Monitoring the Change from Administration to Management: Demonstrating This Through the Utilisation of a Statement of Internal Control

Abstract

“As with any reform information should be available about how well the reform is proceeding and what have been the results of the reform. With PFM/IC very often the information about the reform progress is limited to information about the procedural arrangements that have been adopted, that is, the laws and regulations. This tells the observer, who could be a ministry of finance, a parliament, a state auditor or civil society nothing about how effectively the reform has been applied, the level of benefits arising from the reform or indeed the costs. It says nothing about weaknesses which may have emerged or how they have been dealt with. In this chapter a more effective form of reporting is recommended which is called a ‘statement of internal control’. This statement should be prepared by the head of operational management and approved by the political head of the organisation. Examples are given of this statement. Ideally this statement should be published as part of the transparency and accountability arrangements.

The PFM/IC reform is not simply about a reform to existing procedures. The reform is more fundamental than that. It is about moving from a traditional administrative approach to the utilisation of public resources to an entirely new environment, which is the management of public resources. The monitoring of this change should be an important dimension to the reform. A requirement for public organisations to prepare annually a statement demonstrating the recognition of this change and how it has impacted upon the ability of an organisation to achieve its objectives and performance standards and objectives and at the same time ensuring that its resources have been efficiently and effectively utilised and income collected should be an essential component of the reform. This statement, which is called here a statement of internal control (this statement may have different titles in different countries where an equivalent type statement exists), should explain how management has performed during the year. The statement should give the reader a clear understanding of the challenges facing the organisation and how those challenges have been responded to including remarks about what has gone wrong and the actions taken to make corrections. In other words, the statement should be an indicator of the quality of management. The statement should also address risk management. Where it does not do so a separate statement about how risk is being identified and managed also should be published. The publication of such a statement is an important feature in developing accountability and transparency and should be a requirement in the development of PFM/IC. The external auditor (the auditor general or equivalent) should be expected to review this statement and it should be available to the parliament. However, in many countries neither a statement of internal control nor a statement about risk management are features of public organisation reporting. At the very least the ministry of finance should require that such statements are prepared and the information contained in these statements is available to it. Where individual organisational statements are not published a summary should be published as part of the annual report on the government’s financial statements.

13.1 Reporting on the Quality of Internal Control

13.1.1 Management and the Statement of Internal Control

In the current climate of fiscal restraint and declining availability of resources, it is important that central government bodies can demonstrate the resources that they are responsible for are appropriately managed and controlled. High quality and proportionate internal control systems will help organisations achieve their aims. A useful method of demonstrating how well an organisation is performing would be a requirement on the operational management to prepare a ‘Statement of Internal Control’. The Statement on Internal Control (SIC) should be a public accountability document that describes the effectiveness of internal controls in an organisation.¹

As has been explained throughout this guide, the PFM/IC reform represents a significant reform from a traditional administrative approach with an emphasis upon establishing a managerial approach concerned not only with securing financial and budgetary control but also with the achievement of objectives and performance standards and doing so efficiently and effectively. The evidence of this change. The effectiveness of the reform should be demonstrated annually. This would be by the preparation and publication by the top operational management of public organisations (the state secretary or equivalent) of a statement of internal control. This would be an entirely new feature for most countries changing from traditional systems of public administration and for some countries that have already adopted PFM/IC.

The statement of internal control should normally be published along with the annual financial statements or if separate financial statements are not published for each public organisation (e.g., for each ministry), then the statement should be published either separately or it may be published in a consolidated form covering particular types of organisations, such as all ministries. However, as an objective is to achieve greater transparency and accountability, the greater the degree of consolidation the less the level of these characteristics, unless the consolidated statement addresses separately each public organisation. Transparency and accountability are important in generating pressure for improvements and to develop effective parliamentary scrutiny. Ideally statements of internal control should be published in such a manner that makes them also available to the taxpayer, the user of public services, suppliers and others who have dealings with public organisations. Some governments may resist this seeing publication as only necessary to a more limited group of users, namely, the minister of finance, the cabinet of ministers and in some form to the parliament. But this does not create transparency and accountability in the ‘open government’ sense and this limited form of publication should either be discouraged or at best seen as a step towards wider publication as experience and confidence in the PFM/IC reform become established. At the least an aim should be to ensure that parliament has access to the information and if necessary to any statement of the actions to be taken by the ministry of finance and/or the cabinet of ministers to correct weaknesses or to develop new policies to address emerging issues.

Statements of internal control are most effective where a distinction exists between political and civil service (or local government service) management (i.e., between the development of policy and the strategy for implementing that policy and day-to-day operational management). If that distinction does not exist, there is a possibility that what should be an annual assessment of the effectiveness of operational management internal control arrangements of an organisation could become a political criticism, both of policy and of operational management. Where this occurs, the risk then is that the conflation of the two quite separate issues will lead to a focus on policy rather than the quality of the operational management internal control arrangements. This will then cause those with political responsibilities to be cautious about publishing any material that could potentially lead on to political as opposed to operational management criticism. This then is another reason why with the implementation of PFM/IC delegation of operational management should occur.

The statement will be an important source of information about the development of internal control to the ‘driver’ department responsible for the implementation of PFM/IC.

13.1.2 The Responsibilities of the Official Preparing This Statement

The most senior operational manager, that is, state secretary or equivalent, who should also be responsible for the implementation of PFM/IC, should be required to prepare this statement each year. This official should take personal responsibility for the quality of the financial management and internal control systems.² In those countries where there is no such single official with individual heads of departments reporting directly to ministers, such a statement could not be effectively prepared. This is another reason why that arrangement would be inappropriate with the implementation of PFM/IC. The other key official who should be involved in the preparation of this statement should be the head of finance (see Chap. 8). The reason for the involvement of this official is the role that he/she has in ensuring that the organisation is financially well managed, that it has a focus on delivering efficiency and effectiveness and using its resources efficiently and effectively as well as economically. This head should also ensure that the organisation is managed in such a manner as will maintain its financial resilience over time.

In addition to provide confidence in the statement of internal control, the head of internal audit should also be asked to review the content of the statement.

Although the official responsible for the implementation of PFM/IC should have a personal responsibility for preparing this statement and signing it, the content of the statement also should be agreed with and approved by the political head of the organisation, such as a minister or mayor where that political head has an overall responsibility for the quality of the management of the organisation. Where an audit committee exists, it should also be approved by that committee. Approval requires the political head to acknowledge how well the organisation is being managed (or not!) and to understand how emerging problems and weaknesses in the internal control arrangements have been addressed as well as the corrective actions that have been taken. Where significant problems and weakness have been reported in this statement, the day-to-day managerial accountability arrangements should have ensured that the political head of the organisation was well aware of them before the statement of internal control was prepared. The political head should be fully informed about any significant weaknesses and be able to ensure that corrective actions have been taken. Ideally this should occur before external criticism emerges, whether from the ministry of finance or the external auditor.

13.1.3 The Benefits of This Statement

This statement, along with the results of any separate reports required by the ‘driver’ department of the ministry of finance, will help establish how successful the reform is being implemented. It will enable the ‘driver’ department prepare an assessment of what still needs to be achieved which could include training and the development of new systems. New systems could include management accounting and performance information systems.

Ideally, the statement should be a by-product of day-to-day internal control processes. This statement may also include a statement about the risk management arrangements. If it does not include the risk management arrangements, then a separate risk management/appetite statement should be prepared and be available as part of the transparency and accountability arrangements. (See Chap. 11 for a detailed discussion on risk management.)

