How Can a Board Gain Assurance on its Systems of Internal Control? - Mazars - Ireland

In accordance with the Code of Practice for the Governance of State Bodies(2009), the Board of a State body is responsible for its system of internal control and should review annually the effectiveness of this system.

Internal controls does not only refer to financial controls, but include operational and compliance controls, and risk management.  But how does the Board ensure that it obtains adequate assurance over internal controls of the body as a whole and where does the assurance come from?  There are a number of key elements which contribute to the overall assurance framework of a State body, as follows

Risk Management – The risk register is an extremely useful tool and provides a snapshot of an organisation’s key risks, the internal controls in place or required to manage these risks, responsibility for its implementation and how assurance over the effectiveness of controls will be gained.

The Board and its sub-committees – Each Board committee should have a clearly defined terms of reference which details its particular role and responsibilities for the implementation, management and monitoring of internal controls, and reporting to the Board.  Specifically the Audit Committee will in many organisations have a clear responsibility for review of risks, controls and assurances.  The responsibilities of the Accounting Officer should also be clearly differentiated from that of the Board.

Management – The Management team of a State body is generally directly responsible for implementation of policies, procedures and practices across the organisation, as well as identification of risk exposures.  Management should provide regular reporting to the Board and its sub-committees over whether adequate controls are in operation and whether risks identified are being managed in accordance with expectations.

Audit – Both internal and external audit functions provide a structured and risk based review of a State body’s key controls and activities, and contribute significantly and directly to assurance provided to the Board.  Therefore, these functions should be adequately resourced and managed effectively to ensure assurance can be maximised.

Other assurance functions – Some State bodies may have a Quality Assurance or Compliance Function, or may from time to time commission organisational or value for money reviews.  While this work may not be primarily directed at providing assurance over controls, it may contribute to the identification of significant gaps in controls or help to identify key risks.

It is therefore clear that there is no single source of assurance for the Board in its consideration of the adequacy of a State body’s system of internal control, but that a number of sources are required to provide this assurance in a collaborative manner.

For more information please contact Corné Mouton, cmouton@mazars.ie

Corné Mouton is a Partner within the Mazars governance, risk and internal control division, with particular responsibilities in the areas of corporate governance, risk management, internal audit, IT audit, regulatory compliance and special investigations.