IDI Internal Control System

[Cover figure: the five COSO components, Control Environment, Risk Assessment, Control Activities, Information & Communication and Monitoring]

IDI Internal Control System, 2014

Contents

Preface
1. Introduction
2. Context and Background
3. Purpose of the Internal Control System
4. Roles and Responsibility
5. Structure of the Internal Control System
6. Review of the Internal Control System
7. Components and Principles of the Internal Control System
   7.1 Component 1: Control Environment
   7.2 Component 2: Risk Assessment
   7.3 Component 3: Control Activities
   7.4 Component 4: Information and Communication
   7.5 Component 5: Monitoring

Preface

The INTOSAI Development Initiative (IDI) is the capacity development body of the International Organisation of Supreme Audit Institutions (INTOSAI). Its operations focus on the regional bodies of INTOSAI and around 200 Supreme Audit Institutions (SAIs) across the world. The IDI strives to follow best practices in pursuit of its objectives through international operations across a wide canvas. This assumes greater significance owing to the small staff complement of less than thirty, operating out of Oslo, Norway and some regional centres.

The IDI is conscious of the challenges to its operations and has over the years established robust internal controls to support them. Risk assessment, monitoring and follow-up have been integral to all its activities. This document is an effort to formalise these controls in a single reference point, so as to enable better monitoring of the IDI's operations during the implementation of its Strategic Plan. This will help the IDI to maintain and improve its standing as a trustworthy partner of SAIs for providing high-quality capacity development support, as brought out in its external evaluation report in

Dated: 30 June 2014
Einar Gørrissen
Director General

1. Introduction

Internal control is broadly defined[1] as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reliability of financial reporting, and compliance with laws and regulations.

2. Context and Background

The IDI is implementing its Strategic Plan. The IDI strategy (Table 1 below), defined in the Strategic Plan, forms the basis of its operations, which are mainly directed towards the international Supreme Audit Institution (SAI) community. The IDI secretariat is based in Oslo, Norway, and also has some staff in the INTOSAI regions. IDI programme events are conducted in different locations around the world in association with different stakeholders such as INTOSAI regions, SAIs and international organisations. As the IDI's operations involve Norwegian and international stakeholders, the Internal Control System is based on the COSO Internal Control Integrated Framework 2013, the INTOSAI GOV Guidelines for Internal Control Standards for the Public Sector and the Guidelines on Internal Control issued by the Directorate of Financial Management, Government of Norway.

Table 1: IDI Strategy as per Strategic Plan

Strategic Priorities: What value creation of SAIs will the IDI contribute to?
  SP1. Contribute to strengthening the accountability, integrity and transparency of government and public entities
  SP2. Demonstrating ongoing relevance to citizens and other stakeholders
  SP3. Leading by example

IDI Outcomes: What outcomes will the IDI aim for in creating value for SAIs?
  IO1. Effective SAI capacity development programmes
  IO2. Global Public Goods used by stakeholders
  IO3. Stronger regional bodies, networks and communities
  IO4. Scaled up and more effective support to SAIs

IDI Service Delivery Model: How will the IDI achieve its outcomes?
  Partnership Model; approaches to service delivery, resourcing and funding; core principles; IDI Capacity Development Model

IDI Capacity: What capacity does the IDI need to achieve excellence in service delivery?
  IC1. Good Governance
  IC2. Effective resource management
  IC3. Professional team
  IC4. Strong stakeholder relations and partnerships

[1] Defined as per the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO is a joint initiative of the American Accounting Association, American Institute of CPAs, Financial Executives International, Association of Accountants and Financial Professionals in Business and Institute of Internal Auditors. The COSO Internal Control-Integrated Framework 2013 is one of the internationally best recognised and most used internal control frameworks since the release of its previous version in

3. Purpose of the Internal Control System

3.1 The IDI's Internal Control System will help in achieving its performance targets as per the Strategic Plan. It will ensure reliable reporting. It will also ensure compliance with Norwegian laws and regulations, as well as various international laws wherever applicable. This will prevent damage to the IDI's reputation and guard against other consequences.

3.2 The system will serve as an assurance tool for the IDI's operations to various stakeholders such as donors, the IDI Board, INTOSAI and the SAI community.

