but should be rigorously enforced.

The reality is that an assessment of the quality of the control environment where there is no or very limited delegation, with operational decisions being made by politically appointed officials, would be very difficult to make (or even perhaps impossible). In such circumstances, assuming that the assessment would be undertaken by the ‘driver’ department in the ministry of finance on behalf of the state secretary in that ministry, any remedial action probably could only be taken by the minister of finance, and his/her hands may be tied by political considerations, especially if it involved criticism of another minister. If that other minister is not interested in the control environment, or does not conform to the expected principles underpinning it (e.g., the principles of good governance), and does not respond to the minister of finance’s criticisms, the responsibility for action moves up to the prime minister, which in turn makes any decision even more political. If in these circumstances the offending minister is not really interested in or committed to applying the standards of internal control, then it is impossible to ensure that the rest of the organisation has that commitment. This is an important reason why the separation of operational management from policy and strategy development, with the application of PFM/IC, is so desirable.

A key factor in the establishment of the control environment is financial resilience. Without that, the control environment will be subject to stresses that affect an organisation’s ability to achieve its objectives. The COSO commentary on the control environment does not specifically refer to the establishment of a stable or predictable financial environment. However, implicit in the whole of COSO is that effective financial management and internal control exist, and that means that the organisation’s management needs to be able to demonstrate that it is currently financially stable, that it has the financial resources to enable it to meet its objectives and that it will remain stable in the medium to longer term. Financial resilience means that expenditure and income will be matched at least over time and consequently that decisions made by the management, or which are the consequences of external factors, will not result in the financial destabilisation of the organisation. It also means that even within a financial year, budgetary flows are predictable and stable. However, experience shows that in countries introducing PFM/IC financial resilience is not considered as a factor in the management and delivery of public services and activities. Whilst the maintenance of financial resilience is an important feature of public financial management, in many developing and transition economy countries it depends upon the quality of the budgetary process, including its links with government objectives, and the quality of the assessment of the economic position of the country.

The arrangements for assessing the quality of the internal control environment were described in the SIGMA paper referred to above (see note 6) issued by the OECD: Support for Improvement in Governance and Management Guidelines for assessing the quality of internal control systems.Footnote 8 This paper described a set of principles that should be followed by managers. Five principles were described covering the quality of the internal control environment, that is, the public organisation:

  • Principle 1: Demonstrates a commitment to integrity and ethical values.

  • Principle 2: Exercises oversight responsibility.

  • Principle 3: Establishes structures, reporting lines, authorities and responsibilities.

  • Principle 4: Demonstrates commitment to competence.

  • Principle 5: Enforces accountability.

IC quality assessment is a primary responsibility for the public organisation’s management. This should not only consist of the evaluation of overall conformity with the established regulatory framework, but rather focus on how the functioning of IC enhances the operational efficiency and effectiveness of the public organisation and the achievement of its objectives.Footnote 9

The characteristics that should be looked for in assessing the quality of the control environment were summarised in a European Commission paper based upon COSO as:Footnote 10

  1. The organisation demonstrates a commitment to integrity and ethical values.

  2. The oversight body demonstrates independence from management and exercises oversight of the development and performance of internal control.

  3. Management establishes, with oversight by the oversight body, structures, reporting lines and appropriate authorities, responsibilities and empowerments in the pursuit of objectives.

  4. The organisation demonstrates a commitment to attract, develop and retain competent individuals in alignment with its objectives.

  5. The organisation holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

The oversight body referred to here is taken from the COSO principles and refers to the controlling board of a company. In the circumstances of developing and transition economy countries, the oversight body cannot be assumed to be the politically appointed top and senior management where that management has operational responsibilities and therefore has no role which is independent of the day-to-day operational management. It is doubtful if the politically appointed top and senior management could act as the oversight body even where that management is not responsible for operational activities, unless it included a significant and genuinely independent membership, which in a politically based organisation would be most unlikely. The question then is who could form this ‘oversight body’? There are four possibilities. One is that the ministry of finance exercises this responsibility through the ‘driver’ department, acting on its behalf. A second is that this is made a specific responsibility of the external auditor. A third is that each public organisation is required to appoint a body, such as an audit committee, which is independent of management and which has a capacity to report directly to the most senior level of management in an organisation (and that could be the political level of management), and that its reports are also copied to the department of the ministry of finance responsible for the implementation of PFM/IC. A fourth is that the government or parliament establishes a new body with a specific responsibility for overseeing the development of internal control activity within public organisations. Which solution should be adopted will depend upon local circumstances, but whichever is chosen, any organisation responsible for assessment should have a high degree of independent membership. This points towards the third or fourth solutions. In addition, the external auditor should always review the quality of the internal control arrangements and report on them to parliament.
What will be critical in assisting that organisation make a quality assessment of the internal control arrangements will be the statement of internal control referred to in Chap. 13.

11.3.2.2 The Information and Communication Standard

There is in practice potential overlap between this standard and the ‘control environment’ standard. For internal control to be effective, the managers and staff within the organisation need to know both what the organisation’s objectives are and those that are set for themselves. Ideally, they ought also to know what the objectives are and the services and activities provided by other parts of their organisation. In other words, managers and staff need to know what is expected of them and how their responsibilities relate to those of others in the organisation. They also need to know the operational context for the whole organisation, as well as for their particular part of the organisation. That operational context includes knowing the resources available to them, that is, their budgets (i.e., total budgets including all elements of expenditure, not just some, such as only the sums available for procurement); how actual expenditure or income is occurring during the year; performance information that relates directly to their areas of responsibility and how performance is developing during the year; whether the demands upon a particular service are rising or falling; the short- and longer-term strategic objectives; the pressure to improve efficiency and effectiveness; the reaction of users of the service (whether internal or external to public organisations); and actual and potential legislative, environmental and other changes affecting the operational environment.

