The International Standards of Supreme Audit Institutions, ISSAI, are issued by the International Organization of Supreme Audit

Institutions, INTOSAI. For more information visit www.issai.org

INT OSAI Internal Control and

Accounting Standards:
INTOSAI GOV
9100 - 9230
 The International Standards of Supreme Audit Institutions, ISSAI, are
INTOSAI GOV 9100 issued by the International Organization of Supreme Audit Institutions,
INTOSAI. For more information visit www.issai.org

Guidelines for
INT OSAI
Internal Control
Standards for the
Public Sector
 INTO S AI Pr o f e s si o n a l S t an d ar ds Co m mitt e e
PSC-Secretariat
Rigsrevisionen • Landgreven 4 • P.O. Box 9009 • 1022 Copenhagen K • Denmark
Tel.:+45 3392 8400 • Fax:+45 3311 0415 •E-mail: [email protected]

IN TO S AI

EXPERIENTIA MUTUA
EXP ERIENTIA M UTUA

OMNIBUS PRODEST
OMNIBUS
P RODEST

INTOSAI General Secretariat - RECHNUNGSHOF

(Austrian Court of Audit)
DAMPFSCHIFFSTRASSE 2
A-1033 VIENNA
AUSTRIA
Tel.: ++43 (1) 711 71 • Fax: ++43 (1) 718 09 69

E-MAIL: [email protected];
WORLD WIDE WEB: http://www.intosai.org
Contents
Preface  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1 Internal Control  . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1.1 Definition  . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.2 Limitations on Internal Control Effectiveness  . . . . . . . . 12

2 Components of Internal Control  . . . . . . . . . . . . . . . . . 13

2.1 Control Environment  . . . . . . . . . . . . . . . . . . . . . 17
2.2 Risk Assessment  . . . . . . . . . . . . . . . . . . . . . . . 22
2.3 Control Activities  . . . . . . . . . . . . . . . . . . . . . . . 28
2.4 Information and Communication  . . . . . . . . . . . . . . . 36
2.5 Monitoring  . . . . . . . . . . . . . . . . . . . . . . . . . . 40

3 Roles and Responsibilities  . . . . . . . . . . . . . . . . . . . . 43

Annex 1 Examples  . . . . . . . . . . . . . . . . . . . . . . . . . 49

Annex 2 Glossary  . . . . . . . . . . . . . . . . . . . . . . . . . 57

v
G uidelines for
Internal Control Standards
for the Public Sector
Preface
The 1992 INTOSAI guidelines for internal control standards were con-
ceived as a living document reflecting the vision that standards should
be promoted for the design, implementation, and evaluation of internal
control. This vision involves a continuing effort to keep these guidelines
up-to-date.

The 17th INCOSAI (Seoul, 2001) recognized a strong need for updating
the 1992 guidelines and agreed that the Committee on Sponsoring
Organisations of the Treadway Commission’s (COSO) integrated
framework for internal control should be relied upon. Subsequent out-
reach efforts resulted in additional recommendations that the guidelines
address ethical values and provide more information on the general
principles of control activities related to information processing. The
revised guidelines take these recommendations into account and should
facilitate the understanding of new concepts with respect to internal
control.

These revised guidelines should also be viewed as a living document

which over time will need to be further developed and refined to
embrace the impact of new developments such as COSO’s Enterprise
Risk Management Framework1.

This update is the result of the joint effort of the members of the INTO-
SAI Internal Control Standards Committee. This update has been coor-
dinated by a task force set up among the committee members with rep-
resentatives of the SAIs of Bolivia, France, Hungary, Lithuania, the
Netherlands, Romania, the United Kingdom, the United States of Amer-
ica and Belgium (chair).

1
COSO, Enterprise Risk Management - Integrated Framework, www.coso.org, 2004.

1
An action plan for updating the guidelines was submitted to and
approved by the Governing Board at its 50th meeting (Vienna, October
2002). The Governing Board was informed of the progress of the work
at its 51st meeting (Budapest, October 2003). The draft was discussed at
and generally accepted by a committee meeting in Brussels in February
2004. After the committee meeting it was sent to all INTOSAI members
for final comment.

The comments that were received, have been analyzed and subsequent
changes have been made as deemed appropriate.

I would like to thank all the members of the INTOSAI Internal Control
Standards Committee for their dedication and cooperation in completing
this project. Special thanks is given to the members of the task force.

The guidelines for internal control standards fot the public sector are
presented for approval by the XVIII INCOSAI in Budapest 2004.

Franki VANSTAPEL
Senior President of the Belgian Court of Audit
Chairman of the INTOSAI Internal Control Standards Committee

2
Introduction
In 2001, INCOSAI decided to update the 1992 INTOSAI guidelines on
internal control standards to take into account all relevant and recent
evolutions in internal control and to incorporate the concept of the
COSO report titled Internal Control – Integrated Framework in the
INTOSAI document.

By implementing the COSO model in the guidelines, the Committee not

only aims at updating the concept of internal control, but also attempts
to contribute to a common understanding of internal control among
SAIs. It is self-evident that this document takes into account the charac-
teristics of the public sector. This prompted the Committee to consider
some additional topics and changes.

Compared to the COSO definition and the 1992 guidelines, the ethical
aspect of operations has been added. Its inclusion in the internal control
objectives is justified, as the importance of ethical behavior as well as
prevention and detection of fraud and corruption in the public sector has
become more emphasized since the nineties.2 General expectations are
that public servants should serve the public interest with fairness and
manage public resources properly. Citizens should receive impartial
treatment on the basis of legality and justice. Therefore public ethics are
a prerequisite to, and underpin, public trust and are a keystone of good
governance.

Since resources in the public sector generally embody public money and
their use in the public interest generally requires special care, the signif-
icance of safeguarding resources in the public sector needs to be
stressed. Moreover budgetary accounting on a cash basis is still a wide-
spread practice in the public sector but it does not provide sufficient
assurance related to the acquisition, use, and disposition of resources. As
a result, organisations in the public sector do not always have an up-to-
date record of all their assets, which makes them more vulnerable.
Therefore, safeguarding resources was judged to be an important inter-
nal control objective.

Just as internal control in 1992 was not limited to the traditional view of
financial and related administrative control and included the broader

2
XVI INCOSAI, Montevideo, Uruguay, 1998.

3
concept of management control, this document also stresses the impor-
tance of non-financial information.

Because of the extensive use of information systems in all public organ-

isations, information technology (IT) controls have become increasingly
important, which justified a separate paragraph in these guidelines.
Information technology controls relate to each of the components of an
entity’s internal control process including the control environment, risk
assessment, control activities, information and communication, as well
as monitoring. However, for presentation purposes, they are discussed
under “Control Activities”.

The goal of the Committee is to develop guidance for establishing and

maintaining effective internal control in the public sector. Government
management is therefore an important addressee of the guidelines. Gov-
ernment management can use these guidelines as a basis for the imple-
mentation and execution of internal control in their organisations.

Since evaluating internal control is a generally accepted field standard in

government auditing3, auditors can use the guidelines as an audit tool.
The guidelines for internal control standards comprising the COSO
model can therefore be used both by government management4 as an
example of a solid internal control framework for their organisation, and
by auditors as a tool to assess internal control. However, these guide-
lines are not intended as a substitute for INTOSAI Auditing Standards or
other relevant auditing standards.

This document defines a recommended framework for internal control in

the public sector and provides a basis against which internal control can
be evaluated. The approach applies to all aspects of an organisation’s
operation. However, it is not intended to limit or interfere with duly
granted authority related to developing legislation, rule-making, or other
discretionary policy-making in an organisation.

Internal control in public sector organisations should be understood

within the context of the specific characteristics of these organisations,

3
INTOSAI Auditing Standards
4
Operative personnel are not specifically mentioned as a target group. Although they are
affected by internal control and take actions that play an important role in effecting con-
trol, they, unlike management, are not ultimately responsible for all activities of an organ-
isation, related to the internal control system. Chapter 3 of the guidelines describes indi-
vidual roles and responsibilities.

4
i.e. their focus on meeting social or political objectives; their use of pub-
lic funds; the importance of the budget cycle; the complexity of their
performance (that calls for a balance between traditional values like
legality, integrity and transparency and modern, managerial values like
efficiency and effectiveness); and the correspondingly broad scope of
their public accountability.

In conclusion, it should be clearly stated that this document includes

guidelines for standards. These guidelines do not provide detailed poli-
cies, procedures and practices for implementing internal control, but
rather provide a broad framework within which entities can develop
such detailed controls. The Committee is obviously not in a position to
enforce standards.

How is this document structured?

In the first chapter, the concept of internal control is defined and its
scope is delineated. Attention is also given to the limitations of internal
control. In the second chapter, the components of internal control are
presented and discussed. The document ends with a third chapter on
roles and responsibilities.

In every section, the main principles are first presented succinctly in a

blue-shaded text box, followed by further background. Reference is also
made to concrete examples, which can be found in the annexes. Also
attached to the document is a glossary containing the most important
technical terms.

5
1 Internal Control
1.1 Definition

Internal control is an integral process that is effected by an entity’s

management and personnel and is designed to address risks and to pro-
vide reasonable assurance that in pursuit of the entity’s mission, the
following general objectives are being achieved:
• executing orderly, ethical, economical, efficient and effective
operations;
• fulfilling accountability obligations;
• complying with applicable laws and regulations;
• safeguarding resources against loss, misuse and damage.

Internal control is a dynamic integral process that is continuously adapt-

ing to the changes an organisation is facing. Management and personnel
at all levels have to be involved in this process to address risks and to
provide reasonable assurance of the achievement of the entity’s mission
and general objectives.

An integral process

Internal control is not one event or circumstance, but a series of actions

that permeate an entity's activities. These actions occur throughout an
entity’s operations on an ongoing basis. They are pervasive and inherent
in the way management runs the organisation. Internal control is there-
fore different from the perspective of some observers who view it as
something added on to an entity's activities, or as a necessary burden.
The internal control system is intertwined with an entity's activities and
is most effective when it is built into the entity's infrastructure and is an
integral part of the essence of the organisation.

Internal control should be built in rather than built on. By building in

internal control, it becomes part of and integrated with the basic man-
agement processes of planning, executing and monitoring.

6
Built in internal control also has important implications for cost contain-
ment. Adding new control procedures that are separate from existing
procedures adds costs. By focusing on existing operations and their con-
tribution to effective internal control, and by integrating controls into
basic operating activities, an organisation often can avoid unnecessary
procedures and costs.

Effected by management and other personnel

People are what make internal control work. It is accomplished by indi-

viduals within an organisation, by what they do and say. Consequently,
internal control is effected by people. People must know their roles and
responsibilities, and limits of authority. Because of the importance of
this concept, a separate chapter (3) is devoted to it.

An organisation’s people include management and other personnel.

Although management primarily provides oversight, it also sets the
entity's objectives and has overall responsibility for the internal control
system. As internal control provides the mechanisms needed to help
understand risk in the context of the entity’s objectives, the management
will put internal control activities in place and monitor and evaluate
them. The implementation of internal control requires significant man-
agement initiative and intensive communication by management with
other personnel. Therefore internal control is a tool used by manage-
ment and directly related to the entity’s objectives. As such, manage-
ment is an important element of internal control. However, all personnel
in the organisation play important roles in making it happen.

Similarly, internal control is affected by human nature. Internal control

guidelines recognize that people do not always understand, communi-
cate or perform consistently. Each individual brings to the workplace a
unique background and technical ability, and has different needs and pri-
orities. These realities affect, and are affected by, internal control.

In pursuit of the entity’s mission

Any organisation is primarily concerned with the achievement of its

mission. Entities exist for a purpose – the public sector is generally con-
cerned with the delivery of a service and a beneficial outcome in the
public interest.

7
To address risks

Whatever the mission may be, its achievement will face all kinds of
risks. The task of management is to identify and respond to these risks
in order to maximize the likelihood of achieving the entity’s mission.
Internal control can help to address these risks, however it can only pro-
vide reasonable assurance about the achievement of the mission and the
general objectives.

Provides reasonable assurance

No matter how well designed and operated, internal control cannot pro-
vide management absolute assurance regarding the achievement of the
general objectives. Instead, the guidelines acknowledge that only a “rea-
sonable” level of assurance is attainable.

Reasonable assurance equates to a satisfactory level of confidence under

given considerations of costs, benefits, and risks. Determining how
much assurance is reasonable requires judgment. In exercising that judg-
ment, managers should identify the risks inherent in their operations and
the acceptable levels of risk under varying circumstances, and assess risk
both quantitatively and qualitatively.

Reasonable assurance reflects the notion that uncertainty and risk relate
to the future, which no one can predict with certainty. Also factors out-
side the control or influence of the organisation can affect the ability to
achieve its objectives. Limitations also result from the following reali-
ties: human judgment in decision making can be faulty; breakdowns can
occur because of simple errors or mistakes; controls can be circum-
vented by collusion of two or more people; or management can override
the internal control system. In addition, compromises in the internal con-
trol system reflect the fact that controls have a cost. These limitations
preclude management from having absolute assurance that objectives
will be achieved.

Reasonable assurance recognizes that the cost of internal control should

not exceed the benefit derived. Decisions on risk responses and estab-
lishing controls need to consider the relative costs and benefits. Cost
refers to the financial measure of resources consumed in accomplishing
a specified purpose and to the economic measure of a lost opportunity,
such as a delay in operations, a decline in service levels or productivity,

8
or low employee morale. A benefit is measured by the degree to which
the risk of failing to achieve a stated objective is reduced. Examples
include increasing the probability of detecting fraud, waste, abuse, or
error; preventing an improper activity; or enhancing regulatory compli-
ance.

Designing internal controls that are cost beneficial while reducing risk to
an acceptable level requires that managers clearly understand the overall
objectives to be achieved. Otherwise, government managers may design
systems with excessive controls in one area of their operations that
adversely affect other operations. For example, employees may try to
circumvent burdensome procedures, inefficient operations may cause
delays, excessive procedures may stifle employee creativity and problem
solving or impair the timeliness, cost or quality of services provided to
beneficiaries. Thus, benefits derived from excessive controls in one area
may be outweighed by increased costs in other activities.

However qualitative considerations should also be made.

For example, it may be important to have proper controls over high
risk/low monetary unit transactions such as salaries, travel and hospital-
ity expenses. The costs of appropriate controls might seem excessive for
the amounts of money involved relative to overall government expendi-
tures, but they may be critical to maintaining public confidence in gov-
ernments and related organization.

Achievement of objectives

Internal control is geared to the achievement of a separate but interre-

lated series of general objectives. These general objectives are imple-
mented through numerous specific sub-objectives, functions, processes,
and activities.

The general objectives are:

• executing orderly, ethical, economical, efficient and effective opera-
tions
The entity’s operations should be orderly, ethical, economical, efficient
and effective. They have to be consistent with the organisation’s mis-
sion.

Orderly means in a well-organised way, methodical.

9
Ethical relates to moral principles. The importance of ethical behaviour
and prevention and detection of fraud and corruption in the public sector
has become more emphasized since the nineties. General expectations
are that public servants should serve the public interest with fairness and
manage public resources properly. Citizens should receive impartial
treatment on the basis of legality and justice. Therefore public ethics are
a prerequisite to, and underpin public trust and are a keystone of good
governance.

Economical means not wasteful or extravagant. It means getting the

right amount of resources, of the right quality, delivered at the right time
and place, at the lowest cost.

Efficient refers to the relationship between the resources used and the
outputs produced to achieve the objectives. It means the minimum
resource inputs to achieve a given quantity and quality of output, or a
maximum output with a given quantity and quality of resource inputs.

Effective refers to the accomplishment of objectives or to the extent to

which the outcomes of an activity match the objective or the intended
effects of that activity.
• fulfilling accountability obligations
Accountability is the process whereby public service organisations and
individuals within them are held responsible for their decisions and
actions, including their stewardship of public funds, fairness, and all
aspects of performance.

This will be realized by developing, maintaining and making available

reliable and relevant financial and non-financial information and by
means of a fair disclosure of that information in timely reports to inter-
nal as well as external stakeholders.

Non-financial information may relate to the economy, efficiency and

effectiveness of policies and operations (performance information), and
to internal control and its effectiveness.
• complying with laws and regulations
Organisations are required to follow many laws and regulations. In pub-
lic organisations laws and regulations mandate the collection and spend-
ing of public money and the way of operating. Examples include the
Budget Act, international treaties, laws on proper administration,

10
accounting law/standards, environmental protection and civil rights law,
income tax regulations and anti-fraud and corruption acts.
• safeguarding resources against loss, misuse and damage due to
waste, abuse, mismanagement, errors, fraud and irregularities
Although the fourth general objective can be viewed as a subcategory of
the first one (orderly, ethical, economical, efficient and effective opera-
tions), the significance of safeguarding resources in the public sector
needs to be stressed. This is due to the fact that resources in the public
sector generally embody public money and their use in the public inter-
est generally requires special care. Moreover budgetary accounting on a
cash basis, which is still widespread in the public sector, does not pro-
vide sufficient assurance related to the acquisition, use, and disposition
of the resources. As a result, organisations in the public sector do not
always have an up-to-date record of all their assets, which makes them
more vulnerable. Therefore, controls should be embedded in each of the
activities related to managing the entity’s resources from acquisition to
disposal.

Other resources such as information, source documents and accounting

records are the key to achieving transparency and accountability of gov-
ernment operations, and should be preserved. However they are also in
danger of being stolen, misused or destroyed.
Safeguarding certain resources and records has even become increas-
ingly important since the arrival of computer systems. Sensitive infor-
mation stored on computer media can be destroyed or copied, distributed
and abused, if care is not taken to protect it.

11
1.2 Limitations on Internal Control Effectiveness5

Internal control cannot by itself ensure the achievement of the general

objectives defined earlier.

An effective internal control system, no matter how well conceived and

operated, can provide only reasonable – not absolute – assurance to
management about the achievement of an entity's objectives or its sur-
vival. It can give management information about the entity's progress, or
lack of it, toward achievement of the objectives. But internal control
cannot change an inherently poor manager into a good one. Moreover,
shifts in government policy or programs, demographic or economic con-
ditions are typically beyond management's control and may require
managers to re-design controls or adjust the level of acceptable risk.

An effective system of internal control reduces the probability of not

achieving the objectives. However, there will always be the risk that
internal control will be poorly designed or fail to operate as intended.

Because internal control depends on the human factor, it is subject to

flaws in design, errors of judgment or interpretation, misunderstanding,
carelessness, fatigue, distraction, collusion, abuse or override.

Another limiting factor is that the design of an internal control system

faces resource constraints. The benefits of controls must consequently
be considered in relation to their costs. Maintaining an internal control
system that eliminates the risk of loss is not realistic and would probably
cost more than is warranted by the benefit derived. In determining
whether a particular control should be established, the likelihood of the
risk occurring and the potential effect on the entity are considered along
with the related costs of establishing a new control.

Organisational changes and management attitude can have a profound

impact on the effectiveness of internal control and the personnel operat-
ing the system. Thus, management needs to continually review and
update controls, communicate changes to personnel, and set an example
by adhering to those controls.

5
The limitations on internal control effectiveness need to be stressed to avoid exagger-
ated expectations due to a misunderstanding of its effective scope.

12
2 CControl
omponents of Internal

Internal control consists of five interrelated components:

• control environment
• risk assessment
• control activities
• information and communication
• monitoring

Internal control is designed to provide reasonable assurance that the

entity’s general objectives are being achieved. Therefore clear objectives
are a prerequisite for an effective internal control process.

The control environment is the foundation for the entire internal control
system. It provides the discipline and structure as well as the climate
which influences the overall quality of internal control. It has overall
influences on how strategy and objectives are established, and control
activities are structured.

Having set clear objectives and established an effective control environ-

ment, an assessment of the risks facing the entity as it seeks to achieve
its mission and objectives provides the basis for developing an appropri-
ate response to risk.

The major strategy for mitigating risk is through internal control activi-
ties. Control activities can be preventive and/or detective. Corrective
actions are a necessary complement to internal control activities in order
to achieve the objectives. Control activities and corrective actions should
provide value for money. Their cost should not exceed the benefit result-
ing from them (cost effectiveness).

Effective information and communication is vital for an entity to run and

control its operations. Entity management needs access to relevant, com-
plete, reliable, correct and timely communication related to internal as

13
well as external events. Information is needed throughout the entity to
achieve its objectives.

Finally, since internal control is a dynamic process that has to be

adapted continuously to the risks and changes an organisation faces,
monitoring of the internal control system is necessary to help ensure that
internal control remains tuned to the changed objectives, environment,
resources and risks.

These components define a recommended approach for internal control

in government and provide a basis against which internal control can be
evaluated. These components apply to all aspects of an organisation’s
operation.

These guidelines provide a general framework. When implementing

them, management is responsible for developing the detailed policies,
procedures, and practices to fit their organisation’s operations and to
ensure that they are built into and are an integral part of those opera-
tions.

Relationship of objectives and components

There is a direct relationship between the general objectives, which rep-

resent what an entity strives to achieve, and the internal control compo-
nents, which represent what is needed to achieve the general objectives.
The relationship is depicted in a three-dimensional matrix, in the shape
of a cube.

The four general objectives – accountability (and reporting), compliance

(with laws and regulations), (orderly, ethical, economical, efficient and
effective) operations and safeguarding resources – are represented by the
vertical columns, the five components are represented by horizontal
rows, and the organisation or entity and its departments are depicted by
the third dimension of the matrix.

Each component row “cuts across'' and applies to all four general
objectives. For example, financial and non-financial data generated
from internal and external sources, which belong to the information
and communication component, are needed to manage operations,
report and fulfill accountability purposes, and comply with applicable
laws.

14
Similarly, looking at the general objectives, all five components are rel-
evant to each objective. Taking one objective, such as effectiveness and
efficiency of operations, it is clear that all five components are applica-
ble and important to its achievement.

Internal control is not only relevant to an entire organisation but also to

an individual department. This relationship is depicted by the third
dimension, which represents entire organisations, entities and depart-
ments. Thus, one can focus on any of the matrix's cells.

While the internal control framework is relevant and applicable to all

organisations, the manner in which management applies it will vary
widely with the nature of the entity and depends on a number of entity-
specific factors. These factors include the organisational structure, risk
profile, operating environment, size, complexity, activities and degree of

15
regulation, among others. As it considers the entity’s specific situation,
management will make a series of choices regarding the complexity of
processes and methodologies deployed to apply the internal control
framework components.

In the following text, each of the abovementioned components is pre-

sented concisely with additional comments.

16
2.1 Control Environment

The control environment sets the tone of an organisation, influencing

the control consciousness of its staff. It is the foundation for all other
components of internal control, providing discipline and structure.

Elements of the control environment are:

(1) the personal and professional integrity and ethical values of man-
agement and staff, including a supportive attitude toward internal
control at all times throughout the organisation;
(2) commitment to competence;
(3) the “tone at the top” (i.e. management’s philosophy and operating
style);
(4) organisational structure;
(5) human resource policies and practices.

The personal and professional integrity and ethical values of man-

agement and staff

The personal and professional integrity and ethical values of manage-

ment and staff determine their preferences and value judgments, which
are translated into standards of behaviour. They should exhibit a sup-
portive attitude toward internal control at all times throughout the organ-
isation.

Every person involved in the organisation—among managers and

employees—has to maintain and demonstrate personal and professional
integrity and ethical values and has to comply with the applicable codes

17
of conduct at all times. For example, this can include the disclosure of
personal financial interests, outside positions and gifts (e.g. by elected
officials and senior public servants), and reporting conflicts of interest.

Also, public organisations have to maintain and demonstrate integrity

and ethical values, and they should make those visible to the public in
their mission and core values. In addition, their operations have to be
ethical, orderly, economical, efficient and effective. They have to be
consistent with their mission.

Commitment to competence

Commitment to competence includes the level of knowledge and skill

needed to help ensure orderly, ethical, economical, efficient and effec-
tive performance, as well as a good understanding of individual respon-
sibilities with respect to internal control.

Managers and employees are to maintain a level of competence that

allows them to understand the importance of developing, implementing,
and maintaining good internal control and to perform their duties in
order to accomplish the general internal control objectives and the
entity’s mission. Everyone in an organisation is involved in internal con-
trol with his own specific responsibilities.

Managers and their staffs must therefore maintain and demonstrate a

level of skill necessary to assess risk and help ensure effective and effi-
cient performance, and an understanding of internal control sufficient to
effectively discharge their responsibilities.

Providing training, for example, can raise the awareness of public ser-
vants of the internal control objectives and, in particular, the objective of
ethical operations, and helps them to understand the internal control
objectives and to develop skills to handle ethical dilemmas.

Tone at the top

The “tone at the top” (i.e. management’s philosophy and operating

style) reflects:
• a supportive attitude toward internal control at all times, inde-
pendence, competence and leading by example;

18
 • a code of conduct set out by management, and counselling and
performance appraisals that support the internal control objectives
and, in particular, that of ethical operations.
The attitude established by top management is reflected in all aspects of
management's actions. The commitment, the involvement and support
of top government officials and legislators in setting "the tone at the
top" foster a positive attitude and are critical to maintaining a positive
and supportive attitude towards internal control in an organisation.

If top management believes that internal control is important, others in

the organisation will sense that and will respond by conscientiously
observing the controls established. For example, the creation of an inter-
nal audit unit as part of the internal control system is a strong signal by
management that internal control is important.

On the other hand, if the members of the organisation feel that control is
not an important concern to the top management and control is given lip
service rather than meaningful support, it is almost certain that the
organisation’s control objectives will not be effectively achieved.

Consequently, demonstration of and insistence on ethical conduct by man-

agement is of vital importance to the internal control objectives and, in par-
ticular the objective of “ethical operations”. In carrying out its role, man-
agement should set a good example through its own actions and its conduct
should reflect what is proper rather than what is acceptable or expedient. In
particular, management’s policies, procedures and practices should pro-
mote orderly, ethical, economical, efficient and effective conduct.

The integrity of managers and their staffs is, however, influenced by many
elements. Therefore, personnel should periodically be reminded of their
obligations under an operative code of conduct issued by the top manage-
ment. Counselling and performance appraisals are also important. Overall
performance appraisals should be based on an assessment of many critical
factors, including the employees’s role in effecting internal control.

Organisational structure

The organisational structure of an entity provides:

• assignment of authority and responsibility;
• empowerment and accountability;
• appropriate lines of reporting.

19
The organisational structure defines the entity’s key areas of authority
and responsibility. Empowerment and accountability relate to the man-
ner in which this authority and responsibility are delegated throughout
the organisation. There can be no empowerment or accountability with-
out a form of reporting. Therefore, appropriate lines of reporting need to
be defined. In exceptional circumstances, other lines of reporting have to
be possible in addition to the normal ones, such as in cases where man-
agement is involved in irregularities.

The organisational structure can include an internal audit unit that

should be independent from management, and reports directly to the
highest level of authority within the organisation.

Organisational structure is also dealt with in chapter 3 on roles and

responsibilities.

Human resource policies and practices

Human resource policies and practices include hiring and staffing,

orientation, training (formal and on-the-job) and education, evaluat-
ing and counselling, promoting and compensating, and remedial
actions.

An important aspect of internal control is personnel. Competent, trust-

worthy personnel are necessary to provide effective control. Therefore,
the methods by which persons are hired, trained, evaluated, compen-
sated, and promoted, are an important part of the control environment.
Hiring and staffing decisions should therefore include assurance that
individuals have the integrity and the proper education and experience to
carry out their jobs and that the necessary formal, on-the-job, and ethics
training is provided. Managers and employees who have a good under-
standing of internal control and are willing to take responsibility, are
vital to effective internal control.

Human resource management also has an essential role in promoting an

ethical environment by developing professionalism and enforcing trans-
parency in daily practice. This becomes visible in recruitment, perform-
ance appraisal and promotion processes, which should be based on mer-
its. Securing the openness of selection processes by publishing both the
recruitment rules and vacant positions also helps to realise ethical human
resource management.

20
Examples

We refer the reader to the annexes for integrated examples on each of

the objectives and the components of internal control.

21
2.2 Risk Assessment

Risk assessment is the process of identifying and analysing relevant

risks to the achievement of the entity’s objectives and determining the
appropriate response.
It implies:
(1) risk identification:
• related to the objectives of the entity;
• comprehensive;
• includes risks due to external and internal factors, at both the
entity and the activity levels;
(2) risk evaluation:
• estimating the significance of a risk;
• assessing the likelihood of the risk occurrence;
(3) assessment of the risk appetite of the organisation;
(4) development of responses:
• four types of responses to risk must be considered: transfer, tol-
erance, treatment or termination; of these, risk treatment is the
most relevant to these guidelines because effective internal con-
trol is the major mechanism to treat risk;
• the appropriate controls involved can be either detective or pre-
ventive.
As governmental, economic, industry, regulatory and operating condi-
tions are in constant change, risk assessment should be an ongoing iter-
ative process. It implies identifying and analysing altered conditions
and opportunities and risks (risk assessment cycle) and modifying
internal control to address changing risk.

22
As stressed in the definition, internal control can provide only reason-
able assurance that the objectives of the organisation are being
achieved. Risk assessment as a component of internal control, plays a
key role in the selection of the appropriate control activities to under-
take. It is the process of identifying and analysing relevant risks to the
achievement of the entity’s objectives and determining the appropriate
response.

Consequently, setting objectives is a precondition to risk assessment.

Objectives must be defined before management can identify the risks
to their achievement and take the necessary actions to manage those
risks. That means having in place an ongoing process for evaluating
and addressing the impact of risks in a cost effective way and having
staff with the appropriate skills to identify and assess the potential
risks. Internal control activities are a response to risk in that they
are designed to contain the uncertainty of outcome that has been iden-
tified.

Government entities have to manage the risks that are likely to have an
impact on service delivery and the achievement of desired outcomes.

Risk identification

A strategic approach to risk assessment depends on identifying risks

against key organisational objectives. Risks relevant to those objectives
are then considered and evaluated, resulting in a small number of key
risks.

Identifying key risks is not only important in order to identify the most
important areas to which resources in risk assessment should be allo-
cated, but also in order to allocate responsibility for management of
these risks.

An entity’s performance can be at risk due to internal or external factors

at both the entity and activity levels. The risk assessment should con-
sider all risks that might occur (including the risk of fraud and corrup-
tion). It is therefore important that risk identification is comprehensive.
Risk identification should be an ongoing, iterative process and is often
integrated with the planning process. It is often useful to consider risk
from a ‘clean sheet of paper’ approach, and not merely relate it to the
previous review. Such an approach facilitates the identification of

23
changes in the risk profile6 of an organisation arising from changes in
the economic and regulatory environments, internal and external operat-
ing conditions and from the introduction of new or modified objectives.

It is necessary to adopt appropriate tools for the identification of risk.

Two of the most commonly used tools are commissioning a risk review
and a risk self assessment.7

Risk evaluation

In order to decide how to handle risk, it is essential not only to identify in

principle that a certain type of risk exists, but also to evaluate its signifi-
cance and assess the likelihood of the risk event occurring. The method-
ology for analysing risks can vary, largely because many risks are diffi-
cult to quantify (e.g. reputation risks) while others lend themselves to a
numerical diagnosis (particularly financial risks). For the former, a much
more subjective view is the only possibility. In this sense, risk evaluation
is more of an art than a science. However, the use of systematic risk
rating criteria will mitigate the subjectivity of the process by providing a
framework for judgements to be made in a consistent manner.

One of the key purposes of risk evaluation is to inform management

about areas of risk where action needs to be taken and their relative pri-

6
An overview or matrix of the key risks facing an entity or sub-unit that includes the
level of impact (e.g. high, medium, low) along with the probability or likelihood of the
event occurring.
7
Commissioning a risk review
This is a top down procedure. A team is established to consider all the operations and
activities of the organisation in relation to its objectives and to identify the associated
risks. The team conducts a series of interviews with key members of staff at all levels of
the organisation to build a risk profile for the whole range of activities thereby identify-
ing the policy fields, activities and functions which may be particularly vulnerable to risk
(including the risk of fraud and corruption).

Risk self assessment

This is a bottom up approach. Each level and part of the organisation is invited to review
its activities and feed diagnosis of the risks faced upwards. This may be done through a
documentation approach (with a framework for diagnosis set out through questionnaires)
or through a facilitated workshop approach.

These two approaches are not mutually exclusive and a combination of top down and bot-
tom up inputs to the risk assessment process is desirable to facilitate the identification of
both entitywide and activity level risks.

24
ority. Therefore, it will usually be necessary to develop some framework
for categorising all risks, for example, as high, medium, or low. Gener-
ally, it is better to minimize the categories, as over refinement may lead
to spurious separation of levels which in reality cannot be separated
clearly.

By means of such evaluation, risks can be ranked in order to set

management priorities and present information for management deci-
sions about the risks that need to be addressed (for example those
with a major potential impact and a high likelihood of the risks occur-
ring).

Assessment of the “risk appetite” of the organisation

An important issue in considering response to risk is the identification of

the “risk appetite” of the entity. Risk appetite is the amount of risk to
which the entity is prepared to be exposed before it judges action to be
necessary. Decisions about responses to risk have to be taken in con-
junction with an identification of the amount of risk that can be toler-
ated.

Both inherent and residual risks need to be considered to determine the

risk appetite. Inherent risk is the risk to an entity in the absence of any
actions management might take to alter either the risk’s likelihood or
impact. Residual risk is the risk that remains after management responds
to the risk.

The risk appetite of an organisation will vary according to the per-

ceived importance of the risks. For example, tolerable financial loss
may vary in accordance with a range of features, including the size of
the relevant budget, the source of the loss, or associated other risks
such as adverse publicity. Identification of risk appetite is a subjective
issue, but it is nevertheless an important stage in formulating the over-
all risk strategy.

Development of responses

The result of the actions outlined above will be a risk profile for the
organisation. Having developed a risk profile, the organisation can then
consider an appropriate response.

25
Responses to risk can be divided into four categories. In some instances,
risk can be transferred, tolerated, or terminated.8 However, in most
instances the risk will have to be treated and the entity will need to
implement and maintain an effective internal control system to keep risk
at an acceptable level.

The purpose of treatment is not necessarily to obviate the risk, but more
likely to contain it. The procedures that an organisation establishes to
treat risk are called internal control activities. Risk assessment should
play a key role in the selection of appropriate control activities to under-
take. Again, it is important to repeat that it is not possible to eliminate
all risk and that internal control can only provide reasonable assurance
that the objectives of the organisation are being achieved. However,
entities that actively identify and manage risks are more likely to be bet-
ter prepared to respond quickly when things go wrong and to respond to
change in general.

In designing an internal control system, it is important that the control

activity established is proportionate to the risk. Apart from the most
extreme undesirable outcome, it is normally sufficient to design a con-
trol that provides a reasonable assurance of confining loss within the risk
appetite of the organisation. Every control has an associated cost and the
control activity must offer value for its cost in relation to the risk that it
is addressing.

Because governmental, economic, industry, regulatory and operating

conditions continually change, the risk environment of any organisa-
tion is constantly changing, and priorities of objectives and the conse-
quent importance of risks will shift and change. Fundamental to risk

8
For some risks the best response may be to transfer them. This might be done by con-
ventional insurance, by paying a third party to take the risk in another way, or it might be
done by contractual stipulations.