The effectiveness of internal controls (and bear in mind that they are as much about the achievement of objectives and performance standards efficiently and effectively, as well as about ensuring that rules and regulations governing ‘inputs’ are complied with and that assets and other resources are not misused) should be under constant review. The information about the quality of those controls and the achievement of objectives and performance should flow up and down the management structure of the organisation to allow appropriate management action to be taken.

In preparing the statement of internal control the official responsible will need to rely on information provided by others such as heads of second-level organisations and heads of ministry or local government departments. The information required should largely be derived from the day-to-day implementation of the internal controls, especially identifying what has been shown to be weak or has revealed errors or risks or the reasons for a failure to achieve objectives or deliver specified performance standards or a failure to achieve improved efficiency and effectiveness.

13.1.4 The Issues That Should Be Covered in the Statement

The head of operational management in preparing the statement of internal control should set out his/her responsibilities for the internal control arrangements. The head should explain the purpose and provide a description of the system of internal control, that is, that it is designed to ensure that financial and budgetary controls are effective and that the objectives and performance standards can be delivered efficiently and effectively and to time and that they are being delivered within the relevant legal and regulatory framework. The statement should explain the arrangements for the management of public resources, including a description of how the top and senior operational management provide leadership to ensure that the internal control and risk management policies are embedded in the management processes of the organisation. It should also explain the training provided to staff to embed an appreciation of the internal control arrangements. This should also include how the internal control arrangements have been adapted to meet changing circumstances.

The statement should also include the following:

1. 1.

   An explanation of the responsibilities of the head of operational management for the systematic oversight of the effectiveness of the system of internal control. This should include information about the extent to which the review is informed by the work of internal audit.

2. 2.

   A review of the effectiveness of the internal control arrangements during the year.

3. 3.

   The key elements in the risk management strategy, including how risk is identified, evaluated and controlled, how risk appetite is determined, including the roles of both operational and political management, and how risk management is embedded into management at all levels in the organisation. Any changes in the risk management strategy during the year should be disclosed along with the reasons for change.

4. 4.

   A recognition that the system of internal control cannot eliminate all risk and therefore can only provide a reasonable and not absolute assurance.

5. 5.

   Material changes to the internal control arrangements that may have occurred compared to the previous year should be disclosed.

6. 6.

   A disclosure of weaknesses found to have occurred during the year, not just in the management of expenditure and income, including tax income, but also weaknesses, including those of risk management, which have resulted in the non-achievement of objectives and performance standards efficiently and effectively, to time and within budget. (The starting point for this review of effectiveness should be the evidence as to whether the organisation has achieved its objectives and performance standards.)

7. 7.

   The arrangements for regularly reviewing the system of internal control and how identified weaknesses are being addressed.

8. 8.

   An explanation of the remedies that have been adopted to overcome such weaknesses and to prevent such weaknesses recurring. (In reality, weaknesses will almost inevitably occur no matter how good management is and how resilient systems may appear to be. This is because of changes of circumstances and personal as well as events occurring beyond the control of management.)

9. 9.

   The actions taken or proposed to deal with any ‘significant’ internal control issues. Examples of ‘significant’ internal control issues would include those that:

   • might prejudice or prevent the achievement of the objective(s) and performance standards;

   • could have an impact upon budgetary and financial controls and financial reports to the ministry of finance;

   • would be regarded by internal or external audit as significant;

   • might attract adverse public comment and/or could result in a breach of the law and regulations;

   • indicate departures from established practices including over the arrangements for procurement: the reasons for such departures should be clearly identified;

   • would indicate weaknesses in the arrangements for the collection of revenues, including increasing levels of losses on revenue collection;

   • show any significant lapses in data security such as data losses or breaches of IT security;

   • have identified fraudulent or corrupt activity occurring which affects the organisation, analysed between fraudulent or corrupt activity occurring within the management and staff of the organisation and that effected by third parties upon the organisation.

The disclosure of significant internal control issues should be explicit and should include how the issue arose and the remedial actions taken and planned. Subsequent statements of internal control may also need to include progress in subsequent years in addressing identified problems.

1. 10.

   A commentary on the extent to which responsibility for operational management had been delegated to civil or local government service officials and the corresponding accountability arrangements:

   • A statement about improvements in value for money in the delivery of the services for which the organisation is responsible and in the management of the organisation:

2. 11.

   The extent to which second-level organisations (non-market and market based) have established effective management and internal control structures.

3. 12.

   An explanation of how the first-level organisation manages its relationships with second-level organisations (i.e., both non-market and market based) and ensures that the objectives, policies and activities are consistent with those determined by the first-level organisation. This would include for market based, whether they have achieved the expected financial returns and any other key factors such as the impact of their activities upon the private sector marketplace.

4. 13.

   Any wider public interest issues that have emerged during the year and how they have been dealt with, such as environmental issues including those arising from climate change.

5. 14.

   The main challenges that are likely to face the organisation in the next year, including emerging risks and how the organisation envisages responding to them.

6. 15.

   A commentary on the long-run financial resilience of the organisation.³

The exact content will vary over time with the developing maturity of the internal control arrangements.

The statement could cover the management of the relationships with all controlled second-level organisations, and whether in exercising this supervisory role, any difficulties have emerged during the period. The statement should disclose how they have been dealt with by the controlling organisation.

This represents a potential schedule of the issues that should be covered, but each country will decide what it wishes to see included within the statement and therefore may wish to amend this list.

13.1.5 The Role of Audit and This Statement and the Publicity Which Should Be Given

The head of internal audit should give an opinion on the overall adequacy and effectiveness of the organisation’s internal control environment, providing any details of weaknesses. The head should bring to the attention of the official responsible for the implementation of PFM/IC (i.e., the state secretary or equivalent) any issues particularly relevant to the preparation of the statement. In some countries the head of internal audit may also be asked to sign the statement of internal control as well as the head of operational management.

The state external auditor should also review the statement of internal control and provide observations on the quality of the internal control arrangements including whether the external auditor agrees with the remarks in the statement of internal control. The external auditor (as well as the internal auditor) should have a concern for improvements in public value through value for money audits and the auditor’s ability to undertake such audits will be affected by the quality of the financial and performance information available to management and hence to the auditor.

13.1.6 Consequential Changes to Facilitate the Development of a Statement of Internal Control

In Chap. 4, reference was made to the need to modify the sanction arrangements which could be applied against civil and local government officials with the introduction of PFM/IC to reflect the change to a managerial culture. Unless such modifications occur, their existence may also cause civil and local government officials to be cautious about identifying weaknesses which may result in criticisms of them and which may, in turn, cause the application of penalties (because of a penalty culture which may exist). The implementation of PFM/IC which has a focus on the delivery of objectives efficiently and effectively should also cause, as indicated in Chap. 4 (Test 8), a review of that penalty culture. This is because the risk of penalty may prevent the disclosure of information about failings in the internal control system. Yet disclosure of failings is central to improving the quality of public financial management and internal control. A process which discourages disclosure ultimately is not in the interests of top and senior management or in the interests of the ministry of finance.

Quite separately the budget law in some countries may contain penalty arrangements which would fall upon any official who breaches the conditions set out in the budget law.⁴ Such conditions may also require modification on the change from an administrative to a management culture.

