Public Federal Service Budget and Management Control
Practical Guide for the Development and Maintenance of an Internal Control System
Management Support
Foreword
Good management, quality service, effectiveness, efficiency and economy: in recent years,
these words have been repeated constantly in the ongoing search for a highly efficient
administration. Resources have become more and more limited, while needs have become
more specific. The prolonged crisis and the resulting expenditure limits have once again
highlighted the need for a well-built and well-documented internal control system. The
previous government had already sent a strong signal through the appointment of a
government commissioner for internal audit; in its turn, the current government states just as
explicitly in its governmental agreement the need to strengthen internal control.
In order to reconcile the inherent needs of the institutions while also complying with the
provisions of the governmental agreement, the Management Support unit of the Public
Federal Service Budget and Management Control has put on paper the methodology that it
used for developing an internal control system; this resulted in a useful and user-friendly
practical guide. Such a guide was necessary, especially as it appeared in the framework of the
internal control network, facilitated by Management Support, at a time when the
implementation of an internal control system still raised problems.
We are particularly grateful to Mr. Ronny DAMOISEAU, administrative officer at Management
Support, who, as an expert in the field of internal control, was in charge of developing and
drafting the concept underlying this methodology.
We would also like to thank Renata FINESCHI, Katleen SEEUWS and Cédric VANBEGIN, all
administrative officers at Management Support, for their constructive contributions to
the development and improvement of the Diabolo tool, which plays a significant part in
building an internal control system.
All questions or comments regarding this guide or the development of an internal control
system should be addressed to Management Support ([email protected]).
We wish success to our readers and the users of this methodology in the application of the
principles described in this guide.
Alfons Boon, Director SPF B&CG
Karel Hauman, Management Support Adviser
Table of Contents
Foreword ....................................................................................................................................... 2
Management Support: at your service ......................................................................................... 5
Executive summary ....................................................................................................................... 7
The advantages of internal control ............................................................................................... 8
Legal reference framework ......................................................................................................... 11
The core of the Management Support Methodology ................................................................. 13
The planning phase (PLAN) ......................................................................................................... 18
Phase PLAN – Step 1: objectives, means and activities .......................................................... 18
Phase Plan - Step 1 in practice: objectives, methods and activities ....................................... 20
Phase PLAN - Stage 2: Indicators and standards ..................................................................... 29
Phase PLAN - Stage 2 in practice: indicators and standards ................................................... 30
Phase PLAN – Step 3: ex ante evaluations .............................................................................. 33
Phase PLAN - Step 3 in practice: ex ante evaluations ............................................................. 34
The implementation phase (DO) ................................................................................................. 35
Phase DO - Step 4: activities ................................................................................................... 35
Phase DO - Step 4 in practice: activities .................................................................................. 35
Phase DO - Step 5: measurement and monitoring ................................................................. 36
Phase DO - Step 5 in practice: measurement and monitoring ............................................... 36
Phase DO - Step 6: recording incidents ................................................................................... 36
Phase DO - Step 6 in practice: recording incidents ................................................................. 37
Verification phase (CHECK) ......................................................................................................... 38
Phase CHECK - Step 7: performance analysis .......................................................................... 38
Phase CHECK - Step 7 in practice: performance analysis ........................................................ 39
Phase CHECK - Step 8: identification of risks .......................................................................... 40
Phase CHECK - Step 8 in practice: identification of risks ........................................................ 40
Phase CHECK - Step 9: risk analysis ......................................................................................... 42
Phase CHECK - Step 9 in practice: risk analysis ....................................................................... 42
The adjustment phase (ACT) ....................................................................................................... 46
Phase ACT - Step 10: analysis of measures ............................................................................. 46
Phase ACT - Step 10 in practice: analysis of measures ........................................................... 46
Phase ACT - Step 11: validation of measures .......................................................................... 50
Phase ACT - Step 11 in practice: validation of measures ........................................................ 50
Phase ACT - Step 12: application of measures ........................................................................ 50
Phase ACT - Step 12 in practice: application of measures ...................................................... 51
Reporting: the beginning of a new cycle ..................................................................................... 53
Conclusion ................................................................................................................................... 56
Glossary ....................................................................................................................................... 58
Management Support: at your service
Management Support is one of the units of the Public Federal Service Budget and
Management Control (Service public fédéral Budget et Contrôle de la Gestion, SPF B&CG). Its
task is to provide guidance in the field of internal control for the entire federal administration.