The exact information that will be required will depend upon the role and responsibilities of the manager and individual staff members. But, for example, if a manager has responsibility for the delivery of an objective, information about performance towards achieving that objective should be available to that manager, as well as information about the financial resources that have been consumed. This should be available on a systematic and regular basis. If that manager is also responsible for efficiency and effectiveness, as he/she should be, then that manager must not only know what the total available budget is but also have it presented in a format that is relevant to the manager. The manager should receive financial accounting information showing progress against the budget in a similar format. In addition, the manager should have available information showing the allocation of budgets and accounting information over, for example, different cost centres, what drives costs or whatever else the manager requires. The manager should also have available costing information so that judgements can be made about the most efficient methods of undertaking activities. In addition, effectiveness can only be judged by the impact that the activity is having, and therefore the manager should be provided with user or customer information, whether the user or customer is internal to the government or external. The ‘driver’ department should ensure that managers and staff have available to them the information they need. Unless they have that information, managers cannot effectively be responsible for risk management, which is central to the successful delivery of objectives and performance standards.

Again, where a first-level organisation uses second-level organisations to undertake activities on its behalf, the managers of the first-level organisation must have the information necessary to enable them to exercise effective control and supervision of second-level organisation activity. The manager must also ensure that second-level organisation activity is coordinated with that of the first-level organisation and of other second-level organisations. This applies whether the second-level organisation is non-market based or market based (a state- or local government-owned enterprise). The question that should be asked is, are the communication arrangements between the controlling or supervising organisation and the second-level organisation adequate to enable the former to properly exercise its responsibilities?

The responsibility of the political leadership of an organisation is to ensure that the top and senior operational management is kept informed of political developments that would affect the operational management. The responsibility of the top or senior operational management is to ensure that the information individual operational managers require is available to them. If all this information is not available, managers can hardly be blamed for a failure to deliver objectives efficiently and effectively. On the other hand, managers themselves may need to specify the information they require, and if top and senior management refuse to make the information flow possible, then at least some part of any responsibility for the failure to achieve objectives is transferred to those top and senior managers.

No organisation operates within a static environment and the changes affecting the operational environment need to be communicated throughout the organisation. Changes may become apparent at any level in an organisation, not just at the top and senior management level. Managers at all levels need to be aware of their responsibility to communicate significant change upwards to more senior managers through the accountability process.

Information and communication are not simply about internal activity. They are also about the provision of information to external organisations and individuals, the organisation’s clients and customers. Communications with each of these groups should be clear, purposeful, relevant and timely. Without that, the effectiveness of the organisation will be difficult to judge and its reputation could be adversely affected. Such external communications can include financial reports (but designed in a manner that is relevant to the reader of the report), communications about the organisation’s policies and proposals, why the services that it delivers to its publics are designed in the way that they are, and why any charges that it levies are what they are and why they have changed (if that has occurred) from one period to the next. Clarity should also exist about arrangements for appeals against the actions of the organisation and how, where appropriate, compensation can be sought.

There are many factors that should be considered in assessing whether the information and communications strategy is being properly implemented. The analysis shown below illustrates the difficulty that exists for both management and the ministry of finance ‘driver’ department in trying to identify separate features of management within each of the control standards. Overall, the real issue is the quality of management (Table 11.1).

Table 11.1 Factors affecting information and communications that top and senior operational management should be concerned about

Where there is little or no delegation of operational management responsibility from the political level, there can be difficulties with communicating the policies and strategies within an organisation. This is because politically appointed officials do not normally regard staff communications as falling within their remit, except for those with whom they directly work. Again, the appointment of different political officials responsible for different policies (e.g., several deputy ministers or mayors) without any recognition of the need for coordination to harness the resources of the whole organisation itself encourages the development of a ‘silo’ mentality. (The existence of ‘silo mentalities’ is a classical feature of public administration organisations.) A ‘team meeting’ of top politically appointed officials does not automatically mean that coordination will exist at lower levels in the organisation. Where operational implementation of policy is a responsibility of a civil or local government service management, then the development of a staff communications policy and associated activities should be easier to achieve provided that the top and senior civil or local government service management perceive the necessity and are willing to implement such a policy. The organisational arrangements should accommodate this. But whatever the top management structure, emphasis should be put on developing an information and communications strategy for the organisation and an operational environment that encourages open and trusting relationships.

A feature of an effective information and communications policy is that if it is to encourage open and trusting relationships there must be adequate protection for ‘whistle blowers’.Footnote 11 This means that public organisations must find a reliable method of identifying and correcting any unlawful or unethical conduct that occurs within their organisation. Consequently, public organisations should:

  • Not obstruct officials from reporting misconduct potentially harmful to the organisation or to the public it is serving;

  • Introduce procedures for ensuring reliable reporting without incurring any penalties.

Whatever the information and communication arrangements within an organisation, there can be a lack of understanding or a difference of interpretation between those making any statements (in whatever form) and those hearing or reading them. Merely issuing advice or an instruction does not mean that it will necessarily be interpreted in the way in which the author intended. How the recipient interprets that advice or instruction depends very much upon the position and perceptions of the recipient. Senior managers communicating with their staff must be aware of the potential risk of the recipient of the communication hearing what they want to hear, rather than what the senior manager wanted them to hear. This author has been told by officials from several different countries that all that is necessary is to issue an instruction or regulation and it will be followed. That is a mistake! The same problems exist with external communications. Care should be taken to avoid the use of ‘jargon’.

Effective communication in the workplace helps staff and managers form highly efficient teams. It builds trust, reduces competition and encourages cooperation within and between units and departments and helps staff work together harmoniously leading to higher productivity, integrity and responsibility. Staff must know their roles and should know that they are valued.

A manager who openly communicates with staff can foster a positive relationship that benefits the whole organisation. Good communications can also improve employee morale. Employees do appreciate good communication from more senior management.

The department responsible for the application of PFM/IC therefore should not just rely on legislative requirements set out in a public internal control or public financial management law or other formats to ensure that good communications are a feature of the internal control arrangements. This appears, though, to be the usual process in some countries adopting this reform. A deep understanding of effective communications is necessary, and in reviewing the application of this standard, evidence that this exists should be looked for. In other words, the ‘driver’ department responsible for applying PFM/IC should look for the features of an information and communications strategy outlined here and for the effectiveness of the strategy. That responsibility also extends to external communications.

A European Commission paper based upon COSO defined a set of principles affecting information and communication. These were that the public organisation:

  • Principle 13: Obtains, generates and uses relevant, quality information.