13.1.7 Signs of Weaknesses in the Internal Control Arrangements

Indicators of evidence of weaknesses in internal controls are:

1. 1.

   Failure to achieve objectives and performance standards and objectives (e.g., to keep error and fraud in the tax collection system to, say, no more than 5%).

2. 2.

   Poor quality of managerial supervision of staff evidenced by:

   • Managers not effectively supervising the work and outputs of the staff they are responsible for?

   • No training in leadership, organisation management and particularly in staff management has been provided.

   • Delegation may exist but the delegation arrangements are unclear about what is expected of the staff and the limits of any discretion.

   • In practice staff are left to effectively ‘manage themselves’. The accountability arrangements are weak with superior managers not effectively supervising staff, not being concerned with outputs and not ensuring staff act in conformity with the delegation arrangements including any limitations on the exercise of discretion.

3. 3.

   Staff management policies (HR policies) are inappropriate to the business of the organisation:

   Is there evidence that the organisation’s HR policies and practices are consistent with the organisation’s ethical values and facilitate the achievement of its objectives including the management’s ability to manage their staff effectively? Do those HR policies recognise that to achieve objectives managers will need to take decisions and this involves risk? Do those policies facilitate risk taking (and this may link up with the existence and application of the penalty policies referred to above)? Do staff have the necessary training to give them the knowledge, skills and tools to support the achievement of the organisation’s objectives? Is there an effective incentive and reward policy including promotional policy? Does top operational management aim to establish an atmosphere of trust and mutual support within the organisation to encourage the flow of information between members of the staff and in this manner prevent to development of ‘silo’ mentalities and facilitate effective performance towards achieving the organisation’s objectives. Does a culture of honesty and ethical behaviour exist? In some countries HR policies are not the responsibility of the employing organisation and may not reflect the individual needs of particular organisations or are of low priority to top management. This can lead to managers seeking ways to circumvent externally imposed controls or a failure of the coordination of policies and activities within the organisation.

4. 4.

   The types of control that exist are inappropriate or do not cover the business of the organisation:

   Looking at ‘control’ from the limited perspective of financial and budgetary control there are two types of control, preventative and detective. Preventive controls are designed to deter or prevent undesirable events from occurring. Detective controls are designed to detect undesirable acts. The latter provide evidence that a loss has occurred but do not prevent a loss from occurring. A good internal control system not only has detective controls, but also has preventative controls. If both types of control do not exist, this is a signal of internal control weakness. However, with PFM/IC other controls should exist designed to ensure that intended performance is achieved. Do such controls exist and if not, why not?

5. 5.

   The objectives and/or performance targets set for managers are unrealistic or not compatible with budgetary and other resource availability:

   A temptation can exist for top managers to set unrealistic targets for managers to achieve, targets which are not compatible with available resources. This situation can arise where top managers themselves feel under pressure, perhaps because of political pressure or reasons external to the organisation (such as civil society pressure). The consequential risk then is that individual managers will seek to avoid the rules or take short-cuts in order to meet those targets, for example, to avoid competitive tendering because it takes time or to ignore health and safety requirements or to reduce the quality of services. Opportunities should exist for managers to express their concerns where they regard targets as unrealistic.

6. 6.

   Risk management is not taken seriously by both top operational and political management:

   Is risk management a serious or token responsibility of top operational management? What are the arrangements to involve the political level of management in the risk management process? Have measurable objectives been defined and linked with budgetary availability? Have the significant or strategic internal and external risks to the achievement of the organisation’s objectives been identified and assessed? Is there a focus of top management on those significant or strategic risks? There can be a real possibility that the importance of risk management is not well appreciated by top and senior management, and where this is the situation, this in turn affects confidence in the ability of the management to achieve its objectives efficiently and effectively.

7. 7.

   Reports and supporting documentation and other significant documents are missing:

   Reports and original documents provide ‘hard’ evidence of business transactions and especially of sensitive decisions. They also provide the evidence that both the internal financial reports are reliable and the external financial reports. Missing reports and original documentation should raise uncertainty about the quality of the internal controls. This is a weakness that managers and staff would be able to take advantage of, particularly those that are under pressure to perform.

8. 8.

   The arrangements for the separation of duties are inadequate:

   Not only is this relevant for the purposes of financial control but where performance and budgetary information is linked and managers are expected to achieve performance targets within specific budgetary limitations the manager should have no opportunity to determine or control that performance information. In other words, it should be independently derived. Unless this is the situation confidence in that performance information can only be limited and therefore managerial claims of meeting performance objectives within budgets can also only be of limited value.

9. 9.

   The finance department capability to support managers in the search for efficiency is inadequate:

   Has the head of finance a programme to improve the financial awareness of managers and staff? Has the head of finance ensured that each manager has the budgetary and financial and cost accounting information that individual managers require? Has the head of finance the authority and status to assess and challenge managerial claims for improvements in efficiency? Does this in fact occur?

10. 10.

    Written procedures to explain how the different processes and activities of the organisation are to be undertaken and their current relevance:

    Do such procedures exist and are such procedures regularly reviewed by managers to reflect changing circumstances? Without current written procedures, employees may not be aware of the proper processes and this may lead to errors in decision making and recording.

11. 11.

    Customer complaints procedures and the recording of such complaints:

    Does a ‘customer complaints’ procedure exist? Is there a process for reviewing customer complaints? Levels of complaint should provide evidence of compliance with standards of performance as well as evidence of the quality and relevance of the service and activities being provided. If a high number of complaints is made or in some circumstances an increase in complaints occurs, this would be an indicator of weak internal controls.

12. 12.

    Arrangements for the systematic review of controls:

    Is there a process which allows for a regular and systematic review of internal controls? Operational changes, procurement requirements, personnel changes, environmental changes, changes in financial constraints, changes in systems, changes in security requirements, especially for IT systems, all impact on internal controls or how those internal controls should be applied. Have such reviews occurred?

13. 13.

    Managerial ‘override’ of controls:

    Is there any evidence of managerial ‘override’ of controls? Management is responsible for the design, implementation and maintenance of the internal controls and therefore could override these controls should it so wish. This is an especial risk in those organisations where lower level staff have difficulty in challenging a superior manager (e.g., as instanced above over unrealistic targets). This may lead on to fraudulent activity in one form or another. Examples would include the misappropriation of assets as well as financial resources or the favouring of certain suppliers or the entry into types of contracts which potentially could increase the fiscal risks to the organisation, such as public/private partnerships. An important factor in discouraging this type of action is the quality of the ‘tone at the top’. Therefore, in any review to determine whether weaknesses exist in the internal control system regard should be had to the approach of the top management, both political and operational, of the organisation.

14. 14.

    ‘Whistle blowing arrangements’:

    Does a ‘whistle blowing’ process exists which allows staff to expose inappropriate behaviours or actions? There are both advantages and disadvantages to the existence of such a policy which can be implemented in different ways. Sometime the ‘whistle blower’ can remain anonymous and sometimes not. Where such a policy exists, it can be a useful method of exposing weaknesses in the internal control systems sometimes resulting in fraud or the misuse of a public organisation’s resources.

15. 15.

    Effectiveness of internal audit:

    Internal audit should be “an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” (IIA)

Is this the actual situation?

In assessing the effectiveness of internal audit, a series of questions for consideration has been suggested by a commentator who was a chief risk officer at major global corporations.⁵ Such questions should be asked annually and they include:

• Do you believe internal audit has provided you with the assurance you need, in a useful way, when you need it, on what matters?

