Making Use of the CIPFA TICK Scores: Guidance for Departments

8  Do internal controls get monitored and evaluated?

Monitoring and evaluation of the internal control system is often confused with the monitoring and evaluation of the individual controls themselves. At first glance, an individual control might seem to be effective, but it should also be evaluated in the context of how the overall internal control system is intended to work. Conversely, an effective internal control system should be able to detect and remediate, in a timely manner, individual controls that have become deficient or redundant. Therefore, both the individual controls and the overall internal control system should be regularly monitored and evaluated in conjunction with each other.

Individual controls that have previously been proven to be effective can weaken over time, fail, or become redundant. Required controls could also be non-existent.

Even after remediation of deficient controls, the residual risk can still be outside the organisation's limits for risk taking, which might necessitate the implementation of additional or different controls. For example, hacking of corporate and government computer systems has become much more sophisticated, and, therefore, what was good internal control practice only a year or two ago may be inadequate today.

Poorly designed or implemented controls are a major source of risk and the design of controls themselves, as well as their implementation, should be subjected to risk assessment. In particular where the controls are in the form of written instructions or a procedure, then a suitable form of risk assessment should be used to test and optimise the controls and the process whereby they are implemented through training and communications.

The regularity of such evaluations depends on factors such as: volatility of the environment, the importance of the control, the nature of the control (eg, routine or non-routine controls), the stability of the control, the history of failures of the control, the existence of compensating controls, and cost-benefit considerations. Monitoring should include the investigation of events and other incidents to determine how controls have performed and how they could be improved. Existing controls are also to be evaluated as part of every risk assessment and reassessment.

Good quality monitoring and evaluation of individual controls occurs at a number of levels:

  • Those directly involved in the execution of the control activity check the effective operation of the control as part of their control routine (ie, self-control).
  • Managers who “own” the underlying risk and are responsible for the continued suitability and effective operation of the related controls may undertake ongoing monitoring, for example via their supervision of those involved in the execution of the control activity.
  • Independent monitoring and evaluation, for example, via internal and external audit, can provide additional, and more objective, assurance on maintaining the effectiveness of individual controls, for example as part of monitoring and evaluation of the internal control system.

Even where internal control systems were previously effective, over time they can deteriorate and lose their effectiveness to the point where significant weaknesses or failures can start occurring. Therefore, departments need a structured process to ensure that the internal control system is being thoroughly evaluated on a timely basis.

Suggested Response

Leadership concerned about the CIPFA TICK survey assessment of this principle therefore needs to consider whether that concern relates to individual risks and controls, or to the monitoring of the overall risk management and internal control system.

If the concern is over the monitoring and evaluation of individual controls, a first step is to recognise the value of direct evidence of effectiveness, such as error rates, customer complaints, and the number and value of unmatched cash items. In fact, these are among the best sources of information on control failure.

Actions arising from individual control evaluations that leaders could then stress include:

  • determining whether the control is working the way it is intended to work
  • correcting failures or mistakes, understanding why the failure happened or the mistake was made, and ensuring that it will not happen again, all of which should be part of the continuous-improvement cycle
  • decommissioning outdated controls—while making sure that they are truly obsolete—to keep the internal control system effective
  • properly documenting the corrections of the controls and communicating them to all those involved, and
  • summarising the various individual control failures as input for the evaluation of the internal control system, as many failures of individual controls may indicate weaknesses in the overall internal control system.

If the concern is over the monitoring and evaluation of the internal control system, then leaders need to consider a structured review to ensure that the internal control system is being thoroughly evaluated on a timely basis. The timing of such reviews will depend on the pace of internal and external change. For example, monitoring can take place periodically in tandem with the yearly business planning and evaluation cycle, or when there are indications of reduced effectiveness, such as several failures of individual controls.

The internal control system should be monitored and evaluated against the risk management strategy and policies on internal control, taking into account strategic, financial, and operational performance and the risks associated with achieving objectives in these areas. Elements should include: re-examining the underlying choices, principles, and assessments made in arriving at the current system; reviewing reported incidences of control failure since the last evaluation; and reviewing external and internal developments that, taken together, could suggest that the overall choices need to be reconsidered.

Actions arising from the evaluation of the internal control system should include combining the results of the previous “Plan-Do-Check-Act Cycle” with new input, so that the organisation can quickly and effectively react to departures from its plan and adapt to environmental changes that impact its ability to achieve its objectives within its limits for risk taking.