 Corporate Governance Statement on Internal Control_files/merlin_logo.gif){kind=logo}
 Corporate Governance Statement on Internal Control_files/blank.gif){kind=spacer}
 Corporate Governance Statement on Internal Control_files/whats.gif){kind=small}  Corporate Governance Statement on Internal Control_files/vfm.gif){kind=small}  Corporate Governance Statement on Internal Control_files/fin.gif){kind=small}  Corporate Governance Statement on Internal Control_files/bullet.gif){kind=small}  Corporate Governance Statement on Internal Control_files/dir.gif){kind=small}  Corporate Governance Statement on Internal Control_files/quest.gif){kind=small}  Corporate Governance Statement on Internal Control_files/help.gif){kind=small} |
| |
DAO Letter
| HM
Treasury
Brian Glicksman |
Room 507 |
| DAO (GEN) 13/00 22 December 2000 | |
| Dear Accounting Officer | |
 Corporate Governance Statement on Internal Control_files/black.gif){kind=small} | |
CORPORATE GOVERNANCE: STATEMENT ON INTERNAL CONTROL | |
Purpose of this DAO letter
The purpose of this letter is to
• introduce the requirement for a Statement on Internal Control (SIC) to be included in the accounts of
o departments
o executive agencies
o trading funds
o executive Non-Departmental Public Bodies
o white paper accounts
o accounts produced by departments relating to transactions with public corporations and the National Loans Fund (NLF)• introduce "Policy Principles for Audit Committees".
Timing
2. The requirements of this letter are effective from the first day of the first financial period beginning on or after 1 January 2001. On the relevant date for each organisation to which this letter is applicable this letter will supersede the requirements of DAO(GEN)13/97 DAO(GEN)4/99 and DAO (GEN)7/00.
Background
3. DAO(GEN)13/97 introduced a Statement on Internal Financial Control (SIFC) to the accounts requirements in central government. Since then best practice in the private sector has developed with the introduction of the Stock Exchange's "Combined Code" of requirements for listed companies and publication of "Internal Control: Guidance for Directors on the Combined Code" (the "Turnbull Report")* which examines how specific requirements within the Combined Code should be implemented. These requirements are:
* Internal Control: Guidance for Directors on the Combined Code can also be found at http://www.icaew.co.uk/internalcontrol
Principle D.2 "The Board should maintain a sound system of internal control to safeguard shareholders' investment and the company's assets" Provision D2.1 "The directors should at least annually conduct a review of the effectiveness of the group's system of internal control and should report to shareholders that they have done so. The review should cover all controls including financial operational and compliance controls and risk management." Provision D2.2 "Companies which do not have an internal audit function should from time to time review the need for one"
4. Following the general principle that best practice in accounting requirements in the private sector should be reflected in central government* consideration has been given to how the provisions of the Turnbull Report can be adapted to the sector. Following consultations with Principal Finance Officers this letter promulgates the requirements.
* Foreword to Accounting Standards (Accounting Standards Board)
Format of the Statement of Internal Control
5. The SIC should be developed in accordance with the pro-forma format at Annex A1 to this letter. The detail of the parts of the pro-forma that are in bold italic text should be drafted to provide a brief but comprehensive summary of the actual processes in place in the body including a description of how current initiatives (whether centrally or locally driven) are being taken forward. In particular the narrative description of the processes in place should be used for reporting on progress or compliance with particular central initiatives which have a reporting requirement*.
* An example of such a requirement at the time of production of this letter would be reporting on compliance with the principal recommendations in the Cabinet Office report "Successful IT: Modernising Government in Action"
6. Accounting Officers may need to amend the opening paragraph of the pro-forma SIC to give a meaningful description of the boundaries of their accountabilities. In particular Agencies may need to reflect more fully the relationship with their department and NDPBs may need to reflect the relationship with the sponsoring department and the role of the NDPB's Board. Whilst all SICs must encompass at least the responsibilities of the Accounting Officer those bodies which have governance arrangements involving a wider base may consider preparing an SIC which encompasses those wider arrangements. The inter-relationship between the SIC for a sponsoring department and those of related bodies and the manner of their presentation in the departmental resource account will be for the departmental Accounting Officer to determine in the context of the actual structures of control.