The ability to do anything about some risks may be limited, or the cost of taking any
action may be disproportionate to the potential benefit gained. In these cases the response
may be to tolerate the risks.

Some risks will only be treatable or containable to acceptable levels, by terminating the
activity. In the public sector, the option to terminate activities may be severely limited
when compared to the private sector. A number of activities are conducted in the govern-
ment sector because the associated risks are so great that there is no other way in which
the output or outcome, which is required for the public benefit, can be achieved.

26
assessment is an ongoing, iterative process to identify changed condi-
tions (risk assessment cycle) and take actions as necessary. Risk pro-
files and related controls have to be regularly revisited and reconsid-
ered in order to have assurance that the risk profile continues to be
valid, that responses to risk remain appropriately targeted and propor-
tionate, and mitigating controls remain effective as risks change over
time.

Examples

We refer the reader to the annexes for integrated examples on each of

the objectives and the components of internal control.

27
2.3 Control Activities

Control activities are the policies and procedures established to address

risks and to achieve the entity’s objectives.

To be effective, control activities must be appropriate, function con-

sistently according to plan throughout the period, and be cost effec-
tive, comprehensive, reasonable and directly relate to the control
objectives.

Control activities occur throughout the organisation, at all levels and in

all functions. They include a range of detective and preventive control
activities as diverse, for example, as:
(1) authorization and approval procedures;
(2) segregation of duties (authorizing, processing, recording, review-
ing);
(3) controls over access to resources and records;
(4) verifications;
(5) reconciliations;
(6) reviews of operating performance;
(7) reviews of operations, processes and activities;
(8) supervision (assigning, reviewing and approving, guidance and
training).
Entities should reach an adequate balance between detective and pre-
ventive control activities.
Corrective actions are a necessary complement to control activities in
order to achieve the objectives.

28
Control activities are the policies and procedures established and exe-
cuted to address risks and to achieve the entity’s objectives.

To be effective, control activities need to:

• be appropriate (that is, the right control in the right place and com-
mensurate to the risk involved);
• function consistently according to plan throughout the period (that is,
be complied with carefully by all employees involved and not
bypassed when key personnel are away or the workload is heavy);
• be cost effective (that is, the cost of implementing the control should
not exceed the benefits derived);
• be comprehensive, reasonable and directly relate to the control objec-
tives.
Control activities include a range of policies and procedures as diverse
as:

1. Authorization and approval procedures

Authorizing and executing transactions and events are only done by per-
sons acting within the scope of their authority. Authorization is the prin-
cipal means of ensuring that only valid transactions and events are initi-
ated as intended by management. Authorization procedures, which
should be documented and clearly communicated to managers and
employees, should include the specific conditions and terms under
which authorizations are to be made. Conforming to the terms of an
authorization means that employees act in accordance with directives
and within the limitations established by management or legislation.

2. Segregation of duties (authorizing, processing, recording, reviewing)

To reduce the risk of error, waste, or wrongful acts and the risk of not
detecting such problems, no single individual or team should control all
key stages of a transaction or event. Rather, duties and responsibilities
should be assigned systematically to a number of individuals to ensure
that effective checks and balances exist. Key duties include authorizing
and recording transactions, processing, and reviewing or auditing trans-
actions. Collusion, however, can reduce or destroy the effectiveness of
this internal control activity. A small organisation may have too few
employees to fully implement this control. In such cases, management
must be aware of the risks and compensate with other controls. Rotation
of employees may help ensure that one person does not deal with all the
key aspects of transactions or events for an undue length of time. Also,

29
encouraging or requiring annual holidays may help reduce risk by bring-
ing about a temporary rotation of duties.

3. Controls over access to resources and records

Access to resources and records is limited to authorized individuals who
are accountable for the custody and/or use of the resources. Account-
ability for custody is evidenced by the existence of receipts, inventories,
or other records assigning custody and recording the transfer of custody.
Restricting access to resources reduces the risk of unauthorized use or
loss to the government and helps achieve management directives. The
degree of restriction depends on the vulnerability of the resource and the
perceived risk of loss or improper use, and should be periodically
assessed. When determining an asset's vulnerability, its cost, portability
and exchangeability should be considered.

4. Verifications
Transactions and significant events are verified before and after process-
ing, e.g. when goods are delivered, the number of goods supplied is ver-
ified with the number of goods ordered. Afterwards, the number of
goods invoiced is verified with the number of goods received. The
inventory is verified as well by performing stock-takes.

5. Reconciliations
Records are reconciled with the appropriate documents on a regular
basis, e.g. the accounting records relating to bank accounts are recon-
ciled with the corresponding bank statements.

6. Reviews of operating performance

Operating performance is reviewed against a set of standards on a regu-
lar basis, assessing effectiveness and efficiency. If performance reviews
determine that actual accomplishments do not meet established objec-
tives or standards, the processes and activities established to achieve the
objectives should be reviewed to determine if improvements are needed.

7. Reviews of operations, processes and activities

Operations, processes and activities should be periodically reviewed to
ensure that they are in compliance with current regulations, policies,
procedures, or other requirements. This type of review of the actual
operations of an organisation should be clearly distinguished from the

30
monitoring of internal control which is discussed separately in section
2.5.

8. supervision (assigning, reviewing and approving, guidance and

training)
Competent supervision helps to ensure that internal control objectives
are achieved. Assigning, reviewing, and approving an employee's work
encompasses:
• clearly communicating the duties, responsibilities, and accountabili-
ties assigned each staff member;
• systematically reviewing each member's work to the extent neces-
sary;
• approving work at critical points to ensure that it flows as intended.
A supervisor's delegation of work should not diminish the supervisor's
accountability for these responsibilities and duties. Supervisors also pro-
vide their employees with the necessary guidance and training to help
ensure that errors, waste, and wrongful acts are minimized and that man-
agement directives are understood and achieved.

The abovementioned list is not exhaustive but enumerates the most

common preventive and detective control activities. Control activities 1
– 3 are preventive, 4 – 6 are more detective while 7 – 8 are both pre-
ventive and detective. Entities should reach an adequate balance
between detective and preventive control activities, whereby often a
mix of controls is used to compensate for the particular disadvantages
of individual controls.

Once a control activity is implemented, it is essential that assurance

about its effectiveness is obtained. Consequently corrective actions are a
necessary complement to control activities. Moreover, it must be clear
that control activities form only a component of internal control. They
should be integrated with the other four components of internal control.

Examples
We refer the reader to the annexes for integrated examples on each of
the objectives and the components of internal control.

31
2.3.1 Information Technology Control Activities

Information systems imply specific types of control activities. There-

fore information technology controls consist of two broad groupings:

(1) General Controls

General controls are the structure, policies and procedures that
apply to all or a large segment of an entity’s information systems
and help ensure their proper operation. They create the environ-
ment in which application systems and controls operate.

The major categories of general controls are (1) entity-wide secu-

rity program planning and management, (2) access controls, (3)
controls on the development, maintenance and change of the appli-
cation software, (4) system software controls, (5) segregation of
duties, and (6) service continuity.

(2) Application Controls

Application controls are the structure, policies, and procedures that
apply to separate, individual application systems, and are directly
related to individual computerized applications. These controls are
generally designed to prevent, detect, and correct errors and irreg-
ularities as information flows through information systems.

General and application controls are interrelated and both are needed to
help ensure complete and accurate information processing. Because
information technology changes rapidly, the associated controls must
evolve constantly to remain effective.

As information technology has advanced, organisations have become

increasingly dependent on computerized information systems to carry
out their operations and to process, maintain, and report essential infor-
mation. As a result, the reliability and security of computerized data and
of the systems that process, maintain, and report these data are a major
concern to both management and auditors of organisations. Although
information systems imply specific types of control activities, informa-
tion technology is not a “standalone” control issue. It is an integral part
of most control activities.

The use of automated systems to process information introduces several

risks that need to be considered by the organisation. These risks stem

32
from, among other things, uniform processing of transactions; informa-
tion systems automatically initiating transactions; increased potential for
undetected errors; existence, completeness, and volume of audit trails;
the nature of the hardware and software used; and recording
unusual or non-routine transactions. For example, an inherent risk from
the uniform processing of transactions is that any error arising from
computer programming problems will occur consistently in similar
transactions. Effective information technology controls can provide
management with reasonable assurance that information processed by its
systems meets desired control objectives, such as ensuring the complete-
ness, timeliness, and validity of data and preserving its integrity.

Information technology controls consist of two broad groupings, general

controls and application controls.

General controls

General controls are the structure, policies and procedures that apply to
all or a large segment of an entity’s information systems - such as main-
frame, minicomputer, network, and end-user environments - and help
ensure their proper operation. They create the environment in which
application systems and controls operate.

The major categories of general controls are:

(1) Entity wide security program planning and management provide a
framework and continuing cycle of activity for managing risk,
developing security policies, assigning responsibilities, and monitor-
ing the adequacy of the entity’s computer-related controls.
(2) Access controls limit or detect access to computer resources (data,
programs, equipment, and facilities), thereby protecting these
resources against unauthorized modification, loss, and disclosure.
Access controls include both physical and logical controls.
(3) Controls on the development, maintenance and change of applica-
tion software prevent unauthorized programs or modifications to
existing programs.
(4) System software controls limit and monitor access to the powerful
programs and sensitive files that control the computer hardware and
secure applications supported by the system.
(5) Segregation of duties implies that policies, procedures and an organ-
isational structure are established to prevent one individual from
controlling all key aspects of computer-related operations and

33
 thereby conducting unauthorized actions or gaining unauthorized
access to assets or records.
(6) Service continuity controls help to ensure that when unexpected
events occur, critical operations continue without interruption or are
promptly resumed and critical and sensitive data are protected.

Application controls

Application controls are the structure, policies, and procedures that

apply to separate, individual application systems - such as accounts
payable, inventory, payroll, grants, or loans - and are designed to cover
the processing of data within specific applications software.

These controls are generally designed to prevent, detect, and correct

errors and irregularities as information flows through information sys-
tems.

Application controls and the manner in which information flows through

information systems can be categorized into three phases of a processing
cycle:
• input: data are authorized, converted to an automated form, and
entered into the application in an accurate, complete, and timely man-
ner;
• processing: data are properly processed by the computer and files are
updated correctly; and
• output: files and reports generated by the application reflect transac-
tions or events that actually occurred and accurately reflect the results
of processing, and reports are controlled and distributed to the author-
ized users.
Application controls may also be categorized by the kinds of control
objectives they relate to, including whether transactions and information
are authorized, complete, accurate and valid. Authorization controls con-
cern the validity of transactions and help ensure transactions represent
events that actually occurred during a given period. Completeness controls
relate to whether all valid transactions are recorded and properly classi-
fied. Accuracy controls address whether transactions are recorded cor-
rectly and all the data elements are accurate. Controls over the integrity of
processing and data files, if deficient, could nullify each of the above-
mentioned application controls and allow the occurrence of unauthorized
transactions, as well as contribute to incomplete and inaccurate data.

34
Application controls include programmed control activities, such as
automated edits, and manual follow-up of computer-generated output,
such as reviews of reports identifying rejected or unusual items.

General and application controls over computer systems are inter-

related

The effectiveness of general controls is a significant factor in determin-

ing the effectiveness of application controls. If general controls are
weak, they severely diminish the reliability of controls associated with
individual applications. Without effective general controls, application
controls may be rendered ineffective by override, circumvention or mod-
ification. For example, edit checks designed to prevent users from enter-
ing unreasonable number of hours worked (e.g. more than 24 in a day)
into a payroll system can be an effective application control. However,
this control cannot be relied on if the general controls permit unautho-
rized program modifications that might allow some transactions to be
exempt from the edit.

While the basic objectives of control do not change, rapid changes in

information technology require that controls evolve to remain effective.
Changes such as the increased reliance on networking, powerful com-
puters that place responsibility for data processing in the hands of end
users, electronic commerce, and the Internet will affect the nature and
implementation of specific control activities.

Further guidance on information technology control activities can be

obtained from the Information Systems Audit and Control Association
(ISACA), in particular the ISACA Control Objectives for Information
and Related Technology (COBIT) reference framework, and the pro-
ceedings of the INTOSAI IT-audit committee.

Examples

We refer the reader to the annexes for integrated examples on each of

the objectives and the components of internal control.

35
2.4 Information and
Communication

Information and communication are essential to realising all internal

control objectives.

Information

A precondition for reliable and relevant information is the prompt

recording and proper classification of transactions and events.
Pertinent information should be identified, captured and communi-
cated in a form and timeframe that enables staff to carry out their
internal control and other responsibilities (timely communication
to the right people). Therefore, the internal control system as such
and all transactions and significant events should be fully docu-
mented.

Information systems produce reports that contain operational, financial

and non-financial, and compliance-related information and that make it
possible to run and control the operation. They deal not only with
internally generated data, but also information about external events,
activities and conditions necessary to enable decision-making and
reporting.

Management’s ability to make appropriate decisions is affected by the

quality of information which implies that the information should be
appropriate, timely, current, accurate and accessible.

36
Information and communication are essential to the realisation of all the
internal control objectives. For example, one of the objectives of internal
control is fulfilling public accountability obligations. This can be
achieved by developing and maintaining reliable and relevant financial
and non-financial information and communicating this information by
means of a fair disclosure in timely reports. Information and communi-
cation relating to the organisation’s performance will create the possibil-
ity to evaluate the orderliness, ethicality, economy, efficiency and effec-
tiveness of operations. In many cases, certain information has to be
provided or communication has to take place in order to comply with
laws and regulations.

Information is needed at all levels of an organisation in order to have

effective internal control and achieve the entity’s objectives. Therefore
an array of pertinent, reliable and relevant information should be identi-
fied, captured and communicated in a form and timeframe that enables
people to carry out their internal control and other responsibilities. A
precondition for reliable and relevant information is the prompt record-
ing and proper classification of transactions and events.

Transactions and events must be recorded promptly when they occur if

information is to remain relevant and valuable to management in con-
trolling operations and making decisions. This applies to the entire
process or life cycle of a transaction or event, including the initiation and
authorization, all stages while in process, and its final classification in
summary records. It also applies to promptly updating all documentation
to keep it relevant.

Proper classification of transactions and events is also required to ensure

that reliable information is available to management. This means organ-
izing, categorizing, and formatting information from which reports,
schedules, and financial statements are prepared.

Information systems produce reports that contain operational, financial

and non-financial, and compliance-related information, and that make it
possible to run and control the operation. The systems deal not only with
quantitative and qualitative forms of internally generated data, but also
with information about external events, activities and conditions neces-
sary for informed decision-making and reporting.

Management’s ability to make appropriate decisions is affected by the

quality of information which implies that the information is:

37
• appropriate (is the needed information there?);
• timely (is it there when required?);
• current (is it the latest available?);
• accurate (is it correct?);
• accessible (can it be obtained easily by the relevant parties?).

In order to help ensure the quality of information and reporting, carry

out the internal control activities and responsibilities, and make monitor-
ing more effective and efficient, the internal control system as such and
all transactions and significant events should be fully and clearly docu-
mented (e.g. flow charts and narratives). This documentation should be
readily available for examination.

Documentation of the internal control system should include identifica-

tion of an organisation's structure and policies and its operating cate-
gories and related objectives and control procedures. An organisation
must have written evidence of the components of the internal control
process, including its objectives and control activities.

The extent of the documentation of an entity’s internal control varies

however with the entity's size, complexity and similar factors.

Communication

Effective communication should flow down, across, and up the organ-

isation, throughout all components and the entire structure.

All personnel should receive a clear message from top management

that control responsibilities should be taken seriously. They should
understand their own role in the internal control system, as well as how
their individual activities relate to the work of others.

There also needs to be effective communication with external parties.

Information is a basis for communication, which must meet the expecta-

tions of groups and individuals, enabling them to carry out their respon-
sibilities effectively. Effective communication should occur in all direc-
tions, flowing down, across and up the organisation, throughout all
components and the entire structure.

38
One of the most critical communications channels is that between man-
agement and its staff. Management must be kept up to date on perform-
ance, developments, risks and the functioning of internal control, and
other relevant events and issues. By the same token, management should
communicate to its staff what information it needs and provide feedback
and direction. Management should also provide specific and directed
communication addressing behavioural expectations. This includes a
clear statement of the entity’s internal control philosophy and approach,
and delegation of authority.

Communication should raise awareness about the importance and rele-

vance of effective internal control, communicate the entity’s risk
appetite and risk tolerances, and make personnel aware of their roles and
responsibilities in effecting and supporting the components of internal
control.

In addition to internal communications, management should ensure there

are adequate means of communicating with, and obtaining information
from external parties, as external communications can provide input that
may have a highly significant impact on the extent to which the organi-
sation achieves its goals.

Based on the input from internal and external communications, manage-

ment has to take necessary action and perform timely follow up actions.

Examples
We refer the reader to the annexes for integrated examples on each of
the objectives and the components of internal control.

39
2.5 Monitoring

Internal control systems should be monitored to assess the quality of the

system’s performance over time. Monitoring is accomplished through
routine activities, separate evaluations or a combination of both.

(1) Ongoing monitoring

Ongoing monitoring of internal control is built into the normal,
recurring operating activities of an entity. It includes regular man-
agement and supervisory activities, and other actions personnel
take in performing their duties.

Ongoing monitoring activities cover each of the internal control

components and involve action against irregular, unethical, uneco-
nomical, inefficient and ineffective internal control systems.

(2) Separate evaluations

The scope and frequency of separate evaluations will depend pri-
marily on an assessment of risks and the effectiveness of ongoing
monitoring procedures.

Specific separate evaluations cover the evaluation of the effective-

ness of the internal control system and ensure that internal control
achieves the desired results based on predefined methods and pro-
cedures. Internal control deficiencies should be reported to the
appropriate level of management.

Monitoring should ensure that audit findings and recommendations are

adequately and promptly resolved.

40
Monitoring internal control is aimed at ensuring that controls are operat-
ing as intended and that they are modified appropriately for changes in
conditions. Monitoring should also assess whether, in pursuit of the
entity’s mission, the general objectives set out in the definition of inter-
nal control are being achieved. This is accomplished through ongoing
monitoring activities, separate evaluations or a combination of both, in
order to help ensure that internal control continues to be applied at all
levels and across the entity, and that internal control achieves the desired
results. Monitoring the internal control activities themselves should be
clearly distinguished from reviewing an organisation’s operations which
is an internal control activity as previously described in section 2.3.

Ongoing monitoring of internal control occurs in the course of normal,

recurring operations of an organisation. It is performed continually and
on a real-time basis, reacts dynamically to changing conditions and is
ingrained in the entity’s operations. As a result, it is more effective than
separate evaluations and corrective actions are potentially less costly.
Since separate evaluations take place after the fact, problems will often
be identified more quickly by ongoing monitoring routines.

The scope and frequency of separate evaluations should depend prima-

rily on the assessment of risks and the effectiveness of ongoing monitor-
ing procedures. When making that determination, the organisation
should consider the nature and degree of changes, from both internal and
external events, and their associated risks; the competence and experi-
ence of the personnel implementing risk responses and related controls;
and the results of the ongoing monitoring. Separate evaluations of con-
trol can also be useful by focusing directly on the controls’ effectiveness
at a specific time. Separate evaluations may take the form of self-assess-
ments as well as a review of control design and direct testing of internal
control. Separate evaluations also may be performed by the SAIs, by
external or internal auditors.

Usually, some combination of ongoing monitoring and separate evalua-

tions will help ensure that internal control maintains its effectiveness
over time.

All deficiencies found during ongoing monitoring or through separate

evaluations should be communicated to those positioned to take necessary
action. The term “deficiency” refers to a condition that affects an entity’s
ability to achieve its general objectives. A deficiency, therefore, may rep-
resent a perceived, potential or real shortcoming, or an opportunity to

41
strengthen internal control to increase the likelihood that the entity’s gen-
eral objectives will be achieved.

Providing needed information on internal control deficiencies to the

right party is critical. Protocols should be established to identify what
information is needed at a particular level for effective decision making.
Such protocols reflect the general rule that a manager should receive
information that affects actions or behaviour of personnel under his or
her responsibility, as well as information needed to achieve specific
objectives.

Information generated in the course of operations is usually reported

through normal channels, which means to the individual responsible for
the function and also to at least one level of management above that
individual. However, alternative communications channels should also
exist for reporting sensitive information such as illegal or improper acts.

Monitoring internal control should include policies and procedures

aimed at ensuring the findings of audits and other reviews are adequately
and promptly resolved. Managers are to (1) promptly evaluate findings
from audits and other reviews, including those showing deficiencies and
recommendations reported by auditors and others who evaluate agen-
cies’ operations, (2) determine proper actions in response to findings and
recommendations from audits and reviews, and (3) complete, within
established time frames, all actions that correct or otherwise resolve the
matters brought to their attention.

The resolution process begins when audit or other review results are
reported to management, and is only completed after action has been
taken that (1) corrects the identified deficiencies, (2) produces improve-
ments, or (3) demonstrates that the findings and recommendations do
not warrant management action.

Examples
We refer the reader to the annexes for integrated examples on each of
the objectives and the components of internal control.

42
3 Roles and Responsibilities
Everyone in an organisation has some responsibility for internal con-
trol:

Managers are directly responsible for all activities of an

organisation, including designing, implementing,
supervising proper functioning of, maintaining
and documenting the internal control system.
Their responsibilities vary depending on their
function in the organisation and the organisa-
tion’s characteristics.

Internal auditors examine and contribute to the ongoing effec-

tiveness of the internal control system through
their evaluations and recommendations and
therefore play a significant role in effective
internal control.
However they do not have management’s pri-
mary responsibility for designing, implementing,
maintaining and documenting internal control.

Staff members contribute to internal control as well. Internal

control is an explicit or implicit part of every-
one’s duties. All staff members play a role in
effecting control and should be responsible for
reporting problems of operations, non-compli-
ance with the code of conduct, or violations of
policy.

External parties also play an important role in the internal control

process. They may contribute to achieving the organisation’s objec-
tives, or may provide information useful to effect internal control.
However, they are not responsible for the design, implementation,
proper functioning, maintenance or documentation of the organisa-
tion’s internal control system.

43
Supreme Audit encourage and support the establishment of effec-
Institutions (SAIs) tive internal control in the government. The
assessment of internal control is essential to the
SAI’s compliance, financial and performance
audits. They communicate their findings and rec-
ommendations to interested stakeholders.

External auditors audit certain government organisations in some

countries. They and their professional bodies
should provide advice and recommendations on
internal control.

Legislators and establish rules and directives regarding internal

regulators control. They should contribute to a common
understanding of internal control.

Other parties interact with the organisation (beneficiaries, sup-

pliers, etc.) and provide information regarding
achievement of its objectives.

Internal control is primarily effected by an entity’s internal stakeholders

including management, internal auditors and other staff. However, the
actions of external stakeholders also impact the internal control system.

Managers

All personnel in the organisation play important roles in making internal

control work. However, management has the overall responsibility for
the design, implementation, supervising proper functioning of, mainte-
nance and documentation of the internal control system. The manage-
ment structure may include boards and audit committees, which all have
different roles and compositions and are subject to different legislation
in different countries.

Internal auditors

Management often establishes an internal audit unit as part of the internal

control system and uses it to help monitor the effectiveness of internal

44
control. Internal auditors regularly provide information about the func-
tioning of internal control, focusing considerable attention on evaluating
the design and operation of internal control. They communicate informa-
tion about strengths and weaknesses and recommendations for improving
internal control. However their independence and objectivity should be
guaranteed.

Therefore internal auditing should be an independent, objective assur-

ance and consulting activity that adds value and improves an organisa-
tion’s operations. It helps an organisation accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control and governance processes.

Although internal auditors can be a valuable educational and advisory

resource on internal control, the internal auditor should not be a substi-
tute for a strong internal control system.

For an internal audit function to be effective, it is essential that the inter-

nal audit staff be independent from management, work in an unbiased,
correct and honest way and that they report directly to the highest level
of authority within the organisation. This allows the internal auditors to
present unbiased opinions on their assessments of internal control and
objectively present proposals aimed at correcting the revealed shortcom-
ings. For professional guidance, internal auditors should use the Profes-
sional Practices Framework (PPF) of The Institute of Internal Auditors
(IIA) including the Definition, the Code of Ethics, the Standards and the
Practice Advisories. Additionally, internal auditors should follow the
INTOSAI Code of Ethics.

In addition to its role of monitoring an entity’s internal control, an ade-

quate internal audit staff can contribute to the efficiency of the external
audit efforts by providing direct assistance to the external auditor. The
nature, scope, or timing of the external auditor’s procedures may be mod-
ified if the external auditor can rely upon the internal auditor’s work.

Staff members

Staff members and other personnel also effect internal control. It is often
these frontline individuals who apply controls, review controls, correct
for misapplied controls, and identify problems that may best be
addressed through controls in conducting their daily assignments.

45
External parties

The second major group of internal control stakeholders are external

parties such as external auditors (including SAIs), legislators and regula-
tors, and other parties. They may contribute to achieving the organisa-
tion’s objectives, or may provide information useful to effect internal
control. However, they are not responsible for the design, implementa-
tion, proper functioning, maintenance or documentation of the organisa-
tion’s internal control system.

SAIs and external auditors

The tasks of external parties, in particular external auditors and SAIs,

include assessing the functioning of the internal control system and
informing management about its findings. However, the external party’s
consideration of the internal control system is determined by his/her
mandate.

Auditors’ assessment of internal control implies:

• determining the significance and the sensitivity of the risk for which
controls are being assessed;
• assessing the susceptibility to misuse of resources, failure to attain
objectives regarding ethics, economy, efficiency and effectivity, or
failure to fulfil accountability obligations, and non-compliance with
laws and regulations;
• identifying and understanding the relevant controls;
• determining what is already known about control effectiveness;
• assessing the adequacy of the control design;
• determining, through testing, if controls are effective;
• reporting on the internal control assessments and discussing the nec-
essary corrective actions.
The Supreme Audit Institution also has a vested interest in ensuring that
strong internal audit units exist where needed. Those audit units consti-
tute an important element of internal control by providing a continuous
means for improving an organisation's operations. In some countries,
however, the internal audit units may lack independence, be weak, or be
non-existent. In those cases, the SAI should, whenever possible, offer
assistance and guidance to establish and develop those capacities and to
ensure the independence of the internal auditor's activities. This assis-
tance might include secondment or lending of staff, conducting lectures,

46
sharing training materials, and developing methodologies and work pro-
grams? This should be done without threatening the independence of the
SAI or external auditor.

The SAI also needs to develop a good working relationship with the
internal audit units so that experience and knowledge can be shared and
work mutually can be supplemented and complemented. Including inter-
nal audit observations and recognizing their contributions in the external
audit report when appropriate can also foster this relationship. The SAI
should develop procedures for assessing the internal audit unit's work to
determine to what extent it can be relied upon. A strong internal audit
unit could reduce the audit work of the SAI and avoid needless duplica-
tion of work. The SAI should ensure that it has access to internal audit
reports, related working papers, and audit resolution information.

SAIs should also play a leadership role for the rest of the public sector
by establishing their own organisation’s internal control framework in a
manner consistent with the principles set out in this guideline.

Not only SAIs but also external auditors play an important role in con-
tributing to the achievement of the internal control objectives, in partic-
ular “fulfilling accountability obligations” and “safeguarding
resources”. This is because external audits of financial reports and infor-
mation are integral to accountability and good governance. External
audits are still a primary mechanism that external stakeholders use to
review performance, along with non-financial information.

Legislators and regulators

Legislation can provide a common understanding of the internal control

definition and objectives to be achieved. It can also prescribe the poli-
cies that internal and external stakeholders are to follow in carrying out
their respective roles and responsibilities for internal control.

47
Annex 1 Examples

49
 Fulfilling accountability obligations example (1): A department that is responsible for the management of safe transport by water

50
and sea has been organised by different service departments responsible for piloting, buoyage, inspection of the quality of the water,
promotion of the use of waterways, investments in and maintenance of infrastructure (bridges, dikes, canals and locks).

Control Environment Risk Assessment Control Activities Information & Monitoring

Communication
For each of the service Possible risks are Control activities that The information and A follow-up of the
departments an collisions of ships, can be organised are the communication related number of collisions,
operational manager is draining off toxic waste pilotage of ships by to this situation can be environmental violations,
appointed who has to or fuel, and bursting of competent pilots, placing the reporting of results of the samples
report to the general dikes. If mishaps are buoys, beacons and collisions to warn other and a comparison with
manager of the related to negligence of markers; visual ships; informing ships of other countries and with
department. The the government inspection by air, and weather conditions, and historical data, can help
operational managers department, it could face taking water samples. publishing the names of to monitor the
have the appropriate a huge liability. polluters and the effectiveness and
skills and have the sanctions they are efficiency of the pilotage
authority to make certain facing, and the remedial of ships, the placing of
decisions. All of them actions undertaken. the beacons and markers,
also sign a code of the inspections, and the
proper conduct. water samples.
 Fulfilling accountability obligations example (2): The manager of the department of sports stipulated last year the objective that the
practice of sports would increase by 15% in the coming years.

Control Environment Risk Assessment Control Activities Information & Monitoring

Communication
Because of the By not specifying the This risk can be This report should be The verification of
manager’s good objectives, the risk arises decreased by installing delivered in time and whether or not the report
reputation, the executive of not achieving them. appropriate lines of according to the is satisfactory and what
committee trusted the Also the danger exists reporting and a reporting specified reporting information is given and
manager and did not that reporting will not be model which defines the model. It should specify what information is still
carry out the usual status timely as the manager information that should the growth objectives, missing can be a form of
meetings to check on the wants to wait with this be given. how they are measured monitoring.
manager’s progress. report until he can say and why they are
he realised the objective measured this way. All
of 15% growth. the back up information
(The abovementioned Moreover, how to should be available.
situation is not an measure the 15% growth
example of good was not revealed, so he
practice!) can say the number of
people doing sports has
increased or the number
of hours people do
sports, or even the
number of sports centres
or sports clubs has
increased by 15%. This
way the quality of the
reported information
decreases substantially.

51
 Compliance with applicable laws and regulations example: The ministry of defence wants to buy new fighter planes via a public

52
contract and publishes all stipulations and procedures for this government tender. All tenders received are left unopened until the end
of the tender period. At that moment all tenders are opened in the presence of the responsible managers and some officials. Only these
tenders will be investigated and compared to decide which tender is the best.

Control Environment Risk Assessment Control Activities Information & Monitoring

Communication
The team that will One of the risks related In order to mitigate The procedures relating Internal audit can do file-
execute this transaction to government tenders risks, procedures should to the publication of all reviews and follow-up on
is composed of and public contract is be developed and stipulations for this claims.
competent people who insider dealing. One of applied in accordance government tender, the
signed a document that the tenderers may have with all relevant laws assessment of the
they have no financial or prior knowledge of the and regulations received tenders and the
relational bond with any bids of the other concerning public announcement of the
of the tenderers. The tenderers and could contracts. selected tenderer, should
responsible managers make a winning tender be documented in
and officials also signed with this information writing and detail all
this document. resulting in what may actions to be taken.
not be the best choice of When assessing the
all tenders. Another risk tenders, all reasons why
consists of choosing the a tender was or was not
wrong tender which may chosen should be
result in a new public documented.
contract because the
other one did not meet
the expectations. Also
other tenderers who feel
they were unfairly
treated may make
claims.
 Orderly, ethical, economical, efficient and effective operations example (1): The department of culture wants to increase museum
visits by the public. In order to accomplish this, it proposes to build new museums, give every citizen a cultural cheque and decrease
ticket prices. To be economical, effective and efficient, management has to consider and evaluate whether or not the objectives as for-
mulated can be achieved by its proposals and how much each of these proposals will cost.

Control Environment Risk Assessment Control Activities Information & Monitoring

Communication
The department of The fact that the number The control activities The information and The analysis of the
culture needs to make of museum visits does related to the before communication related justifications for
sure that its organisation not increase is one of the mentioned risks can be a to this example can exceeding budget and
structure is suited to possible risks. Also the budgetary control that consist of the related interest costs due
support overseeing risk that some of the compares actual to documentation of to delayed work or
design and construction proposals will backfire budget, observations of meetings with architects, payments are a part of
of the proposed and exceed their budget the progress of the fire department (for monitoring.
additions, as well as is possible. For instance, construction, and safety regulations),
planning and operations if decreasing ticket demanding justifications artists and others. It can
of the new museums. prices does not increase for overspending the also contain different
museum visits, this budget. reports concerning
decreases the following up on the
government receipts. budget and the progress
Further, building new of the construction work.
museums without proper
planning and
consideration of
requirements of lighting,
temperature and security
can result in expensive
adjustments during or
after construction.

53
 Orderly, ethical, economical, efficient and effective operations example (2): The government wants to develop agriculture and

54
increase the quality of life in the countryside. They provide funds to subsidize the construction of irrigation and the drilling of wells.

Control Environment Risk Assessment Control Activities Information & Monitoring

Communication
The government must The risks involved are Control activities can be: - Progress reports Monitoring can consist of
ensure that it has the that unscrupulous - Checking the detailing the costs and a follow-up of the
appropriate department associations qualify for a qualifications of the the number of wells drilling of wells and the
in place to implement grant but do not use the associations applying that were drilled and construction of irrigation,
and conduct the subsidy money for what it was for a grant. the number of acres and a comparison with
operation, and create the intended. - Checking on site the that were irrigated. other similar projects.
appropriate tone for the progress of and
timely and efficient reviewing progress - (Copies of) invoices Also a follow-up on the
completion of this reports on the are requested as proceeds of the irrigated
project. construction works. justifications for the land can be considered.
- Checking the subsidised expenses.
expenditures of the
associations by
reviewing their
invoices, and delaying
payment of (or part of)
the subsidy until this
review is completed.
 Safeguarding resources example (1): The ministry of defence has some warehouses, military stores and fuel depots. The army com-
mand has the policy that these supplies are only for professional military use and not for personal use.

Control Environment Risk Assessment Control Activities Information & Monitoring

Communication
Good human capital The risk exists that Control activities that Reports of damaged Monitoring can be an
policies would be people will want to try deal with these risks can fences and differences inspection of the fence,
effective in recruiting to steal weapons to use be putting fences and noticed during stock unannounced stock takes,
and maintaining the them inappropriately or walls around the takes. Supply approvals follow-up of stock
appropriate personnel to sell them. Also other warehouses and depots, and procedures also movements or even a
staff and operate such supplies like fuel can be or placing armed guards provide information and secret test of security.
warehouses. vulnerable to theft. with dogs at the communication related
entrances. Regularly to this objective.
checking the stock
records and a procedure
which states that
supplies can only be
given with approval of a
superior officer will also
help to safeguard the
assets.

55
 Safeguarding resources example (2): Large amounts of sensitive information are stored on computer media in an agency of the min-

56
istry of justice. However, the importance of IT controls is neglected and consequently the IT control has numerous deficiencies.

