The Treasury

Global Navigation

Personal tools


Making Use of the CIPFA TICK Scores: Guidance for Departments

2  Do internal controls reflect roles and responsibilities?

Departments should determine the various roles and responsibilities with respect to internal control, including the management at all levels, employees, and internal and external assurance providers, as well as coordinating participants.

Responsibilities for internal control are usually distributed among numerous groups:

  • Senior Management should assume overall responsibility for the department's internal control strategy, policies, and system, and act accordingly. This group should define the risk management strategy, approve the criteria for internal control, and ensure that management has effectively undertaken its internal control responsibilities (ie, the oversight function).
  • Finance staff, should design, implement, maintain, monitor, evaluate, and report on the organisation's internal control system in accordance with risk strategy and policies on internal control as approved by the governing body.
  • Budget holders should be held accountable for proper understanding and execution of risk management and internal control within their span of authority.
  • Internal auditors play an important role in monitoring and evaluating the effectiveness of the internal control system and conveying—independent of management—reassurance to the governing body. However, they should not assume responsibility for managing specific risks or for the effectiveness of controls.

A medium to large department should have an audit or risk management subcommittee, to which some of the primary oversight tasks with respect to internal control may be entrusted. However, the chief executive and senior management should retain overall responsibility for overseeing risk management and internal control.

In some departments, separate risk management functions exist. This function should enable broad risk management and internal control awareness across the organisation, rather than be an enforcer of compliance. Risk management staff can strengthen the risk management and control competence of governing bodies, management, and employees, but should not take over risk management and internal control responsibilities from line managers.

Suggested Response

If the leadership is concerned about the CIPFA TICK survey assessment of this principle, leaders within the department should work to clarify how risks are “owned” within the department. Note that controls should be owned by someone who is responsible for their operation. The control owner or operator would normally be the person who executes the control on a day-to-day basis and can be someone other than the risk owner. The department should explicitly designate and communicate the various risk and control owners.

Qualified finance staff with their specific training and mindset, are in a good position to support management in determining, as well as implementing and monitoring, the various roles and responsibilities with respect to internal control.

Page top