Key Features of Internal Financial Control and Audit

Financial Management Specialist
Governance Global Practice/MENA, The World Bank


Internal Control Systems

Organizations, be they public or private, apply a variety of measures in their operations to ensure that their objectives are met, that financial reporting is of required quality, and that rules and legislation are followed. Such measures include: expenditure controls to ensure compliance with the budget; segregation of responsibilities to lower the risk of error and fraud; procedures to ensure quality and timeliness of accounting and financial reporting; as well as information technology (IT) security procedures. These measures comprise “internal control” in accordance with the definition in the COSO¹ framework. Internal control is the responsibility of the management of the organization, and is carried out by staff throughout the organization as part of their everyday work. It can also be automated through IT systems. For example, when an employee in the Ministry of Water Resources checks whether works on irrigation systems are proceeding according to the agreed specifications and quality, it is considered part of the internal control framework of the ministry. A subset of internal control measures is related to the financial management of the organization.

Management is responsible for designing an internal control framework which is appropriate for the specific organization, although this may also include certain mandatory measures prescribed by the legal framework. In designing the internal control framework, it is important to take into account the specific characteristics, operations and risks of the organization. Assessing risk entails considering the likelihood of events occurring that may hamper the operations of an organization and the achievement of its objectives. In addition, risk assessment entails examining what the consequences of such events would be and how severe. The internal control measures are designed to mitigate the identified risks. Embedded in this concept is the notion that there is no “one size fits all” solution. For example, a bank will have different risks than a ministry that spends significant amounts on the procurement of goods. The type of budget system chosen also has implications for internal control measures (see figure). In public sector contexts where budgeting is characterized by a strong focus on inputs, annual orientation and centralization, the main focus of the internal control system is often on assuring compliance with rules and regulations and annual budget appropriations. In organizations or countries where the budget is more concerned with the expected results of the use of the funds, it will often be relevant to include measures aimed at increasing the chances of goal achievement and effectiveness. It is important to note that a higher number of controls and checks does not necessarily equal better control. In some countries with poor governance, multiple layers of controls may in fact increase corruption.²

Internal audit

An important component of the internal control framework is to monitor how the different internal control measures are functioning and whether they are having the intended effect. Internal audit plays a vital part in this monitoring process. It can have different organizational set-ups, but certain common principles apply.

The main objective of internal audit is to carry out independent and objective reviews and provide reasonable assurance that an organization’s operations are in compliance with rules and regulations, that financial reporting reflects the actual financial position, and, increasingly, that the organization is achieving its objectives both efficiently and effectively.³ It also provides recommendations to management on corrective actions and improvement measures.

Internal audit can be distinguished from other internal control measures in that it mainly reviews after the fact, and that it is independent; in other words, it is not involved in the operations itself. It should report directly to organizational management to ensure that important issues receive top-level attention, without reports first having to be approved by the people who have been audited.

The potential scope of internal audit is wide, but an important task is to evaluate the internal control system. This entails a systematic analysis of the different measures put in place and their effectiveness. It is less concerned with testing individual transactions.

The Institute of Internal Auditors (IIA) has developed internationally recognized standards for internal audit. They foresee an internal audit function which evolves from the testing of transactions to becoming management’s trusted advisor. This requires strong audit teams with a variety of skills.

Internal audit is distinct from external audit, which in the public sector is carried out by the supreme audit institution (SAI). Internal audit is carried out by staff within the organization that is being audited (or in the public sector, sometimes by the Ministry of Finance). It reports to the management of the same organization. By contrast, the SAI is a separate organization with its own staff which reports to the Parliament and the public in addition to the audited entity. Therefore, it fulfills an important role in holding public officials accountable in the use of public funds. Internal audit is also distinct from financial inspectors in the public sector in that it does not solely carry out investigations into alleged mismanagement or violation of rules. Rather, it uses sampling and testing of the internal control systems to give overall statements to management about compliance and financial reporting. 


1 The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an independent private sector initiative formed in 1985 to study the factors that can lead to fraudulent financial reporting. COSO’s Internal Control – Integrated Framework from 1992 has gained wide acceptance, and was updated in 2013.

2 Daniel Tommasi: “The Budget Execution Process”, in Allen, R., Hemming, R. and Potter, B. H. (2013): The International Handbook of Public Financial Management.

3 Jack Diamond: “Internal Control and Internal Audit”, in Allen, R., Hemming, R. and Potter, B. H. (2013): The International Handbook of Public Financial Management.