Control Environment Risk Assessment Control Activities Information & Monitoring

Communication
Management must At the general controls The agency can: Procedures on IT control Performing an IT audit,
dedicate its commitment level, the agency has not: - implement logical (e.g. should be available and doing a disaster
to competence and - limited user access to passwords) and physical software changes should simulation exercise, and
proper behaviour only that needed by access controls (e.g. be documented before monitoring the web
involving IT, and users to perform their locks, ID badges, the software is placed in server activity, can be
provide proper training duties; alarms); operation. part of monitoring the IT
in this area. Human - developed adequate - deny the ability to log in environment.
capital policies also play system software to the operating system Policies and job
a key role in establishing controls to protect for application users; descriptions supporting
a positive control programs and sensitive - limit access to the the principles of
environment for IT data; production environment segregation of duties
issues. - documented software for the application should be developed.
changes; development staff;
- segregated incompatible - use audit logs to register Audit logs on access
duties; all access (attempts) and (attempts) and
- addressed service commands to detect (unauthorized)
continuity; security violations; commands should be
- protected its network - have a contingency and periodically reported and
from unauthorized disaster recovery plan to reviewed.
traffic. ensure the availability of
critical resources and
At the application
facilitate the continuity
controls level, the agency
of operations;
has not maintained access
- have firewalls and
authorizations.
monitor the web server
(This is not an example activity to secure the
of good practice!) network traffic.
Annex 2 Glossary

57
This glossary is intended to provide a common understanding of the main terms
used in these guidelines in respect to internal control definitions and practices.
In addition to some definitions we introduced in this document, we also used
existing definitions from various sources as noted.
• Code of ethics and auditing standards, INTOSAI, 2001. (INTOSAI auditing
standards)
• Internal Control – Integrated Framework, COSO, 1992. (COSO 1992)
• Glossarium, Office for official publications of the European communities, P.
Everard and D. Wolter, 1989. (glossarium)
• Auditing and assurance services, an integrated approach, A. A. Arens, R. J.
Elder and M. S. Beasley, Prentice Hall international edition, ninth edition,
2003. (Arens, Elder & Beasley)
• the COSO exposure draft “Enterprise Risk Management Framework”,
COSO, 2003. (COSO ERM)
• Handbook of international auditing, assurance, and ethics pronouncements,
IFAC, 2003. (IFAC)
• Transparency International Source Book 2000, (Transparency Interna-
tional)
• XVI INCOSAI, Montevideo, Uruguay, 1998, Principal Paper Theme 1A (Pre-
venting and Detecting Fraud and Corruption), February 1997, (XVI INCO-
SAI, Uruguay, 1998)
• Professional Practices Framework, The Institute of Internal Auditors.
(IIA)

Access control
In information technology, controls designed to protect resources from unautho-
rized modification, loss, or disclosure.

Accountability
• The process whereby public service bodies and the individuals within them
are held responsible for their decisions and actions, including their stewardship
of public funds and all aspects of performance.
• Duty imposed on an audited person or entity to show that he/it has adminis-
tered or controlled the funds entrusted to him/it in accordance with the terms on
which the funds were provided. (glossarium)

Application
Computer program designed to help people perform a certain type of work,
including specific functions, such as payroll, inventory control, accounting,
and mission support. Depending on the work for which it is designed, an
application can manipulate text, numbers, graphics, or a combination of these
elements.

58
Application controls
• The structure, policies, and procedures that apply to separate, individual appli-
cation systems and are designed to cover the processing of data within specific
applications software.
• Programmed procedures in application software, and related manual proce-
dures, designed to help ensure the completeness and accuracy of information
processing. Examples include computerized edit checks of input data, numerical
sequence checks and manual procedures to follow up on items listed in excep-
tion reports. (COSO 1992)

Audit
Review of a body’s activities and operations to ensure that these are being per-
formed or are functioning in accordance with objectives, budget, rules and stan-
dards. The aim of this review is to identify, at regular intervals, deviations
which might require corrective action. (glossarium)

Audit committee
A committee of the Board of Directors whose role typically focuses on
aspects of financial reporting and on the entity's processes to manage busi-
ness and financial risk, and for compliance with significant applicable legal,
ethical, and regulatory requirements. The Audit Committee typically assists
the Board with the oversight of (a) the integrity of the entity's financial state-
ments, (b) the entity's compliance with legal and regulatory requirements,
(c) the independent auditors' qualifications and independence, (d) the per-
formance of the entity's internal audit function and that of the independent
auditors and (e) compensation of company executives (in absence of a remu-
neration committee).

Audit institution
Public body which, however it is appointed, composed or organised, carries out
external audit duties in accordance with the law. (glossarium)

Budget
Quantitative, financial expression of a program of measures planned for a given
period. The budget is drawn up with a view to planning future operations and to
making ex post facto checks on the results obtained. (glossarium)

Budgetary control
Control by which an authority which has granted an entity a budget ensures that
this budget has been implemented in accordance with the estimates, authorisa-
tions and regulations. (glossarium)

59
C

Collusion
A cooperative effort among employees to defraud a business of cash, inventory,
or other assets. (Arens, Elder & Beasley)

Compliance
• Having to do with conforming with laws and regulations applicable to an
entity. (COSO 1992)
• Conformity and adherence to policies, plans, procedures, laws, regulations,
contracts, or other requirements. (IIA)

Component of internal control

One of five elements of internal control. The internal control components are the
entity’s internal control environment, risk assessment, control activities, infor-
mation and communication, and monitoring. (COSO 1992)

Computer controls
1. Controls performed by computer, i.e., controls programmed into computer
software (contrast with manual controls). 2. Controls over computer processing
of information, consisting of general controls and application controls (both pro-
grammed and manual). (COSO 1992)

Computer information system

A computer information system (CIS) environment exists when a computer of
any type or size is involved in the processing by the entity of (financial) infor-
mation of significance to the audit, whether that computer is operated by the
entity or by a third party. (IFAC)

Control
• 1. A noun, used as a subject, e.g. existence of a control – a policy or proce-
dure that is part of internal control. A control can exist within any of the five
components. 2. A noun, used as an object, e.g. to effect control – the result of
policies and procedures designed to control; this result may or may not be effec-
tive internal control. 3. A verb, e.g. to control – to regulate; to establish or
implement a policy that affects control. (COSO 1992)
• Any action taken by management, the board, and other parties to manage risk
and increase the likelihood that established objectives and goals will be
achieved. Management plans, organizes, and directs the performance of suffi-
cient actions to provide reasonable assurance that objectives and goals will be
achieved. (IIA)

Control activity
Control activities are the policies and procedures established to address risks and
to achieve the entity’s objectives. The procedures that an organisation puts in
place to treat risk are called internal control activities. Internal control activities

60
are a response to risk in that they are designed to contain the uncertainty of out-
come that has been identified.

Control environment
The control environment sets the tone of an organisation, influencing the control
consciousness of its staff. It is the foundation for all other components of inter-
nal control, providing discipline and structure.

Corruption
• Any form of unethical use of public authority for personal or private advan-
tage. (XVI INCOSAI, Uruguay, 1998)
• The misuse of entrusted power for private benefit. (Transparency International)

COSO
Committee of Sponsoring Organisations of the Treadway Commission, a group
of several accounting organisations. In 1992, it published a significant study on
internal control titled Internal Control – Integrated Framework. The study is
often referred to as the COSO Report.

Data
Facts and information that can be communicated and manipulated.

Deficiency
A perceived, potential or real internal control shortcoming, or an opportunity to
strengthen internal control to provide a greater likelihood that the entity's objec-
tives are achieved. (COSO 1992)

Design
1. Intent. As used in the definition, internal control is intended to provide rea-
sonable assurance as to the achievement of objectives; when the intent is real-
ized, the system can be deemed effective. 2. Plan; the way a system is supposed
to work, contrasted with how it actually works. (COSO 1992)

Detective control
A control designed to discover an unintended event or result (contrast with pre-
ventive control) (COSO 1992)

Documentation
• Documentation of the internal control structure is the material and written evi-
dence of the components of the internal control process, including the identifi-
cation of an organisation's structure and policies and its operating categories, its
related objectives and control activities. These should appear in documents such
as management directives, administrative policies, procedures manuals, and
accounting manuals.

61
E

Economical
Not wasteful or extravagant. It means getting the right amount of resources, of
the right quality, delivered at the right time and place, at the lowest cost.

Economy
• Minimising the cost of resources used for an activity, having regard to the
appropriate quality. (INTOSAI auditing standards)
• Acquisition at the right time and at the lowest cost of financial, human and
material resources which are suitable in terms of both quality and quantity.
(glossarium)

Edit checks
Programmed controls built into the early stages of the input process to identify
erroneous data fields. For example, alphanumeric characters entered into numer-
ical fields can be rejected by this control. Programmed edit controls can also be
applied, for example, when transactions data enter the processing cycle from
another application.

Effective
Refers to the accomplishment of objectives or the extent to which the out-
comes of an activity match the objective or the intended effects of that
activity.

Effectiveness
• The extent to which objectives are achieved and the relationship between the
intended impact and the actual impact of an activity. (INTOSAI auditing stan-
dards)
• Extent to which the stated objectives have been attained in a cost-effective
way. (glossarium)

Efficient
Refers to the relationship between the resources used and the outputs produced
to achieve the objectives. It means that minimum resource inputs are used to
achieve a given quantity and quality of output, or a maximum output with a
given quantity and quality of resource inputs.

Efficiency
• The relationship between the output, in terms of goods, services or other
results, and the resources used to produce them. (INTOSAI auditing stan-
dards)
• Use of financial, human and material resources in such a way as to maximize
output for a given amount of resources, or to minimize input for a given quan-
tity or quality of output. (glossarium)

62
End user computing
Refers to the use of non-centralized (i.e., non-IT department) data processing
using automated procedures developed by end-users, generally with the aid of
software packages (e.g., spreadsheet and database). End-user processes can be
sophisticated and become an extremely important source of management infor-
mation. Whether they are adequately tested and documented may be question-
able.

Entity
An organization of any size established for a particular purpose. An entity, for
example, may be a business enterprise, not-for-profit organization, government
body or academic institution. Other terms used as synonyms include organiza-
tion and department. (COSO 1992)

Ethical
Relates to moral principles.

Ethical values
Moral values that enable a decision maker to determine an appropriate course of
behavior; these values should be based on what is “right,” which may go
beyond what is legally required. (COSO 1992)

External audit
Audit carried out by a body which is external to and independent of the auditee,
the purpose being to give an opinion on and report on the accounts and the
financial statements, the regularity and legality of operations, and/or the finan-
cial management. (glossarium)

Flowchart
A diagrammatic representation of the client’s documents and records, and the
sequence in which they are processed. (Arens, Elder & Beasley)

Flow-charting
Illustrates a flow of procedures, information or documents. This technique
makes it possible to give a summary description of complex circuits or proce-
dures. (glossarium)

Fraud
An unlawful interaction between two entities, where one party intentionally
deceives the other through the means of false representation in order to gain
illicit, unjust advantage. It involves acts of deceit, trickery, concealment, or
breach of confidence that are used to gain some unfair or dishonest advantage.
(XVI INCOSAI, Uruguay, 1998)

63
G

General controls
• General controls are the structure, policies and procedures that apply to all or
a large segment of an entity’s information systems and help ensure their proper
operation. They create the environment in which application systems and con-
trols operate.
• Policies and procedures that help ensure the continued, proper operation of
computer information systems. They include controls over information technol-
ogy management, information technology infrastructure, security management,
and software acquisition, development and maintenance. General controls sup-
port the functioning of programmed application controls. Other terms some-
times used to describe general controls are general computer controls and infor-
mation technology controls. (COSO ERM)

Independence
• Freedom given to an audit body and its auditors to act in accordance with the
audit powers conferred on them without any outside interference. (glossarium)
• The freedom of the SAI in auditing matters to act in accordance with its audit
mandate without external direction or interference of any kind. (INTOSAI audit-
ing standards)
• The freedom from conditions that threaten objectivity or the appearance of
objectivity. Such threats to objectivity must be managed at the individual audi-
tor, engagement, functional and organizational levels.(IIA)
• The auditor’s ability to maintain an unbiased viewpoint in the performance of
professional services (independence in fact) (Arens, Elder & Beasley)
• The auditor’s ability to maintain an unbiased viewpoint in the eyes of others
(independence in appearance). (Arens, Elder & Beasley)

Inherent limitations
Those limitations of all internal control systems. The limitations relate to the
limits of human judgment; resource constraints and the need to consider the
cost of controls in relation to expected benefits; the reality that breakdowns
can occur; and the possibility of management override and collusion. (COSO
1992)

Inherent risk
The risk to an entity in the absence of any actions management might take to
alter either the risk’s likelihood or impact. (COSO ERM)

Institute of Internal Auditors (IIA)

The IIA is an organisation that establishes ethical and practice standards, pro-
vides education, and encourages professionalism for its members.

64
Integrity
The quality or state of being of sound moral principle; uprightness, honesty and
sincerity; the desire to do the right thing, to profess and live up to a set of val-
ues and expectations. (COSO 1992)

Internal audit
• The functional means by which the managers of an entity receive an assurance
from internal sources that the processes for which they are accountable are oper-
ating in a manner which will minimise the probability of the occurrence of
fraud, error or inefficient and uneconomic practices. It has many of the charac-
teristics of external audit but may properly carry out the directions of the level
of management to which it reports. (INTOSAI auditing standards)
• an independent, objective assurance and consulting activity designed to add
value and improve an organisation’s operations. It helps an organisation accom-
plish its objectives by bringing a systematic, disciplined approach to evaluate
and improve the effectiveness of risk management, control and governance
processes (IIA)
• Internal auditing is an appraisal activity established within an entity as a serv-
ice to the entity. Its functions include, amongst other things, examining, evalu-
ating and monitoring the adequacy and effectiveness of the accounting and
internal control systems. (IFAC)

Internal auditor(s)
Examine and contribute to the ongoing effectiveness of the internal control
system through their evaluations and recommendations, but they don’t have
primary responsibility for designing, implementing maintaining and document-
ing it.

Internal audit unit

• Department (or activity) within an entity, entrusted by its management with
carrying out checks and assessing the entity’s systems and procedures in order
to minimize the likelihood of fraud, errors and inefficient practices. Internal
audit must be independent within the organization and report directly to man-
agement. (glossarium)
• A department, division, team of consultants, or other practioner(s) that pro-
vides independent, objective assurance and consulting services designed to add
value and improve an organisation’s operations. The internal audit activity helps
an organisation accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control
and governance processes. (IIA)

Internal control
Internal control is an integral process that is effected by an entity’s management
and personnel and is designed to address risks and provide reasonable assurance
that in pursuit of the entity’s mission, the following general objectives are being
achieved: executing orderly, ethical, economical, efficient and effective operations,

65
fulfilling accountability obligations, complying with applicable laws and regula-
tions and safeguarding resources against loss, misuse and damage.

Internal Control System (or Process, or Architecture)

A synonym for Internal Control, applied in an entity. (COSO 1992)

International Organisation of Supreme Audit Institutions (INTOSAI)

INTOSAI is the professional organisation of supreme audit institutions (SAI) in
countries that belong to the United Nations or its specialised agencies. SAIs play
a major role in auditing government accounts and operations and in promoting
sound financial management and accountability in their governments. INTOSAI
was founded in 1953 and has grown from the original 34 countries to a mem-
bership of over 170 SAIs.

Input
Any data entered into a computer or the process of entering data into the com-
puter.

Legislature
The law-making authority of a country, for example a Parliament. (INTOSAI
auditing standards)

Logical access
The act of gaining access to computer data. Access may be limited to “read
only”, but more extensive access rights include the ability to amend data, create
new records, and delete existing records. (see also physical access)

Mainframe
A high-level computer designed for the most intensive computational tasks.
Mainframe computers are often shared by multiple users connected to the com-
puter by terminals.

Management
Comprises officers and others who also perform senior managerial functions.
Management includes directors and the audit committee only in those instances
when they perform such functions. (IFAC)

Management intervention
Management's actions to overrule prescribed policies or procedures for legiti-
mate purposes; management intervention is usually necessary to deal with

66
non-recurring and non-standard transactions or events that otherwise might be
handled inappropriately by the system (contrast this term with Management
Override). (COSO 1992)

Management override
Management's overruling of prescribed policies or procedures for illegitimate
purposes with the intent of personal gain or an enhanced presentation of an
entity's financial condition or compliance status (contrast this term with Man-
agement Intervention). (COSO 1992)

Management process
The series of actions taken by management to run an entity. Internal control is a
part of and integrated with the management process. (COSO 1992)

Manual controls
Controls performed manually, not by computer (contrast with Computer Con-
trols). (COSO 1992)

Monitoring
Monitoring is a component of internal control and it is the process that assesses
the quality of the internal control system’s performance over time.

Network
In information technology, a group of computers and associated devices that are
connected by communications facilities. A network can involve permanent con-
nections, such as cables, or temporary connections made through telephone or
other communications links. A network can be as small as a local area network
consisting of a few computers, printers, and other devices, or it can consist of
many small and large computers distributed over a vast geographic area.

Objectivity
An unbiased mental attitude that allows SAI’s, internal and external auditors to per-
form engagements in such a manner that they have an honest belief in their work
product and that no significant quality compromises are made. Objectivity requires
the auditors not to subordinate their judgment on audit matters to that of others.

Operations
• Used with “objectives” or “controls”: having to do with the effectiveness
and efficiency of an entity's activities, including performance and profitability
goals, and safeguarding resources. (COSO 1992)

67
• The functions, processes, and activities by which an entity’s objectives are
achieved.

Orderly
Means in a well-organised way, or methodically.

Output
In information technology, data/information produced by computer processing,
such as graphic display on a terminal or hard copy.

Physical access
In access control, gaining access to physical areas and entities. (see logical
access)

Policy
Management's dictate of what should be done to effect control. A policy serves
as the basis for procedures for its implementation. (COSO 1992)

Preventive control
A control designed to avoid unintended events or results (contrast with detective
control). (COSO 1992)

Procedure
An action that implements a policy. (COSO 1992)

Processing
In information technology, the execution of program instructions by the com-
puter’s central processing unit.

Public accountability
The obligations of persons or entities, including public enterprises and corpora-
tions, entrusted with public resources to be answerable for the fiscal, managerial
and program responsibilities that have been conferred on them, and to report to
those that have conferred these responsibilities on them. (INTOSAI auditing
standards)

Public sector
The term ‘public sector’ refers to national governments, regional (for example,
state, provincial, territorial) governments, local (for example, city, town) gov-
ernments and related governmental entities (for example, agencies, boards, com-
missions and enterprises). (IFAC)

68
R

Reasonable assurance
• Equates to a satisfactory level of confidence under given considerations of
costs, benefits, and risks.
• The concept that internal control, no matter how well designed and operated,
cannot guarantee that an entity's objectives will be met. This is because of
inherent limitations in all internal control systems. (COSO 1992)

Residual risk
The risk that remains after management responds to the risk.

Risk
The possibility that an event will occur and adversely affect the achievement of
objectives. (COSO ERM)

Risk appetite
• The amount of risk to which the entity is prepared to be exposed before it
judges action to be necessary.
• The broad-based amount of risk a company or other entity is willing to accept
in pursuit of its mission or vision. (COSO ERM)

Risk assessment
Risk assessment is the process of identifying and analysing relevant risks to the
achievement of the entity’s objectives and determining the appropriate response.

Risk assessment cycle

An ongoing, iterative process to identify and analyse altered conditions, opportu-
nities and risks and to take actions as necessary, in particular modifying internal
control to address changing risk. Risk profiles and related controls have to be reg-
ularly revisited and reconsidered in order to have assurance that the risk profile
continues to be valid, that responses to risk remain appropriately targeted and pro-
portionate, and mitigating controls remain effective as risks change over time.

Risk evaluation
Means estimating the significance of a risk and assessing the likelihood of the
risk occurrence.

Risk profile
An overview or matrix of the key risks facing an entity or sub-unit that includes
the level of impact (e.g., high, medium, low) along with the probability or like-
lihood of the event occurring.

Risk tolerance
The acceptable variation relative to the achievement of objectives. (COSO
ERM)

69
S

Security program
An organization-wide program for security planning and management that
forms the foundation of an organization’s security control structure and reflects
senior management’s commitment to addressing security risks. The program
should establish a framework and continuing cycle of activity for assessing risk,
developing and implementing effective security procedures, and monitoring the
effectiveness of these procedures.

Segregation (or separation) of duties

To reduce the risk of error, waste, or wrongful acts and the risk of not detect-
ing such problems, no singular individual or team should control all key
stages (authorizing, processing, recording, reviewing) of a transaction or
event.

Service continuity control

This type of control involves ensuring that when unexpected events occur, crit-
ical operations continue without interruption or are promptly resumed and criti-
cal and sensitive data are protected.

Stakeholders
Parties that are affected by the entity, such as shareholders, the communities
in which the entity operates, employees, customers and suppliers. (COSO
ERM)

Supreme Audit Institution (SAI)

The public body of a State which, however designated, constituted or organised,
exercises by virtue of law the highest public auditing function of that State.
(INTOSAI auditing standards & IFAC)

System software
Software primarily concerned with coordinating and controlling hardware and
communication resources, access to files and records, and the control and sched-
uling of applications.

System software controls

Controls over the set of computer programs and related routines designed to
operate and control the processing activities of computer equipment.

Uncertainty
Inability to know in advance the exact likelihood or impact of future events.
(COSO ERM)

70
V

Value for money

See Economy, Effectiveness and Efficiency

71
 The International Standards of Supreme Audit Institutions, ISSAI, are
INTOSAI GOV 9110 issued by the International Organization of Supreme Audit Institutions,
INTOSAI. For more information visit www.issai.org

Guidance for
INT OSAI
Reporting on the
Effectiveness of
Internal Controls;
SAI Experiences in Implementing
and Evaluating Internal Controls
 INTO S AI Pr o f e s si o n a l S t an d ar ds Co m mitt e e
PSC-Secretariat
Rigsrevisionen • Landgreven 4 • P.O. Box 9009 • 1022 Copenhagen K • Denmark
Tel.:+45 3392 8400 • Fax:+45 3311 0415 •E-mail: [email protected]

IN TO S AI

EXPERIENTIA MUTUA
EXP ERIENTIA M UTUA

OMNIBUS PRODEST
OMNIBUS
P RODEST

INTOSAI General Secretariat - RECHNUNGSHOF

(Austrian Court of Audit)
DAMPFSCHIFFSTRASSE 2
A-1033 VIENNA
AUSTRIA
Tel.: ++43 (1) 711 71 • Fax: ++43 (1) 718 09 69

E-MAIL: [email protected];
WORLD WIDE WEB: http://www.intosai.org
 INTOSAI

Guidance for Reporting on the Effectiveness of Internal Controls: SAI Experiences In

Implementing and Evaluating Internal Controls

Issued by The Internal Control Standards Committee

PREFACE

Chapter I
INTRODUCTION

Chapter II
EFFECTIVELY IMPLEMENTING GENERAL STANDARDS
REASONABLE ASSURANCE
SUPPORTIVE ATTITUDE
INTEGRITY AND COMPETENCE
CONTROL OBJECTIVES
MONITORING CONTROLS

Chapter III
ACHIEVING CONTROL OBJECTIVES THROUGH DETAILED STANDARDS
DOCUMENTATION
PROMPT AND PROPER RECORDING OF TRANSACTIONS AND EVENTS
AUTHORIZATION AND EXECUTION OF TRANSACTIONS AND EVENTS
SEPARATION OF DUTIES
SUPERVISION
ACCESS TO AND ACCOUNTABILITY FOR RESOURCES AND RECORDS

Chapter IV
BUILDING EFFECTIVE INTERNAL CONTROL STRUCTURES
LEGISLATIVE UNDERPINNINGS
INTERNAL CONTROL STANDARDS
MANAGEMENT'S RESPONSIBILITY
SELF-ASSESSMENTS
INTERNAL AUDITS
SUPREME AUDITOR'S RESPONSIBILITY

CONCLUSIONS
APPENDIX I
CONTRIBUTING SUPREME AUDIT INSTITUTIONS
PREFACE

In June 1992, the Internal Control Standards Committee of the International Organization of
Supreme Audit Institutions (INTOSAI) issued Guidelines for Internal Control Standards. The
standards set forth in the guidelines were intended for use by government management to
implement an effective internal control structure and by government auditors to help evaluate
those structures.

Five years later, the committee invited INTOSAI members to share their countries'
experiences in developing, maintaining, and evaluating internal control structures based on
the guidelines. This document provides an overview of the responses from

- Bolivia, Office of the Comptroller General;

- China, National Audit Office;

- Costa Rica, Office of the Comptroller General;

- Egypt, Central Auditing Organization;

- Iceland, National Audit Office;

- Japan, Board of Audit;

- the Netherlands, Netherlands Court of Audit

- New Zealand, Audit Office;

- South Africa, Auditor-General;

- Tonga, Audit Office;

- the United Kingdom, National Audit Office; and

- the United States, General Accounting Office.

The committee appreciates the participation of these INTOSAI members in this project. Their
experiences in using INTOSAI's internal control standards can help to further guide all
INTOSAI members in building or enhancing their capacity to design high-quality internal
control structures and adequately assess them and thus, strengthen public sector financial
management and accountability.

Arpad Kovacs, President

State Audit Office of Hungary

Chairman, Internal Control Standards Committee

Chapter I

INTRODUCTION
INTOSAI's June 1992 Guidelines for Internal Control Standards defines an internal control
structure as the plans of an organization, including management's attitude, methods,
procedures, and other measures that provide reasonable assurance that the following general
objectives are achieved:

- promoting orderly, economical, efficient, and effective operations and quality products and
services consistent with the organization's mission;

- safeguarding resources against loss due to waste, abuse, mismanagement, errors, and fraud
and other irregularities;

- adhering to laws, regulations, and management directives; and

- developing and maintaining reliable financial and management data and fairly disclosing
that data in timely reports.

The internal control standards prescribed by INTOSAI form a framework for an internal
control structure that meets these objectives. INTOSAI's general and detailed standards are
reiterated in chapters II and III, respectively. These chapters also highlight the viewpoints on
implementing the standards that were provided by INTOSAI members. Their enlightening
perspectives are presented in the context of both control practices that have worked well and
examples of control weaknesses that have been identified.

Also, the information furnished by INTOSAI's members for this study was valuable in
identifying practices that Supreme Audit Institutions have found to be most useful in creating
and monitoring a strong internal control framework. These common practices include

- having a constitutional or a legislative provision that establishes in law an overall basis (or a
requirement and objectives) for maintaining effective internal controls;

- prescribing internal control standards to be followed when designing an internal control

structure and which can be patterned after or adopted from INTOSAI's standards;

- focusing management's attention on its responsibilities for implementing effective internal

controls and continuously maintaining a positive internal control environment;

- emphasizing the prevention of internal control breakdowns - rather than detecting and
correcting them - through such means as requiring managers to periodically undertake self-
evaluations of internal control operations;

- stressing the role of internal auditors as a critical part of an organization's internal control
structure; and

- ensuring that Supreme Audit Institutions play a key role in (1) establishing internal control
standards, (2) creating a solid internal control framework, (3) working with internal auditors,
and (4) evaluating internal controls as an integral part of both financial and performance
audits.

These overarching elements of a sound internal control structure are further discussed in
chapter IV. They reinforce guidance in these areas that the INTOSAI Internal Controls
Committee promulgated in June 1992.
Chapter II

EFFECTIVELY IMPLEMENTING GENERAL STANDARDS

To provide the proper control environment within an organization, INTOSAI has established
internal control general standards in the following areas: (1) reasonable assurance, (2)
supportive attitude, (3) integrity and competence, (4) control objectives, and (5) monitoring
controls.

REASONABLE ASSURANCE

INTOSAI's first internal control general standard states that internal control structures are to
provide reasonable assurance that the general objectives will be accomplished. Reasonable
assurance equates to a satisfactory level of confidence under given considerations of costs,
benefits, and risks. This means that the cost of internal control should not exceed the benefit
derived. INTOSAI member countries have had experience in applying this standard.

New Zealand, for example, reports that each chief executive of a government department has
an obligation as a responsible manager for establishing and maintaining a system of internal
control procedures that provides reasonable assurance as to the integrity and reliability of
financial reporting. While this responsibility is normally delegated to the organization's chief
financial officer (CFO), both the chief executive and the CFO sign a Statement of
Responsibility, which is included as part of the organization's annual report along with
audited financial statements and service performance measures.

In Japan, reasonable assurance that internal controls are effectively maintained is affected by
public sector activities that have become increasingly complicated and diversified in the past
decades and by increasing delegation of authority to lower echelons. But Japan's Constitution
provides the overall foundation necessary to create an effective control environment through
requirements such as for (1) the Cabinet to annually submit final accounts of State revenues
and expenditures to the Diet (parliament) and (2) the Board of Audit to audit these accounts
every year.

On the other hand, in the Republic of South Africa, government internal controls are reported
to not yet be at a satisfactory level nor effective due to several factors, including the large size
of its departments and slack controls. Compounding these problems, management does not
always have the knowledge to implement the appropriate internal controls and to maintain
them in a working order.

Although the Republic of South Africa's internal control environment does not currently
provide reasonable assurance that adequate internal controls are in place and operating as
intended, the government realizes this problem and is addressing them by means such as
implementing an internal audit function in all government entities. Also, the government has
appointed local and international consultants to facilitate the establishment of a professional
institute for public finance and auditing.

SUPPORTIVE ATTITUDE

Another general control standard stipulates that managers and employees are to maintain and
demonstrate a positive and supportive attitude toward internal controls at all times. INTOSAI
member countries have learned first-hand the central role this standard can play in creating an
effective internal control environment.

For example, in the early 1990s, Iceland's National Audit Office conducted several audits
among major governmental lending institutions that showed serious weaknesses in a range of
areas related to controlling, monitoring, and reporting nonperforming loans. In many instance,
government managers' lax attitude towards proper controls in lending, collections, risk
management, and application of loan loss reserves contributed to the weaknesses. As a result,
at the end of 1991, the Development Fund of Iceland ceased operations because its
management failed to recognize heavy loan losses. Improvements have been made in some
areas, such as properly accounting for loan loss reserves, which is now done on a regular basis
by all major governmental funds.

In another example, in the 1980s and 1990s, the United States experienced substantial savings
and loan institution and bank failures, which cost the federal government hundreds of billions
of dollars. Control weaknesses were a major cause of the failures; a key factor leading to
these weaknesses was a fundamental flaw in management's philosophy and operating style
regarding internal controls. For instance, at some savings and loan institutions, inadequate
board supervision and the presence of a dominant figure had a detrimental effect on the
viability of the institution. This led to risk-oriented activities such as excessive growth-
oriented practices, unwarranted loan concentrations, and an overreliance on volatile funding
sources.

However, INTOSAI member countries, including Iceland and the United States, view internal
control as a major and important part of their operations. For example, in response to the
savings and loan institution and bank failures, the U.S. Congress enacted legislation, the
Federal Deposit Insurance Corporation Improvement Act of 1990, to address the serious
weaknesses that contributed to earlier bank failures and to require reporting on the
effectiveness of financial reporting internal controls. In another instance, the Kingdom of
Tonga's government has demonstrated a supportive attitude toward internal controls by
passing legislation and establishing related regulations and policies. These includes (1) laws
to establish an internal control framework for disbursing public money and preparing
accounts and (2) regulations setting out the internal control points for the receipt, expenditure,
custody, and handing over of public funds. Further, the Audit Department emphasizes to
government departments the importance of improving internal controls over financial
management and programs.

INTEGRITY AND COMPETENCE

Regarding integrity and competence, INTOSAI's general control standards call for the
following. Managers and employees are to have personal and professional integrity and are to
maintain a level of competence that allows them to understand the importance of developing,
implementing, and maintaining good internal controls and to accomplish the general
objectives of internal controls. Several INTOSAI countries have found that, when this general
standard is not adhered to, the result can be weak internal control situations involving large
monetary values.

In one such situation, during a governmentwide review of purchasing goods and services,
which represents a significant level of New Zealand's public expenditures, the Audit Office
found an array of weaknesses it attributed, in part, to the lack of integrity and competence by
purchasing managers. The deficiencies ranged from not documenting the decisionmaking
processes for determining purchasing needs and not specifying delegations of authority to not
providing adequate review and approval of specific purchases. The New Zealand Audit Office
also reports that a recent focus on sensitive areas of discretionary expenditures, such as using
credit cards, has resulted in instances of senior officials' integrity being questioned.

Another case in point is the United States government's Department of Housing and Urban
Development (HUD), which is the principal government agency responsible for housing,
community development, and fair housing opportunities. While HUD has since taken action
to change the way the agency is managed, in 1989, major incidents of fraud, abuse, and
mismanagement at HUD were found and attributed to internal control weaknesses, including
an insufficient mix of properly skilled staff.

On the other hand, INTOSAI member countries also report having internal controls practices
designed to help avoid situations such as those just described. For instance, the National Audit
Office of the People's Republic of China reports internal controls covering personnel
requirements. Applicants for a post go through strict examinations, are assessed and selected
in an open and impartial way, and new members are trained. They will not be allowed to go to
their new posts before they are able to procure the "Certificate for The Post." Thus, they are
recognized according to their abilities. Further, the members are examined regularly and
awarded or penalized according to their work performance and contribution to their
organization. When necessary, they will be transferred to other posts.

CONTROL OBJECTIVES

INTOSAI's internal control standards also suggest that specific control objectives are to be
identified or developed for each ministry/department/agency activity and are to be
appropriate, comprehensive, reasonable, and integrated into the overall organizational
objectives. The following instances typify the experiences of INTOSAI member countries in
establishing control objectives, which in some cases have not yet progressed beyond having
overall organizational objectives.

The Republic of South Africa's Auditor-General reports that a primary objective for the
government is to prevent errors or irregularities from occurring in management or financial
information or, if any have occurred, to detect them. A range of specific overall control
objectives have been identified and include (1) properly recording and accounting for
business transactions and activities, (2) safeguarding assets and information from misuse and
misappropriation, and (3) establishing limits to which various staff can commit an entity.

Also, the Auditor General for the Kingdom of Tonga reports taking the lead to identify and
develop specific control objectives for each government ministry and department activity. The
Auditor General is in the process of ensuring that the control objectives are appropriate,
comprehensive, reasonable, and integrated into the overall organization structure. INTOSAI's
internal control guidelines are being used as the foundation for this process.

Conversely, when internal controls and their objectives are not clearly established and
understood, internal control breakdowns can result. For example, Japan's Board of Audit
found that municipalities improperly included the medical costs of many retired persons in
State subsidized National Health Insurance costs. Significant overpayments in subsidy costs
resulted. The problem arose, in part, because municipalities did not understand the State
subsidy medical cost subsidy system and requirements.
MONITORING CONTROLS

In addition, INTOSAI's standards specify that managers are to continually monitor their
operations and take prompt, responsive action on all findings of irregular, uneconomical,
inefficient, and ineffective operations. The following cases show the importance of
monitoring operations to ensure that controls are achieving the desired results and of building
this standard into the methods and procedures used to control operations.

In one case, the Icelandic National Audit Office reports a main internal control weakness to
be the lack of understanding of the importance of internal controls among individual agency
managers. Along with other problems, this weakness was evident in a lack of adherence to the
established internal control structure. The National Audit Office said that, although an
Icelandic government agency might have well defined internal controls on paper, the reality
can be quite different. The audit office has found that, without the necessary understanding
and monitoring, it is more convenient for people to not follow established control practices.