7. An illustrative example of an SIC for an organisation which has all the risk management and review processes it considers necessary in place is at Annex A2. Organisations are strongly encouraged and should aim to prepare that statement for 2001/02 wherever possible. However it is recognised that some bodies may need to do further work before all relevant risk management and review processes are fully in place. In such cases the statement should include a description of planned work. An illustrative example is at Annex A3. The facility to produce an SIC which is indicative of further work to be done may be adopted for each of the financial periods which begin on dates on or after 1 January 2001 up to 31 December 2001 and on or after 1 January 2002 up to 31 December 2002. Bodies which anticipate having to prepare such a statement for the second of these years will be asked to verify that they will be able to produce a statement in accordance with Annex Al in respect of the financial period beginning on or after 1 January 2003. That will mean that by the beginning of that financial period all development work should be complete and all the required processes should be in place.
Status and auditability of Statements of
Internal Control
8. The SIC is an integral part of the annual
reporting of the body to be presented alongside the accounts. It should be
prepared by the Accounting Officer along with the accounts and passed to the
external auditors for review. A summary of the NAO's approach to the review of
Statements on Internal Control is at Annex
B. Risk management 9. The Turnbull
report states that a sound system of internal control "depends on a thorough
and regular evaluation of the nature and extent of the risks to which the
company is exposed". It further states that the purpose of internal control "is
to help manage and control risk rather than to eliminate it". The SIC should
therefore be the end result of a process of management that is embedded in the
planning operational monitoring and review activities of the body* these
activities being the critical elements of the statement. Production of the SIC
should not be conducted as an "add-on" end of year activity. The Statement on
Internal Control should explain the nature of control and any material changes
in control exercised through the whole of the accounting period. * '' Draft guidance on risk management was produced by
Treasury in February 2000 in "Management of Risk-A
Strategic Overview" Internal Audit and Audit Committees 10. The Turnbull
Report referred to the need for internal audit or other monitoring processes
to assure management and the board that the system of internal control is
functioning as intended. Accounting Officers are already required to make
provision for internal audit under the provisions of Government Accounting.
Accounting Officers should as part of their annual review of the system of
internal control ensure that their internal audit provision is adequately
resourced to deliver a service in accordance with the standards in the
Government Internal Audit Manual. 11. To assist in supporting the contribution of audit to
risk management and governance "Policy Principles for Audit Committees" have
been developed in consultation with both Principal Finance Officers and Heads of
Internal Audit. These are attached at Annex
C. Enquiries 12. Any enquiries on the content and application of this
letter should be addressed in the first instance to Gordon Adam in the Treasury
(Room 505 Allington Towers 19 Allington Corporate Governance Statement on Internal Control_files/pdf.gif){kind=small}
(The "Orange Book"). The final version of this will be
issued shortly after this letter. A version of this guidance developed to be
especially appropriate to smaller organisations ("Management of Risk - Guide for
Smaller Bodies") has been produced. These documents are advisory and each body
should identify for itself the methodology for embedded risk management that is
most appropriate for its business and circumstances.
Further Action
13. Departments should ensure that their executive agencies trading funds and executive Non-Departmental Public Bodies are aware of the requirements of this letter.
Yours sincerely
BRIAN GLICKSMAN
Treasury Officer of Accounts
Statement on Internal Control - PROFORMA
As Accounting Officer I have responsibility for maintaining a sound system of internal control that supports the achievement of departmental policies aims and objectives set by the department's Ministers whilst safeguarding the public funds and departmental assets for which I am personally responsible in accordance with the responsibilities assigned to me in Government Accounting. (Accounting Officers may wish to amend this paragraph to provide a comprehensive explanation of the accountability arrangements surrounding their organisation)
The system of internal control is designed to manage rather than eliminate the risk of failure to achieve policies aims and objectives; it can therefore only provide reasonable and not absolute assurance of effectiveness.