  • Principle 14: Ensures proper internal communication.

  • Principle 15: Ensures proper external communication.Footnote 12

11.3.2.3 The Control Activities Standard

The political management should have a responsibility to ensure that the objectives of the organisation are delivered, that they are delivered efficiently and effectively, that performance standards and objectives are observed (especially those set by external regulators), and that the resources of the organisation are properly safeguarded and used only for the purposes of the organisation and not, for example, for political or personal purposes. They also have an obligation to ensure that the objectives imposed upon the organisation by others, most notably by the ministry of finance, to maintain adequate budgetary and financial control are properly met. Top and senior operational and political management also have a responsibility to ensure that the financial reports to the ministry of finance, including the year-end financial statements and other statements, are reliable. Controls should also be concerned with the longer-term financial viability of the organisation. The actual application of these responsibilities, as has been shown in earlier chapters, should normally be undertaken in practice by the operational management, and this should be made clear through the delegation and accountability arrangements. The accountability arrangements should be designed to ensure that the political management can be confident that the operational management is acting competently and responsibly. The aim of the control activities should be to ensure that all this is achieved. The control activities should be designed to reduce the risk of failure by the operational management to achieve objectives and performance standards efficiently and effectively, and to ensure that public resources are being properly utilised.
The operational management should also ensure that commitments are not entered into which would affect adversely the financial sustainability of the organisation and should advise the political management where such a risk appears to be occurring or would occur if particular decisions were made.

A key feature of control activity is ‘accountability’. Lower levels of management are accountable to more senior levels for the delivery of their objectives within the relevant constraints. Top and senior operational management’s responsibility is to test out in its actions whether the control activities are effective, and this should be demonstrated in the accountability arrangements. That is, are the reporting systems effective; do they address the key issues; are reports used as the basis for decisions; do follow-up processes exist and are they acted upon? Similarly, the accountability arrangements between the top operational management and the political level of management should be assessed by both sets of management to ensure that they provide the confidence that the political level of management requires.

The department responsible for the application of PFM/IC should assess, as one of its monitoring activities, both how well the control activities within an organisation are operating and the range of those control activities, most notably that they are not limited to traditional financial and budgetary controls. An indicator of this is how successful the organisation has been in achieving its objectives, within budget, to time, to standard, efficiently and effectively and meeting all regulatory requirements. Some of the detailed analyses to assess the quality of the individual internal control processes include:

  • Is each level of management clear about the scope of its responsibilities and the extent of its discretion?

  • Are the internal management reporting arrangements consistent with the delegation arrangements?

  • Do senior managers respond effectively to reports?

  • Is there onward reporting to higher levels of management in appropriate circumstances?

  • Do clear guidelines exist which indicate how management at all levels should respond to accountability reports?

  • Are such reports supplemented by ‘face to face’ meetings?

  • Do opportunities exist for group discussions so that issues and the information associated with them may be more widely shared or challenged?

The control activities should focus on outputs as well as inputs and a responsibility of top and senior operational management is to ensure that the appropriate controls exist.

One area of internal control activity that is frequently overlooked is that concerned with the risks to the longer run financial resilience of the organisation. This is discussed in Chap. 8. Most internal controls are focussed upon current operations, yet the ability to continue current operations into the future is heavily influenced by longer run financial considerations. By undertaking strategic financial planning an organisation should be able to forecast its future demands for current funding from the national budget or for new capital investment. Only then will an organisation be able to either argue for additional resources or to assess the scale of the cuts to existing activities (if that is the situation) or consider adjustments to its strategic plans that it may need to make. Strategic plans should also exist and those strategic plans should include a financial dimension to demonstrate what the costs will be of achieving strategic objectives.

To assist top and senior operational management determine the appropriateness of the internal control arrangements (and it is their responsibility to ensure that these controls are appropriate) they ought to ask themselves a series of questions covering output and input controls and the controls concerned with longer term financial sustainability. (These questions which link with other internal control standards should also enable the ‘driver’ department responsible for the application of PFM/IC to form a judgement about the effectiveness of the controls.) Examples of some of the questions which refer to ministries, but which can be adapted to meet the needs of other types of public organisation such as local governments, are as follows:

Overall Questions:

  (i) Can we (i.e., the top and senior operational management) be sure that managers at all levels have the right information, at the right time, in the right form to enable the organisation to deliver its objectives, to time, to standard, within budget, efficiently and effectively:

    • Is each manager within the organisation clear about the objectives and standards that the manager is expected to meet?

    • Are the relevant managers fully aware of externally set regulations and do systems exist to demonstrate how they are being met?

    • Has each manager the information available so that not only can that manager monitor what is happening but also be fully and properly accountable?

    • What controls exist to ensure that objectives and standards are achieved efficiently and effectively?

    • Where the health and safety of clients and staff is a major concern (as in hospitals or high-rise housing or child care facilities), is there absolute clarity about standards expected and do management systems exist to secure observance of health and safety standards?

  (ii) As each manager should be expected to deliver the objectives efficiently and effectively, has each manager the full budgetary and performance information available to enable the manager to do so? Has the manager also the appropriate management accounting information and does the necessary cost and management information system exist; is the management as well as the finance department staff sufficiently well trained to use that information?

  (iii) Has each manager the appropriate technical guidance to enable the relevant operational standards to be delivered and do monitoring arrangements exist to secure observance?

  (iv) Where charges are levied for services provided or for the use of assets and other resources, do those charges fully reflect the costs of provision? Or, where a policy decision has been made to subsidise those costs or to provide a surplus, has the financial information been properly and fully calculated so that the real level of subsidy, and to whom it is given, is apparent?

Questions About Input Controls:

  (v) Do the appropriate controls over inputs exist to ensure that:

    • Assets and other resources (including stocks and stores) are used only for the purposes of the organisation, that is, exclude use for political or private purposes?

    • No significant liabilities, including all fiscal liabilities, are entered into without the specific approval of top management and, if necessary, with the specific approval of the ministry of finance?

    • No contracting out of the delivery of public services exists without a thorough investigation into the financial and operational viability and quality of the private companies or other private institutions involved?

    • No future contractual obligations to suppliers exist which will make the future financing of the service or activity difficult to achieve or which may lead to an imbalance in the provision of other services or activities?