Another case involves the New Zealand government, which commonly uses consultants that
represents a significant expenditure. The New Zealand Audit Office reports finding irregular,
uneconomical, inefficient, and ineffective operations associated with the use of consultants.
Further, the Office's experience has been that the departments have not taken prompt,
responsive action on these findings and thus, the standard calling for monitoring controls was
not being adhered to.

On a more positive note, the United Kingdom's National Audit Office reports that, when
instances of weak internal controls are identified and reported, management responds to the
points raised and early corrective action will normally have been taken. The Office's aim is to
monitor follow-up action, and to provide further advice to management as necessary. New
areas of risk identified as a result of audit will be reflected in subsequent audit planning.

Chapter III

ACHIEVING CONTROL OBJECTIVES THROUGH DETAILED STANDARDS

To help achieve control objectives and an orderly and effective internal control structure,
INTOSAI's internal control guidelines provide detailed standards covering (1) documentation,
(2) prompt and proper recording of transactions and events, (3) authorization and execution of
transactions and events, (4) separation of duties, (5) supervision, and (6) access to and
accountability for resources and records.

DOCUMENTATION

Regarding adequate documentation, INTOSAI's detailed standards indicate the following. The
internal control structure and all transactions and significant events are to be clearly
documented, and the documentation is to be readily available for examination.
Documentation of transactions or significant events should be complete and accurate and
should enable each transaction or event (and related information) to be traced from its
inception, while it is in process, to after it is completed. A cross section of INTOSAI member
countries reported having learned the detrimental effects of not having adequate
documentation, as illustrated by the following three situations.
First, the National Audit Office in the United Kingdom reported instances of non-existent or
inadequate documentation to support financial transactions having been identified as a result
of financial audits. For example, the Audit Office reported instances of

- the lack of documentation being submitted by employees to support payments made for
expenses paid by government credit cards;

- the lack of adequate documentation to support legal aid applicants' claims, resulting in
insufficient evidence to confirm entitlement and proper payments as authorized by
Parliament; and

- the government body being unable to produce documentation to support the decision of its
management board to dispense with competitive tendering for a contract.

Second, the government of Tonga's departments, ministries, and statutory bodies have also
identified nonexistent and incomplete documentation and records. For instance, at one
department, copies of receipts were lost but the accounting officer and the accounts section
did not consider this as serious or contrary to laws and regulations.

Third, as a result of examining documentation maintained to support transactions, the

Republic of South Africa's Auditor-General identified and reported to Parliament a substantial
number of instances involving payments from the government's Department of Labor where
beneficiaries had been paid the same amounts based on the same source documents. In other
instances, the same amounts had again been paid in respect to the same source documents,
although the beneficiaries' names were not exactly identical. The value of the double or
multiple payments was substantial.

To help overcome deficiencies such as these, INTOSAI's internal control standards suggest
that documentation of transactions or significant events should be complete and accurate. This
should enable each transaction or event (and related information) to be traced from its
inception, while it is in process, to after it is completed.

PROMPT AND PROPER RECORDING OF TRANSACTIONS AND EVENTS

INTOSAI's detailed standards also provide that transactions and significant events are to be
promptly recorded and properly classified. This applies to the entire process or life cycle of a
transaction or event, including (1) the initiation and authorization, (2) all stages while in
process, and (3) its final classification in summary records. As with documentation,
INTOSAI's members reported on the challenges of meeting this standard as well.

For example, because of lapses in internal control in the system used to pay United States
Army personnel, some individuals were paid that should not have been paid because they
were no longer in the Army. Further, these improper payments were not detected by the
payroll system. In a one-month period that the U.S. General Accounting Office reviewed, it
determined that about 2,200 Army soldiers were overpaid. Many of these individuals received
unauthorized payments for several months, with total overpayments reaching $7.8 million.
The improper payments occurred primarily because U.S. Department of Defense personnel
did not comply with established procedures. For instance, field-level finance offices did not
always enter soldiers' separations from active duty and other personnel transactions in the
payroll system in a timely manner and payroll staff could not provide adequate support for
some payments.
The United Kingdom's National Audit Office has also reported instances which it has
classified as control weaknesses involving transactions not being promptly and properly
recorded. In one instance, procedures were not in place to ensure the prompt and secure
handling and recording of cash receipts. For example, the Office identified delays of over two
weeks in depositing checks, which increased the risks of misappropriation. In another case,
the Office reported financial control weaknesses in purchasing, including failures to record
the authorization of transactions such as purchase order, inadequate proof of delivery, and
inadequate checking of goods received.

Moreover, in New Zealand, a number of government entities have undergone significant

system changes that were not fully tested. This has resulted in instances of untimely
processing of transactions and lack of reconciliations; a common control deficiency reported
by that country's National Audit Office.

To help prevent situations such as these, INTOSAI's internal control standards recognize that
prompt and proper recording of information is essential. Meeting this standard is pivotal for
assuring the timeliness and reliability--and thus, the value and relevance to management--of
all information used by an organization to support its operations and decisionmaking.

AUTHORIZATION AND EXECUTION OF TRANSACTIONS AND EVENTS

INTOSAI's detailed standards set forth the expectation that transactions and significant events
are to be authorized and executed only by persons acting within the scope of their authority.
Conforming to the terms of an authorization means that employees execute their assigned
duties

in accordance with directives and within the limitations established by management or

legislation. But some INTOSAI members have reported instances where stronger controls
over the authorization of transactions could have resulted in more effective controls and
savings. For instance, in 1992, the Icelandic National Audit Office audited automobile
expenses across many sections of the Icelandic government. The audit showed several
weaknesses in the overall structure and control in this area, including many contracts that
were made with individual employees in an unstructured manner regardless of transportation
requirements--thus limiting managerial approval and other controls.

Yet another perspective on this issue was demonstrated by the Comptroller General of the
Republic of Costa Rica through an example involving that country's use of State-owned
vehicles. An audit detected that, while the use of such vehicles should be properly authorized,
they were being used (1) for unauthorized purposes, (2) during non-working hours without
authorization, and (3) inappropriately by an official for discretionary purposes.

Based on studies of internal control problems such as these, auditors in China have reported
agreement that the concept of internal control must cover control of authorization. They
advise that this control is necessary to help ensure that personnel work within the limits of
their permitted authority and thus, exert control over business activities at the point at which
they are started.

SEPARATION OF DUTIES

As with the other detailed standards, INTOSAI's member countries fully understand the risk
of error, waste, or wrongful acts associated with having one person control all key stages of a
transaction or event. In this regard, INTOSAI's internal control guidelines direct that key
duties and responsibilities in authorizing, processing, recording, and reviewing transactions
and events should be separated among individuals. Properly implementing this standard
would greatly help to avoid situations like the following episodes reported by INTOSAI
members, such as Tonga, which found that separation of duties is a major weakness that is
common to departments and ministries of its government.

In more specific examples, the Audit Office in New Zealand has found that risks have arisen
as a result of the use of significant numbers of contracting staff in certain government entities.
Although the entities may have met their aim of reducing expenditures, there has sometimes
been a trade-off in creating a separation of duties risk.

To address these kinds of problems, Japan reports that its control system to prevent
accounting errors and fraud incorporates separation of duties, such as those of contract
officers and disbursement officers. For example, (1) the Ministry of Finance notifies the
disbursement officers of approved disbursement plans, (2) the disbursement officers submit
disbursement reports to the Ministry of Finance, (3) the contract officers notify the
disbursement officers of contract amounts and contents, and (4) the disbursement officers
approve disbursement after checking whether the contract amount is within the budgeted
amounts.

However, as the United Kingdom's National Audit Office reports, it is often difficult for small
organizations to maintain proper segregation of duties. The Office has found cases where (1)
people were able to both authorize and check payments, (2) staff could requisition, authorize,
and receive goods, and (3) there was little or no evidence that supervisory checks were done.

In cases where small organizations make adequate separation of duties difficult, INTOSAI's
guidelines suggest that management must be aware of the risks and compensate with other
controls. For instance, rotation of employees may help ensure that no one person deals with
key aspects of transactions or events for an undue length of time.

SUPERVISION

INTOSAI's internal control guidelines prescribe that competent supervision is to be provided

to ensure that internal control objectives are achieved. The efforts of INTOSAI members to
implement and audit internal controls have underscored the importance of proper supervision
of assignments and employees as a fundamental internal control mechanism.

The Comptroller General of the Republic of Costa Rica has provided two excellent case
studies involving noncompliance with INTOSAI's supervision standard. The first case relates
to a computerized system used by banks that collect Customs revenues for the electronic
transmission to Customs offices throughout Costa Rica. Auditors found that the process
developed by Customs for confirming, recording, and revising this information allowed for
unsupervised modification of electronically transmitted data without any documentary
support or verification of its validity and reliability.

The second case relates to an evaluation of the Costa Rican government's resources used to
deliver health services--particularly the external consultation service provided by one of the
country's largest public hospitals. Auditors reported that medical resources were significantly
underutilized because the established work schedule was not complied with, which resulted in
the misuse of available equipment and facilities and the absence of timely attention to waiting
patients. The underlying cause was attributed to the absence of supervision and subsequent
control of work timetables by the heads of medical specialties.

Another country, the Kingdom of Tonga, has also identified supervision, as well lack of
training, as an internal control weakness common to most government agencies. The Auditor
General has assisted in addressing these weaknesses by starting training programs, identifying
supervisors for every level of staff, and stressing the importance of these aspects of internal
control systems.

A third INTOSAI member, the National Audit Office of the United Kingdom, has found that
adequate supervision is essential in operations such as those related to contracts. It found that
monitoring the operation of contracts is key to ensuring that suppliers meet the terms and
conditions of the contract for price, standards, and delivery and that the contract remains
competitive. The Office found, for instance, that evidence of poor contract monitoring
resulted in a final cost of £180,000 on a contract initially worth £25,000 without the required
approval for the increase having been made. In another case, a refund was due on a contract
but because of poor monitoring, the government was unaware of the potential refund and thus,
did not make a claim.

To help ensure proper supervision, INTOSAI's internal control standards state that supervisors
are to review and approve, as appropriate, the assigned work of their employees. They must
also provide their employees with the necessary guidance and training to help ensure that
errors, waste, and wrongful acts are minimized and that specific management directives are
understood and achieved.

ACCESS TO AND ACCOUNTABILITY FOR RESOURCES AND RECORDS

The last INTOSAI detailed standard instructs that access to resources and records is to be
limited to authorized individuals who are accountable for their custody or use. To ensure
accountability, the resources are to be periodically compared with the recorded amounts to
determine whether the two agree. The asset's vulnerability should determine the frequency of
the comparison. The work of INTOSAI members has demonstrated the effects of failing to
effectively implement this standard to reduce the risk of unauthorized use or loss to the
government and help achieve management directives.

In one circumstance involving access to records, the United States government's tax collector,
the Internal Revenue Service (IRS), has been plagued by poor internal controls over its
computer systems. The U.S. General Accounting Office's financial statement audits showed
that IRS did not have adequate safeguards to detect or prevent unauthorized employee access
to taxpayer information or to prevent employees from changing certain computer programs to
make unauthorized transactions without being detected. The fundamental control problems
included controls that did not adequately prevent users from unauthorized access to sensitive
programs and data files. Also, numerous users had been given authorized access to powerful
computer system privileges which could allow existing security controls to be circumvented.

In a situation involving the comparison of resources and records, the Auditor-General for the
Republic of South Africa reported finding that the completeness and correctness of the
Department of Land Affairs' bank balance could not be confirmed because the Department
had not compiled a bank reconciliation for more than 1 year. The difference between the
balance according to the Department's accounting records and the bank's statements was
great.
INTOSAI's internal control standards point out that restricting access to resources and a
periodical reconciliation of records reduces the risk of unauthorized use or loss to the
government and helps achieve management directives.

Chapter IV

BUILDING EFFECTIVE INTERNAL CONTROL STRUCTURES

Consistent with INTOSAI's guidelines, member countries have stressed that building effective
internal control structures requires the following critical elements: (1) legislative
underpinnings, (2) internal control standards, (3) managers who accept primary responsibility
for effective controls, (4) periodic internal control self-assessments by managers, (5) internal
audits of controls, and (6) a supreme audit organization that is engaged in establishing and
reviewing internal control systems.

LEGISLATIVE UNDERPINNINGS

As discussed in the INTOSAI internal control guidelines, in some countries, the legislators
will establish the overall objectives that the internal control structures should achieve while
leaving the internal control standards to be established to a responsible central organization.
In others, the legislators set specific controls for certain operations in legislation.

Indeed, INTOSAI members have found it helpful to have legislation that establishes an
overall requirement and objectives for maintaining effective internal controls. For example, in
Bolivia and in the Netherlands a legislative foundation for public sector internal control is
provided by the 1990 Governmental Management and Control law and the Government
Accounts Act, respectively.

In Japan, financial and accounting check and control systems are stipulated in the Public
Finance Law and the Public Account Law, as well as regulations based on this law. The
financial accounting activities of all the Japanese government's ministries and agencies are
governed by these statutory check and control systems.

The United States Congress has also recognized the importance of having legislative
underpinning to promote effective internal controls. For instance, it has enacted legislation
that requires U.S. government agencies to (1) annually evaluate and report on the status of
control systems, (2) have an independent audit function, and (3) annually issue and have
audited reports on their financial condition.

INTERNAL CONTROL STANDARDS

INTOSAI's internal control guidance also points out that, in establishing the framework for
internal control structures, a specific authority should be assigned the responsibility for
developing and promulgating the standards to be followed when designing an internal control
structure. This responsibility could be assigned through constitutional or other legal
enactment and given to a central organization with authority across various government
organizations.

Several INTOSAI member countries have prescribed internal control standards that are to be
followed in establishing and monitoring an internal control structure, and some have patterned
their standards after, or have adopted, INTOSAI's standards. For instance, the Office of the
Comptroller General of the Republic of Bolivia used INTOSAI's guidelines to prepare and
issue

internal control standards for use in that country. The Office reports that the result has
contributed to and facilitated the achievement of control objectives. In the United States,
under law, the Comptroller General is charged with developing internal control standards for
use by agencies of the U.S. government. These were first issued in 1983 as Standards for
Internal Controls in the Federal Government to provide the criteria for establishing and
evaluating internal controls. These standards are currently being updated.

Another country, the Peoples Republic of China, has also found that a standard is necessary
for assessing an organization's internal controls. The National Audit Office reports that the
standard is defined by auditors on the basis of the regulations issued by the Chinese
government and related departments. The Chinese National Audit Office advises that such a
standard--which is usually referred to as an ideal control standard--embodies the control links
and procedures essential for a sound internal control system, and it is used by auditors to
impartially assess the target organization to determine whether its internal controls are
complete and effective.

MANAGEMENT'S RESPONSIBILITY

INTOSAI's guidelines explain at length management's internal control responsibilities,

emphasizing that all managers should realize that a strong internal control structure is
fundamental to their control of the organization and its purpose, operations, and resources.
INTOSAI member countries that provided information for this study have experienced the
need for focusing managers' attention on their responsibilities for implementing effective
internal controls and continuously maintaining a positive internal control environment.

For example, the Netherlands Court of Audit reports that the framework of responsibility for
internal control, which is a cornerstone of central government in the Netherlands, has been
developed by means of close cooperation between Parliament, the ministry of Finance, and
the Court. Also in this regard, the Government Accounts Act states that it is the minister who
is responsible for pursuing sound financial management and for controlling the effectiveness
and efficiency of management, organization, and policy.

Another instance involves Iceland, where the Icelandic National Audit Office reports that the
management of individual governmental agencies is responsible for developing and
implementing internal controls. Also, agencies within the central government--such as the
Central Accounting Office, the Financial Reporting Commission and to some degree the
Ministry of Finance--are directly responsible for implementation of financial controls.

Another example comes from Egypt. The Egyptian Central Auditing Organization reports that
the senior management of an entity is responsible for developing and implementing internal
controls such as by continuously reconsidering the organizational structure that has been
created to direct and control its activities.

SELF-ASSESSMENTS

INTOSAI member countries concentrate on preventing internal control breakdowns before

they occur. To illustrate, South Africa's Supreme Auditor reports that a primary objective is to
prevent errors or irregularities from occurring in management or financial information, or if
any have occurred to detect them. Also, in Egypt, auditors evaluate internal control systems to
identify their efficiency in preventing or detecting major mistakes.

Several INTOSAI member countries require managers to periodically undertake self-

evaluations of internal control operations. INTOSAI's guidelines recognize this practice as
useful to ensure that controls for which managers are responsible continue to be appropriate
and are working as planned.

For New Zealand, emphasis is given to self-review procedures in each individual government
entity. These procedures include a program of self-assessment covering internal audit and
financial controls, as well as management review and evaluation of output effectiveness.

In another case, agencies of the United States government are required by law to annually
conduct control self-assessments. These evaluations are to be made pursuant to guidelines
issued centrally by the U.S. Office of Management and Budget. The results are to be reported
to the U.S. President and the U.S. Congress. These reports are to state whether systems meet
the objectives of internal control and conform to standards established by the U.S.
Comptroller General. Also, U.S. government agencies are required to take actions to correct
control weaknesses the self-assessments identify.

In addition, the Bolivian Comptroller General's future plans call for governmental institutions
to schedule self-evaluations of the design, operation, and effectiveness of their internal control
structures. Bolivia's Comptroller General envisions that the highest responsible officials in
each public institution would carry out a self-evaluation and at least annually report their
conclusions to the Office of the Comptroller General, which would (1) evaluate the process
and outcome and (2) determine the reliability of the data generated by the institution and/or
proposed corrective measures.

INTERNAL AUDITS

Management often establishes an internal audit unit as part of its internal control and self-
review framework. In this tradition, most INTOSAI members find the role of internal auditors
to be a critical part of an organization's internal control structure. For example, the Supreme
Auditors of both Bolivia and Egypt report that internal auditors should evaluate and
periodically report on the effectiveness of and deficiencies in internal control structures and
the risk that such weaknesses represent for effective government operations and protecting its
assets.

The Netherlands is also typical--the audit departments of the ministries audit the financial
statements of their ministries and perform specific financial management systems audits. The
Netherlands Court of Audit reports that, by advising the minister on internal control
weaknesses found during these audits, the internal auditors play an important role in the
ongoing improvement of internal (financial) controls. This is reinforced by the performance
of specific internal control investigations done at the request of the ministers.

In the United Kingdom, the Accounting Officers within each central government body, who
are responsible for the financial management and internal control systems, are assisted in
fulfilling these responsibilities by the services of an internal audit function. Internal audit
operates as a service to management by measuring, evaluating, and reporting on the
effectiveness of the elements of the internal control system.
SUPREME AUDITOR'S RESPONSIBILITY

INTOSAI members have underscored the key role Supreme Auditors play in (1) establishing
internal control standards, (2) creating a solid internal control framework, (3) working with
internal auditors, and (4) evaluating internal controls as an integral part of both their financial
and performance audits. In sum, the Supreme Audit Institution should gear its work toward
assessing the adequacy in principal and the effectiveness in practice of existing internal
controls in audited organizations.

One nation's Supreme Audit Institution described its internal control responsibilities this way.
Control accomplished by the Comptroller General of the Republic of Costa Rica essentially
consists of the financial, accounting, economic, operational, administrative and legal
examination of public resources and is basically carried out by means of investigations and
audits covering financial, operational, legal, computerized and special areas.

Like the process reported in use by many INTOSAI Supreme Auditors, the Costa Rica's
Comptroller General

- evaluates the internal control system in the audited institution, which is comprised of the
control environment, the recording and information system, and control proceedings;

- verifies the effectiveness of the internal control system and identifies the critical areas in the
activity under examination;

- prepares reports to the administration that summarize detected deficiencies and weaknesses
and recommend measures to be adopted for their solution and for the prevention of more
severe problems; and

- carries out pertinent follow-up studies to determine whether recommendations and

measures, which have been jointly agreed upon with the administration, have been adequately
enforced.

CONCLUSIONS

In 1992, when INTOSAI's Internal Control Standards Committee issued its guidelines for
internal control standards, it called for Supreme Auditors to encourage and support the
establishment of internal controls. As envisioned by the Committee, this would encompass (1)
educating management as to its responsibilities for implementing and monitoring the control
structures and (2) auditing those structures to assure that controls are adequate to achieve the
desired result.

In the intervening 5 years, INTOSAI member countries have achieved a wide range of
positive results and are making progress--in some cases, substantial progress--in fulfilling this
vision. The individual country papers prepared by Supreme Auditors have provided
considerable new insights into the use and assessment of internal controls by various
INTOSAI members.

Through these papers, the committee has identified several common elements, which this
chapter outlines, that are evident in sound internal control structures in all systems of
government. These elements parallel INTOSAI's 1992 guidance, which provides a foundation
for supporting the prescribed general and detailed control standards.
However, this foundation is not yet fully in place and working smoothly in all of INTOSAI's
member countries. Further, preserving the effectiveness of these elements and refining the
adequacy of internal controls based on the standards should be a continuous process.
Accordingly, each INTOSAI member can learn from the constructive examples and
experiences that Supreme Auditors have shared with the committee.

Their individual country papers, which more extensively discuss the areas presented in this
overview, will be available at the XVI INCOSAI in Montevideo. Also, additional information
may be obtained by directly contacting the contributing Supreme Audit Institutions at the
locations listed in appendix I.

APPENDIX I

CONTRIBUTING SUPREME AUDIT INSTITUTIONS

The following is a list of the names and telephone numbers and the mailing and INTERNET
addresses for the Supreme Audit Institutions that have provided the information summarized
in this overview document and presented in the related country papers.

Mr. Marcelo Zalles Barriga

Contralor General de la Republica
Casilla Postal 432
La Paz, BOLIVIA
Tel: 591 (2) 37 88 61
Fax: 591 (2) 39 21 87

Mr. Li Jinhua
Auditor General
National Audit Office
of the People's Republic of China
1 Beiluyuan, Zhanlan Road
Xicheng District
Beijing 100830, CHINA
Tel: 86 (10) 68 30 12 14
Fax: 86 (10) 68 33 09 58
email: [email protected]

Mr. Luis Fernando Vargas Benavides

Contralor General de la Republica
Apartado 11-79-1000
San Jose, COSTA RICA
Tel: 506 220 31 20
Fax: 506 220 43 85
email: [email protected]

Dr. Shawky Khater

President of the
Central Auditing Organization
Madinet Nassr
P. O. Box 11789
Cairo, ARAB REPUBLIC OF EGYPT
 The International Standards of Supreme Audit Institutions, ISSAI, are
INTOSAI GOV 9120 issued by the International Organization of Supreme Audit Institutions,
INTOSAI. For more information visit www.issai.org

Providing a
INT OSAI
Foundation for
Accountability in
Government
 INTO S AI Pr o f e s si o n a l S t an d ar ds Co m mitt e e
PSC-Secretariat
Rigsrevisionen • Landgreven 4 • P.O. Box 9009 • 1022 Copenhagen K • Denmark
Tel.:+45 3392 8400 • Fax:+45 3311 0415 •E-mail: [email protected]

IN TO S AI

EXPERIENTIA MUTUA
EXP ERIENTIA M UTUA

OMNIBUS PRODEST
OMNIBUS
P RODEST

INTOSAI General Secretariat - RECHNUNGSHOF

(Austrian Court of Audit)
DAMPFSCHIFFSTRASSE 2
A-1033 VIENNA
AUSTRIA
Tel.: ++43 (1) 711 71 • Fax: ++43 (1) 718 09 69

E-MAIL: [email protected];
WORLD WIDE WEB: http://www.intosai.org
Overview
“Internal control is a management tool used to provide reasonable assurance
that management objectives are being achieved.”
Guidelines for Internal Control Standards,
INTOSAI

Managers are responsible for establishing an effective control environment

in their organizations. This is part of their stewardship responsibility over
the use of government resources. Indeed, the tone managers set through
their actions, policies, and communications can result in a culture of either
positive or lax control. Planning, implementing, supervising, and
monitoring are fundamental components of internal control. You may go
about these activities routinely, without thinking of them as part of a broad
control environment that helps to ensure accountability. But they are.

Internal control, or management control, helps to provide reasonable

assurance that the organization

• adheres to laws, regulations, and management directives;

• promotes orderly, economical, efficient, and effective operations and
achieves planned outcomes;
• safeguards resources against fraud, waste, abuse, and mismanagement;
• provides quality products and services consistent with the
organization’s mission; and
• develops and maintains reliable financial and management information
and fairly discloses that data through timely reporting.

Therefore, it is essential that all managers in an organization understand

the importance of establishing and maintaining effective internal control.
For this reason, the Internal Control Standards Committee of the
International Organization of Supreme Audit Institutions (INTOSAI) has
prepared this booklet to

• provide an overall framework for establishing and maintaining

effective internal controls,
• describe internal control roles and responsibilities for government
managers and auditors,
• describe common internal control practices,
• provide a simple checklist to help you begin thinking about whether
your organization has taken appropriate steps to ensure effective
internal control, and
• provide a list of references for further information.

1
Framework for Establishing
and Maintaining Effective
Internal Control
Managers’ Internal Control
Roles and Responsibilities Auditors’ Roles and Responsibilities

• Create a positive control environment by • Maintain independence in fact and appearance.

• setting a positive ethical tone, • Ensure professional competence of audit staff.
• providing guidance for proper behavior, • Advise management on areas at risk.
• removing temptations for unethical behavior, • Establish auditing strategic plans and goals.
• providing discipline when appropriate, • Perform audits of operations.
• preparing a written code of conduct for • Evaluate information technology systems.
employees.
• Recommend ways to improve operations
• Ensure that personnel have and maintain a
level of competence to perform their duties. and strengthen controls.
• Clearly define key areas of authority and • Follow up to ensure recommendations are
responsibility. fully and effectively implemented.
• Establish appropriate lines of reporting. • Coordinate audit activities with external auditors.
• Establish management control policies and • Implement an audit quality assurance system.
procedures that are based on management’s
analysis of risk.
• Use training, management communications,
and day-to-day actions of managers at all
levels to reinforce the importance of
management control.
• Monitor the organization’s control
operations through annual
Internal
assessments and reports to top Controls
management.

Common Internal
Control Practices
Continually monitor
• Internal control practices are often
operation of internal
designed to comply with internal control
control practices Periodically
standards developed and promulgated by
throughout the evaluate
a central authority, usually designated by a
organization and effectiveness of
legislative body.
modify them as internal control
appropriate • An organization’s workforce is effectively trained practices
and managed so as to achieve results.
• Performance indicators are developed and monitored.
• Key duties and responsibilities are divided among people to
reduce the risk of error or fraud. That is, duties are segregated.
• Managers compare actual performance to planned or expected results
and analyze differences.
• Information processing is controlled, such as through edit checks of data entered.
• Physical control is established to secure and safeguard all vulnerable assets.
• Access to resources and records is limited to authorized individuals. Accountability
for their custody and use is assigned and maintained.
• Transactions and other significant events are authorized and executed only by persons acting
within the scope of their authority.
• Transactions are promptly recorded to maintain their relevance and value to management in
controlling operations and making decisions.
• Internal control and all transactions and other significant events are clearly documented and the
documentation is readily available for examination.

2
Managers

Managers should realize that a strong internal control structure is

fundamental to control of an organization and its purpose,
operations, and resources.

Responsibility for providing an adequate and effective internal control

structure rests with an organization’s management. The head of each
governmental organization must ensure that a proper internal control
structure is instituted, reviewed, and updated to keep it effective. A
positive and supportive attitude on the part of all managers is critical. All
managers must be individuals of personal and professional integrity. They
are to maintain a level of competence that allows them to understand the
importance of developing, implementing, and maintaining effective
internal controls.

Management establishes an independent audit function as a key part of the

internal control structure. Management should establish objectives for the
audit function and place no restrictions on auditors in meeting them. To
ensure independence, the head of this audit unit should report directly to
the manager heading the agency. Management should also select an
experienced, well-qualified person to lead the unit and provide sufficient
resources and a competent staff to carry out audit operations. In this
regard, managers work constructively with auditors to identify risks and
design mitigating controls, and they give auditors responsibility for
periodically evaluating internal control operations to identify weaknesses
and recommend corrective measures.

3
Auditors

Management often establishes an audit unit as part of its internal

control and self-assessment framework.

Auditors are a part of a governmental organization’s internal control

framework, but they are not responsible for implementing specific internal
control procedures in an audited organization. That is properly
management’s job.

The auditors’ role is to audit an organization’s internal control policies,

practices, and procedures to assure that controls are adequate to achieve
the organization’s mission. Although auditors may be part of the
organization they audit, it is important and necessary that the auditors’
independence be maintained.

For its part, management can demonstrate its support by emphasizing the
value of independent and objective auditing. Management should also
identify areas for improving performance quality and respond to
information developed through audits.

An external audit unit may also play a role in auditing a

governmental entity’s internal control.

Most governmental entities are also audited by an external audit function.

This external auditor is often appointed by, and reports to, the oversight
body to which an entity is responsible. This external auditor may examine
and suggest improvements to a governmental entity's internal control.

4
Internal Control

Simply defined, internal control is the process by which an

organization governs its activities to effectively and efficiently
accomplish its mission.

Internal control should not be looked upon as separate, specialized

systems within a governmental organization. Rather, internal control
should be recognized as an integral part of each system that management
uses to guide its operations.

Establishing effective internal control involves an assessment of the risks

the agency faces from both external and internal sources. A precondition
to risk assessment is the establishment of clear, consistent entity
objectives, which are the goals or purposes to be achieved. Risk
assessment is the identification and analysis of relevant risk associated
with achieving the objectives. Internal control practices (such as
procedures, processes, physical arrangement, organizational structure, and
assignment of responsibility and authority) should then be designed and
implemented to achieve the goals.

Also, information should be recorded and communicated in writing to

management and others within the entity who need it and within a time
frame that enables them to carry out their internal control and other
responsibilities. Internal control monitoring should assess the quality of
performance over time and ensure that the findings of audits and other
reviews are promptly resolved.

5
Checklist for Managers

In establishing your framework, have you

q Assessed the risks the organization faces?

q Identified control objectives to manage the risks?
q Established control policies and procedures to achieve the control
objectives?
q Created a positive control environment?
q Maintained and demonstrated personal and professional integrity and
ethical values?
q Maintained and demonstrated a level of skill necessary to help ensure
effective and efficient performance?
q Maintained and demonstrated an understanding of internal controls
sufficient to effectively discharge responsibilities?

For implementing internal control, have you

q Adopted effective internal control throughout the organization?

q Based the organization’s internal control on sound internal control
standards?
q Included in the organization’s internal control structure appropriate
and cost-effective control practices?
q Prescribed control practices through management directives, plans,
and policies?
q Established a means of continually monitoring the operation of the
organization’s internal control practices?

Concerning the audit function, have you

q Shown an understanding of the difference between internal control and

audit?
q Recognized that an audit function is integral to your organization’s
internal control?
q Established an audit function?
q Ensured the audit organization’s independence?
q Given the audit organization responsibility for evaluating the
effectiveness of the audited organization’s internal control practices?
q Established a system to monitor the organization's progress in
implementing internal and external auditor recommendations?

6
References for Further
Information
The International Organization of Supreme Audit Institutions has
issued the following documents.

_ Guidelines for Internal Control Standards

_ Guidelines for Reporting on the Effectiveness of Internal Controls: SAI
Experiences in Implementing and Evaluating Internal Controls

These publications can be found at (http://www.intosai.org).

Various professional accounting organizations can provide internal

control information.

The American Accounting Association

(http://www.aaa-edu.org)

The American Institute of Certified Public Accountants

(http://www.aicpa.org/index.htm)

The Canadian Institute of Chartered Accountants

(http://www.cica.ca)

The Chartered Institute of Public Finance and Accountancy

(http://www.cipfa.org.uk)

The Committee of Sponsoring Organizations of the Treadway

Commission (COSO)
(http://www.coso.org)

The Institute of Chartered Accountants in England & Wales

(http://www.icaew.co.uk)

The Institute of Internal Auditors

(http://www.theiia.org)

This document was prepared and issued by

The Internal Control Standards Committee,
International Organization of Supreme Audit Institutions, 2001.

7
INTOSAI GOV 9130
The International Standards of Supreme Audit Institutions, ISSAI, are
issued by the International Organization of Supreme Audit Institutions,
INTOSAI. For more information visit www.issai.org

INTOSAI Guidelines for

Internal Control
Standards for the
Public Sector –
Further Information
on Entity Risk
Management
 I NT OS AI P r ofe ss i o n a l S t an d ar ds Co m mi t te e
PSC-Secretariat
Rigsrevisionen • Landgreven 4 • P.O. Box 9009 • 1022 Copenhagen K • Denmark
Tel.:+45 3392 8400 • Fax:+45 3311 0415 •E-mail: [email protected]

INTOSAI

EXPERIENTIA MUTUA
EXPERIENTIA MUTUA

OMNIBUS PRODEST
OMNIBUS
PRODEST

INTOSAI General Secretariat - RECHNUNGSHOF

(Austrian Court of Audit)
DAMPFSCHIFFSTRASSE 2
A-1033 VIENNA
AUSTRIA
Tel.: ++43 (1) 711 71 • Fax: ++43 (1) 718 09 69

E-MAIL: [email protected];
WORLD WIDE WEB: http://www.intosai.org
Guidelines for Internal
Control Standards for
the Public Sector –
Further Information on
Entity Risk Management
Preface
The 1992 INTOSAI Guidelines for Internal Control
Standards were conceived as a living document reflecting
the vision that standards should be promoted for the design,
implementation, and evaluation of internal control. This
vision involves a continuing effort to keep these guidelines
up-to-date.

The 17th INCOSAI (Seoul, 2001) recognized a strong need

for updating the 1992 guidelines and agreed that the
Committee on Sponsoring Organisations of the Treadway
Commission’s (COSO) integrated framework for internal
control should be relied upon. Subsequent consultation
resulted in a further expansion to address ethical values and
provide more information on the general principles of
control activities related to information processing.

The updated Internal Control Guidelines were issued in

2004 and should also be viewed as a living document

4
which over time will need to be further developed and
refined to embrace the impact of new developments such as
COSO’s Enterprise Risk Management framework 1 .
Accordingly, this addition to the Guidelines has been
produced to cover current thinking on risk management, as
set out in COSO's ERM framework. As this paper is
intended primarily for public sector readers the term
“entity” is used in place of “Enterprise” which has a
particular private sector association.

The additional information provided here is the result of the

joint effort of the members of the INTOSAI Internal
Control Standards Subcommittee. This update has been
coordinated by a Task Force set up among the
subcommittee members with representatives of the SAIs of
France, Hungary, Bangladesh, Lithuania, the Netherlands,
Oman, the Ukraine, Romania, the United Kingdom, the
United States of America and Belgium (chair).

Franki VANSTAPEL
Senior President of the Belgian Court of Audit
Chairman of the INTOSAI Internal Control Standards
Subcommittee

1
Enterprise Risk Management - Integrated
Framework (COSO - September 2004)

5
Introduction
The underlying premise of the COSO Entity Risk
Management framework is that every entity exists to
provide value for its stakeholders. In the public sector,
general expectations are that public servants should serve
the public interest with fairness and manage public
resources properly. Effectively the stakeholders are the
public and their elected representatives.