• Do you have the assurance you need that management has effective and efficient processes and systems to manage the more significant risks to the success of the organisation and the achievement of its goals and strategies?

• Has internal audit been sufficiently responsive to changes in risk, ensuring it remains relevant and on point?

• Has internal audit been an effective agent for change, improving business efficiency and effectiveness?

• Are you satisfied that the cost of internal audit is less than the value of the assurance and consulting services it provides?

• Are there activities that internal audit should stop performing? Have there been activities you would have preferred not to pay for?

• How can internal audit improve its services to the audit committee, management and the organisation as a whole?

13.1.8 Examples of Statements of Internal Control

Examples of statements of internal control are included at Annex 1. They are from the UK and Croatia. They illustrate different approaches to the development of statements of internal control (which in Croatia is entitled ‘Financial Responsibility Statement’ and is accompanied by a detailed questionnaire to be completed by all public organisations). In Croatia, first-level budget users (ministries, counties, cities, municipalities) must submit a ‘Fiscal Responsibility Statement’ to the department in the ministry of finance responsible for the oversight of the implementation of PFM/IC. Second-level bodies must prepare and submit a ‘Fiscal Responsibility Statement’ to their supervising or controlling ministry or if subordinate to a local government, to the supervising or controlling city or municipality.

These examples reflect the different political, managerial and financial management arrangements which exist in these two countries. However, the Croatia model reflects the careful thought that the ministry of finance in that country has put into the development of PFM/IC making it a leader amongst its peer countries.

In the UK each public organisation publishes its own financial statements and the statement of internal control forms part of that publication package. A managerial culture exists and there is a clear separation of operational management by civil servants and local government officials from the political level of management responsible for policy and strategy.

Countries with a less developed managerial approach may feel that the Croatia model, where there is not the same managerial history as in the UK, may be a more appropriate model for them to follow. However, that model is not entirely consistent with the approach to PFM/IC set out in this guide. The Croatia approach focuses heavily upon the implementation of the procedures (i.e., bureaucracy) involved in adhering to the five COSO standards (see Chap. 11). The approach adopted in this guide is to focus much more heavily on the impact upon management of the introduction of PFM/IC. (The effectiveness of procedures anyway depends almost entirely upon the quality of the management responsible for the implementation of those procedures.)

The UK approach emphasises two aspects of control. First, that a manager needs to be able to assure the ministry of finance that budgetary control is being observed in terms which meet the requirements of the ministry of finance. Secondly, the manager is also required to deliver efficiency and effectiveness and to explain how this is being done.

Therefore, if the Croatia model is to be adopted, countries doing so should consider expanding the content of the ‘Financial Responsibility Statement’ to cover the matters indicated above. For example, a particular reference should be made to whether objectives, performance standards and performance objectives, (i.e. the outputs), have been achieved and therefore whether the internal controls that should be designed to secure their achievement are effective. If the outputs have not been achieved, the reasons should be explained by developing the statement, including reference to any weaknesses in the control arrangements and/or managerial capabilities. Reference should also be made to the organisation’s ability to achieve improvements in efficiency and effectiveness in its operational activities (not just in the control arrangements). Therefore the ‘Financial Responsibility Statement’ should seek information about the steps being taken to improve efficiency and effectiveness. Secondly, the content of the statement also needs to focus upon the quality of the management arrangements and the achievement of the outputs of the organisation as well as on how improvements in efficiency and effectiveness are being achieved. This would mean identifying:

• The extent to which reform of the traditional administrative approach to the delivery of public services has occurred and therefore how a managerial approach to delivery is being or has been developed.

• The extent to which delegation of operational and administrative decision making from the political level of management to the civil and local government level of management exists and if it does not, what are the problems preventing this occurring (which could include, for example, quality of staffing, need for further training, lack of managerial information but may also be a consequence of other deeper factors such as lack of trust between political and appointed officials which can be very hard to identify and to counter).

• The role of the head of civil service operational management (i.e., the state secretary or equivalent) in the development and oversight of the implementation of PFM/IC within each public organisation.

• Whether an effective managerial structure exists focussed upon the delivery of objectives.

• Whether the finance/economics department has a capacity to apply wider financial management skills such as cost analyses to facilitate assessments of efficiency and effectiveness and provide long-run financial forecasting so that managers making decisions are aware of the long-run financial impacts of those decisions and that they also can take into account possible changes in operational, legal, demographic and environmental circumstances.

• Whether there has been a development of the financial information analytical capacity of the organisation (i.e., the introduction of more elaborate coding structures) so that managers have available to them financial information analysed in any form that a manager needs (and this may require a willingness on the part of the budget department and the treasury in the ministry of finance to accept the necessity for developments to the budgeting and financial accounting arrangements and also to the budgetary control arrangements to give operational managers more scope to make decisions).

• How far performance information has been developed to allow managers to link financial and operational performance and also with budgets.

• Whether managers have clear objectives, performance standards and operational targets they are to meet.

• The extent to which accountability arrangements exist and the effectiveness of those arrangements.

• The extent to which there is transparency to the service user and civil society more broadly and to parliament.

However, what is also important to note about Croatia, which is an important message to countries following the Croatia model, is that the department responsible for the oversight of the implementation of PFM/IC should be regularly reviewing and developing its approach. This demonstrates as a model how important it is to regard PFM/IC as an evolutionary process. Politicians as well as managers and auditors should encourage this.

13.2 Summary

For most developing and transition economy countries a requirement to prepare a statement of internal control (or an equivalent statement) would be a totally new requirement. That such a statement should be published as part of the development of the transparency and accountability arrangements would be a further requirement. However, as the introduction of PFM/IC requires a significant managerial reform, the statement of internal control should focus upon the development of the managerial arrangements including the arrangement for delegation and accountability. Accountability, as has been pointed out previously, is not simply internal accountability but also external. External accountability is to several different parties. There is accountability to the ministry of finance about how public money has been used and whether the objectives for which it was allocated have been achieved. There is accountability to parliament and also to the user of public services, to the taxpayer and to other interested parties.

The statement of internal control represents a formal mechanism for establishing transparency and external accountability about the use of public money, the delivery of objectives and performance standards and the actions that have been taken where weaknesses have occurred. It should include information about controlled second-level organisations.

The person responsible for preparing this statement should be the official responsible for the implementation of PFM/IC within an organisation. In a ministry that would be the state secretary or equivalent. The statement should show how the implementation of PFM/IC has improved the utilisation of public resources. The statement should not simply be directed at the effectiveness of financial and budgetary controls but should explain, if this is the situation, why objectives and performance standards have not been achieved. It should also include information to demonstrate actual improvements in efficiency and effectiveness. An important feature of the statement should be a discussion on the arrangements for risk management and how risks are managed. If it does not do that a separate statement on risk management should be published.

For this statement to be a successful element in the development of PFM/IC it must contain full and frank disclosures. Such an approach should not be discouraged or even prevented by a sanctions system upon officials which imposes penalties and other forms of discipline if objectives or other elements of public administration are not achieved. The overall aim is to improve the quality of management and as management involves making judgements and taking risks inevitably different views may exist and some decisions will produce the anticipated results and others not.

Other officials who should be involved in the preparation of this statement should include the head of finance and the head of internal audit. The statement should be subject to review by the external auditor, the auditor general.