    • Procurement is only undertaken in accordance with the procurement regulations/legislation?

    • All externally set technical regulatory regulations concerning the delivery of particular services are observed?

    • All financial regulations issued by the ministry of finance are being adhered to (if such regulations do not exist, then either the ministry of finance should be asked to issue such regulations or the organisation itself should develop and issue its own financial regulations)?

    • All income and payment arrangements adhere to the requirements set out in those financial regulations, including where appropriate the separation of duties?

  (vi) Do controls over inputs inhibit or support management’s ability to deliver the objectives of the organisation? Where those controls, especially over the number of personnel or the allocation of personnel, require decisions to be made by someone other than the manager or even by another organisation, the responsibility of the manager is diluted. The question then is whether this is desirable and to what extent it reduces the accountability of the manager. The consequential question for top and senior management is how this, in turn, affects their responsibilities and whether any external controls should be challenged, for example, over staffing arrangements.

  (vii) Do the ministry of finance budgetary and cash flow controls reflect the needs of the operational management or is change required? The question that then has to be addressed by top and senior operational managers is what are the most appropriate controls to meet the needs of operational management? This is likely to require significant new controls or an adaptation of those required by the ministry of finance, for example, to give managers greater ability to manage resources to achieve objectives.

  (viii) Are the arrangements for the recruitment, allocation, retention and training of staff consistent with the needs of the organisation or do they inhibit the organisation in the delivery of its objectives? (Sometimes organisational managements have little control over the recruitment, promotion and training of staff. Staff may be appointed for political reasons rather than because of their competencies. Is that an appropriate arrangement given the need to achieve objectives and to secure managerial accountability?)

  (ix) Are the controls that exist within the IT systems sufficient to protect against fraudulent misuse through inadequate security arrangements and against hacking and other forms of attack? What is the evidence that those controls have been fully tested? Are the controls only nominal or are they properly applied in practice, and what is the evidence for that?

  (x) Have all operating system updates issued by software manufacturers been applied?

  (xi) Is there confidence that the reporting to the ministry of finance (and where appropriate to other third parties) is accurate and timely and that the financial statements properly present the financial position of the organisation? (Internal and external audit have an important role but the primary responsibility is that of the management.)

  (xii) As the organisation will have a responsibility to store information, which may be held physically or electronically, are the archiving arrangements consistent with the centrally determined arrangements for archiving (if any) and are those arrangements adequate for the purpose, both physically, to ensure that the records are not damaged, and in terms of being held securely, to prevent misuse of or change to those records? Are the records properly maintained so that they are accessible to future enquirers? Are the systems sufficiently secure to prevent loss of data through breaches of security, mismanagement or IT breakdowns? Do ‘back-up’ systems exist? Archiving applies to all operational as well as financial records. Can these questions be answered positively for electronically held records as well as for physical records?

Questions About the Controls Concerned with Longer Term Financial Sustainability:

  (xiii) Does a process of strategic financial planning exist which evaluates the impact of present and proposed policies upon the organisation’s future finances considering all those factors that are likely to impact upon those finances?

  (xiv) Is there a process which assesses the commitments of the organisation given its current policies, such as public/private partnership arrangements, and tests the financial viability of those policies over the longer term, considering likely trends in the availability of budgetary funds and other sources of income (which may be affected by the state of the economy)?

  (xv) Does a long-term financial planning process exist which systematically informs the political level of management and the top and senior operational management of the forecast financial resilience of the organisation given the commitments that have been entered into with the development of current policies? Does that planning process inform the political level of management about the financial consequences of the introduction of new policies and other likely new commitments that may be or are emerging (e.g., through climate and legislative change) which are beyond the control of the management of the organisation, and which could affect policy making decisions?

  (xvi) Do those processes consider the impact of any fiscal liabilities that have been entered into?

  (xvii) Does a process of consultation exist with the ministry of finance about its judgement of the future government financial planning, based upon economic forecasts, and how this may impact upon the finances of individual ministries given government priorities?

These examples of control activities also demonstrate the interlocking of this standard with those for the control environment and information and communications. They also emphasise that control activities are not simply about financial and budgetary controls but that technical controls also are very important and a failure to observe technical controls is likely to result in major future costs as well as costs to reputation.

A European Commission paper based upon COSO summarised the requirements of control activities as the public organisation:

  • Principle 10: Selects and develops control activities

  • Principle 11: Selects and develops general control activities over technology

  • Principle 12: Deploys control activities through policies and procedures.Footnote 13

The responsibility of the top and senior operational management should be to ensure that the control activities that are employed are effective and that the political management is satisfied with their quality. They also need to satisfy the external auditor and consequently parliament, and those to whom the organisation is accountable (e.g., the cabinet of ministers, parliament and civil society). The top operational manager should therefore ensure that appropriate control activities actually exist and operate effectively, and should be confident that all staff are familiar with the controls that affect them and how those controls should operate. This would mean that staff job descriptions fully cover the responsibilities for the relevant controls and that staff appraisal arrangements also cover awareness of those internal control arrangements. Periodic assessments of the efficiency and effectiveness of these controls should occur, with internal audit and any relevant external organisation acting as assessors.

The exact form of the control activities will depend upon the services and operational activities that the organisation is engaged in.

11.3.2.4 The Risk Management Standard

11.3.2.4.1 An Overview

An important element of control activity is that the risk management processes operate effectively. The aim of risk management is not to eliminate risk because only by taking risks will change and improvements in the delivery of services and activities occur. The purpose is to identify and then manage the risks so that objectives and standards can be achieved and that adverse consequences can be avoided or minimised by careful assessment, planning and management. The ‘driver’ department of the ministry of finance should issue detailed guidance on how the reporting associated with risk management should be developed and applied taking into account the arrangements for delegation and managerial accountability that exist at the time.

The key to the effective management of risks is the ‘tone at the top’ of the organisation (the ‘control environment standard’). This affects the priority that the different levels of operational management and staff give to risk management and the comprehensiveness of the risk management arrangements. The behaviour and actions of the top and the senior management and how they communicate with and challenge the different levels of management about risk illustrates the degree of significance attached to risk management. If the leadership attitude is one of indifference and there is no real top-level ownership, especially by top operational management, or the messages from the political leadership and top-level operational management are inconsistent, this will be damaging to the risk management process.