All entities face uncertainty and the challenge for

management is to determine how much uncertainty to
accept as it strives to obtain best value for stakeholders. It
is also important to note that uncertainty presents both risk
and opportunity, with the potential to erode or enhance
value or, in public sector terms to service the public interest
more or less well. The aim of entity risk management is to
enable management to effectively deal with uncertainty and
its associated risk and opportunity, enhancing the capacity
to build value, to deliver more effective services more
efficiently and economically, and to target them whilst
taking into account values such as equity and justice.

The INTOSAI Guidelines for Internal Control Standards

for the Public Sector sees internal control as providing an
overarching conceptual framework through which an entity
can be managed to achieve its objectives. The COSO ERM
framework and other similar models take this a stage
further in that the entity can be directed on the basis of
identifying future risks and opportunities to refine
objectives and design internal controls to minimise risk and
maximise opportunity.

As well as extending the definition of functions covered by

the corporate governance regime entity risk management
required a change in the way organisations think about
achieving their objectives. This is because to be effective,

6
entity risk management is an ongoing process applied in
strategy setting, effective across and affected by all levels
and every business unit of an entity and which is designed
to identify all events that will affect the organisation's
ability to achieve its objectives.

This document outlines a recommended framework for

applying the principles of entity risk management in the
public sector and provides a basis against which entity risk
management can be evaluated. However, it is not intended
to replace or supplant the Guidelines for Internal Control
Standards for the Public Sector but rather is designed to
provide complementary additional information to be used
alongside those standards where member states consider it
to be appropriate to do so. Nor, is it intended to limit or
interfere with duly granted authority related to developing
legislation, rule-making or other discretionary policy-
making in an organisation.

In conclusion, it should be clearly stated that this document

includes additional guidelines for corporate governance
standards. The guidelines do not provide detailed policies,
procedures and practices for implementing a best practice
corporate governance regime, nor are they expected to be
suitable for all organisations in all regulatory environments.
However, the addendum provides an addition to the broad
framework within which entities can develop regimes to
best help them maximise the services provided to
stakeholders.

7
How is this document structured?
The supplement is structured in a similar manner to the
INTOSAI Guidelines for Internal Control Standards for
the Public Sector. In the first chapter the concept of Entity
risk management is defined and its scope is delineated. In
the second chapter the components of Entity risk
management are presented and the extensions to the
internal control standards highlighted.

8
C hapter 1: W hat is
Entity Risk Management
1.1 Definition
1.1.1 COSO's Entity Risk Management: Integrated
Framework states that Entity risk management
deals with risks and opportunities affecting value
creation or value preservation defined as follows:

"Entity risk management is a process effected by

an entity's board of directors, management and
other personnel, applied in strategy setting and
across the Entity, designed to identify potential
events that may affect the entity and manage risk
to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity
objectives." (COSO ERM model 2004)

1.1.2 In the public sector the terms value creation and

value preservation do not have as much direct
relevance as in the private sector. However, the
definition is purposefully broad to cover as many
sectors and types of organisations as feasible. As
such it is possible to substitute service creation
and preservation for value creation and
preservation for the definition to be fully
applicable to public sector entities.

9
1.2 Identifying the Mission
1.2.1 The starting point for Entity risk management is
the entity's established mission or vision. Within
the context of this mission, management should
establish strategic objectives, select strategies to
achieve these objectives and set supporting
aligned objectives that are cascaded throughout
the organisation.

1.3 Setting Objectives

1.3.1 The INTOSAI Guidelines on Internal Control
Standards states that objectives can be sub-divided
into four categories (although most objectives will
fall into more that one category). These are:

• Strategic - high level goals, aligned with and

supporting the entities mission

• Operational – executing orderly, ethical,

economical, efficient and effective operations;
and safeguarding resources against loss,
misuse and damage

• Reporting - reliability of reporting including

fulfilling accountability obligations

• Compliance - compliance with applicable

laws and regulations and being able to act in
accordance with Government policy

1.3.2 Objectives in the first two categories are not

entirely within an entity's control so any risk
management system can only provide reasonable
assurance that these risks are being managed

10
 satisfactorily, but should enable management to be
aware of the extent to which these objectives are
being met in a timely fashion. However,
objectives relating to reliability of reporting and
compliance are within an entity's control so
effective Entity risk management will usually give
management assurance that these objectives are
being met.

1.4 Identifying Events - Risks and

Opportunities
1.4.1 Once objectives have been set Entity risk
management requires an organisation to identify
events that might have an impact on the
achievement of those objectives. Events can have
a negative impact, a positive impact or both.
Events with a negative impact represent risks,
which can hinder the entity's ability to achieve its
objectives. These risks can arise due to internal
and external factors. Figure 1, below, sets out
many of the risks which government entities face
– there may well be other risks relevant to
particular entities.

1.4.2 Events with a positive impact may offset negative

impacts or represent opportunities. Opportunities
are the possibility that an event will occur that will
enhance the entity's ability to achieve its
objectives or enable the entity to achieve
objectives more efficiently. As well as seeking to
mitigate risks management should formulate plans
to seize opportunities.

11
1.5 Communication and Learning
1.5.1 Determining whether an entity's Entity risk
management is "effective" is a fundamental part of
the process. Management need to make a
judgement on whether the components of Entity
risk management are present and operating
effectively; namely that there are no material
weaknesses and that all risks have been brought
within acceptable parameters given the entity's
risk appetite. Where Entity risk management is
effective management will understand the extent
to which objectives in all four categories are
aligned with the mission and are being achieved.
Effective top down and bottom up communication
throughout the entity is essential to facilitate this
process.

1.6 Limitations
1.6.1 No matter how well designed and operated the
system is, Entity risk management cannot provide
management with absolute assurance regarding
the achievement of general objectives. Instead,
this supplement recognises that only a reasonable
level of assurance is obtainable.

1.6.2 Reasonable assurance equates to a satisfactory

level of confidence that objectives will be
achieved or that management will be made aware
in a timely fashion if objectives are unlikely to be
achieved. Determining how much assurance is
required to reach a satisfactory level of confidence
is a matter of judgement. In exercising that
judgement management will need to consider the
entity's risk appetite and events that may impact
on achievement of objectives.

12
1.6.3 Reasonable assurance reflects the notion that
uncertainty and risk relate to the future, which no-
one can predict with certainty. In addition, factors
outside an entity's control or its influence, such as
political factors, can impact on its ability to
achieve its objectives. In the public sector, factors
outside an entity's control can even change core
objectives at quite short notice. Limitations also
result from the following realities: that human
judgement in decision making can be faulty; that
breakdowns can occur because of human failures
such as simple errors or mistakes; that decisions
on responding to risk and establishing controls
need to consider the relevant costs and benefits;
and that controls can be circumvented by collusion
between two or more people and management can
override the control system. These limitations
preclude management from having absolute
assurance that objectives will be achieved. Figure
1 sets out some of the risks might typically face.
It is intended to be illustrative rather than
exhaustive.

13
Figure 1: Some Typical Risks that Government Entities
Face?

Economic changes such as Failure to Loss or

lower economic growth innovate misappropriation
reduce tax revenue and leading to of funds through
opportunities to provide a sub standard fraud or
wider range of services or

Environmental Inconsistent
damage caused policy
by failure of objectives
regulations or resulting in
government

Project delays Achieving Service

Failure to
cost overruns Delivery
measure
and
performance
inadequate

Failure to
Inadequate
monitor
service plans
implementation
to maintain
continuity of

Failure to evaluate Technical risk –

Inadequate Failure of properly pilot failure to keep pace
skills or contractors, projects before a with technical
resources to partners or other new service is developments, or
deliver government introduced may investment in
services as agencies to provide result in problems inappropriate or

14
1.7 Link between Internal Control
and Entity Risk Management
1.7.1 In many respects entity risk management may be
regarded as a natural evolution of the internal
control model. Most organisations will seek to
fully apply the internal control model before
implementing the concepts inherent within Entity
risk management. Internal control is an integral
part of entity risk management. The entity risk
management framework encompasses internal
control, but in addition, forms a more robust
conceptualisation of how an entity's business
decisions should fall out of its core mission and
associated objectives and provides a tool for
management to help them to determine what the
correct response to a particular event should be.
The ERM model goes further than the INTOSAI
Internal Control Guidelines in a number of areas,
in particular:

• the categories of objectives are broader, and

also include more complete reporting, non-
financial information, strategic objectives;

• it expands the risk assessment component and

introduces different risk concepts, such as risk
appetite, risk tolerance, risk response; and

• it emphasises the importance of independent

directors on the board and elaborates on their
roles and responsibilities.

15
C hapter 2:

C omponents of Entity
Risk Management
Entity risk management consists of eight interrelated
components. These are derived from the way that
management runs a business and are integrated with the
management process. The components are:

• Internal environment
• Objective setting
• Event identification
• Assessing risks
• Risk response
• Control activities
• Information and communication
• Monitoring
In applying the components of Entity risk management, an
entity should consider the entire scope of its activities at all
levels of the organisation. Management should also
consider new initiatives and projects using the Entity risk
management framework.

16
 The International Standards of Supreme Audit Institutions, ISSAIs, are
INTOSAI GOV 9140 issued by the International Organization of Supreme Audit Institutions,
INTOSAI. For more information visit www.issai.org

INT OSAI Internal Audit

Independence in the
Public Sector
 INTO S AI Pr o f e s si o n a l S t an d ar ds Co m mitt e e
PSC-Secretariat
Rigsrevisionen • Landgreven 4 • P.O. Box 9009 • 1022 Copenhagen K • Denmark
Tel.:+45 3392 8400 • Fax:+45 3311 0415 •E-mail: [email protected]

IN TO S AI

EXPERIENTIA MUTUA
EXP ERIENTIA M UTUA

OMNIBUS PRODEST
OMNIBUS
P RODEST

INTOSAI General Secretariat - RECHNUNGSHOF

(Austrian Court of Audit)
DAMPFSCHIFFSTRASSE 2
A-1033 VIENNA
AUSTRIA
Tel.: ++43 (1) 711 71 • Fax: ++43 (1) 718 09 69

E-MAIL: [email protected];
WORLD WIDE WEB: http://www.intosai.org
 1. INTRODUCTION

1.1 This paper on internal audit independence in the public sector addresses concerns
related to independence and objectivity and methods to achieve independence.

1.2 Internal auditing is performed in diverse environments and within organizations

that vary in purpose, size, and structure. In addition, the laws and regulations within
various countries differ from one another. Particularly, public sector auditors operate
in organizational structures that are as complex and varied as the many forms of
government that exist throughout the world today.

1.3 The International Standards of Supreme Audit Institutions (ISSAI) and the
Institute of Internal Auditors’ (the IIA’s) International Standards for the Professional
Practice of Internal Auditing (Standards), present general terms to allow adoption in
different national contexts with the understanding that implementation will be
governed by the environment in which the internal audit activity carries out their
responsibilities and in accordance with the applicable laws and regulations. The IIA’s
Standards are universal and are intended to apply to all members of the internal audit
profession.

1.4 Internal auditing has become a factor of the new accountability and control era.
The manner in which public sector entities maintain internal control and how they are
held accountable has evolved to require more transparency and more accountability
from these organizations that spend investor or taxpayer funds. This trend has
significantly impacted how management implements, monitors, and reports on
internal control.

1.5 Although internal auditors can be a valuable advisory resource on internal control,
the internal auditor should not be a substitute for a strong internal control system. A
system of internal control is the primary response to risks.

1.6 The role of internal auditing has evolved from an administrative procedure with a
focus on compliance, to an important element of good governance. In many cases the
existence of internal auditing is mandatory.

1.7 In describing public sector auditing, the Lima Declaration calls for internal audit
services to be functionally and organizationally independent as far as possible within
their respective constitutional frameworks (ISSAI 1/section 3, par. 2).

1.8 The IIA’s Standards and Code of Ethics recognize the importance of internal
auditors maintaining their independence and objectivity when performing their work,
irrespective of whether the internal auditors are engaged in public or private sector
audits. In addition, the IIA Standards advocate a strong system of internal control
that is monitored by a well-resourced internal audit activity as a fundamental feature
of good governance. In the public sector, a strong system of governance is essential
in ensuring adequate service delivery to the public at large.

1
1.9 For both SAIs and internal auditors, the need for independence and objectivity in
conducting an audit is essential. Internal auditors’ independence and objectivity is an
important factor to enable coordination and cooperation between SAIs and internal
auditors (INTOSAI GOV 9150), including in determining whether and to what extent
SAIs can use the work of internal auditors (ISSAI 1610, ISA 610/par. 9). In this
regard, it is critical that public sector internal audit activities are configured and
positioned appropriately within the organization.

1.10 This paper does not include tools or best practices. They will be made available
on the Subcommittee for Internal Control Standards’ e-platform.

2. THE ROLE OF INTERNAL AUDITING

2.1 IIA defines internal auditing as an independent, objective assurance and

consulting activity designed to add value and improve an organization’s operations. It
helps an organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control, and
governance processes.

2.2 Internal auditing may analyze strengths and weaknesses of an organization’s

internal control, considering its governance, organizational culture, and related threats
and opportunities for improvement which can affect whether the organization is able
to achieve its goals. The analysis assesses whether risk management identifies the
risks and puts controls in place to manage public funds in an effective and efficient
manner.

2.3 Internal auditing works with those charged with governance,1 such as board, audit
committee, senior management or, where appropriate, an external oversight body, in
ensuring that appropriate systems of internal control are designed and implemented.
As such, internal auditing can provide assistance regarding accomplishment of goals
and objectives, strengthening controls, and improving the efficiency and effectiveness
of operations and compliance with authorities. It is important to clarify that while
internal auditing can provide assistance on internal control, it should not perform
management or operational duties.

3. PUBLIC SECTOR INTERNAL AUDITING

3.1 As is true for all internal auditors, public sector internal auditors are called upon to
assist organizations in improving their operations. The public sector internal audit
function is an element of a strong public sector governance foundation. Most public
sector internal auditors also play a role in their entity’s accountability to the public as
part of the check-and-balance process.

3.2 The diverse nature of the public sector places increasing importance and value on
a common understanding of independence as it is key to any auditor’s credibility. As

1
Those charged with governance: cf ISSAI 1260.

2
internal auditors are an integral part of the organization, the achievement and
maintenance of independence is even more challenging.

3.3 The internal audit function can be organized and performed at various levels
within an entity, or within a broader framework that covers a set of similar entities.
The same principles and rules apply to these different organizational levels of internal
auditing.

4. MODELS FOR RESOURCING INTERNAL AUDITING

4.1 There are various models for resourcing an internal audit activity. These include:
 In-house:
Internal audit services are provided exclusively or predominantly by in-house
employees of the organization. The internal audit activity is managed in-
house by an employee of the organization.
 Co-sourced:
Internal audit services are provided by a combination of in-house employees
and service providers. The internal audit activity is managed in-house by an
employee of the organization.
 Outsourced with in-house management:
Internal audit services are provided by service providers contracted to the
organization for this purpose. The internal audit activity is managed in-house
by an employee of the organization, and
 Fully outsourced.
All internal audit services are provided by service providers contracted to the
organization for this purpose. The service provider also manages the internal
audit activity. Project management of the service provider contract is done in-
house by an employee of the organization.

5. DEFINING INDEPENDENCE AND OBJECTIVITY

5.1 Independence can be generally defined as freedom from dependence on, or

influence or control by, another person, organization, or state. Internal auditors work
for, and primarily report to, the audited entity. For internal auditors, independence is
the freedom from conditions that threaten the ability of the internal audit activity or
the chief audit executive (CAE) to carry out internal audit responsibilities in an
unbiased manner. Independence permits internal auditors to render the impartial and
unbiased judgments essential to the proper conduct of engagements.

5.2.1 Objectivity is defined in the IIA Standards as an unbiased mental attitude that
allows internal auditors to perform engagements in such a manner that they have an
honest belief in their work product and that the quality of their work is not
compromised in any way.

5.2.2 IIA Standards also states that objectivity requires that internal auditors do not
subordinate their judgment on audit matters to others. Threats to objectivity, such as

3
possible conflicts of interests, must be managed at the individual auditor, engagement,
functional, and organizational levels, and disclosed as necessary.

6. WHY INDEPENDENCE AND OBJECTIVITY ARE VITAL

6.1 Whatever the form of government, the need for independence and objectivity in
audit is vital (ISSAI 200/2.3). Independence and objectivity are vital in ensuring that
stakeholders view the audit work performed, and the results, as credible, factual, and
unbiased.

6.2 The nature of internal auditing and the role of providing unbiased and accurate
information on the use of public resources and services delivered require the internal
audit activity to perform their duties without restrictions - free from interference or
pressures from the organization being reviewed or the area under audit.

6.3 Development of sound working relationships with management and staff at all
levels of the organization is fundamental to the effectiveness of the internal audit
function. The internal audit activity’s knowledge and understanding of the
organization assist in building effective relationships and in evaluating and improving
the effectiveness of risk management, internal control, and governance processes.
Ideally, and where appropriate, the organization’s employees should bring concerns,
information, and important matters to the attention of the internal audit activity. In
addition, an effective and well-run audit activity will be sought out for services,
information, and guidance.

6.4 By providing unbiased, objective assessments of whether public sector operations

and resources are responsibly and effectively managed to achieve intended results, the
auditor can help the public sector organization achieve accountability and integrity,
improve operations, and instill confidence among citizens and stakeholders.

7. INDEPENDENCE AND OBJECTIVITY CRITERIA

7.1 ISSAI 1610 seeks to assess whether the environment in which internal auditing
operates allows the internal auditor to be sufficiently autonomous and objective to the
extent that the external auditor can use the work of the internal auditor. This is
equivalent to the assessment of internal audit independence within INTOSAI GOV
9140.

7.2 In addition to the criteria in ISA 610, ISSAI 1610 provides criteria to assess the
objectivity of the internal audit function in the public sector. The internal audit
function:
 Is established by legislation or regulation;
 Is accountable to top management, for example the head or deputy head of the
government entity, and to those charged with governance;
 Reports the audit results both to top management, for example the head or
deputy head of the government entity, and those charged with governance;

4
  Is located organizationally outside the staff and management function of the
unit under audit;
 Is sufficiently removed from political pressure to conduct audits and report
findings, opinions, and conclusions objectively without fear of political
reprisal;
 Does not permit internal audit staff to audit operations for which they have
previously been responsible for to avoid any perceived conflict of interest; and
 Has access to those charged with governance.

7.3 Additionally, criteria to assess the independence of the internal audit function in
the public sector may include:
 Clear and formally defined responsibilities and authorities of internal auditing
in an audit charter;
 Functional and personal segregation of internal auditing from responsibilities
for management tasks and decisions (e.g. as heads of operational working
groups in administrative reform projects);
 Adequate freedom for the CAE in establishing audit plans;
 Adequate payment and grading within the salary scale according to the
responsibility and significance of internal auditing; and
 Involvement and participation of the CAE in recruitment of audit staff.

7.4 Also the IIA Standards requires, and leading practices dictate, that the internal
audit activity is independent, and that internal auditors are objective in performing
their work. To achieve the degree of independence necessary to effectively carry out
the responsibilities of the internal audit activity, the head of the internal audit activity
has direct and unrestricted access to those charged with governance. Independence is
achieved through organizational status and objectivity (IPPF 1100-1130 Independence
and Objectivity).

7.5 Under IIA Standards the CAE must report to a level within the organization that
allows the internal audit activity to fulfill its responsibilities. The CAE must confirm
to those charged with governance, at least annually, the organizational independence
of the internal audit activity. According to the IIA Practice Advisory 1111-1 the CAE
must communicate and interact directly with the board. Direct communication occurs
when the CAE regularly attends and participates in board meetings that relate to the
board’s oversight responsibilities for auditing, financial reporting, organizational
governance, and control. Such communication and interaction also occurs when the
CAE meets with the board, at least annually. The internal audit activity must be free
from interference in determining the scope of internal auditing, performing work, and
communicating results.

8. CONCERNS RELATED TO INDEPENDENCE AND OBJECTIVITY

8.1 An internal auditor occupies a unique position within an organization. The

auditor is employed by the organization but is also expected to review the conduct of
operations. This has a potential to create significant tension since the internal
auditor's “independence” from management is necessary for the auditor to objectively
assess management’s actions.

5
8.2 Internal auditing’s in-depth knowledge and understanding of operational
conditions of the audited entity can add significant value to the organization.
However, it may be hindered in upholding the public trust if measures to protect its
independence are not developed, implemented, and maintained. These measures
include provisions to ensure that the internal audit activity is empowered to report
significant issues to those charged with governance; is supported by management
formally and in practice; and is provided with sufficient resources to effectively
perform its duties.

8.3 The appearance or perception of a lack of independence and objectivity could be

as damaging as the actual condition. If internal auditors are involved in developing
the internal control systems, it may become difficult to maintain the appearance of
independence when auditing these systems.

9. HOW TO ACHIEVE INDEPENDENCE AND OBJECTIVITY

9.1 Clearly, independence and objectivity are key elements of an effective public
sector internal audit activity. To comply with the independence and objectivity
criteria mentioned above several measures may be considered. Recommended
measures are:

9.2 Appropriate Placement and Organizational Status

9.2.1 The ability to achieve internal audit activity independence and objectivity is
contingent on the appropriate placement and/or organizational status of the internal
audit activity within the organization.

9.2.2 The organizational status of the internal audit activity should be sufficient to
allow it to accomplish its activities as defined by its audit charter. The audit activity
must be positioned in such a way that it may obtain cooperation from management
and staff of the program or entity being audited, and have free, unrestricted access to
all functions, records, property, and personnel – including those charged with
governance.

9.2.3 Where practicable, those charged with governance (oversight body) should
exercise discretion and at least be consulted regarding the appointment, removal, and
compensation considerations of the CAE. Consideration may also be given to
appointing an appropriately organized, independent body to appoint the CAE.

9.2.4 The CAE should be equal in rank to senior management of the organization. To
avoid possible conflicts of interest, the CAE should report to a level in the
organization that would allow the internal audit activity to effectively carry out its
responsibility.

9.2.5 The CAE should have direct communication with those charged with
governance. This communication reinforces the organizational status of internal
auditing, enables full support and unrestricted access to functions, records, property,

6
and personnel, and helps ensure that there is no impairment to independence. This
provides sufficient authority to ensure broad audit coverage, adequate consideration
of engagement communications, and appropriate action on recommendations.

9.3 Reporting Relationship

9.3.1 Under IIA Standards the CAE must report to a level within the organization that
allows the internal audit activity to fulfill its responsibilities.

9.3.2 The CAE should report to executive management for assistance in establishing
direction, support, and administrative interface; and to those charged with governance
for strategic direction, reinforcement, and accountability. Those charged with
governance (e.g. the audit committee) should safeguard the independence by
approving the internal audit charter and (where applicable) the mandate.

9.3.3 The IIA Standards requires, and other guidance strongly recommend, that to
help maintain the independence of the internal audit activity, its personnel should
report to the CAE, who reports administratively to the chief executive officer or
equivalent and functionally to those charged with governance.

9.4 Competency

9.4.1 The IIA’s Code of Ethics requires, and leading practices dictate, that internal
auditors engage in those services for which they have the necessary knowledge, skills,
and experience; perform duties in accordance with the Standards; and continually
improve their proficiency and effectiveness. The Standards requires that internal
auditors, and the internal audit activity collectively possess or develop the knowledge,
skills, and other competencies needed to perform their responsibilities. Competent
and professional internal audit staff, in particular those that adhere to the Standards,
can help ensure the internal audit activity’s success.

9.5 Legislative Requirements

9.5.1 Legislative requirements to establish an internal audit activity help protect the
funding and independence of the internal audit activity and recognize internal audit as
an important function in the public sector. Finally, adequate legal protection of
internal auditor independence, in particular under civil service law, is an important
element of a legislative framework.

7
REFERENCES

INTOSAI
- ISSAI 1 The Lima Declaration, Section 3. Internal audit and external audit
- ISSAI 200 General standards in Government Auditing and standards with
ethical significance
- ISSAI 1260 Communication with those Charged with Governance
- ISSAI 1610 Financial Audit Guideline – Special Considerations – Using the
Work of Internal Auditors
- INTOSAI GOV 9100 Guidelines for Internal Control Standards for the Public
Sector
- INTOSAI GOV 9150 Coordination and Cooperation between SAIs and
Internal Auditors in the Public Sector

IFAC
- International Standard on Auditing 610
- Governance in the Public Sector: A Governing Body Perspective, 2001

IIA
- The International Professional Practices Framework, including the Definition
of Internal Auditing, the Code of Ethics, The International Standards for the
Professional Practice of Internal Auditing (Standards), Practice Advisories,
Position Papers and Practice Guides
- The Role of Auditing in Public Sector Governance, 2006

Independence and Objectivity: A Framework for Internal Auditors, 2001, American

Accounting Association, IIA Research Foundation

Internal Auditing: Assurance & Consulting Services, 2009, IIA Research Foundation
Internal Auditing in the Public Sector, Gansburghe, Internal Auditor Magazine,
August 2005

Internal Audit Trends in the Public Sector, Sterck and Bouckaert, Internal Auditor
Magazine, August 2006

20 Questions Directors Should Ask About Internal Audit, 2004, Fraser & Lindsay,
The Canadian Institute of Chartered Accountants

Best Practices and tools will be integrated in the e-platform

8
 The International Standards of Supreme Audit Institutions, ISSAIs, are
INTOSAI GOV 9150 issued by the International Organization of Supreme Audit Institutions,
INTOSAI. For more information visit www.issai.org

INT OSAI Coordination and

Cooperation between
SAIs and Internal
Auditors in the Public
Sector
 INTO S AI Pr o f e s si o n a l S t an d ar ds Co m mitt e e
PSC-Secretariat
Rigsrevisionen • Landgreven 4 • P.O. Box 9009 • 1022 Copenhagen K • Denmark
Tel.:+45 3392 8400 • Fax:+45 3311 0415 •E-mail: [email protected]

IN TO S AI

EXPERIENTIA MUTUA
EXP ERIENTIA M UTUA

OMNIBUS PRODEST
OMNIBUS
P RODEST

INTOSAI General Secretariat - RECHNUNGSHOF

(Austrian Court of Audit)
DAMPFSCHIFFSTRASSE 2
A-1033 VIENNA
AUSTRIA
Tel.: ++43 (1) 711 71 • Fax: ++43 (1) 718 09 69

E-MAIL: [email protected];
WORLD WIDE WEB: http://www.intosai.org
 1. INTRODUCTION

1.1 This paper provides guidance on how to achieve coordination and cooperation
between Supreme Audit Institutions (SAIs) and internal auditors in the public
sector—while respecting the distinctive functions and professional requirements of
both.

1.2 In addition to SAIs and internal auditors, this guidance may also be useful to other
auditors conducting internal and external audits in the public sector on their behalf..

1.3 This paper should be read in the context of the International Standards on Auditing
for Supreme Audit Institutions (ISSAIs), International Standards of Auditing
(ISAs) issued by the International Auditing and Assurance Standards Board, and
the Institute of Internal Auditors International Professional Practices Framework.

1.4 Although SAIs and internal auditors have differing and clearly defined roles, their
collective purpose is to promote good governance through contributions to
transparency in and accountability for the use of public resources, as well as to
promote efficient, effective, and economic public administration. Common areas of
work performed by SAIs and internal auditors offer opportunities for coordination
and cooperation. Through SAI and internal auditor coordination and cooperation,
the efficiency and effectiveness of both party’s work can be improved.

1.5 In developing internal auditor/SAI coordination and cooperation, cognizance

should be given to the specific roles of each party.

1.6 Both SAIs and internal auditors can perform the full range of government audits1
and can offer distinctive and important contributions.2 SAIs have the additional
responsibility of evaluating the effectiveness of the internal audit function.

1.7 If internal audit is judged to be effective, efforts shall be made, without prejudice to
the right of the SAI to carry out an overall audit, to achieve the most appropriate
division or assignment of tasks and cooperation between the SAI and internal audit
(ISSAI 1/3/par. 3). This will likely benefit both parties in their ongoing drive for
efficiency and effectiveness in public services.

1.8 All coordination and cooperation efforts between SAIs and internal auditors should
take into consideration the respective constitutional and legislative frameworks or
agreements. These frameworks may define collaboration and responsibilities of the
different parties. Collaboration mostly occurs at the discretion of SAIs, but where

1
For the full range of government audits see chapter 3 (roles and responsibilities)
2
The scope of internal auditor/SAI coordination and cooperation covers financial, compliance, and
performance audits.

1
 possible, cooperation and coordination between SAIs and internal auditors should
be seen as an opportunity to improve the effectiveness of the audit.

1.9 Formal coordination and cooperation will only be possible where certain basic
criteria regarding skills and competence are met. This paper does not preclude other
forms of liaison, such as informal discussions or reviews of documents to aid in
understanding of an entity’s operations.

1.10 In the public sector, SAIs and internal auditors may cooperate in a variety of ways.
Such cooperation can maximise the benefits gained from working together in areas
where there is an avoidable overlap in the scope of work carried out by SAIs and
internal auditors. This paper also recognises the contribution that internal auditors
can make to the efficiency of external audits.

1.11 This paper does not include tools or best practices. They will be made available on
the Subcommittee for Internal Control Standards’ e-platform.

2. RECOGNITION OF RELEVANT EXISTING INTOSAI STANDARDS

2.1 For both SAIs and internal auditors, the need for independence and objectivity in
audit is essential. An internal auditor’s independence and objectivity are important
factors for SAIs to consider when determining whether they will be able to
coordinate and cooperate with an internal auditor and to what extent they can use
the work of the internal auditor (ISSAI 1610, ISA 610/par. 9; INTOSAI GOV 9140).
Both SAIs and internal auditors have their own independence standards.3

2.2 Internal audit services are subordinate to the head of the entity within which they
have been established. Nevertheless, they shall be functionally and organizationally
independent as far as possible within their respective constitutional framework
(ISSAI 1/3/ par. 2; ISSAI 1610; INTOSAI GOV 9140). In this paper reference is
made to ISSAI 1610 and INTOSAI GOV 9140, especially with regard to the
criteria used to determine the independence of the internal audit function.

2.3 When the SAI uses the work of an internal auditor, it performs procedures to obtain
assurance that the internal auditor has exercised due care and complied with
relevant auditing standards (ISSAI 200/2.45). The SAI may review the work of the
internal auditor to satisfy itself as to the quality of that work (ISSAI 1610).

3
Internal auditors use the International Professional Practices Framework (IPPF) of the Institute of Internal
Auditors (IIA) including the Definition of Internal Auditing, the Code of Ethics, and the International
Standards for the Professional Practice of Internal Auditing (Standards) and Position Papers, Practice
Advisories, and Practice Guides. SAI’s use INTOSAI’s ISSAI 10 - the Mexico Declaration on SAI
Independence; ISSAI 11 - INTOSAI Guidelines and Good Practices Related to SAI Independence; ISSAI
30 - the INTOSAI Code of Ethics; and ISSAI - 200 INTOSAI General Standards. External auditors use the
International Federation of Accountants (IFAC) Code of Ethics for Professional Accountants.

2
2.4 When an SAI has determined that an entity’s internal audit function is likely to be
relevant to its audit, the SAI will determine (a) whether, and to what extent, to use
specific work of the internal auditors; and (b) if so, whether such work is adequate
for the purposes of the audit (ISSAI 1610, ISA 610/8-12).

2.5 The SAI has sole responsibility for audit opinions it expresses, and that
responsibility is not reduced by its use of the work of the internal auditors (ISSAI
1610, ISA 610/4).

3. ROLES AND RESPONSIBILITIES

3.1.1 In developing coordination and cooperation between SAIs and internal auditors the
specific roles of both parties are recognized.

3.1.2 Internal auditors work for and primarily report to the audited entity
(administratively to management and functionally to those charged with
governance,4 such as board, audit committee, senior management or, where
appropriate, an external oversight body), while SAIs function as external auditors
and issue their reports to the legislature or parliament (and indirectly the public).
Specific legislation may require that internal audit also report to the SAI.

3.2 Internal audit

3.2.1 INTOSAI defines an internal audit function as the functional means by which the
managers of an entity receive an assurance from internal sources that the processes
for which they are accountable are operating in a manner which will minimize the
probability of the occurrence of error, inefficient and uneconomic practices, or
fraud (INTOSAI GOV 9100).

3.2.2 The Institute of Internal Auditors defines internal auditing as an independent,

objective assurance and consulting activity designed to add value and improve an
organisation’s operations. It helps an organisation accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.

3.2.3 Within the context of roles and responsibilities, the following general principles are
applicable according to INTOSAI GOV 9100:
 Internal auditors examine and contribute to the ongoing effectiveness and
efficiency of the internal control structure through their evaluations and
recommendations and therefore play a significant role in effective internal
control.

4
See ISSAI 1260.

3
  Management often establishes an internal audit function as part of its internal
control framework. In this tradition, the role of internal auditors is a critical part
of an organisation’s internal control structure.
 However, the mandate of an internal audit function does not include
implementation of specific internal control procedures in the organisation. This is
the responsibility of management.
 An effective internal audit function may cover the review, appraisal, and reporting
on the adequacy of controls in order to contribute to the improvement of the
internal control system.
 The internal audit function should utilize a continuous, risk-based approach,
which should consider the risk criteria established by the governance body and
management.

3.2.4 Although internal auditors are part of the organisation they audit,5 certain
safeguards can be put in place to help protect the independence and objectivity of
the internal audit function. The internal audit function should be functionally and
organizationally independent as far as possible within its respective constitutional
framework (ISSAI 1/3/2). An internal auditor’s work and conclusions should be
impartial, neutral, and free from conflicts of interest.

3.3 SAIs

3.3.1 SAIs are generally established by the Supreme Lawmaking body or by

constitutional provision. In some jurisdictions, SAIs contract private auditors to
perform work on their behalf, or those charged with governance (such as board,
audit committee, senior management or, where appropriate, an external oversight
body) appoint a non-SAI auditor as their external auditor if permitted by legislation.

3.3.2 In most countries, SAIs have a wider range of responsibilities for reporting on the
activities of audited entities than do private sector auditors. The full scope of
government auditing includes regularity6 and performance audits (see also ISSAI
100/39-40), as well as special examinations and forensic audits.

3.3.3 The regularity audit embraces, amongst others, the attestation of financial
accountability of accountable entities and of the government administration as a
whole; the audit of financial systems and transactions; internal control and internal
audit functions; and the probity and propriety of administrative decisions taken
within the audited entity. It also includes the reporting of any other matters arising
from or relating to the audit that the SAI believes should be disclosed (ISSAI 100).

3.3.4 The performance audit is concerned with the audit of economy, efficiency, and
effectiveness (ISSAI 100).

5
However internal audit work in an organization can also be performed by a service provider. It is
getting more common in both the public and the private sector to have an external audit firm providing this
service (INTOSAI GOV 9140, chapter 4, models for resourcing internal auditing).
6
Regularity will become both financial and compliance in the future (from 2013 on).