The system of internal control is based on an ongoing process designed to identify the principal risks to the achievement of departmental policies aims and objectives to evaluate the nature and extent of those risks and to manage them efficiently effectively and economically. This process has been in place [for the year ended 31 March 200x/since XX] and up to the date of approval of the annual report and accounts and accords with Treasury guidance.
As Accounting Officer I also have responsibility for reviewing the effectiveness of the system of internal control.
Summarise here the process that has been applied in reviewing the effectiveness of the system of internal control as appropriate to the circumstances of the reporting body
Examples of some of the types of processes are:
o procedures for identifying the body's objectives and key risks;
o the development of the control strategy and risk management policy;
o the allocation of risk ownership;
o the role of the Audit Committee or other relevant committee;
o involvement and role of internal audit;
o procedures for ensuring that aspects of risk management and internal control are regularly reviewed and reported on;
o systems used to ensure compliance with specific regulations or procedures laid down by central departments
o details of monitoring procedures for subsidiary bodies
o monitoring of progress with current initiatives and compliance with extant external requirements
My review of the effectiveness of the system of internal control is informed by the work of the internal auditors and the executive managers within the department who have responsibility for the development and maintenance of the internal control framework and comments made by the external auditors in their management letter and other reports.
Record here details of actions taken or proposed to deal with material internal control aspects of any significant problems disclosed in the annual report and accounts. The wording should be tailored to refect the circumstances of the case.
Statement on Internal Control - EXAMPLE 1
Example 1 provides an illustration of a statement on internal control for a body that is satisfied that it has a sound system of internal control that has been in place throughout the year.
As Accounting Officer I have responsibility for maintaining a sound system of internal control that supports the achievement of departmental policies aims and objectives set by the department's Ministers whilst safeguarding the public funds and departmental assets for which I am personally responsible in accordance with the responsibilities assigned to me in Government Accounting.
The system of internal control is designed to manage rather than eliminate the risk of failure to achieve policies aims and objectives; it can therefore only provide reasonable and not absolute assurance of effectiveness.
The system of internal control is based on an ongoing process designed to identify the principal risks to the achievement of departmental policies aims and objectives to evaluate the nature and extent of those risks and to manage them efficiently effectively and economically. This process has been in place for the year ended 31 March 2002 and up to the date of approval of the annual report and accounts and accords with Treasury guidance.
As Accounting Officer I also have responsibility for reviewing the effectiveness of the system of internal control. The department has established the following processes:
• a management board which meets monthly to consider the plans and strategic direction of the
department (the board comprises the senior members of the department and two external independent members):• periodic reports from the chairman of the audit committee to the board concerning internal control;
• regular reports by internal audit to standards defined in the Government Internal Audit Manual which include the Head of Internal Audit's independent opinion on the adequacy and effectiveness of the department's system of internal control together with recommendations for improvement;
• regular reports from managers on the steps they are taking to manage risks in their areas of responsibility including progress reports on key projects;
• a regular programme of facilitated workshops to identify and keep up to date the record of risks facing the organisation;
• a programme of risk awareness training;
• implementation of a robust prioritisation methodology based on risk ranking and cost-benefit analysis;
• establishment of key performance and risk indicators;
• maintenance of an organisation-wide risk register
• reports from the chief executives of the department's agencies on internal control activities
• reports on compliance with the principal recommendations in the Cabinet Office report Successful IT: Modernising Government in Action.
My review of the effectiveness of the system of internal control is informed by the work of the internal auditors and the executive managers within the department who have responsibility for the development and maintenance of the internal control framework and comments made by the external auditors in their management letter and other reports.