The primary concern of the political level of management should be with the relevance and quality of the organisation’s risk management policy.

Whatever the managerial circumstances and the level of risk, there are various ways in which risks can be addressed. One way is through building in additional controls, another is by changing the management arrangements, or by some form of insurance, by sharing the risk with a third party, by changing designs or even not going ahead with a policy, project or activity because the perceived risks are too great.

The UK Treasury issued a publication on the Management of Risk—Principles and Concepts. This emphasised the significance of the role of management as follows: “For the risk management framework to be considered effective, the following principles shall be applied: A. Risk management shall be an essential part of governance and leadership, and fundamental to how the organisation is directed, managed, and controlled at all levels. B. Risk management shall be an integral part of all organisational activities to support decision-making in achieving objectives. C. Risk management shall be collaborative and informed by the best available information and expertise. D. Risk management processes shall be structured to include: a. risk identification and assessment to determine and prioritise how the risks should be managed; b. the selection, design and implementation of risk treatment options that support achievement of intended outcomes and manage risks to an acceptable level; c. the design and operation of integrated, insightful and informative risk monitoring; and d. timely, accurate and useful risk reporting to enhance the quality of decision-making and to support management and oversight bodies in meeting their responsibilities. E. Risk management shall be continually improved through learning and experience.”Footnote 14 (Although this publication has been issued by a country with a well-developed public sector management structure, it does contain very clear guidance which could be usefully applied in countries introducing PFM/IC.)

For risk management to be effective:

  • The political head of the organisation and the person responsible for the quality of PFM/IC within the organisation, that is, the state secretary in a ministry, recognise the significance of risk management in the achievement of the objectives and performance standards of the organisation including technical performance standards and provide leadership in its development.Footnote 15

  • Clear objectives and performance standards exist and a management structure is in place designed to deliver those objectives and standards.

  • An appropriate control environment exists.

  • Adequate information flows and communication arrangements exist.

  • Internal controls are effective.

  • Accountability arrangements exist, both internally and externally.

If the top political and operational management are not interested in the development of risk management throughout the organisation (i.e., genuinely interested as opposed to ‘going through the motions’), then there is something wrong not only with the risk management process but also with the management arrangements themselves. The risk management process must be of genuine interest to these top officials. They cannot though be expected to personally manage all risks. Their personal concerns should be that there is effective risk management throughout the organisation and that they are focussed on the significant risks to the organisation, perhaps no more than 15 to 20. However, this number does depend upon the nature of the service or activity. If the number rises above this level, then there is almost certainly something not right about the risk management assessment arrangements and the top management is being drawn into too much detail. This is likely to devalue the risk management as a process. Once a risk has been accepted, then what matters most, given systematic review, is change in the level of risk. Why is that change occurring?

The Orange Book referred to above also defines 13 different categories of risk, that is, Strategy risks—Governance risks—Operations risks—Legal risks—Property risks—Financial risks—Commercial risks—People risks—Technology risks—Information risks—Security risks—Project/Programme risks—Reputational risks.Footnote 16 For countries adopting PFM/IC to analyse risks over these 13 different categories at the initial stages of development may be too complex. The following may be an oversimplification but initially an important distinction should be made between managerial or strategic risk management and systems risk management.

Managerial or strategic risk management should be concerned with the key or strategic risks facing an organisation, which could fall into any of the categories identified above. A responsibility of the top operational management is to work with the political management to identify those risks with which the political management is concerned and how it wishes that they should be managed including being kept informed about them. Most risks will be managed by the operational management but others may have aspects which are of particular interest to the political management as well as to operational management. The top operational management should identify and focus upon those managerial or strategic risks that have a direct impact upon their effective management of the organisation.

Examples of high-level risks that political management may be concerned about include significant potential damage to the reputation of the organisation, significant legal action against the organisation, significant financial losses, risk of death or serious injury to users of the service or to employees, an attack on the IT security systems that results in the theft of private personal data or the corruption of a major IT system that prevents a service or activity being delivered, such as social security payments or the taking of decisions that could significantly affect the long-run financial resilience of the organisation.

Another example of high-level risk that organisations should take into account is risk to the continued operation of the organisation as a whole or significant parts of it. An important responsibility therefore of top and senior management (political and official) is business continuity planning in the event of some major external threat to the organisation. A recent example of this is the impact of a disease upon management and the clients/customers of the organisation and on the organisations that are major suppliers.

Systems risks may or may not be important to top and senior operational management, and sometimes political management may need to become involved. However, it all depends upon the circumstances. If the system is vital to the effective functioning of the organisation (such as a social security system or disease prevention in a hospital), then the top political management would inevitably become involved. Otherwise, most system risks could be managed by operational management.

As has been pointed out previously, all decisions involve some element of risk and in some countries the risks associated with usual day-to-day management activity have been incorporated into the formal risk management processes. This is a mistake. These normal operational responsibilities should not be included in the formal risk management processes and to include them, as some organisations do, is to devalue the impact of risk management.

Whatever decisions are made about risk management, whether by political or top operational management, risks should be subject to regular review because circumstances change. How frequently such reviews should occur should depend upon the particular risk being considered!

11.3.2.4.2 Managers and Risk

The introduction of risk management into the management process adds considerably to the responsibilities of managers. In some organisations, defining and managing risk will be a complex process requiring considerable skill, expert knowledge and the exercise of judgement. Hence there may be a need to appoint staff to support the managers who are expert in identifying and making judgements about risk in a particular area of activity, for example, in the provision of health services, in the development of infrastructure, in policing and prison services, in services with a high risk of fraud such as those providing benefits to individuals or in fraud and corrupt practice in purchasing and supply arrangements. Those risks that involve the health and safety of employees should always be discussed with the potentially affected employees, or their representatives, including the proposed mitigation measures.