4
3.3.5 As external auditors, SAIs have the responsibility of evaluating the effectiveness of
the internal audit function. If an internal audit function is judged to be effective,
cooperation between the SAI and the internal auditor will likely benefit both parties
(ISSAI 1/3 and 16).

4. BENEFITS OF COORDINATION AND COOPERATION

4.1 A range of benefits may be obtained from coordination and cooperation between
SAIs and internal auditors, including:

 An exchange of ideas and knowledge;

 Strengthening their mutual ability to promote good governance and accountability
practices, and enhancing management understanding of the importance of internal
control;
 More effective audits based on:
o Promoting a clearer understanding of respective audit roles and
requirements,
o Better informed dialogue on the risks facing the organisation leading to a
more focused audit and, consequently, more useful recommendations,
o Better understanding by both parties of the results arising from each
other’s work which may have an impact on their respective future work
plans and programmes;
 More efficient audits based on:
o Better coordinated internal and external audit activity resulting from
coordinated planning and communication,
o Refined audit scope for SAIs and internal auditors;
 Reducing the likelihood of unnecessary duplication of audit work (economy);
 Minimizing disruption to the audited entity;
 Improving and maximizing audit coverage based on risk assessments and
identified significant risks; and
 Mutual support on audit recommendations which may enhance the effectiveness
of audit services.

5
 5. POTENTIAL RISKS OF COORDINATION AND COOPERATION

5.1 Inherent in the coordination and cooperation process are certain risks which should
be managed, such as:

 Any compromise of confidentiality, independence, and objectivity;

 Possible conflicts of interest;
 Dilution of responsibilities;
 Use of different professional standards relating to independence or audit;
 Misinterpretation of conclusions when using each other’s work;
 Possible difference of conclusions or opinions on the subject matter;
 The possibility that potential findings of the other auditor may be prematurely
communicated to an external party, before sufficient audit evidence exists to
support those findings; and
 Not considering constraints or restrictions placed on the other auditor in
determining the extent of coordination and cooperation.

5.2 Internal audit work in an organization can also be performed by a service provider.
In some cases the same audit firm provides both external and internal audit service.
The service provider should not perform internal audit work if they are also the
external auditor or if they provide non-audit consulting services to that organization
as it endangers independence and objectivity.

6. GROUNDS FOR COORDINATION AND COOPERATION:

6.1 Coordination and cooperation are built on commitment, communication, common

understanding, and confidence.

6.1.1 Commitment
 Effective cooperation between internal auditors and SAIs can only be achieved if
both parties are willing and committed to developing coordinated and effective
audit services.
 Audit committee encouragement may improve the likelihood of successful
coordination and cooperation between internal auditors and SAIs.

6.1.2 Communication
 Communication is a two-way process.
 Regular and open communication between SAIs and internal auditors is essential
to the success of coordination and cooperation. Auditors should establish common
understanding on the timing and nature of such communications.7
 Communication may include:

7
Formal communication can include regular meetings, particularly to look at future plans to identify
opportunities for cooperation; to avoid duplication of efforts; to assure that audit coverage is coordinated;
and to agree on methods for the sharing of audit findings and other information.

6
 o the exchange of audit reports and management letters;
o in some circumstances, granting access to each other’s audit programs and
audit documentation while providing for sufficient discretionary and
confidentiality provisions.

6.1.3 Common understanding

 Auditors should understand each other’s objectives, scope, techniques, methods,
and terminology to facilitate reliance on each other’s work.
 It may be useful for SAIs and internal auditors to use similar techniques, methods,
and terminology to facilitate cooperation and effective coordination.

6.1.4 Confidence
 There should be mutual confidence based on the recognition that internal and
external audits are conducted within relevant professional standards.
 There should be confidence that any information exchanged is treated
professionally and with integrity and within professional ethical guidelines. This
exchange of information should incorporate sufficient discretionary and
confidentiality provisions.

7. MODES OF COOPERATION

7.1 A broad range of ways to achieve coordination and cooperation between SAIs and
internal auditors are possible. The degree of coordination and cooperation may vary
depending on circumstances, including considerations of independence and
legislative restrictions. Modes of coordination and cooperation may include:
 Communication of audit planning / audit strategy (e.g. joint planning sessions);
 Regular meetings between SAIs and internal auditors;
 Arrangements for the sharing of information (including consultation procedures);
 Communication of audit reports to each other;
 Organizing common training programmes and courses, and sharing training
material;
 Developing methodologies;
 Sharing training material, methodologies, and audit work programs;
 Granting access to audit documentation;8
 Secondment or lending of staff (e.g. training on the job);
 Use of certain aspects of each other’s work to determine the nature, timing, and
extent of audit procedures to be performed; and

8
The SAI must have access to the sources of information and data from the internal auditor in order
to carry out its audit responsibilities. SAIs should carefully consider confidentiality issues when disclosing
audit documents that may contain sensitive subjects, such as forensic investigations. In order to maintain
independence of SAI’s, internal auditors do not have any automatic access rights to the audit
documentation of the SAI or formal influence on the SAI’s work programme. Nonetheless there are some
circumstances where sharing audit documentation at the SAI’s discretion may aid the audit process.

7
  Collaborating on certain audit procedures, such as collecting audit evidence or
testing data.

8. WAYS TO ORGANIZE THE COORDINATION AND COOPERATION

8.1 Coordination and cooperation can either be organised formally or informally.

8.2 Formal coordination and cooperation can be organised through legislation, formal
agreements, or protocols.

8.3 In certain low-risk engagements, SAIs and internal auditors may coordinate and
cooperate in a more informal way.

8.4 Coordination and cooperation should be documented in compliance with applicable

auditing standards.

8.5 Audit committees may encourage coordination and cooperation between SAIs and
internal auditors.

9. AREAS OF COORDINATION AND COOPERATION

9.1 Areas of coordination and cooperation between SAIs and internal auditors may
include:

 Evaluating the audit entity’s (see also INTOSAI GOV 9100):

o Internal Control framework;
o Financial statements’ Compliance with Laws and Regulations;
o Performance indicators and performance studies;
o Public Governance; and
o Risk management (INTOSAI GOV 9130).
 Documenting the audit entity’s systems and operational processes;
 Developing audit procedures;
 Performing audit procedures, (e.g. audit of multi-located entities); and
 Investigating fraud and corruption allegations.

10. PHASES & CONTENT OF COORDINATION AND COOPERATION

10.1.1 Coordination and cooperation can happen during the entire audit process:

 Preliminary to the engagement;

 At the planning stage;
 Performing further audit procedures;
 Concluding, finalisation, and reporting stage; and

8
  Follow up of audit findings and recommendations

10.1.2 The continuous nature of the assessment and communication between SAIs and
internal auditors should be documented in their respective audit documents.

10.1.3 SAIs coordinate and cooperate during the audit process as follows:

10.2 Preliminary to the engagement

 Obtain an understanding of the audited entity and of each other’s function;

 Consider the scope of the work performed by each party; and
 Evaluate the use of the internal auditor’s work before determining its impact on
the nature, timing, and extent of audit procedures to be conducted. This involves
ensuring that the internal auditor that carried out the work was independent of the
audited entity or activity and was objective in carrying out that work

10.3 Planning stage

10.3.1 In preparing the audit plan and determining the audit strategy, the SAI may
evaluate the effect, if any, that the internal auditor’s work may have on the
external audit procedures. In this stage the auditor should perform a risk
assessment to identify areas of significant risk.

10.3.2 When the SAI intends to use the work of the internal auditor, the SAI should
evaluate:
 The independence of the internal audit activity;
 The objectivity and professional and technical9 competence of the internal
auditor;
 Whether the work of the internal auditor is carried out with due professional care
(conclusions are based upon audit objectives, audit scope, acceptable audit
methodology, and sufficient audit evidence); and
 The effect of any constraints or restrictions placed on the internal audit function
by any party or individual.

10.4Performing further audit procedures

10.4.1 The work of internal auditors may be used to obtain part of the audit evidence that
is necessary to achieve the objectives of SAI audit procedures.

10.4.2 The SAI should evaluate the internal auditor’s work for the following:
 Whether the work was performed by persons having appropriate skills and
expertise;

9
The work has to be performed by persons having appropriate skills and expertise.

9
  Whether the work was properly supervised, reviewed, and documented;
 The suitability of the working methods employed by the internal auditor;
 Whether sufficient, appropriate, and relevant evidence was obtained to draw
reasonable conclusions;
 Whether the conclusions reached are appropriate in the circumstances and any
reports prepared are consistent with the results of the work performed; and
 Whether any findings reported on by the internal auditor have been properly
addressed by the audited organisation.

10.4.3 Where necessary, the SAI performs additional audit work to obtain this assurance.

10.4.4 Documenting the assessment of the decision to use the work of internal auditors
will provide evidence to support the SAI’s procedures, findings, and conclusions.

10.5Concluding, finalisation, and reporting stage

10.5.1 When the work of internal auditors corroborates the findings obtained or
conclusions reached by the external auditors, then the SAI may use the work
performed by the internal auditor. This does not exempt the SAI from obtaining
sufficient, appropriate audit evidence to reach a conclusion based on audit
objectives, but it may reduce the extent of the auditor’s work.

10.5.2 When there is a discrepancy between the findings or conclusions arising from an
audit and those presented in the report of the internal auditor, the SAI and internal
auditor:
 investigate the cause of the discrepancy, and
 reconsider and determine whether the analysis and interpretation of the audit
evidence obtained was adequate and reasonable.

10.5.3 The SAI may discuss any discrepancies with the internal auditor and consider
reporting on it to the relevant and appropriate parties.

10.6 Follow up of audit findings and recommendations

10.6.1 As part of the SAI’s audit process, a follow up of the implementation and
fulfillment of the SAI’s audit recommendations should be undertaken.
In cooperation and understanding with the SAI, the internal auditor may follow up
the implementation and fulfillment of the SAI’s audit recommendations, as a
means of cooperating with the SAI’s audit processes.

10
REFERENCES

INTOSAI
 ISSAI 1 The Lima Declaration, Section 3. Internal audit and external audit
 ISSAI 100 I Auditing Standards - Basic Principles
 ISSAI 300 I Auditing Standards - Field Standards
 ISSAI 1260 Communication with those Charged with Governance
 ISSAI 1610 I Financial Audit Guideline – Special Considerations – Using the
Work of Internal Auditors
 INTOSAI GOV 9100 Guidelines for Internal Control Standards for the Public
Sector
 INTOSAI GOV 9110 Guidance for Reporting on the Effectiveness of Internal
Controls: SAI Experiences in Implementing and Evaluating Internal Controls
 INTOSAI GOV 9120 Internal Control: Providing a Foundation for Accountability
in Government
 INTOSAI GOV 9130 Further information on Entity Risk Management
 INTOSAI GOV 9140 Guidance for Good Governance, Internal Audit
Independence in the Public Sector

European implementing guidelines for the INTOSAI auditing standards

IFAC
 International Standard on Auditing 610
 Governance in the Public Sector: A Governing Body Perspective

IIA
 The International Professional Practices Framework, including the Definition of
Internal Auditing, the Code of Ethics, The International Standards for the
Professional Practice of Internal Auditing (Standards), Practice Advisories,
Position Papers and Practice Guides

NAO & HM Treasury

 Cooperation between internal and external auditors, a good practice guide

GAO
 Financial Audit Manual, FAM 650 Using the work of others

Best Practices and tools will be integrated in the e-platform

11
 The International Standards of Supreme Audit Institutions, ISSAI, are
INTOSAI GOV 9220 issued by the International Organization of Supreme Audit Institutions,
INTOSAI. For more information visit www.issai.org

Management
INT OSAI
Discussion and
Analysis of Financial,
Performance and
Other Information
 INTO S AI Pr o f e s si o n a l S t an d ar ds Co m mitt e e
PSC-Secretariat
Rigsrevisionen • Landgreven 4 • P.O. Box 9009 • 1022 Copenhagen K • Denmark
Tel.:+45 3392 8400 • Fax:+45 3311 0415 •E-mail: [email protected]

IN TO S AI

EXPERIENTIA MUTUA
EXP ERIENTIA M UTUA

OMNIBUS PRODEST
OMNIBUS
P RODEST

INTOSAI General Secretariat - RECHNUNGSHOF

(Austrian Court of Audit)
DAMPFSCHIFFSTRASSE 2
A-1033 VIENNA
AUSTRIA
Tel.: ++43 (1) 711 71 • Fax: ++43 (1) 718 09 69

E-MAIL: [email protected];
WORLD WIDE WEB: http://www.intosai.org
Accounting Standards Framework
Implementation Guide for SAIs:
Management Discussion and Analysis Of
Financial, Performance and Other Information

INTOSAI

Issued by the Committee on Accounting Standards

October 2001

1SEITE
 PREFACE

1. As a result of recommendations made at the Sixteenth International Congress of

Supreme Audit Institutions (INCOSAI XVI) in 1998, the International Organization
of Supreme Audit Institutions (INTOSAI) Committee on Accounting Standards
(CAS) undertook to expand the Accounting Standards Framework Implementation
Guide for SAIs: Departmental and Government-wide Financial Reporting (November
1998) to include a new Management Discussion and Analysis (MD&A) section. This
publication, Accounting Standards Framework Implementation Guide for SAIs:
Management Discussion and Analysis of Financial, Performance, and Other
Information (MD&A Implementation Guide), constitutes that section. It further
develops reporting concepts included in prior CAS publications.

2. The purpose of the MD&A is to provide a means for government management

officials to discuss what the financial statement numbers mean (financial
information), what was accomplished during the reporting periods (performance
information) and the organization’s systems, controls and legal compliance
(governance information). With the addition of the MD&A section, the Guide will
contain the basic components of an Accountability Report.

3. An Accountability Report presents financial, performance, and governance

information about a government entity and charts the entity’s progress in meeting its
goals. The report provides useful information about the government entity’s
accountability for and management of resources entrusted to it, - that is, the results of
government activities, the costs and benefits of those activities, and how those
activities help achieve government goals. It links all the information together in a
clear and concise report to help users make informed judgments about the reporting
entity.

4. Similar to prior CAS publications, this Guide was prepared by CAS according to
approved INTOSAI committee procedures for developing and publishing products.
A subcommittee of CAS prepared an initial draft of this product that was reviewed by
the full committee, which provided valuable comments. An exposure draft was then
provided for review and comment to all SAIs, the INTOSAI Governing Board, and
the CAS associates network. The associates network was formed in 1993, and is
composed of preparers of government accountability reports and representatives of
public sector standard-setting bodies from the countries represented on the CAS and
the Public Sector Committee (PSC) of the International Federation of Accountants
(IFAC). The final step in this process was the publication of the Guide for
distribution at INCOSAI XVII in Seoul Korea. In keeping with INTOSAI practice,
the Guide is considered a living document that will be modified and enhanced over
time as circumstances and SAIs needs change. The Chair of the Committee on
Accounting Standards would be pleased to receive comments on or suggestions for
changes to this Guide at any time.

2SEITE
5. In addition to guidance provided in this Guide, SAIs may also wish to refer to
Appendix I, which lists a number of sources for additional information and examples
of governmental reports including MD&As.

6. The CAS is chaired by the SAI of the United States of America and also includes
SAIs’ from the following member countries: Austria, Canada, Cuba, Ghana, Italy,
Kenya, Libya, Malaysia, Malta, Morocco, New Zealand, Peru, Sweden, and Trinidad
and Tobago. The CAS wishes to express its appreciation to INTOSAI members who
have supported its work and made these products possible. Particular appreciation is
expressed to the SAI of Canada who provided consultation during this product’s
development, and to the SAI’s of Italy, New Zealand, and Peru who reviewed early
drafts of this product and provided valuable input.

3SEITE
 TABLE OF CONTENTS

Page

Preface 2-3

Introduction 5-6

Section 1 - Purpose of the Management Discussion and Analysis 8-9

Section 2 - Objectives of the Management Discussion and Analysis

(Including illustrative examples)

Introduction 11

Mission and Organization Structure Information 12 - 15

Mission Statement 12
Major Programs, Functions and Activities 12
Organization Structure 14
Operating Environment 15

Financial Information 16 - 27
Financial Highlights 16
Financial Condition 22
Sources of Financing- Taxes and Other Receipts 25
Financing Provided by Debt and Related Debt -
Management Activities 27
Performance Information 28 - 35
Focus on Results and Achievements 29
Present in Context of Expectations 33
Relate Costs to Results 35
Governance Information 37 - 42
Systems and Controls 37
Compliance with Legal Requirements 39
Budget to Actual Comparisons 40
Forward Looking Information 41 - 42

Attachments 1 – Sources for Additional Information and Examples 43 - 46

2 – Illustrative Accountability Report Table of Contents 47

4SEITE
 INTRODUCTION

7. In 1995, INTOSAI published its “Accounting Standards Framework” (Framework).

The Framework includes sections on the users, objectives, and qualitative
characteristics of government financial reports. Financial reporting as described in
the Framework includes government-wide and departmental reports as well as
compliance and performance reports.

8. In 1998, INTOSAI published its “Accounting Standards Framework Implementation

Guide for SAIs: Departmental and Government-wide Financial Reporting”,
(Framework Implementation Guide). The Framework Implementation Guide
provides practical guidance to SAIs on how to implement the Accounting Standards
Framework. The Guide shows how to implement the five reporting objectives
included in the Framework. Using the Framework concepts, the Framework
Implementation Guide contains sections that discuss and provide illustrative
examples of department and government-wide reporting. These examples include
Overview, Highlights, Financial Statements, and Compliance and Performance
sections.

9. This MD&A Implementation Guide builds on and complements these previously

issued CAS publications and replaces the information contained in the Highlights and
Overview sections referred to in the Framework Implementation Guide with the
information in this Guide.

10. This MD&A Implementation Guide contains two sections:

(1) Purpose of MD&A – Generally discusses the basic objectives of the MD&A
and how it relates to financial statements, performance reports, and reports on
governance.

(2) Objectives of MD&A – Provides a detailed discussion of the objectives of the

MD&A and suggests the type of information that would meet those
objectives, including examples.

11. This guide also includes an appendix listing sources of additional information and
examples of governmental reports including MD&As.

12. This Guide has been designed as an audit tool to help SAIs review and comment on
the MD&A prepared by government officials. Where MD&As are not prepared and
published, SAIs are encouraged to help their governments do so. In infrequent cases,
if an MD&A is not prepared by government officials, a financial and/or performance
analysis may be prepared by the SAI. However, it should be clear that it was not
prepared by management and should not include “management” in the title. This
guide provides a basis for discussions about the development of such a document.

5SEITE
13. The preparation of an MD&A, and its possible inclusion in a broader Accountability
Report, requires consideration by SAIs and the government about the audit roles
appropriate for these components. At a minimum, the auditor should read the entire
MD&A to determine if the information presented is consistent with audited
information included in the Accountability Report. Appendix II to this Guide
provides an illustrative table of contents of an Accountability Report.

14. CAS acknowledges that the nature and extent of accountability reporting varies
across the INTOSAI community. Therefore, the illustrative MD&A information
presented in this Guide should be viewed only as examples, rather than as a standard.
Preparers have flexibility to structure their MD&A in the manner most appropriate to
reflect the administrative practices in their countries and to meet their needs.
Regardless of the precise reporting format selected, the Committee strongly believes
that citizens and legislators of all countries will increasingly expect their governments
to demonstrate open and transparent accountability. A quality MD&A is a key
component of this accountability reporting.

6SEITE
 SECTION 1

PURPOSE OF THE MANAGEMENT DISCUSSION AND ANALYSIS

7SEITE
 PURPOSE OF THE MANAGEMENT DISCUSSION AND ANALYSIS

15. Reporting objectives identify the goals and purposes of accountability reports and the nature
of the information that the reports should convey. The basic objectives of financial and
performance reporting are described in the Accounting Standards Framework. These same
objectives are applicable to the MD&A, and are included in the discussion in the next section
of this Guide. The overall reporting objective is, to the extent practicable, to provide users
with the information they need. Increasingly, these users include national and international
funding and rating organizations that require a high standard of accountability reporting. The
MD&A helps meet that expectation.

16. The Framework discusses the types of information, such as financial statements and
performance information that may be appropriate to help satisfy these user needs.

17. Financial statements should provide information about the reporting entity’s (departmental
or government-wide) financial position, operating results, and cash flows. Overall financial
position describes what a government owns (its assets) and what a government owes (its
liabilities) at a point in time. Operating results reports the extent to which a government’s
financial position has improved or deteriorated from one period to the next, and includes
information about revenues (or receipts) and expenses/expenditures (or disbursements).
Generally, financial statements also include information about future commitments and
obligations.

18. Performance reports provide information about the extent to which programs and activities
are achieving their desired objectives (effectiveness), and the related cost (economy and
efficiency) of achieving those goals.

19. In many cases, both financial and performance reports may explain what has happened, but
not necessarily why it happened or whether or not it is desirable. In such circumstances,
financial and performance reports may require the insight of management to help users
understand the answers to these important questions. A fully developed MD&A should
provide that insight.

20. In addition to financial and performance results, two other types of information are useful to
be included in the MD&A – governance information and forward-looking information.

21. Governance information refers to information about an entity’s management and information
systems, internal controls, and compliance with laws and regulations. Compliance
information, which includes budgetary compliance, is often reported on an exception basis.
This type of information is useful to help discern any issues or concerns with the day-to-day
operations of the entity, and could include a discussion of management’s plans or efforts that
are underway to remedy identified problems.

8SEITE
22. Forward-looking information to be presented may include discussion of the possible future
effects of currently identified risks, uncertainties, trends, or other significant events or
conditions that could have a major impact on the entity. This could include, for example
information about future commitments, including social insurance obligations, as necessary
to help the reader assess the future financial environment. This type of information is
especially important during times of significant demographic, economic or policy changes.

23. In summary, the MD&A supplements traditional financial and performance reports. It is an
important medium for government managers to communicate at a high-level, their insights
about the mission and goals of the government entity, its major initiatives, and results
achieved during the year. It gives the reader an opportunity to look at the organization
through the eyes of management by providing an analysis of the business of the organization.
It is a way of communicating financial, performance, and governance information about the
government entity and its activities to people who need it. In short, it provides a description
of the organization, what it does, how well it met the goals it set, and the cost of its activities.

24. Therefore, an effective MD&A generally should contain sections that include information
about the organization’s:
- Mission and organization structure
- Financial results
- Performance results
- Governance
- Forward looking information

25. Section 2, which follows, includes explanations and examples relating to these five
components. However, additional and/or different information components may be
appropriate to include in the MD&A, depending on the circumstances. Ultimately, each
government entity should include information and organize its MD&A in a manner that is
most useful to help achieve its reporting objectives.

9SEITE
 SECTION 2

OBJECTIVES OF THE MANAGEMENT DISCUSSION AND ANALYSIS

(WITH EXAMPLES)

10SEITE
 OBJECTIVES OF THE MANAGEMENT DISCUSSION AND ANALYSIS

Introduction

26. This part of the Implementation Guide describes and illustrates each of the five types of
MD&A information referred to previously. The purpose of this information is to satisfy the
Objectives of Government Financial Reports that are part of the Committee’s Accounting
Standards Framework. The first of these objectives, which is overarching, is “to provide
users with the information they need”. There are four other specific objectives that further
expand on the first objective. The interrelationships between the five types of MD&A
information and the objectives in the Accounting Standards’ Framework, is shown in the
matrix below:

Objective 1 Mission & Financial Performance Governance Forward

Organization Information Information Information Looking
Provide users with the Structure Informat
information they need Information ion
to:
Objective 2
X X X X X
Help understand the size of
the government entity, the
nature and scope of its
activities, and its financial
position.
Objective 3
X X
Help understand and
forecast how the
government entity finances
its activities.
Objective 4
X X X
Help understand and
forecast the effects of the
government entity’s
activities.
Objective 5
X X X X
Help determine whether the
government entity did what
it said it would do and the
costs of its activities.

11SEITE
Mission and Organization Structure Information

27. To provide users with overview information about the government entity, the MD&A could
contain a brief description of the entity’s:
- mission
- major programs, functions, and activities
- organization structure
- operating environment

Mission Statement

28. At the national government level, the government mission statement may represent a
statement about jurisdictional responsibilities of the government or what it hopes to achieve.
By their nature, national government mission statements may be very broad. For example,
some national governments are given defined powers by their constitutions, while all other
powers remain with component government units such as provinces or states. Other national
governments have all governmental powers and other governmental units receive their
powers from the national government. The MD&A could discuss these differences.

29. At levels of government below the national level, and for component units of the national
government, the mission statement may be more specific since such government units are
often organized and set up for a specific purpose or with specific goals and objectives. For
example, the mission statement of the United States Small Business Administration (SBA)
reads as follows:

U.S. Small Business Administration

Mission

The SBA helps maintain and strengthen the Nation’s economy by counseling, assisting, and protecting the
interests of small businesses and by helping businesses and families recover from disasters.

The SBA helps create opportunities for small business success through its credit and business assistance
programs. The critical success factor for SBA is a more vibrant and healthy small business sector. The
responsibility for achieving this outcome is not only the SBA’s, but is shared by many programs, often by
several levels of government, and by the Agency's small business customers themselves. SBA's measures of
success are directly related to those small businesses that are started, expanded, and maintained using the
Agency’s products and services.

Major Programs, Functions, and Activities

30. A high-level summary of the government’s programs, functions, and activities provides the
reader with information about what the government unit does. In some cases the government
entity’s policies, strategies, or priorities may significantly affect its programs. Where this is
so it may be appropriate to explain which programs are affected and in what way. For
example, facing increasing social insurance costs, a national priority may be to reduce
program benefits instead of raising taxes or social insurance contributions, or some
combination of the two strategies.

12SEITE
31. The U.S. Social Security Administration’s MD&A describes the social security programs as
follows:
Social Security Administration (U.S.)
Social Security Programs

The Social Security Act of 1934 established a program to help protect aged Americans against the loss
of income due to retirement. Protection for survivors of deceased retirees was added by the 1939
amendments, thus creating the Old Age and Survivors Insurance Program. Social security was
expanded again in 1956 to include the Disability Insurance (DI) Program, and in 1972 to include the
Supplementary Security Income Program (SSI). SSA’s responsibilities in 1998 focused on
administration of these three entitlement programs that deliver cash benefits to about 50 million
beneficiaries every month.
The OASI and DI programs, commonly referred to as Social Security, provide a comprehensive
package of protection against loss of earnings due to retirement, disability, and death. Monthly cash
benefits are financed through payroll taxes paid by workers and their employers and by self-employed
people.

32. This description shows the types of services that SSA provides and describes how these
services have increased over time.

33. The U.S. Department of Veteran’s Affairs (VA) MD&A summarizes its major programs as
follows:

Department of Veterans Affairs (U.S.) Programs

- Medical Care—provides primary care, specialized care, and related medical and social support
services throughout its 172 hospitals, 131 nursing homes, 439 clinics and other support services.
- Medical Education—helps to ensure an adequate supply of clinical care providers for veterans.
- Medical Research—contributes to the nation’s knowledge about disease and disability.
- Education—provides educational assistance to men and women of the armed forces to adjust to
civilian life after separation from the services.
- Insurance—provides life insurance benefits and services to veterans and beneficiaries.
- Burial—ensures that the military service of veterans is honored by providing dignified burials and
memorials.

13SEITE
34. To help understand the relative size of programs, the VA MD&A also presented information
comparing the number of veterans and dependents it served:

Department of Veterans Affairs (U.S.)

Medical Programs, Benefits and Administration Expenses for fiscal years 1997 and 1998

Benefits or Services Veterans and Dependents

Served
FY 1997 FY 1998

Medical Care 3,431,400 3,142,000

Medical Education and Research 2,269,700 2,256,700
Education 299,400 294,800
Insurance 2,408,700 2,300,100
Burial Service 76,700 73,000

Organizational Structure

35. In many cases, it is useful to describe the organizational structure of the entity. This will
provide the user with the context of the other information presented, including how it is
organized to carry out its mission through programs, functions, and activities. The
organizational structure may be described in a chart, narrative, or other means.

36. The Social Security Administration (SSA) describes its organizational structure in terms of
how it meets its needs to provide services to the public as follows:

Social Security Administration (U.S.)

Organizational Structure
SSA’s organizational structure is designed to provide responsive and accurate world-class service to the
public. SSA’s organization features centralized management of the national Social Security programs and a
decentralized nationwide network of 10 Regional Offices overseeing 6 Program Service Centers, 1,348 Field
offices, 1 Data Operations Center, 36 Teleservice Centers and 132 Hearings offices.
Field offices are located in cities and rural communities across the nation and are the Agency’s main physical
point of contact with beneficiaries and the public.

14SEITE
Operating Environment

37. A description of the government entity’s operating environment provides important

information that will help the reader better understand its financial and performance results.
The operating environment includes major factors or conditions affecting the entity. Some
countries have significant vulnerability to external variables including world economic
conditions or the price of specific commodities. In such cases it would be appropriate to
highlight such variables.

38. The following example, which was modified for presentation in this guide, is from the 1998
– 1999 Annual Report MD&A of the Canadian Farm Credit Corporation (FCC), a
governmental entity which provides loans to the agriculture sector of the economy, and
describes its operating environment as follows:

Farm Credit Corporation (Canada)

Global Marketplace Affects Canadian Agriculture

Canada’s agricultural industry is rapidly transforming to compete effectively in an increasingly

global marketplace. This transformation affects the entire spectrum of agriculture – from
inputs and primary production to value added and the consumer. Farmers, input suppliers,
equipment dealers, processors and manufacturers are working together to create new markets
and expand existing ones.

Tremendous growth in the agriculture and agri-food industry is expected in the next several
years. The industry has set the target of increasing agri-food exports to four per cent of the
world’s total trade by the year 2005, effectively doubling our current exports from $22 billion
to approximately $40 billion per year.

Canadian producers and agribusinesses are the driving force in meeting these goals. Their
ability to anticipate needs, produce high quality products and adopt leading-edge technologies
and processes will determine Canada’s share of the global agriculture and agri-food market in
the next millenium. The push to be competitive requires capital. Producers are making the
necessary capital investments to increase their productivity and profits. As Canada’s largest
agricultural term lender, FCC is working with producers and agribusiness operators to help
them make the necessary investments to succeed with financing tailored to the unique needs of
the industry.

39. The FCC MD&A then discusses its operating environment in terms of:
- the effects of changing demographics on markets and farm ownership
- pressures to diversify products
- the industry shift to value added products
- changes in producer financing options
- the advantages of producer partnerships and alliances.

15SEITE
Financial Information

40. The MD&A of a government entity should summarize the most important financial
information for that entity. This would involve incorporating a summary of more extensive
information contained in the entity’s financial statements, as well as financial information
about the entity contained in other separate reports to the extent appropriate. The following
four types of information may be useful in helping users of the MD&A understand the key
financial aspects of the entity:
- financial highlights
- financial condition
- sources of financing – taxes and other receipts
- financing provided by debt and debt management.

Financial Highlights

41. Financial highlights information summarizes the government’s financial position and
operating results. Financial position includes what the entity owns (its assets) and what it
owes (its liabilities) at a point in time. Operating results reflect the extent to which the
entity’s financial position has improved or deteriorated from one period to the next, and
includes an entity’s information about revenues (or receipts) and expenses/expenditures (or
disbursements).

16SEITE
42. The following graphs from the 1999 United States Financial Report clearly show the relative
significance of major categories of assets, liabilities, revenues and net cost1:

Major Categories of Assets

Property, plant and 4.0% 2.6%

equipment - 33.8% 6.2%
Loans receivable - 20.8%
33.8%
Inventories & related 13.0%
property -19.6%
Cash & other monetary
assets - 13.0%
Other - 6.2%

Accounts receivable - 4.0% 19.6%

20.8%
Taxes receivable - 2.6%

Major Categories of Liabilities

Federal debt held by 1.2%4.1%
4.5%
public - 52.6%

Federal employee and

veterans benefits -
37.6%
Environmental &
disposal liabilities - 4.5%

Accounts payable -
1.2%
52.6%
Other - 4.1% 37.6%

1
It should be noted that the amounts in this presentation are significantly affected by U.S. accounting principles that
do not place a value on certain national defense and stewardship assets, which are significant.
17SEITE
 Components of Revenue
by Major Source
5.6%
3.5%
Individual income tax &
9.0%
tax withholdings - 72.3%
Exchange revenue -
9.6%
Corporate income tax - 9.6%
9.0%
Excise tax - 3.5%

Other - 5.6%
72.3%

Net Cost by Major Function

5.4%
Human resources - 6.4%
51.6%
National defense - 13.1%
23.5%
Interest - 13.1%
51.6%
Other functions - 6.4%

Physical resources - 23.5%

5.4%

43. The financial highlights section of the MD&A can help the reader understand the entity’s
financial results and financial position by providing (1) general information such as the total
budget of the entity and (2) more specific information such as a summary of assets,
liabilities, revenues, and expenses, and (3) various financial ratios such as revenues or cost
as a percent of gross domestic product (GDP). The information is often provided in table or
graph format and is most useful if accompanied by a discussion of year-to-year changes
and/or comparisons to budgeted amounts.

18SEITE
44. The financial report of the New Zealand Government includes discussion and analysis
sections of Financial Performance, Financial Position, Prior Year Comparisons, and a five-
year table of historical information. For example, the Financial Performance section, which
was modified for presentation in this guide, is as follows:

1999 Financial Report of the New Zealand Government

Financial Performance

This section compares the actual 1998/99 financial performance against the 1999 budget forecast.
The operating balance for the year ended 30 June 1999 was made up as follows:

Operating Balance Actual Forecast Variance

$m $m $m
Revenues 36,357 36,462 (105)
Expenses 35,825 35,256 (569)
SOEs and Crown entities 1,245 958 287
surplus
Operating Balance 1,777 2,164 (387)

The operating surplus was $387 million lower than the 1998/99 estimated actual forecast. The main variances were:

- A significant increase in the valuation of GSF unfunded pension liability ($646 million) partly arising from a change
in discount rate methodology, and
- A shortfall in taxation revenue of $200 million compared to forecast, largely due to:
- Lower than forecast new companies taxation ($194 million), mainly due to higher than expected overpayment of
company tax in the earlier part of 1998/99 leading to a downward correction in the June quarter, and
- A shortfall in stamp duty ($134 million), partly due to higher than expected refunds from the abolition of
conveyance and lease duties.

These factors were partly offset by:

- Gains on sale of TVNZ’s shares in Clear Communications and Sky Network TV ($140 million) and the sale of the
Cobb Hydro station ($80 million) by Meridan Energy Limited, contributing to the higher net surpluses from SOEs and
Crown entities ($287 million); and
- The recognition of Public Trust reserves ($86 million) by the Crown for the first time.

These items were not forecast as a matter of policy.

19SEITE
45. Additional financial highlights and narrative discussion included in the 1999 Financial
Report of the New Zealand Government, also modified for this presentation, follow:

1999 Financial Report of the New Zealand Government

Overview

The Crown financial statements show:

- A $1.8 billion surplus, despite a period of slower economic growth, due to a number of positive one time
items;
- A significant decrease in net worth, reflecting the recognition of a $3.1 billion claims liability for future
actuarial pension costs;
- A fall in net debt, due to sale proceeds from Contract Energy Limited, and other assets.

