Public Finance Management Act, 1999 (Act No. 1 of 1999)Understanding and Using this ActGuide for Accounting Officers6. Corporate management and internal controls |
This section of the Guide deals with the organisational matters internal to the department. The appointment of a CFO and the establishment of an effective internal audit function whose work is overseen by an audit committee are measures that – provided the decisions are appropriate – will add value to departmental performance and efficiency in expenditure.
Financial staff
Government increasingly recognises the importance of financial staff. While the accounting officer (and indeed every line manager) is accountable for financial management, he or she must be able to rely on independent, professional advice to improve the quality of decision-making. Most private companies and a growing number of public entities appoint a CFO for this purpose.
In the United States of America, the authority and functions of CFOs in the public sector have been legislated in the Chief Financial Officers Act, 1990, which defines their functions to include:
• | Reporting directly to the head of the agency on financial management matters, and overseeing all financial management activities of the agency |
• | Developing and maintaining an integrated accounting and financial management system, including financial reporting and internal controls |
• | Systematically measuring performance |
Appointing a suitable CFO
While the PFMA assigns these responsibilities to accounting officers, they may be delegated to a suitably competent CFO. Accounting officers should appoint (probably on a performance-based contract) a CFO with relevant experience at a senior management level and a demonstrated capacity to interpret, analyse and present complex information. While the size and nature of the department will determine the specific qualities required, it is likely that the CFO will be a high-calibre individual, with:
• | Credibility with all the senior managers in the department |
• | The capacity to bring independent and impartial advice into departmental decision-making |
• | Membership of a professional body |
• | Direct access to the accounting officer |
The CFO must combine timely, materially accurate, relevant, complete and suitably presented financial results and trends, with interpretative professional advice. In addition, he or she must play a major role in preparing strategic plans and in ensuring that best practice (as set out in the Regulations) is followed. The CFO must be given the appropriate infrastructure and staff to minimise number crunching, allowing him or her sufficient opportunity to provide analysis, interpretations and appraisals that assist and improve decision-making in the department.
Role of CFO
Within a department, the role of the CFO will be to:
• | Maintain a close liaison with the accounting officer and all managers |
• | Respond to changing needs for financial information and advice |
• | Make a major contribution to the financial aspects of the strategic planning process |
• | Ensure that internal financial targets and budgets are fully consistent with the strategic plan and any associated agreement with Government |
• | Manage working capital, assets and liabilities |
• | Manage the accounting and finance staff |
• | Pay accounts and collect receipts |
• | Meet reporting requirements (for example, monthly reports under the PFMA and DoRA, and annual financial statements) |
• | Maintain systems of internal control, which comply with internal audit requirements |
• | Undertake product and service costing tasks |
Internal control
Internal control is nothing new – it exists in all organisations. It can be defined as the processes put in place by management and other stakeholders, which are designed to:
• | Provide reasonable assurances that the organisation’s objectives are achieved effectively and efficiently, in compliance with applicable laws and regulations |
• | Ensure reliable financial reporting |
Internal controls are the systems (manual or electronic), procedures and processes that are implemented to minimise the risk (and any financial consequences) to which the department might otherwise be exposed as a result of fraud, negligence, error, incapacity or other cause.
Appropriate internal control
The Exchequer Act prescribed detailed internal control processes for all entities in the Treasury Instructions and in other centrally defined regulations. The PFMA makes it clear that accounting officers must actively ensure that internal controls are appropriate for their specific circumstances and, most importantly, are operating as intended.
Controls must be designed to provide reasonable assurance that:
• | Goals are met with economical and efficient use of resources |
• | Financial and operational information is reliable and useful |
• | Assets are accounted for and protected from losses |
• | Policies, procedures, laws and regulations are complied with |
In a rapidly changing environment, internal control becomes significantly more important. Changes in management personnel and culture may well result in a fundamental redesign of internal controls, but must never expose the organisation or its management to the risks that would arise should these controls be eliminated.
Responsibilities for internal control
The responsibilities of different stakeholders for internal control can be summarised as follows:
• | Management has the ultimate responsibility for the operation and ownership of the system of internal control. |
• | The members of legislative bodies, in their capacity as representatives of the taxpayers, are to exercise governance, guidance and oversight. |
• | The Auditor-General will play an important role in making recommendations should any weaknesses in internal control be identified. |
• | The audit committee should be able to identify and act on instances where management may override internal control or otherwise seek to misrepresent reported financial results. Hence, the independence of the audit committee from management, the extent of the committee’s involvement with and scrutiny of activities, and the appropriateness of its actions will strongly influence the control environment in an organisation. |
Is internal control effective?