3.3 The system will provide inter-linkage between the internal control issues covered in different IDI policies and documents, such as the IDI Corporate Risk Register, IDI Handbook, IDI Code of Ethics, IDI Programme Handbook, IDI Communication Policy, IDI Gender Policy, IDI Procurement Policy and IDI Environmental Policy. This will facilitate better administration and monitoring of the IDI's operations.

4. Roles and Responsibility

4.1 The Director General, IDI is the owner of the Internal Control System and is responsible for its efficient and effective operation. The Director General will be assisted by the Heads of Administration, Programmes and the INTOSAI-Donor Secretariat, the Knowledge Manager and the Evaluations Manager.

4.2 The Director General is accountable to the IDI Board, which will provide governance, guidance and oversight to the operation of the internal control system.

4.3 The Evaluations Manager has the responsibility of first-hand evaluation of the variety of internal controls operating in the IDI and will be the most important functionary in reporting issues in the internal control system to the Director General.

4.4 All other IDI staff shall be implicitly and explicitly responsible for the operation of the controls in their respective areas of responsibility and shall be responsible for indicating issues, if any, to their immediate manager.

4.5 The procedures making up the system will be integrated in the IDI job profiles, the IDI Handbook and the IDI Employee Handbook.

5. Structure of the Internal Control System

The Internal Control System is organised under the five components of internal control as per the COSO framework. All the components and principles have been considered. These are:

5.1 Control Environment
5.2 Risk Assessment
5.3 Control Activities
5.4 Information and Communication
5.5 Monitoring Activities

Each of these components has constituent principles of internal control under it. The controls in operation against these principles are described, as is the level of maturity of these controls. Maturity levels of the controls provide an estimate of the reliability of the controls in place. The maturity attributes considered for evaluating the IDI internal control system are given in Table 2 below.

Table 2: Maturity matrix of the Internal Control System

Maturity level 0 - Non-existent. Maturity attributes:
- The organisation lacks procedures to monitor the effectiveness of internal controls.
- Management internal control reporting methods are absent.
- There is a general unawareness of internal control assurance.
- Management and employees have an overall lack of awareness of internal controls.

Maturity level 1 - Initial/Ad Hoc - Unreliable. Maturity attributes:
- Unpredictable environment for which controls have not been designed or implemented.
- Controls are fragmented and ad hoc. Controls are generally managed in silos and reactive.
- Lack of formal policies and procedures. Dependent on the heroics of individuals to get things done.
- Higher potential for errors and higher costs due to inefficiencies. Controls are not sustainable.
- Individual expertise in assessing internal control adequacy is applied on an ad hoc basis.
- Management has not formally assigned responsibility for monitoring the effectiveness of internal controls.

Maturity level 2 - Repeatable - Informal. Maturity attributes:
- Controls are present but inadequately documented and largely dependent on manual intervention.
- There are no formal communications or training programmes related to the controls.
- Controls are established with some policy structure.
- Methodologies and tools for monitoring internal controls are starting to be used, but not based on a plan.
- Formal process documentation is still lacking.
- Some clarity on roles and responsibilities, but not on accountability.
- Increased discipline and guidelines support repeatability.
- High reliance on existing personnel creates exposure to change.
- Internal control assessment is dependent on the skill sets of key individuals.

Maturity level 3 - Defined. Maturity attributes:
- Controls are in place and documented, and employees have received formal communications about them.
- Undetected deviations from controls may occur.
- Controls are well-defined and documented, thus there is consistency even in times of change.
- Overall control awareness exists.
- Policies and procedures are developed for assessing and reporting on internal control monitoring activities.
- A process is defined for self-assessments and internal control assurance reviews, with roles for responsible business and IT managers.
- Control gaps are detected and remediated in a timely manner.
- Performance monitoring is informal, placing great reliance on the diligence of people and independent audits.
- Management supports and institutes internal control monitoring.
- An education and training programme for internal control monitoring is defined.
- Tools are being utilised but are not necessarily integrated into all processes.