30 June 1999 30 June 1999 30 June 1998

Actual Forecast Actual

Financial Summary Actual Ratio to Forecast Ratio to Actual Ratio to

$m GDP % $m GDP % $m GDP %
Operating Balance Surplus 1,777 1.8% 2,164 2.2% 2,534 2.6%
Net Worth 6,022 6.1% 5,456 5.5% 9,921 10.1%
Net Crown Debt 21,701 22.0% 22,369 22.5% 24,069 24.6%

The 1998/99 operating balance surplus contained a number of one-time items, both positive and negative.
Adjusted for these one-time items, the operating surplus would be around $150 million.

The positive items that boosted the surplus were largely gains on sales of assets – Contact Energy Limited,
Auckland and Wellington Airport companies, and smaller hydro power stations.

These gains were moderated somewhat by tax cuts from 1 July 1998 and slower economic growth resulting in
lower tax revenue. Expenses grew by 4.7% with increases in health (9.5%) and education spending (3.2%), partly
offset by a reduction in finance costs. An increase in the valuation of Government Superannuation Fund (GSF)
pension liability also contributed to higher expenses.

20SEITE
46. Financial highlights may also include a focus on the budget deficit or surplus amounts for the
year. The following discussion and analysis, as modified for this presentation, was included
in the 1999 United States Financial Report2 and has such a focus:

U.S. 1999 Financial Report

Continued Improvement in Fiscal Performance

Seven years ago, the federal budget deficit had exploded. It dominated the Government’s ability to make policy and
imposed an insidious burden on our economy. In 1992, the $290 billion deficit was the largest in American history
and was projected to continue spiraling upward without restraint. The economy suffered, interest rates were high and
job creation stalled. Capital that should have been used for productive investments to create new jobs was used to
finance the Government’s massive deficit-driven borrowing.

In 1993, the Omnibus Budget Reconciliation Act was signed. Its deficit reduction was to cut the deficit in half as a
percentage of the economy in 5 years. That goal was met in only three years. The 1997 Balanced Budget Act
proposed to eliminate the federal deficit by fiscal 2002. In fact, it reached its goal 4 years ahead of schedule,
producing the first budget surplus ($69 billion) in 1998.

Unified Federal Budget Surpluses and Deficits

DollarsinBilions
600
400
200
0
-200
-400
81 87 93 99 5 8
Years

We can now look back with pride at our progress and ahead with confidence as we consider the success of our fiscal
discipline and the opportunity to build upon it. Today we have lower interest rates, a higher level of investment, and
unprecedented prosperity. Our economy has added more than 20 million new jobs. The unemployment rate is the
lowest in 30 years; the welfare rolls are down by more than 50% since 1993; the core inflation is the lowest in 35
years; and more Americans own their homes than at any time in our history. Strong economic growth and passage of
deficit reduction programs placed the budget on its path toward surplus.

2
It should be noted that the calculations of the U.S. unified budget surplus includes social insurance and similar
revenues
21SEITE
Financial Condition

47. In describing the government entity’s financial condition in the MD&A, it may be useful to
discuss how it is influenced by conditions and institutions both inside and outside of the
control of the government entity. In some cases, it may be appropriate to adjust financial data
for the impact of inflation to provide meaningful information and comparisons.

48. For government-wide reporting, the MD&A could discuss the government’s financial
condition in terms of various indicators such as sustainability, flexibility, and vulnerability.
These indicators are discussed and defined in a research report prepared by the Canadian
Institute of Chartered Accountants titled Indicators of Government Financial Condition3.
Due to their nature, these types of indicators may apply more to national governments than to
their subdivisions. However, where appropriate, government departments may find these
concepts appropriate for discussion, especially, for example where dedicated revenues or
debt exist.

49. Sustainability is defined by the report as the degree to which a government can maintain
existing programs and meet existing creditor requirements without increasing the burden on
the economy. The primary indicator of a government’s sustainability is the ratio of its net
debt (liabilities minus financial assets) to its gross domestic product (GDP). The following
example modified from the Canadian research report illustrates the movement of the Debt-to-
GDP ratio for the Canadian government:

Net Public Debt as a % of GDP

Percent
80
72
70
63
60
53 53
50 48 49

40
30 32
30

20

10

0
80-81 82-83 84-85 86-87 88-89 90-91 92-93 94-95
Fiscal Year

3
Research Report of the Canadian Institute of Chartered Accountants, Canada, 1997.
22SEITE
50. Flexibility is defined by the Canadian research report as the degree to which a government
can increase its financial resources to respond to rising commitments by either expanding its
revenues or increasing its debt burden. One way to look at a government’s flexibility is to
show debt charges as a percent of total revenue over a period of years. The following
example, derived from the Canadian research report, shows public debt charges as a percent
of total revenues over a period of time for the Canadian government.

Public Debt Charges as a Percent of

Total Revenues “Interest Bite”
Percent
35
33 33

30 28 28
27 27

25 23 24

20

15

10

0
80-81 82-83 84-85 86-87 88-89 90-91 92-93 94-95
Fiscal Year

51. Vulnerability is defined in the Canadian research report as the degree to which a government
becomes dependent, and therefore vulnerable, to sources of funding outside of its control or
influence, both domestically and internationally. One way of portraying this type of
vulnerability is to compare foreign government debt as a percent of total government debt
over a period of years.

23SEITE
52. The following example of foreign debt as a percent of the total government debt is derived
from the Canadian research report. The chart shows that foreign holdings of Canadian
government debt increased significantly. This increases vulnerability to outside economic
pressures.

Foreign Held Government Debt

As a Percentage of Government Debt
Percent
20
18
18 17 19 19

16 15
14 13

12 11 11
10
8

2
0
80-81 82-83 84-85 86-87 88-89 90-91 92-93 94-95
Fiscal Year

53. In addition, the composition of debt (short, medium, or long term) as well as the ability to
modify its terms affects the vulnerability of the government entity to outside factors such as
changes in domestic or international interest rates.

54. Other indicators of financial condition could include current assets compared to current
liabilities (a liquidity indicator) and net revenue compared to debt service requirements.

24SEITE
Sources Of Financing – Taxes and Other Receipts

55. The MD&A may also include information about how the government entity has financed and
expects to finance its activities. Government financing includes the external sources of the
entity’s funding such as taxes and other receipts, debt financing, and the sale of government
assets, which may be used to finance deficits. Financing data in the MD&A should not
merely duplicate data in the financial statements, but rather should also include an analysis
and discussion of the changes in financing sources from year-to-year and other information
that would provide insight on financing activities. The U.S. Department of the Interior’s 1998
Financial Report describes its financing as follows:

U.S. Department of the Interior

1998 Financial Report
Revenues

In general, Interior’s missions are intended to be funded by general government funds derived from
tax receipts and other sources. However, an increasing number of Departmental activities are being
supported by other fees and collections.

Federal government revenue is either classified as Exchange Revenue or Non-exchange Revenue.

Exchange Revenue occurs when both parties to the transaction receive value (e.g., the government
sells maps to the public for a price).

Interior’s revenues from the public derive from sales of hydroelectric power, entrance fees at parks
and wildlife refuges, sales of maps, and other products and services directly related to the operating
responsibilities of the Department. (See figure below) Approximately $853 million of revenues
were collected from the public and were either retained in the Department after congressional
appropriation to further Interior’s mission, or were returned to the General Fund of the Treasury.
This represents a 25% decrease over the prior year. These revenues offset the taxpayer investments
in the Department. In addition, Interior earned $721 million from other Federal agencies, mostly
resulting from cross-servicing agreements or reimbursable services to other agencies. These efforts
help reduce the total cost of government operations by sharing expertise among agencies.

Exchange Revenue

Dollars in billions 1998 1997 %

Change
Revenue from Sale of Goods and Services to the Public $ .85 $ 1.13 -24.8
Revenue From Sale of goods and Services to Federal $ .72 $ .67 7.5%
Agencies
Other Revenue $ .32 $ .55 -41.8%

In addition, during 1998, the Department collected over $5.9 billion in revenue from outer
Continental Shelf and onshore oil, gas, and mineral lease sales and royalties, making Interior one of
the largest collectors of revenue in the Federal government. This was a decrease of $335 million
from the prior year. These receipts are presented on the Department’s Statement of Custodial
Activity since these collections are revenue of the government as a whole rather than of the
Department. These revenues are distributed primarily to Federal and State treasuries, Indian Tribes
and allottees, the Land and Water Conservation Fund, and the Historic Preservation Fund.

25SEITE
56. A presentation of historical and forecast data by financing source over several years provides
significantly more information than that included in the financial statements themselves. The
inclusion of forecast data along with a discussion of the economic outlook assumptions that
affect government entity financing provides financial statement users a perspective about
future financing sources and the basis for the forecasted amounts.

57. The following example of reported and forecasted financing sources, along with a related
discussion and analysis, was prepared at the government-wide level from summarized
information published in the 1999 U.S. Financial Report and the 2000 President’s Budgets.

U.S. 1998 Financial Report

US
($ in billions)
cial Report
Governmental Receipts are Growing

Governmental receipts in 1998 increased significantly from 1997 and, based on current assumptions,
are expected to continue to increase in the future as shown in the following table:

Source of receipts 1997 1998 1999 2000 2001 2002 2003 2004
Actual Actual
Individual income taxes 737.5 828.6 868.9 899.7 912.5 942.8 970.7 1017.7
Corporation income taxes 182.3 188.7 182.2 189.4 196.6 203.4 212.3 221.5
Social insurance/retirement 539.4 571.8 608.8 636.5 660.3 686.3 712.0 739.2
Excise taxes 56.9 57.7 68.1 69.9 70.8 72.3 73.8 75.4
Estate and gift taxes 19.8 24.1 25.9 27.0 28.4 30.5 31.6 33.9
Customs duties 17.9 18.3 17.7 18.4 20.0 21.4 23.0 24.9
Other receipts 25.5 32.7 34.7 42.1 44.9 50.3 51.7 53.0
Total receipts 1579.3 1721.8 1806.3 1883.0 1933.3 2007.1 2075.0 2165.5

1997 versus 1998 - The expanding economy during 1998 brought a surge in tax revenue. Receipts
increased from 1997 by 9.0% to $1,722 billion, faster than gains over the previous several years.
Growth was led by a more than 12% increase in individual income tax payments, reflecting rapid job
and income growth as well as high levels of capital gains from the rising stock market. That increase
was more than enough to offset a slowdown in corporate income tax receipts, which grew by 3 _% in
1998 compared with a 6% increase in 1997. Corporate profits weakened in 1998 primarily due to the
impact of the global situation on earnings, particularly on manufacturing firms.

Estimated receipts - Total receipts in 2000 are estimated to be $1.883 billion, an increase of $76.7 billion or 4.2%
above 1999. This increase is largely due to assumed increases in incomes resulting from both real economic
growth and inflation. Receipts are projected to grow at an average annual rate of 3.6% between 2000 and 2004.
As a share of gross domestic product, receipts are projected to decline from 20.6% in 1999 to 20.0 percent in
2004. In addition, several new laws were enacted in 1999 that will have a future effect on governmental receipts.

58. The MD&A may also provide information about the major economic assumptions used to
prepare revenue (and expense) forecasts. For example, the United States year 2000
President’s Budget provides detailed tables as well as discussions and analyses about future
assumptions for gross domestic product, corporate profits, wages and salaries, the consumer
price index, and unemployment and interest rates, among others. At a summary level, such
information may be appropriate to include in the MD&A. This provides forward-looking
information to the user as discussed later in Section 2, paragraphs 91 – 95.

26SEITE
Financing Provided By Debt and Related Debt Management Activities

59. A discussion of an organization’s debt and debt management can be presented in various
ways in the MD&A. One way is to show what the debt is comprised of and the effect
changing the amount of debt has or would have on the organization. The following graphs
from the 1997 annual report of the United States Postal Service show the relationship of
outstanding debt to interest.

Debt Outstanding at Year End

Dollars
12,000

10,000
When we reduce our debt...
8,000

6,000

4,000

2,000

0
1993 1994 1995 1996 1997
Year of Federal Financing Bank Debt and Mortgage Notes
Payable

Interest Expense on Borrowing

Dollars
700

600
…we save money
500

400

300

200

100

0
1993 1994 1995 1996 1997
Years

27SEITE
60. Another way to describe an organization’s debt and debt management is a discussion of debt
activity during the year including information on borrowings made and debt retired during
the year. The State of Texas fiscal year 1998 annual report discussed its debt activity as
follows:

State of Texas
Fiscal Year 1998 Annual Report

During fiscal year 1998, Texas’ state agencies and universities issued $2.5 billion in state bonds to
finance new construction, housing, water conservation and treatment, and other projects. General
obligation debt accounted for $1.2 billion of the state bonds. The remaining $1.3 is due to new issuances
of revenue bonds. Bonds retired were composed of $224.5 million in general obligation bonds and $1.1
billion in revenue bonds during the year. There were also $887.5 million in general obligation bonds and
$410.5 million in revenue bonds that were refunded.

61. Debt may also be described in the context of its purpose. For example, borrowings made to
finance current expenditures may require a discussion about whether or not the condition is
due to temporary economic conditions, or longer-term structural financing factors. The latter
situation, in particular, may have significant implications about the ability of the government
to maintain its programs or continue as a going concern.

Performance Information

62. Performance information helps the users of government accountability reports understand
the effects or outcomes of the entity’s activities. Performance information also helps readers
determine related outputs and costs, and whether expected or targeted results were achieved.

63. The MD&A for a government entity should summarize the most important indicators of
performance for that entity. This might involve incorporating a summary of more extensive
information provided in separate, more detailed performance reports.

64. Government performance reports, and the information summarized in MD&As, are most
useful if they, at a minimum, contain information that:4
- focuses on results and achievements
- is presented in the context of expectations
relates costs to results.

4
In discussing the measurement and reporting of government performance, it should be noted that, while concepts
and techniques are relatively well advanced at the departmental level, this is not yet the case at the government-wide
level. There are relatively few examples of government-wide performance information, although some governments
are experimenting with various approaches. Part of the conceptual difficulty is that, unlike financial information,
performance information at detailed levels generally does not roll-up easily to more summary levels.
28SEITE
65. A graphic representation of the performance measurement process that was taken from the
Canadian Research Study, might look as follows:

Costing and Performance Measurement

Process

Resources
(inputs)

Objectives Activities Services Outcomes

(outputs) (outputs)

Costing of Services Process

66. Most governments should be able to provide basic performance information in published
accountability reports, and to refine and broaden that information over time. Initially
information about inputs and activities might be provided; related outputs, costs, and
eventually outcomes and/or reasons why outcomes did not achieve the objectives could be
added later.

Focus on Results and Achievements

67. Historically, performance information for government entities has concentrated on resource
inputs, activities and processes rather than on actual results or achievements. Recently, the
focus has broadened to also incorporate results and achievements, expressed in terms of
outputs and occasionally outcomes.

68. Outputs are the goods and services delivered to achieve desired outcomes, and are often more
readily identifiable and measurable than outcomes. However, by themselves, outputs are not
a wholly satisfactory measure of the achievement of objectives. Aspects related to outputs
that may be measured and reported include cost, efficiency, quality, and client satisfaction.

29SEITE
69. The New Zealand Department of Corrections’ Annual Report contains a number of output
performance standards that are measured. The following illustration, extracted from that
report, measures various performance standards for clinical treatment services:

New Zealand Department of Corrections

Annual Report 1997/1998

Output – Clinical Treatment Services – Public Prisons

Performance Standard Budget Actual Variance

The projected number of psychological 19,000 18,619 -381
consultation hours (-2%)
The projected number of psychological 1,700 1,481 -219
reports (-12.9%)

Psychological treatment arising from

consultations provided to the standards
stated in the Psychological Services
Manual 95% 96.9% 1.9%
Psychological reports provided to the
standards stated in the Psychological
Services Manual 95% 92.5% -2.5%

Comment: Performance measures for Clinical Treatment Services were introduced for
the first time in the 1997/1998 financial year. The provision of these services is demand
driven, and the initial forecasts did not match the level of demand. As a result, the
forecasts have been revised for the 1998/1999 financial year.

70. Outcomes are the measurable consequences of a government policy, program or initiative.
While at times outcomes can be easy or inexpensive to measure, at other times they can be
difficult or costly to measure. As outcomes may result from multiple factors, in order for a
specific outcome to be a valid measure of performance, causal relationships should be
demonstrated, when possible. In some circumstances, it may be appropriate to measure
outputs against output objectives in the short run when outcomes cannot be directly
measured. Also, as outcomes are often delayed or long-term, they likely need to be reported
over a longer period than outputs.

30SEITE
71. The following example, summarized from the Swedish Rescue Services Agency 1997
Annual Report, describes the objective of a program and a graph of accomplishments to date
in terms of outputs. The accomplishments discussion detail was omitted for the purposes of
this example.

The Swedish Rescue Services Agency

1997 Annual Report

Objective
The Swedish Rescue Services Agency shall ensure that shelters are built for residents and people involved in
essential civil total defence activities within areas that are particularly exposed to risk so that the intentions in the
1996 total defence resolution can be realised.

Accomplishments to Date

Number of shelter places prepared in conjunction with new,

extended and reconstructed facilities, by county.
Number of places
8,000

7,000

6,000

5,000

4,000

3,000

2,000

1,000

0
AB C D E F G H I K M N O P R S T U W X Y Z ACB D
Counties

31SEITE
72. The Swedish Rescue Services Agency example also graphically compares numbers of new
shelter places and unmet shortages for four years, as well as the cost per shelter space.

The Swedish Rescue Services Agency

1997 Annual Report

Total number of shelter places prepared in conjunction with

new extended and reconstructed facilities and shelters concerning
the shortage of places and large shelters.
Places

80,000

70,000

60,000

50,000

40,000

30,000

20,000

10,000

0 Year

93/94 94/95 95/96 1997

New Shortage/LS

Costs (Swedish Kroner) per shelter place in conjunction with new,

extended and reconstructed facilities including shelters concerning
the shortage of places and large shelters.

SEK/place
14,000.00

12,000.00

10,000.00

8,000.00

6,000.00

4,000.00

2,000.00

0.00
Year
93/94 94/95 96/97 1997

New Shortage/LS

32SEITE
73. In another example, the Corporation of Social Security of the Kingdom of Jordan shows its
progress towards one of its mission statement objectives, “establishing a saving mechanism
to contribute to the financing of the investment projects in Jordan, and achieving higher
growth rates that improve the standards of living at all levels of the society.” The following
table shows the investment in projects by the corporation as a percent of GDP.

The Corporation of Social Security of the Kingdom of Jordan

The Contributions In Jordan’s Economy For Years 1995 Through 1999.

Year 1995 1996 1997 1998 1999

Investment rate to
16.3% 18.29% 19.98% 20.89% 24%
(GDP)

Present in the Context of Expectations

74. An important aspect of assessing performance is being able to compare achievements to

expectations. Knowing the intentions, or plans, of government entities is a critical part of the
accountability cycle. It provides users of accountability reports with a basis for assessing the
results subsequently achieved. Readers of the report should be informed, therefore, about
both planned and actual performance. Expectations however may not necessarily be set by
the government entity itself. They may be set by, or at least in conjunction with, the
legislative process that provides the entity with the resources it needs to operate.

75. In addition to reporting actual performance results, government entities should provide
explanations for significant performance variances, as well as information on what action is
being taken when performance has not met expectations.

33SEITE
76. An example of reporting performance targets and results in narrative and table form was
summarized from the MD&A of the Canadian 1998 Export Development Corporation (EDC)
annual report.
Export Development Corporation (EDC) (Canada)
1998 Financial Report

EDC’s corporate objectives of doing more business with more customers and taking on more risk on behalf of
those customers, in a financially sound manner, are tracked by way of a number of performance measures.

Customers Served – The number of companies benefiting directly or indirectly from EDC services increased by
13%, short of the Corporation’s target of 16.5%. EDC did not meet the target in part because a new telemarketing
campaign, introduced in 1998, did not generate the expected number of new customers. Of the customers served,
88% were small – and medium-sized enterprises, a priority customer segment for EDC. In 1999, EDC’s strategic
focus will be to increase the awareness of the Corporation’s services among Canadian companies, which should
serve to increase EDC’s customer base.

1999 Target 1998 Actual 1998 Target 1997 Actual

Customers served 5,100 4,183 4,325 3,711

Business Volume – A measure of the Corporation’s success in meeting the financial needs of its customers is the
volume of business concluded during the year. The volume supported under each of the Corporation’s programs
increased in 1998, for a total increase of 21% over 1997 and 6% over the 1998 target. Included in the volume for
1998 was $8.9 billion in higher risk markets. This met the 1998 target and was a 14% increase over the 1997
higher risk market volume. As a result of the current economic turmoil and uncertainty in the markets, EDC is
projecting a more modest overall increase of 6% in business volume for 1999, of which $8.5 billion is expected to
be in the higher risk markets.

($ in billion) 1999 Target 1998 Actual 1998 Target 1997 Actual

Short-term 26.0 24.0 23.3 20.3
Medium- and long- 11.0 10.8 9.4 8.3
term
Total $37.0 $34.8 $32.7 $28.6

34SEITE
77. In addition, the following example from the 1998 U.S. Department of Interior Accountability
Report shows how it links mission goals, performance goals, and performance measures:

U.S. Department of the Interior

1988 Accountability Report
Bureau of Land Management (BLM)

Performance Goals and Measures

BLM Mission Goal: By 1999, 250,000 acres of vegetation communities are improved through
the use of wildland and prescribed fire and other land treatment tools.

BLM Performance Measure: Acres of vegetation communities improved.

AcresofVegetationCommunitiesImproved

Number
300,000
250,000
250,000
200,647
200,000

150,000

100,000
62,680

50,000

0
1997 1998 Planned1999
Years

Relate Costs to Results

78. Efficiency and effectiveness are important elements of performance measurement, and
measuring cost is an integral part of assessing the efficiency of programs.

79. Cost information is important in order to help accountability report users understand whether
entities are achieving results at reasonable cost. Many government entities, while they report
performance information on a regular basis, do not yet have the capability to link
performance to the related cost information. As better cost accounting capabilities are
developed, this linkage will become easier to achieve.

35SEITE
80. As shown in the following example, the use of planned versus actual cost information helps
show how efficiently an organization is meeting its program goals and managing its
resources:

Department of the Treasury (U.S.)

Bureau of Engraving and Printing
FY 1998 Accountability Report

Goal: Improve the efficiency of production operations

The following program performance measure, which reflects the efficiency of organizational
performance, is used to monitor progress towards established goals:

Manufacturing Cost for Currency (per 1,000 notes)

Dollars
30

23.8 24.34
25
20.03
20 18.65

15

10

0
1996 Actual 1997 Actual 1998 Planned 1998 Actual
Fiscal Years

Currency spoilage was higher than planned in 1998 as a result of higher than anticipated rejection rates
during the transition to new electronic inspection equipment. This higher spoilage as well as
unanticipated wage increases resulting from the resolution of wage negotiations contributed to
manufacturing costs being higher than planned.

36SEITE
Governance Information

81. The MD&A may also include governance information to help provide a context for the
financial and performance information included in other sections of the MD&A55. Examples
of the types of governance information that could be included are:
- a high-level discussion of the entity’s systems and controls
- a reporting of and discussion about compliance with laws and regulations (often
presented on an exception basis)
- a comparison and discussion of budgeted to actual amounts.

82. The MD&A should be clear about the sources of the information presented. For example,
governance information may include findings from an audit report as well as actions
undertaken by management to correct deficiencies. However, the presentation should clearly
distinguish the audit finding from the related management discussion.

Systems and Controls

83. An MD&A section on systems and controls could discuss internal accounting and
administrative controls, sometimes referred to as management controls, and whether they are
adequate to ensure that:
- assets are properly acquired and safeguarded to deter theft, accidental loss or
unauthorized disposition and fraud,
- transactions are executed in accordance with budgetary and financial laws and other
requirements, consistent with authorized purposes, and recorded in accordance with
recognized accounting standards, and
- performance information is based on reliable data.

84. A Government entity’s ability to prepare auditable financial statements and other reliable
management reports from the entity’s books and records is a positive signal about the finance
related systems and controls of that entity. To convey this message, the MD&A could
include information such as a summary of audit reports on controls (and reported
weaknesses) and compliance, and the corrective actions taken or planned pursuant to legal
requirements.

5
Although the inclusion of governance information in the MD&A is not a universal practice, it does help provide
accountability report users additional insight about the context of the discussion of the financial and performance
information presented.

37SEITE
85. The following systems and controls discussion from the Fiscal Year 1999 SSA
Accountability Report includes a control certification by the SSA Commissioner as well as
comments about a control audit finding.

Social Security Administration (U.S.)

Systems and Controls
FMFIA Assurance Statement Fiscal Year 1999

On the basis of SSA’s comprehensive management control program, I am pleased to certify, with reasonable
assurance, that SSA’s systems of accounting and internal control are in compliance with the internal control
objectives in OMB’s Bulletin Number 98-08, as amended. I also believe these same systems of accounting and
internal controls provide reasonable assurance that the Agency is in compliance with the provisions of the
Federal Managers’ Financial Integrity Act.

Kenneth S. Apfel, Commissioner of Social Security

Finding 1, SSA Needs to Further Strengthen Controls to Protect Its Information

In the audit report for FY 1998, the contractor noted that SSA made significant progress in strengthening
controls to protect its information in the automated mainframe environment and recommended additional
attention to the distributive environment. SSA completely or partially addressed 15 of the 26 recommendations
in this finding and continues work on the remainder.

In the audit report for FY 1999, the auditor stated that SSA continued to make “notable” progress in addressing
the information protection issues raised in prior years, but the information control structure needs improvement.
Since many of the recommendations in the FY 1999 report are variations of recommendations in the auditor’s
previous audit reports, SSA has been addressing those issues on an ongoing basis and will continue to work on
them until completed.

38SEITE
Compliance with Legal Requirements

86. Compliance reporting provides management an opportunity to comment on the government

entity’s compliance with (1) its legal authority to spend, borrow, and raise revenues, and (2)
related laws and regulations. For example, in many countries legislatures may have decided
that certain taxes paid by citizens are to be used only for specified purposes. A failure to
comply with such a restriction may require an explanation by the government’s management.

87. Compliance reporting in the MD&A is often only reported on an exception basis. This
means that authority, such as specific uses of appropriations, that has been used according to
legal requirements need not be mentioned specifically. However, exceptions to compliance
with legal requirements should be reported in the MD&A when specified limits have been
exceeded, or where a material violation of rules has occurred. Exception descriptions could
include narrative explanations of the individual authorities granted and reasons for significant
differences with the authorities.

88. In addition, compliance reporting in the MD&A may be restricted to those laws and
regulations that are applicable to financial matters. In some governments, the reporting of
legal compliance with budget restriction laws as well as other regulations and conditions may
be required by law, which may result in extensive legal compliance reporting.

39SEITE
Budget to Actual Comparisons

89. The MD&A may include a comparative analysis of the reporting entity’s actual results with
related budget projections. Such analyses may be presented in terms of revenue in total and
by source, expenditures in total and by program or function, and the overall surplus or deficit.
A narrative could be used to explain any significant differences between budget and actual
amounts. However, if budget comparisons are presented in the financial information part of
the MD&A, they typically would not be repeated again.

90. The following example of a comparison of budget and actual revenue and cost is summarized
and taken from the New Zealand Department of Corrections’ Annual Report for 1997/1998.
This is one of eight cost classes for which such comparisons were made.

New Zealand Department of Corrections

Annual Report 1997/1998

This class of outputs contributes to the Government’s objectives in the area of safe communities through
the provision of rehabilitative programmes including the provision of clinical treatment services to Public
Prisons.

Output Statement: Rehabilitative Programmes for the year ended 30 June 1998

Actual $000 Budget $000 Variance $000

Revenue:
Crown 35,570 35,570 0
Other 14,404 13,018 1,386
Total revenue 49,974 48,588 1,386
Total expenses 48,411 48,588 177
Net Surplus/(deficit) 1,563 0 1,563

40SEITE
Forward-Looking Information

91. To help users forecast the effects of the government’s activities, the MD&A should also
include forward-looking information on the current status of, and possible future effects of,
currently-known demands, risks, events, conditions, and trends. For example, discussions
about the future effects of programs such as social insurance and government loan guarantees
– including such factors as trends, risks, and assumptions, would provide users with a basis
for understanding significant uncertainties related to these programs in the future.
Information related to these factors may include both descriptions of the existing conditions,
such as demographic characteristics, as well as expected future conditions.

92. In many cases, forward-looking information may be integrated with other MD&A
information. For example, a discussion about historical costs in the financial highlights
section of the MD&A could also include forecasted future costs. Such information would
typically not be repeated in this section.

93. Forward looking information may also include information about, and the sources of major
economic and other assumptions used to prepare any forecasts presented.

94. The following example from the 1998 U.S. Social Security Trust Fund’s Accountability
Report depicts in both narrative and graphic terms a future condition that may be
encountered:

U.S. Social Security Administration

Trust Fund Balances

While the Social Security trust funds are currently building large reserves, long-range projections are that in the
year 2013, Social Security benefit payments will begin to exceed tax collections and that by 2032, the trust funds
will be exhausted. If these projections hold true, income to the system in 2032 will only be enough to meet _ of
benefit obligations—if nothing is done.

Social Security Trust Fund will be Exhausted in Fiscal Year 2032

($ trillions)

4
In 2013, benefit payments will
3.5
begin to exceed tax
3 collections.
2.5
After 2032, only about 3/4 of
2 benefits would continue to be
1.5 paid based on incoming
revenues.
1
0.5
0
2000

2005

2010

2015

2020

2025

2030

2032
1998

41SEITE
95. Generally, if there is a reasonable prospect of a major effect on the reporting entity from any
anticipated future condition, this information may be appropriate to discuss in the MD&A.

42SEITE
Attachment 1 Attachment 1

Sources for Additional Information and Examples of Governmental Reports Including

MD&As

Australia

1. The Commonwealth Government Entry Point

www.fed.gov.au

2. Australian Department of Finance & Administration Publications

www.dofa.gov.au/scripts/pubs.asp

3. Australian Department of Finance & Administration Annual Report 1998-99

www.dofa.gov.au/scripts/annual_report98-99.asp

Canada

1. Departmental Performance Reports for the period ending March 31, 1999

www.tbs-sct.gc.ca/rma/dpr/98-9899dpre.html

2. 1997-1998 Part III – Departmental Performance Reports

www.tbs-sct.gc.ca/tb/estimate/p3b9798e.html

3. Public Accounts of Canada for 1999

www.pwgsc.gc.ca/text/pubacc-e.html

4. Treasury Board of Canada Secretariat – Reports and Estimates

www.tbs-sct.gc.ca/repsproj_e.html

43SEITE
Japan

1. The Organization Of Japanese Central Government (links to Japanese government offices)

http://www.kantei.go.jp/foreign/server-e.html

2. Audit Report (Board of Audit : the Supreme Audit Institute of Japan)

http://www.jbaudit.go.jp/engl/engl1/index.htm
(http://www.jbaudit.go.jp/engl/index.htm)

3. The Japanese Budget In Brief 2000 (Ministry of Finance)

http://www.mof.go.jp/english/budget/brief/2000/brief01.htm
(http://www.mof.go.jp/english/index.htm)

4. Central Government Reform of Japan in 2001

http://www.kantei.go.jp/foreign/central_government/index.html

5. Annual Review 2000 of Bank of Japan (Central Bank)

http://www.boj.or.jp/en/seisaku/01/seisak_f.htm
(http://www.boj.or.jp/en/index.htm)

6. Administrative Evaluation and Inspection

http://www.sumu.go.jp/kansatu/index.htm (Japanese only)

United States of America

1. Federal Accounting Standards Advisory Board – Statement of Federal Accounting Concepts

(SFFAC) and Standards (SFFAS)
SFFAC 3 – Management’s Discussion and Analysis – concepts
SFFAS 15 – Management’s Discussion and Analysis – standard
www.financenet.gov/financenet/fed/fasab/concepts.htm

2. U.S. General Accounting Office

http://www.gao.gov/acreport.pdf

44SEITE
3. Government-wide Financial Report

http://www.fms.treas.gov/cfs

4. Department of Agriculture Financial Statements

http://www.usda.gov/oig/auditrpt/50401-30-FM.pdf

5. Department of Commerce Financial Statements

http://www.oig.doc.gov/reports/1999-3/1999-3-10899-01.pdf

6. Department of Energy Accountability Report index

http://www.cfo.doe.gov/ficor/index.htm

7. Health and Human Services Accountability Report index

http://www.hhs.gov/of/reports/account

8. Housing and Urban Development Accountability Report

http://www.hud.gov/cfo/cfoacct.html

9. Department of Interior Accountability Report index

http://www.doi.gov/pfm/deptrept.html

10. Department of Labor Accountability Report index

http://www.dol.gov/dol/ocfo/public/publications/main.htm

11. National Aeronautics and Space Administration Accountability Report

http://ifmp.nasa.gov/codeb/about/excellence.htm

12. Nuclear Regulatory Commission Accountability Report

http://www.nrc.gov/NRC/planning.html

13. Social Security Administration Accountability Report index

http://www.ssa.gov/finance/finance_intro.html

45SEITE
14. Department of Treasury Accountability Report

http://www.ustreas.gov/tcfoc/finrep.htm

15. Tennessee Valley Authority Annual Report

http://www.tva.gov/finance/reports/annualreport_99/index.htm

16. Veterans Administration Accountability Report index

http://www.va.gov/cfo/pubs.htm

46SEITE
Attachment 2 Attachment 2

Illustrative Accountability Report

Table of Contents
Pages
A Message from the Chief Operating Officer

A Message from the Chief Financial Officer

Management Discussion & Analysis

Mission and Organization Structure Information

Mission
Major Programs, Functions and Activities
Organization Structure
Operating Environment

Financial Information
Financial Highlights
Financial Condition
Sources of Financing – Taxes and Other Receipts
Financing Provided by Debt and Debt Management

Performance Information
Results and Achievements
Expectations
Costs versus Results

Governance Information
Systems and Controls
Compliance with Legal Requirements
Budget to Actual Comparison

Forward Looking Information61

Independent Auditor’s Report27

Financial Statements

Compliance Information83

Performance Information

6
A separate Forward Looking Information section may not be necessary. Instead, such information may be more
meaningful if it is incorporated with other appropriate sections.
7
The Independent Auditor’s Report may include separate sections for different types of reporting. For example, in
addition to financial reporting, other sections may report on compliance and controls.
8
As illustrated in the Accounting Standards Framework Implementation Guide for SAIs, management may prepare
a separate report on Compliance Information. Management’s compliance information typically might include
budget to actual comparisons to demonstrate whether or not compliance with authorized amounts was achieved.
47SEITE
INTOSAI GOV 9230
The International Standards of Supreme Audit Institutions, ISSAI, are
issued by the International Organization of Supreme Audit Institutions,
INTOSAI. For more information visit www.issai.org

INTOSAI Guidance on
Definition and
Disclosure
of Public Debt
 I NT OS AI P r ofe ss i o n a l S t an d ar ds Co m mi t te e
PSC-Secretariat
Rigsrevisionen • Landgreven 4 • P.O. Box 9009 • 1022 Copenhagen K • Denmark
Tel.:+45 3392 8400 • Fax:+45 3311 0415 •E-mail: [email protected]

INTOSAI

EXPERIENTIA MUTUA
EXPERIENTIA MUTUA

OMNIBUS PRODEST
OMNIBUS
PRODEST

INTOSAI General Secretariat - RECHNUNGSHOF

(Austrian Court of Audit)
DAMPFSCHIFFSTRASSE 2
A-1033 VIENNA
AUSTRIA
Tel.: ++43 (1) 711 71 • Fax: ++43 (1) 718 09 69

E-MAIL: [email protected];
WORLD WIDE WEB: http://www.intosai.org
 INDEX

FOREWORD

PART I: INTRODUCTION

PART II: THE ROLE OF THE SAI AND RELATED CONTEXT

PART III: GENERAL GUIDANCE ON DEFINITION

PART IV: GENERAL GUIDANCE ON DISCLOSURE

PART V: THE MEDIUM FOR DISCLOSURE

APPENDIX A

PUBLIC DEBT COMMITTEE

3
FOREWORD

Public debt has always been a useful source of funds for financing the economic and social
development of nations. Governments have often resorted to borrowing to finance budget deficits
and large infrastructure projects. It as also been used to balance external accounts and as an
instrument for monetary policy. Increasingly however, public debt has been seen as a real threat to
the economic stability of growing number of countries.