The management approach to risk at lower managerial levels should be based upon the risk to the achievement of that manager’s objectives and the relevant performance standards (emphasising again that each manager should have objectives and standards). The process for addressing lower level risks should be, in principle, the same as that described above for high-level risks. Each lower level manager should report those that he/she regards as the more serious risks to the next higher level of management to determine whether in turn they should be referred further up the management structure until they reach top and senior management. They should also report to the next higher level of management on changes in the level of risk, especially where those changes indicate a worsening of the level of risk. Once risks have been identified, the individual manager’s responsibility is to analyse those risks to determine how those risks should be managed and which risks may need to be reported to and agreed with more senior management.

An example of a service that will require specialist risk management skills is that of the management of hospitals. Hospital management will be concerned with the management of clinical and non-clinical risks and these will be managed in different ways.

By having the correct risk management strategy there are significant opportunities for achieving improved quality of care, major cost savings, improved public perception and a reduction in clinical negligence claims. The goals of the risk management strategy could include:

  • enhanced quality of care;

  • protection against criminal prosecution;

  • financial savings from reduced risk, which includes reduction in claims against the trust [hospital] and optimisation of insurance premium expenditure;

  • cost-efficient risk reduction;

  • improved public image;

  • improved staff morale and productivity.Footnote 17

Another example is the management of schools. A major immediate concern to the managers of a school will be the health and safety of pupils. Risk assessment involves considering the severity of consequences if a person or pupil is exposed to a potential risk, combined with the likelihood of it happening. The level of risk will increase as the likelihood of injury or illness or its severity increases. A risk assessment can help determine:

  • How severe a risk is;

  • Whether existing control measures are effective;

  • What action should be taken to control the risk; and

  • How urgently the action needs to be taken.Footnote 18

11.3.2.4.3 The Practicalities of Introducing Risk Management

A degree of bureaucracy is necessary to identify risk, indicate who is responsible for its management, demonstrate the actions that have been taken and identify the trends in the development of the risk. A formal risk register therefore should be established: a single register covering all risks can be unwieldy and a more practical approach can be to establish one register that addresses managerial or strategic risks and separate registers for lower order risks.Footnote 19 Again, different risk registers can be developed for different parts of the organisation. Which is the most appropriate approach depends upon the management arrangements within the organisation. Top and senior operational management, subject to any political management concerns, should determine the monitoring and reporting arrangements. The overall responsibility for the risk register process should lie with the head of operational management. However, the actual ‘process’ responsibility could be delegated to another official. That a specific official should have this bureaucratic responsibility in no way removes from the top operational manager, the state secretary or equivalent, their ultimate responsibility for managing risk and for ensuring that an appropriate risk management process applies throughout the organisation.

Decisions should also be made about the frequency for the reporting of risks. This could vary depending upon the type of risk and the personalities involved. This will mean that the risk register(s) will need to be updated (and coordinated) so that each higher level of management is aware of the development of risks and the effectiveness of the mitigation measures. How often updating or review of risks should occur will depend upon the nature of the risk and the bureaucracy should have the capacity to be flexible about the updating arrangements. Particular regard should be had to trends in the movement of individual risks—is the risk declining or increasing?

11.3.2.4.4 The Responsibilities of the Top and Senior Operational Management

The top and senior operational management have a substantial range of risk management responsibilities even though in practice some would be delegated to other officials. The main responsibilities of the head of operational management should include to:

  a. Ensure that risk management is incorporated within the operational management processes, including job descriptions, and that all risks are fully identified and managed at an appropriate level.

  b. Ensure that those management processes are actually undertaken and are regularly reviewed with active steps being taken to mitigate risks.

  c. Provide direction, guidance and advice on risk management best practice throughout the organisation.

  d. Determine the risk appetite/tolerance for the organisation (see below for a discussion on ‘risk appetite’) and inform and agree the risk appetite parameters with the political head of the organisation, also after considering the views of any external advisers.Footnote 20

  e. Receive regular reports on managerial and strategic risks and the trends which are emerging so that he/she can require corrective actions to be taken.

  f. Prepare reports to the political head of the organisation on those managerial and strategic risks which directly affect the political head, paying particular attention to changes in the levels of risk.

  g. Provide any feedback from the political level of management to other managers on the risk management process.

  h. Ensure that appropriate training is provided to the different levels of official on risk management (whether politically appointed or civil or local government officials) and/or that specialist officials are appointed where fraud or corrupt practice is a high area of risk.

  i. Ensure that a process exists which identifies the possible causes of risk appetite/tolerances being exceeded. Those causes can include mismanagement, natural events, unforeseen international price movements, failures in a supply chain such as bankruptcy (but this risk in some circumstances should have been foreseen and therefore the real cause is mismanagement), misjudgement of demand for a service or activity (again a potential cause is mismanagement) or, in construction, unstable ground conditions or unavailability of key workers such as engineers.

  j. Ensure that systematic communication arrangements exist within the organisation to raise awareness about risk and the policies of the top management so that there is a wide understanding throughout all levels of management of the level of risk that is acceptable: this should inform all activities, that is, policies, programmes, projects and operational service delivery.

  k. Ensure that second-level organisations establish risk management and that top and senior operational management of the first-level organisation are informed of the strategic risks and all fiscal risks that affect the second-level organisation, so that the top and senior operational management of the first-level organisation can decide whether they need to become involved in the management of those risks and whether they should inform the political level of management.

  l. Where an external advisory committee, such as an audit committee, exists which has an interest in the quality of risk management, maintain a close liaison with that committee and ensure that its recommendations are fully considered.

  m. Prepare an annual risk management/risk appetite statement.

How does top and senior operational management undertake these responsibilities towards risk management in practice? The United Kingdom National Audit Office addressed this in a publication by setting out a series of questions for top and senior operational management to consider.Footnote 21 These are:

  1. “How do we ensure that our focus is on managing the things that matter? Are we content that management’s assessment of risk is not overly optimistic?

  2. Are we clear about where we are prepared to tolerate differing levels of risk and, in turn, how these influence and drive the actions of management?

  3. How confident are we that risks are being managed appropriately and that we will be informed of the most significant risks to our business?

  4. What information do we need both to take decisions and to challenge the rigour with which risk is managed throughout the organisation?

  5. How do we ensure that our decisions are based on a clear and balanced evaluation of the costs and impacts associated with risks and mitigations?