The statement should be prepared annually and published along with the financial statements of the organisation. Where only consolidated financial statements are published either the statement of internal control should be published separately or in a consolidated form but identifying the key issues that the statements have revealed.

Annex: Example Statements of Internal Control

13.1.1 Example 1: United Kingdom

13.1.1.1 A Central Government Ministry

The first UK example is taken from the Education Ministry. In the UK a ministry is called a ‘department’ and is headed by a ‘permanent secretary’ who is also titled the ‘accounting officer’. This official is a civil servant and is responsible for the quality of operational management implementing policies set by the politically appointed ministers. Accounting is on an accrual basis but the basis of the accounting is irrelevant for the purposes of drawing up the statement of internal control. Although the permanent secretary is responsible, a board is appointed which provides advice to that official. The board provides leadership for the department’s business, helping it to operate in a business-like manner. The board should operate collectively, concentrating on advising on strategic and operational issues affecting the department’s performance as well as scrutinising and challenging departmental policies and performance, with a view to the long-term health and success of the department.

Advice on the content of the statement of internal control is provided by the Ministry of Finance. The title of the Ministry of Finance in the UK is His Majesty’s Treasury or HM Treasury.

For the financial year 2011–2012 and onwards, the annual Statement on Internal Control has been replaced by a requirement for departments, their executive agencies and arm’s-length bodies to produce a Governance Statement in their annual report and accounts. By uniting disclosures formerly required to be made in the Statement on Internal Control with other existing requirements to publish a comprehensive explanation of organisational governance, the Governance Statement brings together in one place all disclosures about matters relating to an organisation’s governance, risk and control.

However, for the purpose of these examples the more focussed statement of internal control has been used. This explains why examples are drawn from earlier years.

Department for Education and Skills Resource Accounts 2006–2007

Statement of Accounting Officer’s Responsibilities

Under Section 5 of the Government Resources and Accounts Act 2000, the HM Treasury has directed the Department for Education and Skills to prepare, for each financial year, Resource Accounts detailing the resources acquired, held or disposed of during the year and the use of resources by the Department during the year. The accounts are prepared on an accruals basis and must give a true and fair view of the state of affairs of the Department, and of its net resource outturn, resources applied to the objectives, recognised gains and losses and cash flows for the financial year.

In preparing the accounts the Accounting Officer is required to comply with the requirements of the Government Financial Reporting Manual and in particular to:

• observe the Accounts Direction issued by HM Treasury, relevant accounting and disclosure requirements and apply suitable accounting policies on a consistent basis;

• make judgements and estimates on a reasonable basis;

• state whether applicable accounting standards, as set out in the Government Financial Reporting Manual, have been followed, and disclose and explain any material departures in the accounts; and

• prepare the accounts on an ongoing basis.

HM Treasury has appointed the Permanent Head of the Department as Accounting Officer of the Department. The responsibilities of an Accounting Officer include responsibility for the propriety and regularity of the public finances for which an Accounting Officer is answerable, for keeping proper records and safeguarding the Department’s assets, are set out in the Accounting Officers’ Memorandum issued by HM Treasury and published in Government Accounting.

Statement on Internal Control

Scope of Responsibility

As Accounting Officer, I have personal responsibility for maintaining a sound system of internal control that supports the achievement of Departmental policies, aims and objectives, set by the Department’s Ministers, whilst safeguarding the public funds and Departmental assets, in accordance with the responsibilities assigned to me in Government Accounting. Within the Department I require each Director General, and the heads of certain other units which report directly to me, to sign an annual statement covering risk management and the operation of related controls in their areas of responsibility, to supplement the regular reporting to the Board on their stewardship of risks. Similarly, the Chief Executives of the Non-Departmental Public Bodies (NDPBs), which are part of the Departmental Group, are responsible for the maintenance and operation of the system of internal control in their individual NDPBs⁶ and have signed a statement relating to those systems which are reproduced in the accounts of each body.

The statements from directorates and NDPBs have been scrutinised and further information sought when necessary. Internal audit has examined the internal control systems and reported upon their effectiveness and the Audit and Risk Committee (ARAC) has made an independent assessment of the contents of the Statement and are satisfied that it is consistent with their knowledge of the Department.

The Departmental Board includes two non-executive members and regularly meets to discuss all strategic policy management issues. This includes providing direction on major policy, delivery and operational issues, reviewing performance and ensuring that the Department is working economically, efficiently and effectively.

The Purpose of the System of Internal Control

The system of internal control is designed to manage risk to a reasonable level, rather than to eliminate all risk of failure to achieve policies, aims and objectives. It can therefore only provide a reasonable, rather than an absolute, assurance of effectiveness.

The system of internal control is based on an ongoing process designed to identify and prioritise the risks to the achievement of Departmental policies, aims and objectives; to evaluate the likelihood of those risks being realised and the impact should they be realised; and to manage them efficiently, effectively and economically. The system of internal control has been in place in the Department for the year ended 31 March 2007 and up to the date of approval of the annual report and accounts and accords with HM Treasury guidance.

Capacity and Capability to Manage Risk

The Board recognises the importance of leadership to create an environment where risk management is effective and a Departmental Risk Improvement Manager is in place. Two department-wide reviews of our risk management practice have been conducted to assess the progress made over the year regarding the improvement of the Department’s risk management capacity and capability. These reviews found that we continue to make sound progress regarding the way in which we manage our risk. They also identified several areas of risk management in the Department and its NDPBs which require further improvement.

These issues are now being addressed as part of the actions set out in the Department’s Risk Improvement Plan.

Risk management continues to be embedded into the Department’s finance and programme and project management training which is widely available and achieves high take-up. Guidance on the identification, assessment and active management of risk in the Department is available to all staff. The Department’s Risk Improvement Manager has continued to work with corporate policy colleagues to ensure that risk management is further embedded into the Department’s corporate governance, finance management, business planning and assurance and performance management arrangements and improvement activities.

The Department met the Corporate Governance Code of Good Practice criteria requiring a professional Finance Director to be on the Board by December 2006.

The Risk and Control Framework

The Department’s approach is to assign risks to those best placed to manage them. Therefore, individual managers are responsible to the risk owners (Directors General) for managing risk as they have knowledge of the issues involved and can best manage risk and mitigate the potential impact. All managers are expected to systematically identify, assess and manage risk and document the underlying assumptions. Risk management guiding principles have been developed for NDPB sponsor teams for use with their sponsor bodies.

The risk management process is built into the Department’s business planning and reporting processes. With most of the Department’s expenditure being on specific programmes, the main risk management arrangements focus on the delivery of this work and the risks associated with changing the way public services are delivered. These are managed through a strong programme and project management framework. There is clear accountability and ownership of risk to ensure that risk is managed at the appropriate level and there are frameworks in place to escalate risks to ensure that significant risks are reported to senior management and, if required, the Board.

Improvements have been made over the year as to the way the Department manages its key risks via the Department’s Risk Committee, which is separate from the Board and is chaired by the Director General of Corporate Services. In May 2006 the ARAC conducted a review of the Risk Committee. Sixteen recommendations for improvement were made and all of these have been implemented.

The key risks facing the Department have been identified and agreed by the Risk Committee. The Board regularly reviews these risks and also considers new and emerging threats, ensuring that all are effectively managed. Every quarter I discuss and review key Departmental risks with the Secretary of State [The Secretary of State is the equivalent of a minister].

