Statement Internal Control
Statement Internal Control
Statement Internal Control
MANAGEMENT
AND GOVERNANCE
PRACTICE
JANUARY 2010
The Statement on Internal Control:
A Guide for Audit Committees
The National Audit Ofce scrutinises public spending on behalf of
Parliament. The Comptroller and Auditor General, Amyas Morse, is an
Ofcer of the House of Commons. He is the head of the National Audit
Ofce which employs some 900 staff. He and the National Audit Ofce
are totally independent of Government. He certies the accounts of all
Government departments and a wide range of other public sector bodies;
and he has statutory authority to report to Parliament on the economy,
efciency and effectiveness with which departments and other bodies
have used their resources. Our work leads to savings and other efciency
gains worth many millions of pounds: at least 9 for every 1 spent
running the Ofce.
Our vision is to help the nation spend wisely.
We promote the highest standards in nancial
management and reporting, the proper conduct
of public business and benecial change in the
provision of public services.
The Statement on Internal Control:
A Guide for Audit Committees
FINANCIAL MANAGEMENT AND GOVERNANCE PRACTICE
JANUARY 2010
2 The Statement on Internal Control: A Guide for Audit Committees
In the current climate of scal restraint and declining
availability of resources, it is important that central
government bodies can demonstrate the resources
that they are responsible for are appropriately
managed and controlled.
For further information, please ask your
usual NAO contact or Client Director:
National Audit Ofce
157-197 Buckingham Palace Road
Victoria
London
SW1W 9SP
Tel: 020 7798 7000
Email: Z5-FMGP@nao.gsi.gov.uk
National Audit Ofce 2010
Contents
Introduction 4
Part One
The purpose and content
of the SIC 5
Part Two
The NAOs approach to the audit
of the SIC 7
Part Three
How can the Audit Committee
add value? 8
Appendix One
Contents of the SIC 12
Appendix Two
Roles and responsibilities in
preparing the SIC 15
4 The Statement on Internal Control: A Guide for Audit Committees
Introduction
In the current climate of scal restraint and declining availability of resources, it is
important that central government bodies can demonstrate the resources that they are
responsible for are appropriately managed and controlled. High quality and proportionate
internal control systems will help organisations achieve their aims. The Statement on
Internal Control (SIC) is a public accountability document that describes the effectiveness
of internal controls in an organisation.
This guide sets out the NAOs approach to considering the SIC as part of our annual
audit of the nancial statements. In particular, it provides guidance to Audit Committee
members on how they can add value to the risk management, governance and internal
control processes within their organisation through effective challenge of the disclosures
made in the SIC.
As part of our audit approach, the NAO engages with senior executives early on in the
reporting period and subsequently challenges the disclosures made in the SIC if these
do not provide transparent information to Parliament, or the underlying processes are
inadequate. Where we do not see appropriate disclosures in the SIC, we may make use
of our powers to report to Parliament.
A wide variety of governance models exist within the central government sector and,
although the principles detailed in this guide are intended to apply throughout, some
exibility in their interpretation will be necessary.
I hope you will nd this guide useful and informative.
Andrew Baigent
Director General, Financial Audit
The Statement on Internal Control: A Guide for Audit Committees 5
Part One
The purpose and content of the SIC
What does the SIC tell us?
The Statement on Internal Control (SIC) is the means by which the Accounting Ofcer
declares his or her approach to, and responsibility for, risk management, internal control
and corporate governance.
1
It is also the vehicle for highlighting weaknesses which exist
in the internal control system within the organisation. It forms part of the Annual Report
and Accounts.
Why do we have a SIC?
Public bodies must provide assurance that they are appropriately managing and
controlling the resources for which they are responsible. The SIC is an important
accountability document in communicating these assurances to Parliament and citizens.
The SIC is a mandatory disclosure for all central government entities that comply
with the Financial Reporting Manual (FReM). It is a primary accountability document.
The external auditors do not provide an explicit audit opinion on the content, but it is
subject to external audit review to ensure that it has been prepared in accordance with
Government guidance and that it is consistent with the auditors knowledge of the entity.
What does a SIC disclose?
The Financial Reporting Manual sets out the expected form and content of the SIC.
This is a mix of prescribed text and sections where Accounting Ofcers are expected to
describe the particular arrangements in their organisations.
1 The Accounting Ofcer usually holds the post of Permanent Secretary or Chief Executive. The Accounting Ofcer
is the senior ofcial in the organisation and he or she may be called to account in Parliament for the stewardship of
the resources within the organisations control.
6 The Statement on Internal Control: A Guide for Audit Committees
The SIC should contain disclosures under the following headings:
Scope of responsibility;
Review of effectiveness.
More detail on the information to be disclosed under each heading is set out
at Appendix One.
What are the roles and responsibilities?
The Audit Committee plays a key role in the production of the SIC. It supports the board
and Accounting Ofcer by reviewing the comprehensiveness of assurances in meeting
the board and Accounting Ofcers assurance needs, and reviewing the reliability and
integrity of the assurances. The Audit Committee also advises the board and Accounting
Ofcer of any control issues that could be considered signicant and are therefore
appropriate for disclosure in the SIC. Fuller information on the roles and responsibilities
involved in the production of the SIC is set out at Appendix Two.