Maturity level 4 - Managed - Monitored. Maturity attributes:
- Standardised controls are in place and undergo periodic testing to evaluate their design and operation; test results are communicated to management.
- Limited use of automated tools may support controls.
- Key Performance Indicators (KPIs) and monitoring techniques are employed to measure success.
- Greater reliance on prevention versus detection controls.
- Strong self-assessment of operating effectiveness by process owners.
- A chain of accountability exists and is well understood.
- Management implements a framework for internal control monitoring.
- A formal internal control function is established, with specialised and certified professionals utilising a formal control framework endorsed by senior management.
- Skilled staff members routinely participate in internal control assessments.
- A metrics knowledge base for historical information on internal control monitoring is established.
- Peer reviews for internal control monitoring are established.
- Tools are implemented to standardise assessments and automatically detect control exceptions.

Maturity level 5 - Optimised. Maturity attributes:
- An integrated internal controls framework with real-time monitoring by management is in place to implement continuous improvement.
- Automated processes and tools support the controls and enable the organisation to quickly change the controls as necessary.
- Controls are considered world class, based on benchmarking and continuous improvement.
- The control infrastructure is highly automated and self-updating, thus creating a competitive advantage.
- Extensive use of real-time monitoring and executive dashboards.
- Management establishes an organisation-wide continuous improvement programme that takes into account lessons learned and industry good practices for internal control monitoring.
- The organisation uses integrated and updated tools, where appropriate, that allow effective assessment of critical controls and rapid detection of control monitoring incidents.
- Benchmarking against industry standards and good practices is formalised.

The Maturity Model's applicability to the IDI's Internal Controls

The IDI is a small organisation of 27 employees based in Oslo. It primarily caters to capacity development support for Supreme Audit Institutions of developing countries. It also hosts the secretariat for the
INTOSAI-Donor Cooperation. Based on the nature and scale of the IDI's operations, and the need for controls at appropriate levels, the IDI considers Maturity Level 3 (Defined) controls as appropriate for its operations. While some of the attributes of Maturity Level 4 are desirable and the IDI will strive to achieve them, the controls at Maturity Level 5 are beyond the need or cost-benefit appropriateness for the scale and nature of the IDI's operations.

The following colour scheme has been used as a ready reflection of the maturity of the respective controls (the colours themselves are not reproduced in this text):

Maturity level
0 - Non-existent
1 - Initial/Ad Hoc - Unreliable
2 - Repeatable - Informal
3 - Defined
4 - Managed - Monitored
5 - Optimised
NA

6. Review of the Internal Control System

The IDI's Internal Control System will be reviewed every year and presented to the IDI Board for approval at the annual meeting in March. The review will be undertaken during January-February every year. The review will cover the components and principles of the internal control system, the controls and their maturity levels, and these will be updated as necessary. The Evaluations Manager will be responsible for this review. The Director General and Deputy Directors General will follow up on the findings and recommendations from the review.

7. Components and Principles of the Internal Control System

Each component below is described, followed by a table with the columns S. No, Principle, Control in Place and Level of Maturity. Where the original gives the level of maturity by cell colour only, the entry reads "indicated by colour only".

7.1 Component 1: Control Environment

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the IDI. The IDI Board and management team establish the tone at the top regarding the importance of internal control and expected standards of conduct.

7.1.1 Principle: The organisation demonstrates a commitment to integrity and ethical values.
Control in place: 1. IDI Code of Ethics. 2. Regulations for Norwegian Civil Services.
Level of maturity: indicated by colour only

7.1.2 Principle: The Board demonstrates independence from management and exercises oversight of the development and performance of internal control.
Control in place: 1. Independent IDI Board drawn from the SAI community. 2. The IDI Board approves operational plans, performance and accountability reports, budgets, financial statements and audit reports.
Level of maturity: indicated by colour only

7.1.3 Principle: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
Control in place: 1. The IDI Board provides oversight of IDI activities through biannual meetings, where reporting is done by the IDI Director General and the management team. 2. The Working Committee of the IDI Board meets between Board meetings to discuss pressing issues which cannot wait until the Board meetings. 3. Reporting lines for IDI staff[2] are clearly established, with well-defined authorities and responsibilities in the case of IDI management. Authorities and responsibilities of some IDI staff are being updated as part of the updating of their job profiles.
Level of maturity: 2 - Repeatable, Informal

7.1.4 Principle: The organisation demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
Control in place: 1. The IDI follows a process of fair and transparent recruitment, clearly laying down the requirements of every new position. 2. The job responsibilities of all the positions are yet to be defined. 3. The IDI draws on secondment of competent staff from Supreme Audit Institutions. 4. The IDI's staff appraisal system has been revised in 2014 and will contribute towards staff development in future.
Level of maturity: 2 - Repeatable, Informal