The Department judged that although it had all the necessary guidance and instructions required for effective control, they were dispersed and there was no effective check that they had been read and understood. A review of corporate governance led to the Board identifying ten key areas of compliance—‘the Basics’—that required particular emphasis. This led in turn to all members of the senior civil service receiving a corporate governance handbook, including a checklist covering these ten key areas. As part of the internal control framework, all members of the senior civil service will reaffirm their personal responsibility for their and their staff’s compliance with the Basics.

To support improvement in the risk and control framework management a proactive approach to fraud awareness, prevention, detection and investigation is taken by the Department. This has been demonstrated by development of a Fraud Risk Assessment Tool (FRAT) which provides guidance to managers on assessing fraud risks and is part of enhanced risk assessment arrangements that have been put in place in year. Its use will be evaluated in 2007–2008 and reviewed by the Fraud Sub-Committee.

During the year the National Audit Office (NAO)⁷ produced a number of reports which reviewed the value for money of operations involving the Department and its delivery agents. No serious issues were identified.

The recommendations in reports by the NAO and the Public Accounts Committee have been carefully considered during the year.

Review of Effectiveness

As Accounting Officer, I also have responsibility for reviewing the effectiveness of the system of internal control. My review is informed by the Directors General within the Department who have responsibility for the development and maintenance of the internal control framework, Internal Audit and comments made by the external auditors in their management letter and other reports. I have been advised by the Board, ARAC, the Risk Committee and the Departmental Risk Improvement Manager.

The Department’s internal auditors undertake a work programme approved by me to review risk management, internal control and governance. The Head of Internal Audit produces periodic reports on Internal Audit’s findings, their assessment of risk management, corporate governance and control standards in the key corporate risks and delivery areas, and areas where action is required to address shortcomings. I meet with the Head of Internal Audit quarterly to discuss her report and consider progress in addressing major concerns. She also prepares an annual report which includes her professional opinion on the effectiveness of the overall systems of internal control and risk management within the Department. In addition, this year, Internal Audit have offered advice to Directorates within the Department to ensure issues identified through the audit work programme have been appropriately reflected in the preparation of the Directorates’ annual statements.

For 2006–2007 ARAC supported the Accounting Officer by offering objective advice on issues concerning the control and governance of the Department. ARAC was chaired by a non-executive Board member and its role and composition was in line with the Treasury’s best practice guidance. During the course of the year, ARAC also reviewed its own effectiveness. Again, a number of recommendations for improvement were made and all of these have been implemented.

The Department takes seriously the potential impact that fraud can have on financial control and achievement of objectives, and the Fraud Sub-Committee meets on a regular basis. Their role is to give assurance to ARAC that the risks to the Department’s business from fraud and financial irregularity are being managed and monitored effectively and is another aspect of good governance.

Internal Control

General

From April 2006 the Department became responsible for payment of the Dedicated Schools Grant (DSG).

This involved the processing of additional £26 billion payments compared to previous years. Internal Audit have reviewed the DSG procedures and concluded that good control systems are in place over the payment process. This being the first year of the grant, assurance has been derived from certification of Section 52 Budget Returns by local authority Chief Finance Officers when they set their budget in spring 2006. This provides assurance that the authority has budgeted to deploy the grant in support of the Schools Budget. Assurance on regularity of expenditure will be from the Chief Finance Officer certification of the Section 52 Outturn Statements around November 2007. This is in line with DSG operational guidance and with the assurance framework outlined in the Accounting Officer’s letters of February 2006 to the Comptroller and Auditor General and March 2006 to Local Authority Chief Finance Officers.

2006–2007 has seen the second phase of Local Area Agreements. The pooling of budgets across Government departments brings with it questions of how to ensure regularity, and this year’s control regime rests heavily on the Department for Communities and Local Government’s Accounting Officer with whom I have agreed a Memorandum of Understanding. I am satisfied that the arrangements provide a reasonable level of assurance.

The efficiency programme has now delivered £2.46 billion, some 56% of our overall target and despite significant movement in a number of profiles we have maintained a contingency position of over £800 million through over attainment in the Technology Programme. We have also significantly reduced the risk associated with what were our two highest risk initiatives through substantial downwards re-profiling.

Issues

Our internal control regime has highlighted several policy areas where we have traditionally made direct grant awards to an organisation but where we now need to introduce an element of competition into the funding process. Transitional arrangements to review new grant proposals for 2007–2008 have been agreed and reviewed by Internal Audit. The review confirms that action has been taken in accordance with the transitional arrangements agreed by the Accounting Officer. Further work is to be undertaken in 2007–2008 which will both enhance value for money and further mitigate potential risks of the payments being regarded as state aid.

There have been some significant under-spends in 2006–2007. Some major capital programmes, notably Building Schools for the Future, have experienced slippage. The budget reporting regime did not always identify under-spends sufficiently early for them to be deployed elsewhere to the Department’s maximum benefit. The Department is strengthening its management accounting function to improve the scope and ability for redeploying resources.

Internal Audit and National Audit Office work identified some problems remained in the procurement and management of consultants by some users within the Department. We have continued to tighten the control regime and management information as part of our ongoing activity to improve further in this area.

There has been ongoing work by the Student Loans Company and the Department’s Special Investigation Unit investigating Student Loan frauds. A Fraud project was set up in 2006–2007 to ascertain the fraud risks and to recommend and implement suitable treatments for these risks. A fraud risk exercise was commissioned and the initial estimate is that the fraud rate is around 0.6% of applications. Improvements have been made to fraud detection and prevention procedures throughout the student finance process to mitigate this risk.

Two other NDPBs have also notified us of frauds that could represent a reputational risk to their sectors. Both Accounting Officers have assured us that these do not represent a material threat to the operational effectiveness of the NDPBs and we are satisfied that appropriate remedial action is in train in both cases.

There have been some examples of NDPBs operating outside their delegated authority. None have been major in their own right, but they highlight the critical relationship between the Department and its key delivery partners, particularly its NDPBs. The actions within the Capability Review Implementation Plan will further strengthen these relationships. The monthly meetings between the Departmental Board and senior officials from our NDPBs and the various resulting working groups of functional leads from the DfES Group (including Finance Directors) will further strengthen the ongoing dialogue and foster a better shared understanding of areas of common concern.

Whilst recognising the above issues, good progress has been made in resolving them and there are plans in place to further enhance financial control systems and improve practice. As Accounting Officer, I am satisfied the above issues do not represent a material threat to operational effectiveness and that the Department and its NDPBs comply with the Treasury requirements on risk management, internal control and governance.

Signed by:

Accounting Officer/Permanent Secretary

13.1.1.2 A Local Government

The second example is drawn from local government which is subject to a different set of detailed rules, although the principles are the same, as for central government. A local authority in the UK is managed by an elected council with the controlling political majority appointing a ‘leader’ who is in effect the top political official of the local authority. The mayor or, for some types of local authority, the chairperson generally has largely ceremonial responsibilities but also acts as the chairperson at formal meetings of the local authority. Operational management is undertaken by appointed officials (chief officers) working under the overall leadership of a chief executive but reporting formally to the relevant committees and ultimately to the council. A recent reform though has introduced the idea of ‘executive mayors’ who take over the role of leader with the chief officers reporting directly to that person or designated politically appointed deputies.

London Borough of Bromley

Statement on the System of Internal Control

Statement on Internal Control 2006/2007

This statement is provided for the use of Bromley Council in support of its Statement on Internal Control (required under Regulation 4(2) of the Accounts and Audit Regulations 2003, as amended during 2006).