Accounting officers are required to ensure that the internal controls within their departments are operating effectively. To do this, they will need to examine the five elements of internal control, which are:
• | The control environment |
• | Risk assessment |
• | Control activities |
• | Information and communication |
• | Monitoring arrangements |
While the last three points are well understood, the first two may not be and are considered in the paragraphs below.
Control environment
The control environment includes:
• | The governance structures and functions of the department |
• | Management’s philosophy towards risk, and its style of operation |
• | The approach to assigning authority and responsibility in the department |
• | The nature and extent of the risks involved |
• | Systems for controlling expenditure |
• | The control systems in place, including internal audit |
• | Personnel policies and procedures |
• | Segregation of duties |
• | Access to computer-based systems (both physical and in terms of network security) |
• | Physical protection of cash and securities (the need to hold cash and securities should first be assessed), etc. |
• | The management information system |
Despite the previous centrally prescribed and procedurally focused Treasury Instructions, the present weaknesses in the control environment in the public sector are significant. These weaknesses arise when, for example, newly appointed staff do not appreciate the reasons why duties are separated.
Risk assessment
Because the Treasury Instructions prescribed detailed procedures to be applied to all entities, regardless of specific circumstances, the notion of departmental managers undertaking a ‘risk assessment’ for themselves will be an innovation in most parts of the public sector.
Risk management acknowledges that all the activities of an organisation involve some element of risk. Management must decide what is an acceptable level of risk (given the cost and other social factors) by objectively assessing the factors (risks) that may prevent a particular activity from meeting its objective. For example, the risk of delay in constructing a new clinic may be offset or managed by ensuring that the stock level of building material is adequately monitored; or, the risk of an asset such as a photocopier breaking down will be reduced by ensuring that it not misused.
Elements of risk management include:
• | Assessing the nature and extent of the risks associated with the department’s operations |
• | Deciding on an acceptable level of loss or degree of failure |
• | Deciding how to manage or minimise the risk |
• | Monitoring, reporting and, from time to time, reassessing the level and implications of the risk exposure |
Need to review internal control
The Regulations assign responsibilities for aspects of risk management to the internal audit unit and the audit committee, each of which reports to the accounting officer. Hence, each accounting officer will need to review the operation of the internal controls within his or her department, in accordance with the following basic principles:
• | Internal control systems should be of high quality, but at reasonable cost. |
• | Managers must ensure that the controls over the operations and resources entrusted to them are adequate, and should continuously determine whether controls are effective. |
• | The design and extent of control measures and procedures must match the risk and exposure in the particular area. Before implementing a control, management should be satisfied that the benefits outweigh the cost of operating the control. |
Remedial actions
After such a review, the accounting officer may need to implement some or all of the following measures:
• | Produce guidelines and standards to reflect the organisation’s values for conducting business |
• | Train managers in risk management and control techniques |
• | Establish self-assessment programmes for managers to measure the adequacy of controls on a routine basis |
• | Establish information flows that will indicate unfavourable trends and trigger corrective actions |
It is impossible to avoid all risk through internal control measures; attempts to do so may come at a cost higher than that of the potential risk. This was often the case with the procedures implemented in previous years. Before further internal control measures are implemented, the cost of these must be assessed against cost of the risk.
Internal audit
Internal audit is not new to Government, but the Act formalises the requirement for departments to operate effective internal audit units, except where the relevant treasury agrees that two or more – perhaps smaller – departments may share this resource.
Internal audit serves management
Traditionally, internal audit was seen as part of the finance function. However, the current view defines internal audit as ‘an independent appraisal function, established within an organisation to examine and evaluate its activities’. In other words, internal audit exists to assist management in carrying out its responsibilities effectively, by providing analyses, appraisals, recommendations and advice concerning the activities under review. Internal audit must examine and objectively appraise the adequacy and effectiveness of internal control in the organisation. An effective internal audit will highlight potential problems during the financial year, and possibly allow management the opportunity to remedy deficiencies before they receive adverse comment from the Auditor-General in the (annual) audit report.
Structure of internal audit
Over the last few years, most departments have established an internal audit function in one of the following ways:
• | Full in-house internal audit section – this has been the exception rather than the rule in the light of scarce technical skills |
• | Co-source the function with the private sector, i.e. some of the work is contracted out |
• | Outsource the function to the private sector, i.e. the entire function is contracted out |
• | Share the function with another department, subject to approval by the relevant treasury (heads of provincial departments must consider the resource constraints and consult with the relevant treasury) |
The decision on the structure of internal audit is less important than the responsibility of the accounting officer under the Act to ensure that internal audit is effective. Adequate resources must be made available for performing the duties specified in the audit plan.