The Statement on Internal Control: A Guide for Audit Committees 7
Part Two
The NAOs approach to the audit of the SIC
To provide assurance to Parliament that public bodies are appropriately managing and
controlling the resources for which they are responsible, the NAO reviews SICs to ensure
they are supported by robust evidence and the underlying controls are sufciently reliable.
Although we also have a professional responsibility to review the SIC under ISA 720
as it is information published with the audited accounts, our engagement will begin
much earlier in the reporting period.
2
Assignment Directors and Managers will engage
with senior executives, including the Accounting Ofcer, to discuss the risks facing the
organisation, the adequacy of the underlying controls and the transparency of reporting
in the prior year. We will also consider the governance processes in place over the
production of the SIC.
We expect Accounting Ofcers to reect weakness in internal control identied by other
reports on their organisation published during the year within the SIC, for example,
select committee reports or NAO VFM reports.
At the Audit Committee, we will discuss the disclosures made in the draft SIC and raise
any concerns we have over the transparency of reporting or sufciency of the underlying
controls and assurances. In addition, our professional responsibilities require us to
consider whether the SIC is:
Produced in accordance with HM Treasury requirements; and
Consistent with our understanding of the position based on the information that we
are aware of from our work on the nancial statements and other work.
In cases of non-compliance with HM Treasury requirements or where we consider that
a signicant issue has not been adequately reected in the SIC, we will consider the
implications for our audit opinion. In these instances, we modify our audit opinion and/or
issue a separate report to Parliament.
To enable change and help audited bodies benet from our cross-government
perspective, we will publish digests of best practice from our work on SICs.
2 International Standard on Auditing 720 (Revised) Section A Other Information in Documents Containing Audited
Financial Statements.
8 The Statement on Internal Control: A Guide for Audit Committees
Part Three
How can the Audit Committee add value?
To assist Audit Committees in their challenge function we reviewed a wide range of SICs
to identify good practice in corporate governance, risk management and internal controls,
and the disclosure of these, within the SIC. The results are set out below broken down
by key SIC heading. The table is not intended to be a comprehensive list, but a useful
tool to help Audit Committee members identify where their organisations processes and
procedures could be strengthened or additional disclosure would be valuable. All good
practice areas should be considered in two ways; rst to see if there are appropriate
policies and procedures in place and secondly to see if this is working in practice.
Management should have evidence that these systems and processes are working,
and may use internal audit or other assurance providers to give some of this assurance.
Capacity to Handle Risk
Key theme Area Good practice
Leadership Risk
management
policy
Sets out the commitment, processes and
Description of
responsibilities
Clear chain of accountability for risk from the
partners on risk
Staff training Risk management
tools on intranet
Risk management support and guidance made
internal audit
Risk
management
maturity
Benchmarking of the organisation against a risk
Board level
Sets clear accountabilities for action
business processes
Management controls ensure quality processing
different risks
10 The Statement on Internal Control: A Guide for Audit Committees
Key theme Area Good practice
Embedding risk
management
Culture of risk
management
throughout
organisation
Every significant risk is assessed and ranked
on key risks
Evidence of Effectiveness
No significant internal control failures occurred in year
Evidence that the risk and control framework identified and managed changes in the risk
the organisation
Discusses the effectiveness of internal controls
internal controls
Considers the coverage of the Internal
Audit programme
Reviews progress on implementing Internal Audit
improvements necessary
Internal audit Annual work programme is risk-based.
Accounting Officer
The Statement on Internal Control: A Guide for Audit Committees 11
Key theme Area Good practice
Other
assurance
mechanisms
Management Accounts Monthly review by budget holders
Quarterly re-forecasts
Management
assurance statements
Set out the governance, risk and control
recommendations
Evidence of Effectiveness
Evidenced-based assurances over the effectiveness of internal controls and their coverage of risks
are reported
Prior year issues Follow up reporting on all prior year significant
original timescales
Evidence of Effectiveness
Significant internal control issues have not arisen in subsequent years
failure; it cannot eliminate all risk and therefore only provides a reasonable and not
absolute assurance of effectiveness.
Conrms whether the system of internal control was in place for the whole of year
equipped to manage risk and how the organisation learns from good practice.
NAO Comment
This section should provide details of how the organisation has adapted to changes in
the risk environment.
The Statement on Internal Control: A Guide for Audit Committees 13
The risk and control framework
Describes the key elements in the risk management strategy, including how risk
is identied, evaluated and controlled. This section must explicitly include the
management and control of information risk.
Describes how risk appetites are determined.
Describes how public stakeholders are involved in managing risks which affect
appropriate) have advised the Accounting Ofcer on the implications of the results
of the review.
Conrms a plan is in place to address weaknesses and ensure
continuous improvement.
Comments on the role of the board, Audit Committee, risk committee/managers
control issues.
NAO Comment
Organisations should demonstrate how they have been responsive in reacting to risks
and that they are not tied to a process-driven mentality.
14 The Statement on Internal Control: A Guide for Audit Committees
Signicant internal control issues
As part of the review of effectiveness, Accounting Ofcers must disclose the actions
taken/proposed to deal with any signicant internal control issues. While it is for
Accounting Ofcers to judge whether a matter is signicant, Managing Public Money,
suggests the following tests that might indicate a signicant internal control weakness:
3
Might the issues seriously prejudice or prevent achievement of a PSA target?
Could the issue divert resources from another important aspect of the business?
Could the issue, or its impact, attract signicant public interest, or seriously