The Treasury

Making Use of the CIPFA TICK Scores: Guidance for Departments

1  Do internal controls support the department's objectives?

Internal control should be used to support the department in achieving its objectives by managing its risks, while complying with rules, regulations, and organisational policies. The department should therefore make internal control part of risk management and integrate both in its overall governance system.

Departments always face uncertainty in achieving their strategic, operational, and other objectives. However, they can decide the level of risk they wish to be exposed to in the pursuit of those objectives. Proper risk assessment and internal control assist organisations in making informed decisions about the level of risk that they want to take, and implementing the necessary controls, in pursuit of the organisations' objectives. However, risks should not be taken without an explicit understanding of their potential consequences for achieving an organisation's objectives. Therefore, decision makers require relevant and reliable information, produced through the internal control system, to effectively implement and execute their strategic and operational plans.

In recent years, focus has shifted from internal control as a separate concept to internal control as an integrated part of risk management and governance. For example, corporate governance codes worldwide now generally put greater emphasis on effective risk management than just on internal control. Internal control can be most effective when it is integrated with risk management and both are embedded in all the governance processes of a department. Risk management and internal control can therefore be viewed as two sides of the same coin, in that risk management focuses on the identification of threats and opportunities, while controls are designed to effectively counter threats and take advantage of opportunities.

Sustainable success depends on how well a department can integrate risk management and internal control into a wider governance system as an integral part of its overall activities and decision-making processes. A strong, integrated governance system is an integral part of managing a disciplined and controlled department. Effective integration can result in an enterprise-wide governance, risk management, and internal control system that:

  • supports management in moving an organisation forward in a cohesive, integrated, and aligned manner to improve performance, while operating effectively, efficiently, ethically, and legally within established limits for risk-taking, and
  • integrates and aligns activities and processes related to objective setting, planning, policies and procedures, culture, competence, implementation, performance measurement, monitoring, continuous improvement, and reporting.

Conversely, an excessive and exclusive focus on financial internal controls can distract management from ensuring that its operations or strategy are functioning as intended. Analyses of major failures frequently identify insufficiently controlled risks at the operational level that caused significant problems before any accountability documents could even be prepared. The challenge is to recognise that key financial controls might be able to pass a validation test, while underlying ineffective controls still expose the department to unacceptable levels of risk. For example, ensuring the effectiveness of financial reporting controls on property, plant and equipment does not necessarily lead to a reduction of risks such as underutilised surplus capacity, inappropriate gold plating, private misuse or theft. Departments should, therefore, take an approach that manages all types of risk in line with the guidance under the principle, Responding to Risk.

Suggested Response

If the leadership is concerned about the CIPFA TICK survey assessment of this principle, ways in which leaders can challenge for improvements within the department include asking and following up on the following questions:

  • Do the various divisions that are dealing with a particular risk or are responsible for associated controls actually work together?
  • Does the department have an accurate and comprehensive understanding of its current risks?
  • Does the department understand how various risks might have common causes or mutually reinforcing consequences?
  • Are the department's risks within the limits for risk taking as determined by its risk appetite and tolerance levels in its articulated risk management strategy and policies on internal control?
  • Are risks only treated on an individual basis or does the department understand the overall effect of uncertainty on its objectives?
  • Does the department sufficiently know the effectiveness of its controls and how they could be further improved?
  • How can the department be certain it knows the correct answers to the preceding questions? What are its processes for monitoring and evaluation and are they effective?