This threat has ben recognised by SAIs but for most of us the audit of public debt is still a new area
of interest and there is a perceived need for guidance and the development of methodology and
techniques. In response, the Governing Board of INTOSAI established in 1991 a Public Debt
Committee to develop guidelines which could be used by SAIs to encourage the proper reporting
and sound management of public debt. The Committee comprises representatives from the SAIs of
Argentina, Canada, Portugal, the United Kingdom and the United States and is chaired by Mexico.
The Committee also counts on the support of the SAIs of Chile, Finland, Gabon, Jordan, Korea, and
Sweden.

This current Guidance on Definition and Disclosure of Public Debt was approved by the General
Assembly of INTOSAI at its Congress in Cairo in 1995. The Public Debt Committee hopes that
these first results of its work will contribute towards a better understanding of this complex aspect
of public finance. Because of the diversity of the political and administrative structures in which the
SAIs of INTOSAI operate, the guidance has been drawn up in general terms wich nevertheless the
Committee hopes SAIs will find informative and update the Committee will continue to revise and
update the guidance from time to take account of new ideas and experiences.

Finally I should like to thank my colleagues on the Committe for their ethusiasm and dedication
which made possible this first contribution to the work of our Organization.

JAVIER CASTILLO AYALA

Contador Mayor de Hacienda
de Mexico and Chairman of the Public Debt Committee.

4
PART I: INTRODUCTION

1. Background

The Governing Board of INTOSAI established the Public Debt Committee with the following
general objectives:

"To publish guidelines and other informational materials for use by Supreme Audit Institutions to
encourage the proper reporting and sound management of public debt."

The Committee’s first task was to produce and issue to all Supreme Audit Institutions (SAIs) a
questionnaire designed to obtain information about the following public debt issues:

Definition
Planning
Management and Control
Measurement
Disclosure

The Committee analyzed responses to the questionnaire and prepared an Interim Report which
summarized the questionnaire findings and offered preliminary conclusions. The report was
distributed to all SAIs in April 1994.

The Committee believes that adoption of an appropriate definition is a pre-requisite for the study of
any aspect of public debt. The choice of definition depends, at least to some extent, on the context
within which it is used. Accordingly, this document considers together the related matters of
definition and disclosure of public debt.

The current document provides more detailed guidance to SAIs on two of the issues included in the
questionnaire and related Interim Report, namely definition of public debt and disclosure of public
debt.

Additional guidance to SAIs on other aspects of public debt will be developed and issued separately
in future years.

2. Other Studies Consulted

In considering these two matters, the Committee has taken into account work already done by the
INTOSAI committees on internal controls, accounting standards, and auditing standards. The
Committee has also consulted a number of international organizations with an interest in public
debt matters, including the World Bank, the Inter-American Development Bank, the Organization
for Economic Cooperation and Development (OECD), the United Nations, and the European
Union.

The Committee has also examined the definition of public debt developed and used by the
International Monetary Fund (IMF). This is reproduced in Annex 2 of the Committee’s April 1994
Interim Report.

5
And finally, the Committee has taken into account studies published by the Public Sector
Committee of the International Federation of Accountants. These studies also examine the
definition of public debt, including different ways of recording it which arise from the adoption of
various bases of accounting ranging from modified cash to modified accrual and full accrual.

The conclusions on definition and disclosure of public debt drawn by the Committee from
considering these various sources are presented in the remainder of this document.

Additional guidance to SAIs on other aspects of public debt will be developed and issued separately
in future years.

PART II: THE ROLE OF THE SAI AND RELATED CONTEXT

In an overall sense, the Committee believes that proper reporting and sound management of public
debt are matters of great importance in virtually all countries represented in INTOSAI. In this
respect, the Committee believes that SAIs should do whatever they can, within the limits of their
powers and responsibilities, to encourage the governments they audit to adopt sound and
appropriate definition and disclosure practices for public debt.

The Committee recognizes that the amount of public debt that may be incurred and the purposes for
which related proceeds may be used are generally matters of policy determined through normal
constitutional or policymaking processes within of the country concerned.

In addition, some of the decision taken by governments in raising and managing public debt may
well be based on policy judgments which are not readily distinguishable from purely financial
considerations. In most countries, there is some limitation on the right of the SAI to examine or
question policy judgments, although the nature and extent of the SAI’s powers and responsibilities
in this regard will depend on the political and constitutional circumstances in the country
concerned. SAIs will therefore need to exercise their own judgment when considering the nature
and extent of the examinations that they can undertake and the reports that they can prepare on
public debt matters within their countries.

While the SAI may have no direct part to play in deciding the level of the purpose of public debt,
the SAI may nevertheless have a role in helping to ensure that decisions with respect to public debt
are based on the disclosure to all affected parties of complete and reliable information on the likely
effects of the proposed borrowing.

After funds have been borrowed, the SAI is also likely to have some responsibility for helping to
ensure the publication of complete and reliable information on the government's performance in
raising and subsequent management of public debt.

The examination of matters related to public debt may present SAIs with unique problems due to
the technical complexity of the subject. This may require, for example, the engagement of
individuals with specialized know-ledge or expertise not available presently within all SAIs.
Although outputs of this Committee should assist SAIs, they may nevertheless be required to
provide specialized training to existing staff or perhaps hire additional staff with the necessary new
skills.

6
In summary, there are a number of possible roles for SAIs with respect to the definition and
disclosure of public debt.

Auditing disclosed debt information: As reported in the April 1994 Interim Report on the survey,
most SAIs fulfill this primary role.

Encouraging improvements in disclosure: Where debt disclosure is incomplete, the SAI may
wish to identify additional elements of debt that should be disclosed and actively encourage the
government to make such disclosure.

Commenting on the fiscal and economic implications: In addition, the SAI may undertake
independent analyses of the data disclosed to foster improved management of the debt and
improved understanding of the current and future implications of public commitments.

Additional information with respect to the role of SAIs in examining and reporting on the definition
and disclosure of public debt is set out in Part V of this document that deals with the medium for
disclosure.

The remainder of this document identifies a number of factors that SAIs should consider in making
judgment as to the nature and extent of their examinations and reports on the definitions and
disclosure of public debt. This guidance is in the form of broad principles. These principles do not
prescribe or identify definitions of public debt. Rather, they identify various elements which may
constitute liabilities of public bodies and the circumstances in which it would be appropriate to
disclose them as part of public debt.

Similarly, the guidance provided in this document does not prescribe one basis of accounting or one
type of report to be used for disclosing information about public debt. The Committee recognizes
that information about public debt may be provided through general purpose financial statements,
but also through reports on compliance, performance and individual government departments and
agencies.

The guidance in this document will be update and expanded from time to time as additional works
is carried out by the Public Debt Committee and by other standing committees of INTOSAI.

PART III: GENERAL GUIDANCE ON DEFINITION

As a pure semantic exercise, the definition of public debt may be of little consequence. However,
the use of an appropriate definition in the compilation of the various types of government financial
reports referred to above is of considerable practical importance. The reliability of these reports
depends to a large extent on the soundness of the definitions used in preparing them. The main
requirements for a sound definition include

* precision to avoid doubt or dispute about the inclusion or exclusion of particular elements;

* clarity to make the reports readily understandable by users;

* consistency from year to year, with other financial statistics or accounting records within a
particular country and, where relevant, between countries;

7
* appropriateness for the purpose the criteria for inclusion of particular elements should be based on
their relevance to the objectives that the reports are designed to satisfy;

* comprehensiveness to ensure that all particular elements of debt are brought within the scope of
appropriate approval, planning, management and control procedures.

The primary consideration is that the content of government financial reports be appropriate to the
purpose for which are prepared. Such reports may be prepared and used for a wide variety of
purposes, including those summarized below.

A. Certain reports may assist in the formulation and monitoring of:

* general economic policy, because of the effect of public borrowing on the use of resources;

* monetary policy, because of the effect of public borrowing on the money supply;

* fiscal policy, because of the need to balance the sharing of financial burdens between existing and
future taxpayers, and to ensure that the future cost of servicing and repaying outstanding debt will
be sustainable; and

* exchange rates and balance of payments policies if external public debt is a significant part of a
country’s total external debt, the division of total public debt between domestic and foreign
curreincies between internal and external creditors may influence exchange rate and balance of
payments policies.

B. Other reports may be used for a variety of international purposes. Some may fulfill obligations of
membership in bodies such as the IMF, the Word Bank, the OECD, and the European Union,
and should be compiled in accordance with the rules of the bodies concerned, including
definitions of public debt. Some may demonstrate a country’s credit-worthiness.

C. Of particular importance is the use of government financial reports in the rendering of

accountability such as that of the executive to the legislature for the exercise of borrowing
powers and the use of related proceeds.

D. And various financial reports may be used in the planning and control of a public body’s
borrowing programs.

In summary, the scope of financial reports on public debt and the nature or type of liabilities shown
will vary based on the differing purposes for which the reports are prepared. Different definitions of
public debt will be used for different purposes, and there are many instances of variations in scope
between the resulting types of reports. For example, reports produced for macroeconomic analysis
could well cover the whole of the public sector, whereas the scope of reports used to demonstrate
accountability of particular bodies of public administration might be much narrower. In addition,
the scope of reports might be quite different as between unitary and federal states. All reports
should disclose clearly their intended scope.

8
The Committee has not attempted to develop one or more model definitions of public debt. Rather,
the Committee has identified and defined various elements of public debt which could be
considered for inclusion in various types of reports.

Depending on the purpose for which a financial report is prepared, an appropriate definition of
public debt might include the following:

* Liabilities or other commitments incurred directly by public bodies such as

(a) a central government, or a federal government, depending on the manner of political

organization in the country;

(b) state, provincial, municipal, regional and other local governments or authorities;

(c) owned and controlled public corporations and enterprises; and

(d) other entities that are considered to be of a public or quasipublic nature.

* Liabilities or other commitments incurred by public bodies on behalf of private corporations or

other entities.

The appropriate treatment of borrowings by those central banks that are not considered public
bodies will depend on the precise status of the banks and their relationship with the public sector.

Elements of Debt to Consider

As summarized below, the various elements of liabilities and other commitments incurred by public
bodies or by corporations sponsored by such bodies may be thought of as lying on a spectrum that
extends from direct borrowing thought a range of other financial obligations from trade accounts
payable to various contingencies and commitments. These commitments may or may not be
recorded as liabilities in financial statements. However, they may have a significant effect on future
borrowing needs and, therefore, future demands on the country’s economic resources. These
commitments might include the following:

1. Securities. These include traditional borrowings from creditors, including those within
government, under formal agreements which normally specify the amount borrowed, the interest
rate charged or discount required, the security to be given ( if any), and the period over which
repayment is to be made. For purposes of this document, securities include those executed for the
short, medium and long term.

2. Bank loans

3. Loans from foreign governments or international bodies.

4. Proceeds of public savings schemes. These include amounts on deposit in savings banks operated
by a government and other similar programs.

5. Issues of national currency, notes, and coins. These include banknotes and coins issued by or for
a governments and in circulation.

9
6. Accounts payable for goods and services.

7. Taxation repayable.

8. Liabilities under long-term leases. Leases that extend beyond one year and that may be for either
capital or operating purposes

9. Pension liabilities and health care benefits for public employees.

10. Other benefits provided by public sector entities. These include social commitments that involve
explicit or implicit obligations by a government to pay future claims under a variety of programs.
While they may be difficult to quantify, they are almost always significant and should therefor
be considered, perhaps on a best estimates basis, in any assessment of public sector debt.

11. Guarantees to third parties. These would include, where appropriate, guarantees of borrowing,
both by other public sector bodies and by private or quasipublic bodies, together with guarantees
for a variety of other purposes such as financing for exports and exchange rates.

12. Indemnities.

13. Comfort letters or other forms of legally non-binding assurances.

14. Insurance and reinsurance programs.

15. Other Commitments. These are other obligations arising from existing contracts, agreements or
legislative enactments or regulations that could become actual liabilities upon fulfillment of
specified conditions.

Additional information with respect to the various elements of debt that may be shown under
different bases of accounting is provided in Statement 4 of INTOSAI ‘s Committee on Accounting
Standards.

While each SAI will need to exercise its own judgement on the appropriate content of reports on
public debt produced for particular purposes, those used to assist in the formulation and monitoring
of general economic and fiscal policies should normally cover all relevant items identified above. In
particular , SAIs should be aware that the existence of various contingencies and commitments such
as those described in items 9 through 14 above may well affect the ability of public sector entities to
meet future cash requirements. Such liabilities could derive from moral or social obligations in
addition to those of a strictly legal nature. The appropriate treatment of these liabilities will depend
on their materiality. Additional guidance on contingencies and commitments will be provided by
this Committee in future years.

The valuation of liabilities or other commitments included in any definition of public debt may be
applied to the total debt outstanding or to the net increase or decrease in debt during some period of
time. General guidance on disclosure of public debt is provided in Part IV of this document which
follows.

10
PART IV: GENERAL GUIDANCE ON DISCLOSURE

In an overall sense, regular disclosure of a country's public debt can reveal whether debt levels have
been kept within the country's ability to support them and can help ensure that potential problems
are visible. Moreover, such disclosure may provide the impetus to address potential problems
before they become crises.

One of the most troublesome issues in public debt disclosure is how to make it understandable, and
thus relevant to the reasonably informed and interested, but nonexpert, reader. In considering the
adequacy of disclosure, SAIs should look for and encourage the use of generally accepted ways of
bringing these huge numbers to life for affected taxpayers. There are a number of what might be
called “simple indicators” of a government’s overall financial condition that could be considered in
this regard. For such indicators are summarized below.

The interest bite. This is the percentage of interest costs on borrowed funds to government
revenues. It is somewhat analogous to a percentage frequently used by mortgage lenders in
determining whether or not an individual can afford to carry increased debt.

The expenditure ratio. This is the percentage of total government spending to total government
revenue. If this percentage is consistently greater than 100, the revenue shortfall is likely made up
by additional borrowings which, over time, could lead to financial instability unless corrective
action is taken.

The tax bite. This is the percentage of tax revenues to gross domestic product (GDP). Gross
domestic product is the value of goods and services produced within a country in a year. If the tax
bite increases year after year, it means that more and more of a country’s production is begin
diverted to government and away from reinvestment in the private sector.

Debt to GDP. This is the percentage of a government’s debt to the country’s GDP. If this
percentage increases year after year, it means that debt is growing faster than the economy, which
could lead to burdensome and perhaps unaffordable debt loads. Both the level of the government’s
gross indebtedness and that amount net of borrowing between public entities can be useful
indicators.

Indicators such as those outlined above should help interested individuals understand more clearly
the significance of their government’s debts and how their government compares with other levels
of government within the country and with governments in other countries.

Another useful report to help people understand debt levels and what caused them is a budget-to-
actual scorecard, comparing forecast deficit and debt levels with results achieved.

It would also be useful if the total indebtedness could be analyzed to distinguish between debt
incurred to finance revenue producing capital assets and that incurred to finance current account
deficits; and if the latter could be further analyzed to distinguish between cyclical deficits,
attributable to the national economy operating below normal capacity, and structural deficits,
reflecting a continuing imbalance between expenditure and revenue.

It is appropriate to note that indicators need to be exactly defined when used and their informative
value and limitations explained. And it should be stressed that in any international comparison,

11
indicators may be rooted in different basic concepts which may stand in the way of straightforward
comparison.

Information to Disclosure

In addition to these general considerations, there are also a number of more specific types of
information that SAIs should take into account when reviewing and commenting on the adequacy of
disclosure of public debt. These types of information are summarized below under the categories of
reporting elements used in Part III of this document.

This information should be presented separately for each public body and in aggregated and
consolidated form depending on the purpose of the report within which it is shown. In all cases,
consideration might be given to disclosing both total cumulative public debt as of the end of the
reporting period and new debt incurred during the period. Public debt should not normally be
reduced by related assets such as gold and foreign currency holdings or sinking funds.

In some cases it may be appropriate for these to be taken into account if they are freely available for
the redemption of debt, but not if they are retained for other purposes.

A. Securities, bank loans, from foreign governments or international bodies, and, proceeds of
public saving schemes.

1. The total amount due, showing separately the gross amount borrowed and the portion thereof
represented by borrowing of agencies included in the entity.

2. Amounts held by foreigners, where possible. This disclosure is important because the outflow of
interest and principal to other countries may limit the growth of the debtor’s economy. The
Committee recognizes that where public debt is issued through marketable notes, the nationality of
holders may not be known.

3. Amounts denominated in foreign currencies and the exchange rates used in its valuation. Debt
denominates in foreign currencies may be more volatile than debt denominated in the country’s
own currency because of the effects of changes in exchange rates.

4. New liabilities. For liabilities incurred during the period, disclosure would include the types of
lenders, the terms of the issues and loan agreements, and perhaps future disbursements.

5. Types and terms of instruments. For types of instruments, issued debt would be broken down
between various major classifications such as bills, notes and bonds. For terms of instruments, the
disclosure would set out information respecting maturities, callable features and the like. Other
useful information on maturities could be the consolidated amounts due in the short, medium, and
long term, and the long-term or average maturity of amounts outstanding.

6. Measurement bases. Both the bases of measurement and any changes since the prior report would
be disclosed. The use of different measurement bases can produce significantly different results.
For example, depending on the type of bond issue, the market value of bonds can fluctuate widely
with changes in interest rates. Different methods of amortizing premiums and discounts can affect
significantly the amount of disclosed debt service costs, and debt values may be restated if being
retired prior to maturity.

12
7. Principal repayments. Disclosure would include the amounts of principal repayments during the
reporting period, the means used to finance these repayments, and the effects on related sinking
fund balances.

8. Debt service costs. This disclosure would include interest payments and other administrative and
commission costs paid during the reporting period. In addition, the “interest bite” and the budget-
to-actual scorecard referred to in the preceding paragraph would be useful.

9. Restructured debt. Disclosure would include the results of any public debt renegotiations that
occurred during the period, together with the terms and conditions of the renegotiated debt.

10. The use of funds. When funds are borrowed for specific projects, details would be shown with
respect to the purpose and expected benefits of the projects. Where possible, information would
also be provided on expected revenue sources and cash flows to finance the debt and the
expected life of the project.

11. Actual levels versus estimates. Disclosure should include an appropriate comparison between
the forecasts and the actual levels of total debt, principal repayments, service costs, and interest
rates. Explanation for any significant deviation, where possible, should also be given.

12. Risk assessment. Information would be provided to describe potential vulnerabilities to

fluctuations in interest rates, currency values, or other factors that affect repayment costs. Debt
pegged to floating interest rates would be disclosed, for example. Information would also be
provided with respect to actions taken in derivatives markets, such as interest rate and currency
swap agreements, in order to limit such vulnerabilities. Because activities in derivatives markets
may be highly complex and technical in nature, care should be taken to ensure that the
information provided can be easily read and understood by individuals who may not have
specialized and technical knowledge of derivatives products.

13. Legal requirements and restrictions. All significant legal requirements and restrictions would be
appropriately disclosed. The information provided should be sufficient to demonstrate that all
such requirements have been satisfied. In considering what to disclose, a number of sources
could be reviewed appropriate, including constitutional and other legal limits on the amount of
public debt or debt service costs; limits on the uses of proceeds of borrowed funds; regulations
specifying who may borrow on behalf of a public body; laws outlining the public bodies which
are responsible for public debt incurred by others; and requirements regarding the currency in
which public debt may be held or the lenders who are to be used.

If liabilities were incurred by one public body on behalf of another, disclosure would be limited to
the amount of debt, the types of instruments and the use of the proceeds. All other information
would be provided by the entity that received the borrowed funds.

B. National currency notes and coins.

Information would include banknotes and coins issued by the public body and in circulation as of
the reporting date, and whether they are backed by retention of separately earmarked holdings of
monetary assets. Generally speaking, currency is issued by a country’s central bank and the
relationship between a central bank and its government may vary from one country to another. Full
details regarding this relationship should be obtained and analyzed in order to determine whether it

13
would be appropriate to consolidate a central bank with its government for financial reporting
purposes.

C. Accounts payable for goods and services; liabilities under long-term leases; and pension
liabilities and health care benefits in respect of public employees.

These types of liabilities are often recorder in the accounts and reported on the financial position
statement or balance sheet of the public body to which they relate. For long-term leases and pension
and health care benefits, additional information can be provided in footnotes to the statement.

For leases, this information would include the operating and capital components of the liability and
minimum annual payments for each of the next five years. The liabilities for pension and health
care benefits are determined by actuaries. Details with respect to the actuarial approach followed
and significant assumptions used would be summarized and reported in the footnotes. Sensitivity
analyses, setting out the extent to which the recorded liabilities would vary if actuarial assumptions
were to change, would also be desirable.

D. Other benefits provided by public sector entities.

Disclosure would include the long-term fiscal effects of public pension programs as currently
defined and other similar long range commitments of public resources. A brief description of the
programs and their sources of financing would be provided as well as actuarial and economic
assumptions used, as appropriate, in determining best estimates of costs and benefits. In future
years, the Committee will study such disclosure further and provide additional guidance to SAIs to
the extent possible.

E. Guarantees, comfort letters, and other legally non-binding forms of assurances.

Disclosure with respect to guarantees can include a description of the policies and/or the programs
that underlie the guarantees; the maximum exposure to the public body that issued the guarantee,
including responsibilities for principal repayment and interest costs, commissions, and exchange
rate risks, if applicable (subdivided into domestic and foreign currency denominated
responsibilities); amounts paid during the period to honor guarantees; default experience in prior
periods; and, where possible, forecasts of amounts that are likely to default in future periods. With
respect to comfort letters and other similar instruments, disclosure can include a description of the
nature and extent of the assurances; the policies and/or programs that underlie them; amounts paid
under them during the reporting period; and, if possible to forecast, amounts that are likely to be
paid in subsequent periods. The exchange rates used in the valuation of these liabilities would also
be disclosed.

F. Indemnities.

Disclosure would include a description of the terms and conditions of indemnity agreements in
force; the conditions under which amounts are payable; the amounts paid under the agreements
during the reporting and prior periods; and, if possible to forecast, amounts that will likely be
payable in future periods.

G. Insurance and reinsurance programs.

14
Disclosure would include a description of the major features of each significant program, its
funding, trend information on claims paid and premiums received, and estimates of future losses.

If a fund is maintained, details respecting the value of the fund and its adequacy to cover losses
would also be provided.

H. Other commitments.

The nature and amount of each significant commitment or type of commitment would be
summarized and provided. These might include costs expected to be incurred to repair
environmental damage.

PART V: THE MEDIUM FOR DISCLOSURE

As explained throughout this document, financial information about public debt may be reported in
a wide variety of documents. General purpose financial statements and related notes could disclose
many of the items discussed above. In addition, information could be disclosed in financial reports
on compliance, performance and individual government departments, and agencies. Other public
documents could also be used, Including budgets, central bank bulletins, and a variety of other
reports to legislatures.

It would be helpful to disclose planned and actual public debt periodically as part of the ongoing
budget decisionmaking and accountability process.

Opportunities may also exist in the government's normal fiscal policymaking and reporting cycle
for reporting the elements of planned and actual debt.

For example, planned levels of debt could be disclosed in the budget, with the actual levels realized
periodically reported during the year as appropriate. In addition, a year-end accounting of debt
could be provided, possibly through audited general purpose financial statements and possibly
through other types of centrally provided reports. Attachment A to this document provides a
simplified illustration of what an overall reporting framework for public debt might look like.

As explained in Part II of this document, SAIs have many opportunities to examine and report on
issues related to the definition and disclosure of public debt. The extent of SAIs’ concern with the
form and content of reports on public debt will vary according to the purposes for which the reports
are produced and used. This variation is examined in items A thought E that are set out below and
with which this document concludes.

A. Reports produced by governments to assist in the formulation and execution of their economic,
monetary and fiscal policies. These reports may not be subject to formal verification by SAIs.
However, if they are submitted to the legislature to support budget proposals, the SAI might wish
to review the reports to determine whether they are compiled on an appropriate basis and whether
information is presented in an understandable and consistent manner.

B. Forecasts of annual changes that are expected to result from budget proposals. These reports
may not be subject to direct verification either, but the audit of subsequent results might provide
the SAI with an opportunity to comment on the bases used to prepare the reports.

15
C. Forecasts of the long-term impact on public finances of the future costs of servicing and
repaying outstanding debt. Although not subject to direct verification, SAIs might consider and
comment on the apparent relevance and understandability of the reports if they are submitted to
the legislature.

D. Reports on results, both with respect to changes in debt and with respect to debt outstanding, to
help ensure appropriate accountability of public bodies with borrowing powers. These “after-the-
fact” reports are likely to be subject to formal audit by SAIs, which provides an opportunity to
examine and comment on both the reasonableness of the bases on which the reports have been
compiled and their general understanbility and relevance.

E. Returns to international bodies. These returns are to be compiled in accordance with rules
prescribed by the bodies, which may also govern the possible involvement of SAIs.

APPENDIX A

Illustrative Model of Disclosure

An adequate flow of information is a crucial aspect of any effective control scheme for the
management of public debt. Disclosure could therefore, consider two factors: (1) the path of
information, e.g., who should inform whom within the government and who should inform the
public; and (2) what information could be included in each report and with what periodicity it could
be prepared.

A flow diagram is attached describing a possible scheme of debt disclosure, indicating typically
where each report originates and where they are utilized. Each report is labeled according to the
institution that prepares it, and its contents are described below under each label.

BRE [Budget of Revenues and Expenditures] (Annual). The government (Executive), through the
Secretary of Finance (Treasury), normally presents before each fiscal year a budget of expected
revenues and expenditures to the Legislature, which includes a proposal for fund allocations, as well
as where revenues will originate, and what debt is to be issued. Specific debt ceilings will be set by
the Legislature.

BREA [BRE Authorization] (Annual). The legislative body authorizes and publicly discloses the
maximum level of new net debt to be issued, as well as the approved application for such funds,
where applicable, as part of the general authorization of revenue and expenditure.

16
GD1 [Government Departments report 1] & GE1 [Government Entities report 1] (Monthly). This
report prepared by each government department or government entity holding public debt includes
the terms and amounts of the new debt contracted, as well as payments on loans existing, and
details on maturity dates, currency, amortization, and interest payment schedules.

GD2 [Government Departments report 2] & GE2 [Government Entities report 2] (Quarterly). This
report prepared by each government department or government entity summarizes accumulated
individual balances and payments made during the quarter on capital and interest, expressed in the
currency of origin as well as in local currency. A complete schedule of payments on capital and
interest should also be kept to the maturity of each instrument. A comparison between programmed
and actual amounts is presented here as well as an explanation of the variances with respect to the
previous quarter.

17
GD3 & GE3. (Annual). Each department & entity could prepare for the Secretary of Finance
(Treasury) a comprehensive closing report on its performance and finances for the year, which is
integrated by the Financial Authority into what is normally named The Public Account. This report
includes consolidated information on the state of each entity's debt holdings, describing the new
debt issues for the year, actual payments made on capital and interest, and their comparison with
estimates and the preceding year. A detailed explanation of any restructuring, assumptions,
transferences, adjustments and conciliations at closing, as well as an analysis of financial factors
affecting the cost of debt (e.g. domestic and foreign rates, exchange losses, etc.), as compared with
the expected outcome should also be included.

CB1. [Central Bank report 1] (Monthly) and CB2 [Central Bank report 2] (Quarterly). The Central
Bank could publicly disclose within its monthly and quarterly reports on economic, monetary,
financial and commercial performance, the Public Sector debt, as well as its impact on monetary
aggregates, reserves, and the capital balance. It also include an analysis of relative and nominal
deviations that have occurred during the previous three years.

CB3 (Annual). This report is prepared normally by Central Banks and disclosed to the general
public, and is a global account of the various economic aspects, including a description of the public
debt balance and its impact on the performance of various economic indicators (Public Deficit,
Balance of Payments, Economic Sectors Activity, interest rates, monetary aggregates and other
aspects indicative of the behaviour of the financial system). This report is usually used as a general
base for planning and analysis by financial authorities, the government in general, as well as by
economic consultants and business in general.

Specifically, regarding public dept, this report could analyze the behavior of the total average
balance, gross and net, foreign and domestic, for the year, with comparisons with respect to historic
trends in real terms, in absolute and relative to GDP levels, explaining for each type of debt the
main causes of the movements observed in the balance at closing.

Fin A. [Financial Agents] (Monthly, Quarterly and Annual). Through these reports, financial agents
inform the Secretary of Finance and the Central Bank, with varying degrees of detail, on the change
observed in market conditions that affect debt service.

Financial agents report on how outstanding debt notes are distributed among residents and non-
residents, and on loans contracted to fund the programs of the Development Banks, explaining
differences vs estimated figures.

ICI1. [Internal Control Institution report 1] and ICI 2 [Internal Control Institution report 2]
(Quarterly and Annual). The Internal Control Institution of the Executive validates in these reports
the information on public debt presented in the reports prepared by the Secretary of Finance for the
Legislature on a quarterly and annual basis.

S Fin 1 [Secretary of Finance report 1] (Monthly). In this report the Secretary of Finance should
inform the Central Bank on new debt issued in a foreign currency, the capital flow for each
currency should be calculated separately to allow the Central Bank to take into account this
component of the capital flow for monetary and exchange policy considerations and other strategic
aspects related to the management of reserves.

18
This report should also include estimates as to the holdings of government securities by residents
and non-residents, which the Central Bank would take into account for exchange risk measurement
and reserve management.

S Fin 2. (Monthly). This fundamental report is prepared by the Secretary of Finance for internal
use, and should constitute the cornerstone of the overall debt disclosure scheme. It is the first and
most detailed concentration of all of the relevant information related to public debt, and based on
this report, the rest of the reports prepared by the Secretary of Finance are assembled. Some of the
concepts included are the specific terms and conditions of each debt issue (outstanding balance,
interest rate, payments made on capital and interest, currency, exchange losses, etc.) and their actual
situation, as well as a comparative analysis with respect to estimates and previous years.

S Fin 3. (Quarterly). This report should be presented to the Legislative body, to the Internal
Control Office of the Executive and to the SAI. This report should summarize and aggregate
information on Public Debt with the necessary degree of detail to allow the members of the
Legislature to appreciate the state of the debt, its effect on the situation of the economy and on
government management. It should include a comparative analysis against the preceding quarter
and 12 month period, as well as actuals versus budget estimates. It could also include an
explicative analysis of the evolution of the financial markets during the quarter and how this
affected budget estimates. For the case of debt denominated in foreign currency, the variances
observed for each individual instrument should be explained, including exchange losses registered
per item and currency and country of residence of holder.

For the case of debt in local currency, its net balance, individual placements, the evolution of the
mix of instruments, and maturities and repayment profiles should be indicated, as well as the
approximate holdings by residents and non-residents.

Guarantees granted by the National Government in relation to debt contracted by State and Local
Governments might not be included if its repayment and service is adequately assured by the
Federal resources assigned to State and Local Governments (direct deductions are possible). When
this possibility does not exist, the guarantees should be included.

S Fin 4 (Annual). This public debt report is part of the overall Annual Public Account usually
presented by a Government to the Legislative Body, which is assembled by the Secretary of Finance
or the equivalent Financial Authority within the Government. This report should include a
consolidated description of the evolution of the balance of the debt and its service for the complete
year, in sufficient detail. It should also include an analysis of the variances observed with respect to
budget estimates and the preceding years, along with adequate explanations of the effects of public
debt on financial market performance.

SAI 1. (Annual). This report should be a part of the integrated report that the SAI presents to the
Legislature or the public on the general analysis and audit of the Annual Public Account prepared
by the government for the Legislature. This report should include an evaluation of general public
debt management performance, as well as its impact on public finance and the performance of the
economy for the year. The report could also include an analysis of new debt as a share of total
revenues, the terms of its issue in view of prevailing financial market conditions, and if the debt was
allocated as authorized in the budget.

On the other hand the SAI should pay special attention to public debt aspects of the financial audits
of entities holding debt, as well as that debt which is pegged to specific goals within government

19
programs. This information as contained in SAI reports to the Legislative body, should allow the
legislators to consider the public debt aspects when analyzing the next project to be presented for
budget approval.

The SAI would inform on irregularities and deficiencies detected in the managing of debt in the
process of its systems (internal controls) and financial audits, and on the efficiency, efficacy and
economy with which debt financed ivestments have behaved. Specific public works audits could
also provide additional support in this last case. The SAI should pay special notice to this appraisal
of the explanations on variances of actual vs budget presented in the Public Account.

SAI 2. (Annual). This is not a report in the strict sense of the term, but a document the SAI presents
to audited bodies in which it informs of irregularities and deficiencies found (when their nature
allows), as well as recommendations to correct them.

20
 PUBLIC DEBT COMMITTEE
Chairman
Javier Castillo Ayala
Contador Mayor de Hacienda de México

Members
Argentina Emilia Raquel Lerner
Auditoría General de la Nación

Canada Larry Meyers, Ron Thompson & Brian Pearce

Office of the Auditor General

México Fernando Marty

Contaduría Mayor de Hacienda

Portugal Teresa Nunes & Ana María Bento

Tribunal de Contas

United
Kingdom Wendy Kenway-Smith & Andrew Caddies
National Audit Office

USA Paul Posner, Barbara Bovbjerg & Hanna Laufe

General Accounting Officce

External Colaborators
Finland Tapio Leskinen & Timo Ankelo
State Audit Office

Gabón Gilbert Ngoulakia & Bibalou Moise

Chambre des Comptes

Jordan Abed Kharabsheh

Audit Bureau

Korea Young Joan Kim

Board of Audit and Inspection

Sweden Ian Häggkvist, Ian Hagrall, Lars Forslund, Ingerman

Segergren, Mats Wahsedt & Olle Nystedt
National Audit Office

This booklet has been prepared for official publication in separate english, french and spanish versions by the Public
Debt Committee of the International Organization of Supreme Audit Institutions (INTOSAI)

21