Statement on Internal Control - EXAMPLE 2
Example 2 provides an illustration for a body that is developing its internal control processes but considers that further elements are required to be introduced together with a continued period of trial and assessment prior- to the preparation of a full statement on the system of internal control as illustrated in example 1.
As Accounting Officer I have responsibility for maintaining a sound system of internal control that supports the achievement of departmental policies aims and objectives set by the department's Ministers whilst safeguarding the public funds and departmental assets for which I am personally responsible in accordance with the responsibilities assigned to me in Government Accounting.
The system of internal control is designed to manage rather than eliminate the risk of failure to achieve policies aims and objectives; it can therefore only provide reasonable and not absolute assurance of effectiveness.
The system of internal control is based on an ongoing process designed to identify the principal risks to the achievement of departmental policies aims and objectives to evaluate the nature and extent of those risks and to manage them efficiently effectively and economically. I expect to have the procedures in place in March 2002 necessary to implement Treasury guidance. This takes account of the time needed to fully embed the processes which the department has agreed should be established and improve their robustness.
We have held a risk management workshop attended by representatives of all grades of staff throughout the department during which we identified the department's objectives and risks and determined a control strategy for each of the significant risks. As a result of this workshop a risk management policy document has been sent to all staff setting out the department's attitude to risk to the achievement of the departmental objectives.
The management board has changed its meeting calendar and agenda so that risk management and internal control will be considered on a regular basis during the year and there will be a full risk and control assessment before reporting on the year ending 31 March 2003. Risk management has been incorporated more fully into the corporate planning and decision making processes of the department.
The board receives periodic reports from the chairman of the audit committee concerning internal control and we require regular reports from managers on the steps they are taking to manage risks in their areas of responsibility including progress reports on key projects.
Following the publication in September 2000 of the department's risk framework further work has been done to widen the basis of the framework and to bring about more consistency in the way in which the department treats risks.
In addition to the actions mentioned above in the coming year the department plans to:
arrange a regular programme of facilitated workshops to identify and keep up to date the record of risks facing the organisation;
introduce a programme of risk awareness training;
establish a system of key performance and risk indicators;
develop and maintain an organisation-wide risk register; and
arrange for reports from the chief executives of the department's agencies on internal control activities.
The department has an Internal Audit Unit which operates to standards defined in the Government Internal Audit Manual. They submit regular reports which include the HIA's independent opinion on the adequacy and effectiveness of the department's system of internal control together with recommendations for improvement.
My review of the effectiveness of the system of internal control is informed by the work of the internal auditors and the executive managers within the department who have responsibility for the development and maintenance of the internal control framework and comments made by the external auditors in their management letter and other reports.
NAO's APPROACH TO THE REVIEW OF STATEMENTS ON INTERNAL CONTROL
Review procedures
1. The NAO's approach to the review of internal control statements will in essence be the same as that for
statements on the system of internal financial controls. The relevant part of the Comptroller and Auditor General's certificate will read along the following lines:-'I review whether the statement on page - reflects the [name of audited body]'s compliance with Treasury's guidance "Corporate Governance: Statement of Internal Control". I report if it does not meet the requirements for disclosure specified by Treasury or if the statement is misleading or inconsistent with other information I am aware of from my audit of the financial statements'.
2. The NAO review procedures draw on the relevant section of the Auditing Practices Board's guidance
Bulletin 5/99 `The Combined Code: Requirements of Auditors Under the Listing Rules of the London Stock Exchange' tailored as appropriate for a central government context. The objective of the review is to assess whether the audited body's description of the processes adopted in reviewing the effectiveness of the system of internal control appropriately reflects that process. This involves:Consideration of whether the disclosures are consistent with the NAO's review of board and committee minutes and their knowledge of the audited body obtained during the audit of the financial statements;
NAO attendance at audit committee meetings at which corporate governance internal control and risk management matters are considered;
Consideration of the process adopted by the Accounting Officer for his/her effectiveness review and of the documentation prepared to support the statement.