Scope of Responsibility

Bromley is responsible for ensuring its business is conducted in accordance with the law and proper standards and that public money is safeguarded and properly accounted for and used economically, efficiently and effectively. Bromley also has a duty under the Local Government Act 1999 to make arrangements to secure continuous improvement in the way in which functions are exercised, having regard to a combination of economy, efficiency and effectiveness.

In discharging this overall responsibility, Bromley is also responsible for ensuring that there is a sound system of internal control which facilitates the effective exercise of Bromley’s functions and which includes arrangements for the management of risk.

The Purpose of the System of Internal Control

The system of internal control is designed to manage rather than to eliminate risk of failure to achieve policies, aims and objectives; it can therefore only provide reasonable and not absolute assurance of effectiveness. The system of internal control is based on an ongoing process which is designed to identify and prioritise the risks to the achievement of Bromley’s policies, aims and objectives. It also evaluates the likelihood of those risks being realised and the impact should they be realised as well as managing them efficiently, effectively and economically.

The system of internal control has been in place at Bromley for the year ended 31 March 2007 and up to the date of approval of the annual report and accounts.

The Internal Control Environment

The internal control environment encompasses all the organisation’s policies, procedures and operations in place. At Bromley the system of control is based on a framework of regular management information, financial regulations, administrative procedures (including segregation of duties), management supervision and a system of delegation and accountability.

Corporate Framework

Bromley’s plans outline how we will deliver our services and include specific targets that allow us to measure our level of success. Some plans are produced in partnership with other agencies, which help us to focus our resources. The planning framework is arranged under portfolio headings. We operate with a Leader and an Executive. The Council maintains the policy and budgetary framework and appoints the Executive. In 2006/2007 this contained the Leader and eight Executive members.

Seven majority members of the Executive were responsible for their portfolios. Each portfolio holder annually outlines their aims over the coming three years, what they will be doing towards achieving their goals and their performance targets.

Formulation of Policies and Decision Making

Policy and decision making are managed and controlled within a strong well-established framework. The Council’s written constitution sets out in detail how the council operates, how decisions are made and the procedures to be followed to ensure efficiency, transparency and accountability. Political and management control is exercised through the Executive who work to defined and established processes.

Compliance with Policies, Laws and Regulations

Compliance with policies, laws and regulations is dealt with through a range of written rules and procedures which are regularly reviewed and updated. These include the Constitution, Financial Regulations, Codes of Conduct and the Anti-Fraud and Corruption Strategy.

Performance Management

Performance management at Bromley is considered through a range of review arrangements including external inspection bodies, external/internal audit reviews and the detailed reporting of national and local performance indicators.

Financial Management

The financial management of the Authority is organised through a wide range of well-established processes and procedures which delivers strong financial control arrangements. Bromley has in place a strategic budget planning process which includes detailed written procedures and which is supported by comprehensive Financial Regulations and procedures. Members and Chief Officers receive and consider detailed financial information on a regular basis and this facilitates the political decision making process.

Review of Effectiveness

Bromley has responsibility for conducting, at least annually, a review of the effectiveness of the system of internal control. The review of the effectiveness of the system of internal control is informed by:

• The work of internal auditors;

• Comments made by the external auditors;

• Senior managers within the authority with responsibility for the internal control environment;

• The work of the Risk Management Group;

• Other review agencies and inspectorates.

The Audit Sub-Committee

The Audit Sub-Committee has the responsibility for developing and keeping under review all aspects of the Council’s arrangements for audit and probity specifically including

• Financial regulations;

• Fraud prevention;

• Internal and external audit.

Internal audit reports all significant weaknesses to management and Members in the form of prioritised recommendations. All such recommendations are followed up for implementation or appropriate management action.

Internal Audit

Internal audit is an independent appraisal function that acts as a control that measures, evaluates and reports upon the effectiveness of internal controls, financial and others, as a contribution to the efficient use of resources within the Authority.

Internal audit’s service aims are to:

• Independently review and appraise systems of control throughout the Authority and its activities;

• Ascertain the extent of compliance with procedures, policies, regulations and legislation;

• Provide reassurance to management and Members that their agreed policies are being carried out effectively;

• Facilitate good practice in managing risks;

• Recommend improvements in control, performance and productivity in achieving corporate objectives;

• Work in partnership with the external auditors;

• Identify fraud as a consequence of its reviews and to deter crime.

Strategic and Annual Audit Plans are used to map out the cyclical coverage of fundamental financial systems and other audits. These plans are based on the identification of the Council’s systems and activities to be audited, each assessed for risk. Work relating to prevention and detection of fraud and corruption is integrated into this audit planning process. Internal Audit operates to defined standards as set out in the Chartered Institute of Public Finance (CIPFA) Code of Practice for Internal Audit in Local Government. The effectiveness of the system of Internal Audit is measured by compliance with this code.

Internal Audit provides an independent opinion on the adequacy and effectiveness of the system of internal financial control. Each audit is reported to the appropriate level of management together with agreed action plans where appropriate. The supporting summaries of audit reports help inform the overall assessment of internal financial controls. The Chief Internal Auditor is empowered to report any matter of concern directly and independently, to the Chief Executive, the Chairman of Audit Sub-Committee or the Leader of the Council, if necessary.

External Audit

Last year the external auditors in their assessment of Bromley’s use of resources scored the Council 3 out of 4 for each of the five aspects that go to make up the overall judgement detailed below:

• Element of the audit Latest score

• Financial reporting 3 out of 4

• Financial Management 3 out of 4

• Financial Standing 3 out of 4

• Internal Control 3 out of 4

• Value for Money 3 out of 4

• 3 = consistently above minimum requirements—performing well

External Inspections

There have been no Audit Commission inspections published during 2006/2007 although their overall judgement, under the 2006 Comprehensive Performance Assessment, is that the Council has robust internal control and governance arrangements.

During the last year the Council has received the following assessments from other inspectorates:

Commission for Social Care Inspection—Adult Social Care Services

Rated as two stars out of three and ‘serving most adults well with promising capacity to improve’.

The Benefit Fraud Inspectorate—Comprehensive Performance Assessment of the Benefits Service

Rated as Good (level 3), with the Council meeting 5 of the 12 performance measures where the Department had set a Standard and 52 of the 65 enablers.

Action plans to address the issues identified within these services are in place or under development.

Ethical Governance Audit

This audit was carried out by external audit and the results have been reported to the Standards Committee.

Significant Internal Control Issues

In 2006/2007 a number of control issues have been identified as a result of the Internal Audit work undertaken in the year. Improvement points and action plans have been agreed for all these areas and scrutiny will be maintained to ensure that all priority control weaknesses are fully addressed by management.

In addition, as part of the assessment of controls each Chief Officer has signed a statement giving assurance on the level of controls with areas of improvement. This process was based on an assessment of key controls within Departments.

Although no new significant control weakness has been identified for 2006/2007, the issues in previous years remain as those which will require ongoing monitoring, namely:

1. 1)

   Embedding a risk management process throughout the Council

2. 2)

   Full implementation of the procurement strategy

3. 3)

   Greater and consistent use of sound programme and project management disciplines for large-scale projects

4. 4)

   Business continuity plans

Although continuing progress has been made on all of the above, further work remains before these control issues can be reported as fully implemented. Arrangements for managing significant business risks need further work. Specifically, a detailed review of partnership/contractual risks needs to be completed and management training made available to all elected members targeted to relevant members initially. The procurement strategy is being implemented. Project and Programme management are still areas for further development; however, the approved standards are being implemented across the Council. There is an approved continuity plan in place as required by civil contingencies legislation, and work continues on developing service continuity plans.