  6. How do we learn from successes and failures both within our own and other organisations?”

11.3.2.4.5 Risk Appetite Impact and Likelihood

‘Risk appetite’ has been defined as “the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives”. Even though the top operational management may define the policy on risk appetite, the political leadership should agree that policy because of its significance. “Organisations will have different risk appetites depending on their sector, culture, and objectives. A range of appetites exist for different risks and these may change over time.”Footnote 22 No risks should be acceptable which exceed the defined risk appetite. However, ‘risk appetite’ is not always quantifiable and may require managerial judgement. PFM/IC requires a managerial approach to the delivery of the objectives of an organisation, and as all managerial decisions involve a greater or lesser degree of risk, the existence of a risk appetite statement provides guidance to managers about the risks that can be taken to achieve an objective.Footnote 23

In making decisions about risk two features are important: what is the likelihood of the risk occurring, and, if the risk does occur, what will be the impact? The management should assess these in terms of how the risk will affect the achievement of the objectives and performance standards. The estimated costs of the risk can then be compared with the costs of taking mitigating actions and the extent to which those mitigating actions will reduce the risk. This type of analysis can be undertaken with varying degrees of detail and complexity, depending on the purpose of the analysis, the availability and reliability of information and the resources available. Risk analysis can also be influenced by opinions, biases, perceptions of risk, judgements and the quality of the information used. Often a scoring method is applied to provide a basis for assessing the significance of the risk. Both impact and likelihood should be scored (although some risks may be difficult to quantify and managers will need to make judgements).Footnote 24

The Institute of Risk Management has listed stages in the development of risk appetite statements.Footnote 25 These are:

  1. “Identify stakeholders and their expectations, together with an analysis of the risks to strategy, tactics, operations, and compliance, as set out in the risk register.

  2. Establish the desired level of risk exposure that will lead to a risk appetite statement that provides a set of qualitative and quantitative statements.

  3. Define the range of acceptable volatility or uncertainty around each of the types of risks leading to a statement of acceptable risk tolerances.

  4. Reconcile the risk appetite, risk tolerances with the current level of risk exposure and plan actions to bring current risk exposures into line with risk appetite.

  5. Formalize and ratify a risk appetite statement(s), communicate the statement with stakeholders and implement accordingly.”

11.3.2.4.6 Publication

Risk management/appetite statements ideally should be published on the grounds of transparency and accountability and as one of the improvements emerging from the development of the quality of corporate governance. In countries which are in the process of adopting PFM/IC, there are basically two other significant reasons for the ministry of finance ‘driver’ department to require the development of annual risk management/appetite statements and for the completion of such a statement to be a specific responsibility of top and senior management. These are:

  • To cause top and senior management to be aware of their risk management responsibilities and that risk management is not a lower level requirement which can easily be met by leaving it to lower level staff or internal audit and to be completed through the traditional bureaucratic procedures; and

  • To require top and senior management to engage in the systematic and ongoing review of risks and to then make decisions about the range of risks that the organisation faces, the extent to which risk is acceptable in order to achieve objectives and the appropriate mitigating measures.

Examples of risk management statements are included in the annex to this chapter. They reflect different approaches to risk management. The common features are that the details are published and that the approaches to risk management, as well as who is responsible, are also made clear. In other words, they meet the most desirable features of transparency and accountability. Unfortunately, countries currently adopting PFM/IC do not appear, so far, to publish such types of statements. Yet a requirement for top and senior management to publish such statements would encourage risk management to become embedded in managerial arrangements. In the examples, risk management is shown to be a fundamental feature of management processes and therefore the operational context will reflect this, as will the existence of objectives and performance information coupled with accountability pressures to achieve those objectives and levels of performance. Without a specific requirement falling upon top and senior management to specify the risk management arrangements they have established and the extent to which risk is considered and is acceptable, there is every possibility that considerations about risk will be superficial. This, in turn, means that there will be less likelihood of objectives and standards being achieved. What is published for external stakeholders such as other ministries and the ministry of finance as well as parliament, pressure groups and service users (i.e., civil society) may be different from what is published for the benefit of internal stakeholders (i.e., primarily the managers within the organisation). Without such an internal statement, lower level managers within the organisation will be providing services and activities with no or insufficient guidance on the levels of risk that they are permitted to take. They may also be deterred from developing new ideas and proposals to improve services and activities for fear of taking on additional risks because they do not know what level of risk is acceptable to top and senior management. In an administrative culture that has traditionally been risk averse, which is the situation in most of the countries adopting PFM/IC, clarity about the attitude of top and senior management towards risk is very important.

Where publication of comprehensive information is deemed to be too difficult in a particular country, all such reports should nevertheless be available internally within government. Similarly, equivalent reports for individual local governments and state-owned enterprises should also be published.

Where agencies and state-owned enterprises are subject to control or supervision by a ministry or local government, that ministry or local government should ensure, as part of its performance or service level agreement with the second-level organisation, whether market or non-market based (see Chap. 12), that risk management is introduced in those organisations. The risk management arrangements that have been put in place should be covered in the reporting arrangements between the second-level organisations and the controlling or supervising ministry or local government. (NB. A particular feature of the risk management control arrangements between first- and second-level organisations of whatever type should be that no fiscal risks are entered into without the specific agreement of the first-level organisation.) Footnote 26

11.3.2.4.7 A European Commission Overview About Risk Management and COSO

A European Commission paper based upon COSO summarised the requirements of risk assessment as the public organisation:

  6. Specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

  7. Identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed.

  8. Considers the potential for fraud in assessing risks to the achievement of objectives.

  9. Identifies and assesses changes that could significantly impact the system of internal control.Footnote 27

11.3.2.5 The Monitoring Activities Standard

The purpose of monitoring is to evaluate whether the arrangements for PFM/IC are making it possible for an organisation to achieve its objectives, doing so efficiently and effectively, to time, to standard and within budget, and also within the laws and regulations to which the organisation is subject. Monitoring is also concerned with ensuring that the organisation has adopted, and is applying, a commitment to integrity and ethical values. If these features are not occurring, the next question is why this is so. The focus of monitoring in many countries that are introducing PFM/IC has been simply on whether the bureaucratic processes relating to the four other standards are in place, with observations about the deficiencies that exist (if any). However, the SIGMA Guidelines for assessing the quality of internal control (IC) systems state that “Monitoring of the IC system is essential to ensure that IC remains aligned with changing objectives, environment, laws, resources, and risks. IC monitoring assesses the quality of performance over time and promptly resolves the findings of audits and other reviews. Corrective actions are a necessary complement to control activities in order to achieve objectives.”Footnote 28

