The Treasury

Summary

Principle of Concern | Leadership Response
Do internal controls support the department's objectives?

Challenge the department to improve by asking, and following up on, these questions:

Are the various divisions that are dealing with a particular risk or are responsible for associated controls actually working together?

Does the department have an accurate and comprehensive understanding of its current risks?

Does the department understand how various risks might have common causes or mutually reinforcing consequences?

Are the department's risks within the limits for risk taking as determined by its risk appetite and tolerance levels in its articulated risk management strategy and policies on internal control?

Are risks only treated on an individual basis or does the department understand the overall effect of uncertainty on its objectives?

Does the department sufficiently know the effectiveness of its controls and how they could be further improved?

How can the department be certain it knows the correct answers to the preceding questions? What are its processes for monitoring and evaluation and are they effective?

Do internal controls reflect roles and responsibilities? Clarify how risks are “owned” within the department. The department should explicitly designate and communicate the various risk and control owners.
Do internal controls link to individual performance? Improve the department's performance management system so that it recognises the crucial importance of internal control to sustainable departmental success, based on people who create opportunities and properly control their operations.
Do internal controls get applied with sufficient competency? Look to internal assurance staff to support the department as coaches and provide on-the-job training on risk management and internal control. Provide them with senior-level management sponsorship and financial support to serve in these roles.
Are internal controls supported by a suitable "tone at the top"? Look to ways to instil a broader culture of responsibility within an organisation. Accord high priority to governance, risk management, and internal control topics at regular governing body, management, and employee meetings. Other steps may include more positive recognition of a “hands-on” approach in the operation of controls, effective whistle-blowing procedures, and appropriate and diligent follow-up on control weaknesses or failures.
Do internal controls respond to risk?

A number of avenues may need to be explored: 

What is the context the department is working in?

How does the department identify the risks it faces?

How does the department assess its risks?

Which risks need the most attention?

How does the department manage its risks?

How does the department know its risk management process is working?

How does the department keep the key people informed about the risks and their management?

Do internal controls get communicated regularly? Engage internal auditors in the improvement of documentation and communication of internal control systems. Support the organisation, for example, by organising internal control training sessions and establishing an understandable, common internal control language that meets professional and technical standards.
Do internal controls get monitored and evaluated?

If the concern is over the monitoring and evaluating of individual controls, recognise the value of direct evidence of effectiveness, such as error rates, customer complaints, and numbers and amounts of unmatched cash items, and ensure action is taken on this evidence.

If the concern is over the monitoring and evaluating of the internal control system, then undertake a structured review to ensure that the internal control system is being thoroughly evaluated on a timely basis.

Do internal controls provide for transparency and accountability? Update the scrutiny processes that support the statements of responsibility. Consider the value of the trust and reassurance that stakeholders gain from a better understanding of how a department manages its risks.