Signed by:

Chief Executive (the top appointed official, and by the Leader of the Council (the top political official) [equivalent to an executive mayor in some countries]

13.1.2 Example 2: Croatia

A Central Government Ministry—Fiscal Responsibility Statement

In Croatia the requirement is that all public organisations are to prepare annually a Fiscal Responsibility Statement (FRS) which is designed to certify that:

• public funds have been spent for the purposes intended and that the spending has conformed with legal requirements and with the approved budget;

• the financial management and control system has operated efficiently and effectively.

The FRS is supported by a fiscal responsibility questionnaire and by an internal audit opinion on the system of financial management and internal control based on the internal audits performed in the previous year. These documents are to be sent to the department of the State Treasury [the Ministry of Finance] responsible for the implementation of PFM/IC.

In the period from 2011 to 2015, the arrangements for reporting on the implementation of financial management and internal control occurred in the following manner:

• All budget users (first, second and third level) have been obliged to prepare a Fiscal Responsibility Statement (FRS) responding to a questionnaire prepared by the State Treasury (the Ministry of Finance). Through this statement budget users have reported on the internal control arrangements in the budget cycle processes, that is, on budget planning, execution, accounting, public procurement and financial reporting.

• The reporting arrangements are that first-level budget organisations (line ministries, counties, cities, municipalities) were required to submit their FRS to the PFM/IC department of the State Treasury. Second-level budget organisations had to submit their FRS to their controlling or supervisory first-level budget organisation (e.g., schools had to submit their FRS to the appropriate county, universities had to submit theirs to the Ministry of Education and Science). The State Treasury PFM/IC department did not collect FRS’s from second- and third-level budget organisations. The PFM/IC department analysed only the FRS of the first-level budget organisations.

• In addition the first-level budget organisations and the larger second-level organisations were also required to report additionally on the implementation of the five COSO components—control environment, risk management, control activities, information and communication and monitoring.

Under the control environment component, heads of organisations reported on ethics and integrity; the way in which management operates (how regular top management meetings are being held, involvement of the second-level budget user heads in the top management meetings about their budgets and other factors); the level of development of a planned approach to the operations (definition of strategic objectives, programme objectives, the objectives contained in the organisational units’ annual plans, including linkages between these objectives); delegation of authorities and responsibilities for the objectives/programmes/activities and budget resources; alignment between the reporting lines (on programme/project implementation and the associated budget resources); cooperation between budget holders within the organisation.

Under the risk management component, heads of organisations reported on the appointment of persons responsible for risk management coordination; the identification of risks versus the objectives; assessment of risk likelihood and impact; documenting risk data (risk registers):

• risk reporting;

• the extent to which budget holders are informed of risks.

Under the control activities component, heads of organisations reported on:

• the existence of internal rules (ordinances, instructions, guidelines) covering the budget cycle processes, strategic planning, financial plan production and execution, business event and transaction records, procurement and contracting, asset management, own revenue collection, recovery of improperly spent or wrongly paid budget amounts; manner in which the segregation of duties principle provided for in the Budget Act is applied; how ex-post controls of the utilisation of budget resources are to be undertaken;

• information on how the control activities within the budget user are organised.

Under the information and communication component, heads of organisations reported on:

• the achievement of objectives, programmes, projects; arrangements for financial plan monitoring and analysis; the level of development of the accounting systems (monitoring cost/revenue by programmes, projects, activities, organisational units);

• the existence of the records of contracted commitments;

• internal reports for the financial reporting purposes;

• computerisation of the systems and the integration of IT systems;

• the documentation of the business processes;

• IT connectivity with the budget users in their structure.

Under the monitoring and assessment component, heads of organisations reported on:

• monitoring the functioning of the financial management and control system;

• how the head of the organisation ensures that internal regulations (ordinances, instructions, guidelines) are being implemented in practice and updated;

• the implementation of external and internal audit recommendations;

• the existence of reporting system within the first-level budget user which demonstrates how the financial management and control system is applied by budget holders within the organisation.

Where weaknesses and irregularities are identified, a weaknesses and irregularities removal plan is required to be completed which covers the following:

• A description of the weaknesses and irregularities with an analysis of the causes;

• A weaknesses and irregularities removal action plan with a list of the actions to be taken and by when;

• The person responsible for taking action.

Comment:

In 2015, Croatia adopted a new Public Internal Control (PIC) Law. This introduced a single form of reporting on financial management and internal control which was through a developed Fiscal Responsibility Statement (FRS). To facilitate this the questionnaire was expanded and the likelihood is that this questionnaire will be further developed in the future.

Budget user managers are expected to utilise the FRS as a ‘self assessment’ management tool. The department responsible for PFM/IC in analysing the FRSs takes into account the State Auditor reports and internal audit reports. This department prepares an annual report on public internal control.

All of this activity involves extensive work but it enables the PFM/IC department of the State Treasury to establish what has to be improved in the PFM/IC methodology, where training should be directed, whether there is a need for additional guidelines and what are the priority areas for further development.

The Financial Responsibility Statement takes the following forms:

Where no weaknesses have been identified:

FISCAL RESPONSIBILITY STATEMENT*

I, (name, surname, title and function), the Head of (name of a local and regional self-government unit/state budget user/state extra-budgetary user/local and regional self-government unit’s budget user/local and regional self-government unit’s extra-budgetary user), on the basis of a completed Fiscal Responsibility Questionnaire covering the areas of planning, execution, public procurement, accounting and reporting, the available information, the internal and external audit work results and my own judgment, hereby verify that:

• funds have been used legally, in an earmarked and purposeful manner;

• the financial management and control system functions efficiently and effectively within the framework of the resources defined by the budget, i.e., the financial plan.

(date and place of issuance)

Head’s signature

(name, surname, title and function)

Where weaknesses have been identified:

FISCAL RESPONSIBILITY STATEMENT*

I, (name, surname, title and function), the Head of (name of a local and regional self-government unit/state budget user/state extra-budgetary user/local and regional self-government unit’s budget user/local and regional self-government unit’s extra-budgetary user), on the basis of a completed Fiscal Responsibility Questionnaire covering the areas of planning, execution, public procurement, accounting and reporting, the available information, the internal and external audit work results and my own judgment, hereby state that I have detected weaknesses and irregularities in the areas of:

(Please indicate the areas and questions from the Fiscal Responsibility Questionnaire with partially affirmative and negative replies provided), which will be removed in compliance with the Weaknesses and Irregularities Removal Plan.

I hereby state that the said weaknesses and irregularities bear no influence on the legal, earmarked and purposeful use of the funds and the efficient and effective functioning of the financial management and control system within the framework of the resources defined by the budget, i.e., the financial plan.

On the basis of the aforesaid, I hereby verify that:

• funds have been used legally, in an earmarked and purposeful manner;

• the financial management and control system functions efficiently and effectively within the framework of the resources defined by the budget, i.e., the financial plan.

(Date and place of issuance)

Head’s signature

(Name, surname, title and function)

Comment:

Croatia regards financial management and internal control as an evolving activity and therefore the form of these documents will change over time. A recent development, for example, has been to increase the emphasis upon risk management.