Role and mandate of internal audit
Most internal audit units have developed a ‘Charter’, which specifies:
• | The purpose of the internal audit unit |
• | The scope of its authority, including provisions guaranteeing access to people, documents, assets and the operations of the organisation |
• | Internal audit’s responsibility for examining and reporting on financial and non-financial matters, including the effectiveness, efficiency and economy of operations |
• | The role of the audit committee |
• | The reporting arrangements, which must be designed to enhance the independence of internal audit |
Operation of internal audit
Internal audit must be conducted in accordance with the standards set by the Institute of Internal Auditors (to be available via a link on the national Treasury’s web site), and the internal audit unit must prepare, in consultation with and for approval by the audit committee:
• | A modus operandi, with management inputs, to guide the audit relationship |
• | A rolling three-year strategic internal audit plan based on its assessment of key areas of risk for the department |
• | A plan for the first year of the rolling plan, which indicates the proposed scope of each audit |
• | A quarterly report to the audit committee detailing performance against the plan |
Fraud prevention plans
Fraud prevention plans aim to manage the risk of fraud through cost effective use of the control environment, information systems, control procedures and an ethical culture within the department. Each accounting officer must ensure that the fraud prevention plan is completed no later than 31 March 2001.
Audit committee
An effective audit committee can assist management in discharging its accountability responsibilities to safeguard assets, operate adequate systems and controls, and prepare annual financial statements, by:
• | Improving communication and increasing contact, understanding and confidence between management and internal and external auditors (which may result in a more cost-effective external audit, to benefit both the organisation and the auditors) |
• | Scrutinising the performance of internal and external auditors, thus increasing accountability |
• | Facilitating the imposition of discipline and control, thus reducing the opportunity for fraud |
• | Strengthening the objectivity and credibility of financial reporting |
In principle, an audit committee should be advisory and not executive, and will probably only meet quarterly. The committee should not perform any management functions or assume any managerial responsibilities, as this would prejudice objectivity.
Composition of the audit committee
The Act specifies that each department must establish an audit committee unless the relevant treasury has agreed that two or more departments may share a committee (this may well be appropriate in provinces, and the onus is on each department to consult with the relevant treasury). The audit committee must consist of at least three people – three to five is the norm in the private sector. One of the members must be from outside the public service, and the chairperson may not be employed by the department. Similarly, departmental staff members may not be in the majority, and political office-bearers may not be appointed to the committee.
Proactive role
An audit committee is expected to play a proactive role; hence those appointed as members must have enquiring minds, a sound understanding of the complexities involved, and an appreciation of the department’s activities. Common sense and objectivity are essential criteria. Ideally, the committee should have a mix of skills and experience, and at least one member should have the necessary financial and auditing expertise to advise the committee in the execution of its duties and responsibilities. Members should rotate on a regular basis, to ensure a mix of experience and new members. A minimum of two to three years’ service is advisable.
Duties of audit committee
The audit committee should perform the following duties:
• | Make recommendations on the appointment or retention of auditors, if applicable |
• | Review and discuss the scope of the audit |
• | Satisfy itself that the audit plan sufficiently addresses the critical risk areas in the organisation |
• | Review the effectiveness of the organisation’s systems of internal control |
• | Monitor management’s response to reported weaknesses in controls (particularly those raised as audit queries), deficiencies in systems and recommendations for improvement |
• | Consider differences of opinion between management and auditors |
• | Evaluate the performance of auditors and of management |
• | Consider the quality of financial information produced |
• | Review the financial statements prior to approval by the accounting officer, including the accounting policies adopted, before submission to the Auditor-General |
• | Communicate to stakeholders regarding its activities |
Terms of reference
The terms of reference of an audit committee should cover the following matters:
• | The objectives and responsibilities of the committee |
• | The committee’s authority in requesting information and in obliging management to attend meetings and submit reports |
• | The resources available to the committee |
• | The minimum number of annual meetings (the Act requires at least two meetings a year) |
• | Who is required to attend meetings |
• | Minutes of meetings |
Timing of meetings
The audit committee should meet before the annual external audit to consider its scope and approximate timing, as well as the audit fee. It should also meet on completion of the audit to review the audit and all significant matters arising from it, in addition to the performance of the auditors.
The audit committee and the accounting officer must facilitate a risk assessment to determine the material risks to which the department may be exposed and to evaluate the strategy for managing those risks.
The strategy must be used to direct audit effort and priority, and to determine the skills required for managing these risks.
The audit committee must report and make recommendations to the accounting officer, but the accounting officer retains responsibility for implementing such recommendations. The committee may communicate any concerns it deems necessary to the executive authority, the relevant treasury and/or the Auditor-General.