7.1.5 Principle: The organisation holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Control in place: 1. Strategic plans. 2. Operational plans. 3. Performance and accountability reports. 4. Budget. 5. Financial statements. 6. Project accounts. 7. Project plans. 8. Annual independent audit. 9. Policies such as the IDI Procurement Policy, IDI Code of Ethics, IDI Environmental Policy, IDI Gender Policy and IDI Communication Policy. 10. Performance of individual staff members is monitored against the above documents during their annual performance appraisal.
Level of maturity: indicated by colour only

[2] The IDI staff includes the IDI management, staff at the IDI secretariat and regional staff.

7.2 Component 2: Risk Assessment

Risk assessment involves a dynamic and iterative process for identifying and analysing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.

7.2.1 Principle: The organisation specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Control in place: 1. IDI Strategic Plan. 2. Operational plans. 3. Programme plans.
Level of maturity: indicated by colour only

7.2.2 Principle: The organisation identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed.
Control in place: 1. Corporate Risk Register.
Level of maturity: 3 - Defined

7.2.3 Principle: The organisation considers the potential for fraud in assessing risks to the achievement of objectives.
Control in place: 1. This has been incorporated in the Code of Ethics and other policies, including the IDI Procurement Policy (draft). 2. This is considered in monitoring and updating the IDI Corporate Risk Register.
Level of maturity: indicated by colour only

7.2.4 Principle: The organisation identifies and assesses changes that could significantly impact the system of internal control.
Control in place: 1. Quarterly review of the Corporate Risk Register.
Level of maturity: 3 - Defined

7.3 Component 3: Control Activities

Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorisations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.

7.3.1 Principle: The organisation selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Control in place: 1. Risks and the risk mitigation strategy are discussed in the Strategic Plan, Operational Plan, Programme Plan and Corporate Risk Register. 2. The Corporate Risk Register is monitored and updated on a quarterly basis.
Level of maturity: indicated by colour only

7.3.2 Principle: The organisation selects and develops general control activities over technology to support the achievement of objectives.
Control in place: 1. Professional support provided by an outsourced company. 2. The best available accounting system is used, with regular updates. 3. A service level agreement has been established with the outsourced company and the service deliverables are monitored.
Level of maturity: indicated by colour only

7.3.3 Principle: The organisation deploys control activities through policies that establish what is expected and in procedures that put policies into action.
Control in place: 1. Controls are built into the planning process for all activities.
Level of maturity: indicated by colour only

7.4 Component 4: Information and Communication

Information is necessary for the entity to carry out internal control responsibilities in support of the achievement of its objectives. Communication occurs both internally and externally and provides the organisation with the information needed to carry out day-to-day internal control activities. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives.

7.4.1 Principle: The organisation obtains or generates and uses relevant, quality information to support the functioning of internal control.
Control in place: 1. Activities are monitored through well-defined results frameworks. 2. Outcomes and outputs are defined and monitored against baselines and targets.
Level of maturity: indicated by colour only

7.4.2 Principle: The organisation internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
Control in place: 1. Elaborate planning and reporting processes take care of this. 2. Objectives and responsibilities for internal controls need better and more explicit definition. 3. Communication protocols are supported by the IDI Communication Policy.
Level of maturity: 2 - Repeatable, Informal

7.4.3 Principle: The organisation communicates with external parties about matters affecting the functioning of internal control.
Control in place: 1. Stakeholder reporting is elaborate and well defined, following the results framework and based on outputs and outcomes. 2. Protocols are supported by the IDI Communication Policy. 3. Internal controls are also reviewed from time to time by development partners.
Level of maturity: indicated by colour only

7.5 Component 5: Monitoring

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the Board.

7.5.1 Principle: The organisation selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Control in place: 1. Regular evaluations of the IDI Strategic Plan and of different IDI programmes are conducted by external evaluators as well as by peers. 2. An Evaluations Manager is being recruited to facilitate better monitoring.
Level of maturity: 2 - Repeatable, Informal

7.5.2 Principle: The organisation evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Control in place: 1. Results and recommendations of evaluations are duly followed up. 2. An Evaluations Manager is being recruited to facilitate better monitoring.
Level of maturity: 2 - Repeatable, Informal