The Treasury

Global Navigation

Personal tools


Making Use of the CIPFA TICK Scores: Guidance for Departments

7  Do internal controls get communicated regularly?

Management should ensure that regular communication regarding the internal control system, as well as the outcomes, takes place at all levels within the department to make sure that the internal control principles are fully understood and correctly applied by all.

Internal controls can only work effectively when they, together with the risks they are supposed to modify, are clearly understood by those involved. Therefore, controls should not be documented and communicated in isolation but integrated through formal and informal channels into the elements of the management system in which they are intended to operate, including the related objectives, activities, processes, systems, risks, and responsibilities.

Proper documentation and communication are vital for effective internal control. Attention should be paid to the usability and understandability of the various policies, procedures, etc. when documenting and communicating controls. The use of plain language supports effective internal control. This language should meet professional and technical standards but also be understandable for non-professionals in this area, such as budget holders.

Documentation is only the beginning; risk management and internal control should also be embedded into the way people work. Therefore, management should ensure, through active communication and discussion, that what is written in a policy document or handbook is understood widely across the organisation and applied in practice by employees. A natural way of internalising risk management and internal control is to actively engage people, through training and team meetings, in the treatment of the risks they "own" and the development, implementation, operation, and evaluation of the related controls. This is especially important when people change roles—the risk profile, the relevant limits for risk taking, the controls in place, and the residual risk should be fully passed on to incoming staff.

Changes in the internal control system should be reflected in updated documentation and additional communications. This requires identifying, documenting, and communicating who makes the decisions; assigning responsibility for various processes; and determining how changes in the internal control system are to be approved, implemented, and monitored. It is crucial to test the design of newly implemented and documented controls, followed by monitoring their operating effectiveness.

The common use of online systems both facilitates and challenges the effective documentation, communication, and monitoring of internal control. This reality must be considered in ensuring effective dissemination and use of the organisation's internal control policies and procedures, including updates.

Suggested Response

Leadership that is concerned about the CIPFA TICK survey assessment of this principle may seek to engage their internal auditors in the improvement of documentation and communication of internal control systems. In addition, these staff, with risk owners and control owners, can support the organisation, for example, by organising internal control training sessions and establishing an understandable, common internal control language that meets professional and technical standards.

Page top