The monitoring processes that have been adopted in this author’s experience do not in general appear to address the main purpose of the reform. In most countries they also do not recognise that each standard is not a ‘stand-alone’ process which can be separately assessed. The procedural processes associated with each standard, as has been shown, are not easy to identify separately except at the most superficial level. Because the standards are interlocking, the monitoring process needs to reflect this. This will be best achieved by looking at the overall performance of the organisation in achieving its objectives and performance standards efficiently and effectively. Reliance is also often placed on ‘self-certification’. What this means in practice is difficult to understand. The monitoring process needs to establish how far the assumptions, referred to at the beginning of this chapter, that lie behind the COSO process have been recognised. Monitoring is therefore not a simple ‘tick-box’, end-of-year type of process checking that the required bureaucratic procedures have been implemented. To emphasise, introducing the COSO standards is not simply a bureaucratic exercise; it has a specific purpose. This purpose is to achieve the objectives of the organisation efficiently and effectively, to time, within budget, to standard, with proper regard for integrity and ethical values, transparency and accountability, and as part of this to ensure that the legal and regulatory requirements to which the organisation is subject are fully met. Monitoring should be aimed at this purpose, that is, at whether it is being achieved and, if not, why not. Anything else can at best be regarded as an interim process. Each of the individual standards is ultimately aimed at this purpose. The most effective test of the application of PFM/IC is how successful the organisation’s management has been in meeting this purpose. That is the point from which monitoring should start.

Without such an evaluation, whether the COSO standards have been properly applied cannot be established. Therefore, whether the policy of PFM/IC is meeting expectations also cannot be established. So, the question cannot be asked. Monitoring should start from whether the objectives and performance standards of the organisation have been achieved efficiently and effectively, within the law and budgetary constraints. The aim of monitoring should then be to identify, where they have not, the weaknesses that have allowed this to occur.

Monitoring responsibility within an organisation should be that of the top and senior operational management where the overall responsibility lies for the achievement of the objectives and performance standards. Monitoring should form part of the accountability arrangements flowing up the organisation, ultimately to the top and senior management, official and political. Monitoring should identify weaknesses in the quality of the management of the organisation itself (i.e., technical, operational and financial). A failure to properly carry out certain procedures is a management failure, not just a procedural failure which can simply be corrected by bureaucratic action.

Apart from the top and senior management, monitoring will be of concern to others. One will be external regulators concerned with the observance of technical standards, another will be the ‘driver’ department of the ministry of finance responsible for the application of PFM/IC, and a third will be parliament. The role of the ministry of finance in monitoring should be to judge the quality of operational management. Lack of achievement of objectives and performance standards, a failure to meet external regulatory standards, and the quality of financial control should affect future budgetary allocations. Parliamentary monitoring (i.e., scrutiny) should have a central concern for the quality of management, the delivery of objectives efficiently and effectively, and the meeting of technical regulations. Parliament may have its own scrutiny requirements, and it may rely for advice on the external auditor, who should have a concern for the quality of public expenditure through its assessments of value for money. This may lead on to a further form of external scrutiny, that of civil society.

What should also stimulate monitoring is that it should result in each public organisation publishing an annual report covering all its activities and, unless consolidated into a whole-of-government statement, its financial statements, along with a ‘statement of internal control’ (see Chap. 13). The ‘statement of internal control’ should describe the effectiveness of the internal controls applying within an organisation.

Monitoring should be an ongoing process and the PFM/IC driver department should provide advice on how that is to be undertaken, including the extent of the monitoring required. As PFM/IC is developed it may also wish to regularly review the outputs of those monitoring arrangements.

Internal audit has an important role in the monitoring process. But it can only undertake this role effectively if internal audit recognises that it is operating within the managerial context set by PFM/IC. This means that internal audit should have a thorough understanding of the PFM/IC reform and how it affects decision making by managers. Therefore, the training of internal audit should be aimed to ensure that internal audit capability extends beyond traditional internal control monitoring based simply upon systems controls with a focus upon financial and budgetary controls.

The aim of an internal audit evaluation is to provide a ‘lens’ through which the top and senior operational management can see how effectively management is applying the COSO standards.

A European Commission paper based upon COSO summarised the requirements of monitoring as the public organisation:

  16. Selects, develops and performs ongoing and/or separate evaluations.

  17. Evaluates and communicates deficiencies.Footnote 29

11.4 Summary

In this chapter the international standards of internal control have been described. These standards are essentially managerial disciplines. The context into which they are to be applied is an operational management context. These international standards cannot be isolated from this managerial context and treated as individual ‘stand-alone’ features of PFM/IC. The impact of each standard also cannot be clearly separated one from the other. Yet that is how they are treated in many developing and transition economy countries applying the standards. In considering the application of these standards regard should also be had to the assumptions that underpin these standards and these assumptions reflect the managerial context in which the standards are to be applied. Again, this is not usually something which is either recognised or considered.

The detailed analysis of the application of each of these standards demonstrates how they impact upon the managerial arrangements. Those managerial arrangements should be designed to deliver the objectives and performance standards of the organisation efficiently and effectively within the budgetary and legal framework. These standards apply principally to operational management. Therefore, an important precursor to their implementation is the separation of operational management from the political level. These standards, though, also provide an opportunity for the political level of management to have an informed insight into how well the operational level of management is working. From this point of view, therefore, the political level of management should support the full application of these standards, but again what is essential is managerial reform.

An indicator of how well the standards have been applied would be the statement of internal control which each organisation ought to prepare as part of the annual reporting arrangements (see Chap. 13). This statement should be available to the ministry of finance, to parliament and to the wider public (civil society) as part of the transparency and accountability arrangements. Either accompanying the statement of internal control or separately, a public organisation should publish a statement about its approach to risk, that is, its risk appetite.