3. The NAO's work on internal control will not be sufficient to enable them to express any assurance on
whether the audited body's controls are effective. In addition the financial statement audit should not be relied upon to draw to the Accounting Officer's attention all matters that may be relevant to their consideration as to whether or not the system of internal control is effective. Auditors are not expected actively to search for mis-statements or inconsistencies but if they become aware of such a matter they will discuss it with senior management to establish the significance of the lack of proper disclosure.
The NAO's work on
understanding the business and controls
4. As noted above the auditor's work on the financial statements audit is not driven by the requirement for an internal control statement and cannot be relied upon to indicate that controls are effective. Nevertheless the NAO audit approach `Audit 21' is a risk based approach based upon obtaining a good understanding of the business the risks that it faces and how those risks are managed. Although the ernphasis remains to an extent on financial risks and controls this work should provide a sound base for the auditor's consideration of the Accounting Officer's internal control statement. It should also provide opportunities to make recommendations for improvements to internal controls.
5. Risk management and internal control issues are often a feature of the NAO's wider Value-for-Money audit role. The NAO recognise that risk-taking is essential if public bodies are to innovate and improve and as a member of the Public Audit Forum have stated that they will support well thought through risk taking and innovation.
POLICY PRINCIPLES FOR AUDIT COMMITTEES IN CENTRAL GOVERNMENT
The purpose of an Audit Committee is to give advice to the Accounting Officer on the adequacy of audit arrangements (internal and external) and on the implications of assurances provided in respect of risk and control in the organisation. The following principles are provided to facilitate the establishment of Audit Committees that will be well equipped to meet that purpose.
Some bodies particularly NDPBs are already required by Cabinet Office or by sponsoring bodies to have an Audit Committee in accordance with other guidance. This document does not amend or supersede such requirements; rather it provides for a minimum position in tile absence of any other applicable guidance. In particular the Board structures of some NDPBs will tend to favour particular approaches to the establishment and membership of the Audit Committee
1. Audit Committees are strongly encouraged as best practice in all central government
bodies (Departments Executive Agencies and Non-Departmental Public Bodies). If it is decided not to have an Audit Committee there should be clearly identified circumstances justifying the decision.2. In bodies that have a Management Board structure the Audit Committee should be a
committee or a sub-committee of the Board. In some bodies that have numerically small Boards the Board may sit separately as the Audit Committee.3. In bodies that have non-executive or independent members on the Management Board
these non-executive or independent members should form at least part of the membership of the Audit Committee (subject to appropriateness of numbers)4. In bodies that have no non-executive or independent Management Board members
appropriate individuals should be sought for appointment as external members of the Audit Committee. Ideally two or three independent members should be sought.5. In medium and large organisations the Audit Committee should ideally have no fewer
than five and no more than ten members. For smaller bodies a minimum membership of three may be more practicable.6. The Audit Committee is appointed to give advice to the Accounting Officer. Although the Accounting Officer may chair the Audit Committee the objectivity of the advice given can be enhanced if another member (particularly a non-executive) is the Chair of the Audit Committee.
7. Members of the Audit Committee who have executive responsibility in the body (in those organisations which have a sufficiently large number of senior executive staff) should be rotated on an appropriate cycle (three years will generally be appropriate) to provide for objectivity in the long term and to avoid over or under representation of particular aspects of the body's business and administrative interests.
8. Audit Committees should have documented terms of reference from the Accounting Officer/Board which should include a remit to consider the adequacy of risk management and internal control through reviewing (inter alia):
the mechanisms for the assessment and management of risk
the planned activity of internal audit
the results of internal audit activity
the planned activity of external audit
the results of external audit activity
adequacy of management response to issues identified by audit activity
assurances relating to the corporate governance requirements for the organisation
9. The Head of Internal Audit and the senior member of the external audit team should have the right of access to the Audit Committee and should normally be present at meetings (as attendees rather than members)
10. The Audit Committee should meet regularly and at least three times a year.