In accordance with its establishment decree of 15 May 2001, as a horizontal public federal
service, SPF B&CG is a privileged partner for the other federal and programming public
services, as well as for the federal and public social security institutions. It is in this context that
the Management Support unit was founded in 2002. Its role was further strengthened by the
royal decrees of 17 August 2007 concerning the internal control system and the internal audit
activities. These established the role of SPF B&CG in providing methodological support for the
development of internal control and internal audit, without the right to conduct internal audits
itself. However, at the request of the responsible officials of each service, SPF B&CG can be tasked
with guidance missions in this field.
As set out in the management plan 2010-2015, SPF B&CG assumes a laboratory function for
the various modernisation projects within its scope. This allows testing methodologies and
developing instruments that can subsequently be made available to all interested parties. In
this context, in 2011, Management Support started to implement an internal control system
that was developed and documented within the SPF B&CG. At the beginning, the project was
chosen to be piloted within the same SPF. In light of the numerous bilateral discussions with
the services concerned, a solid foundation could be established in terms of approach, as well
as for optimizing the application created by the unit. By describing in detail its practical
approach, its experiences and the instrument used, Management Support has aimed at
providing a practical aid for the implementation of effective internal control.
Nevertheless, internal control is not an exact science, but an art. Nobody can claim to possess
the only valid methodology. Management Support has tried to develop a simple, adequate,
effective and powerful internal control system applicable to all public organisations. In fact,
the unit is specifically designed to assist – throughout the processes – the departments,
institutions and organisations that aim at improving their management.
In order to implement an effective and appropriate internal control system, it is necessary first
to ensure unconditional support at the highest hierarchical level, especially by means of
reporting to the management board. It is essential that the management engage officially
through a decision based on the reports.
The principles for the development and maintenance of an internal control system presented
in this guide are independent of the instruments used. The applications described below, such
as Diabolo, as well as the risks diagram associated to it, were developed by Management
Support and provide a good basis for any public organisation that lacks the necessary tools. For
the development of these tools, Management Support has only used standard computer
applications in the interest of flexibility, compatibility and fast deployment.
Management Support currently has limited capacity and has to be creative in order
to accomplish its support task with the available resources. Thus, each month, it organises
an internal control networking meeting. Through the exchange of ideas, experiences and
knowledge with other institutions, the unit provides information to those who are still in the
early stages of establishing an internal control system. It also offers training in internal control
at the Federal Government Training Institute (Institut de Formation de l’Administration
fédérale, IFA). It can also, at the request of specific services or institutions, provide in-house
training in the field.
The establishment of the Federal Administration Audit Committee (Comité d’audit de
l’Administration fédérale, CAAF) in the spring of 2010 provided a major impetus for the
integration of the principles of good governance in the federal administrative apparatus. Since
then, the institutions within the scope of audit are required to prepare an annual report on the
state of their internal control system in the previous year. The report must be submitted to the
CAAF no later than February 15 of each year. These reports further constitute the basis of
CAAF’s mandatory reporting to the relevant minister, as well as to the Council of Ministers. In
this context, Management Support has also created a handbook addressed to institutions and,
in collaboration with the secretariat of CAAF, has prepared guidelines to assist them in drawing
up the report.
Once the CAAF obtains political support for its view on the organisation of the
internal audit function, and as soon as the audit services are established, the need for more
elaborate internal control systems will become even more pressing. Moreover, internal
control cannot be fixed once and for all; it has to be continuously reworked. Regular reassessment and
updating of the system is therefore essential.
This practical guide constitutes a first outline for the establishment of an internal control
system. If you wish to receive assistance in this matter, please contact the Management
Support unit of the SPF B&CG. Following a first orientation interview, we will decide together
on the best method to meet your needs.
You can reach us at the following address:
SPF Budget et Contrôle de la Gestion
Management Support
Rue Royale, 138/2
1000 Brussels
Email: [email protected]
Executive summary
The biggest challenge in developing an internal control system is the creation of a balanced
structure and the cohesion of its various components. Once the design phase is completed, it
is necessary to focus on the maintenance, adaptation and further development of the system.
Management Support has adopted an approach that completely integrates the risk cycle and,
by extension, the maintenance of the internal control system into the four phases of the
management cycle (Plan – Do – Check – Act, cf. Deming), in twelve steps.
During the planning phase (Plan), the organisation defines the periodic expectations
concerning the services to be provided, as well as the necessary resources. The measuring
system, comprised of a set of indicators and reports, takes into account the results of the
periodic monitoring.
The execution phase (Do) includes the “regular” activities of the organisation. During this
phase, basic information is collected in order to be examined in the analysis phase. The
management ensures the proper execution of activities and the adequate application of the
measuring system.
During the analysis phase (Check), the results obtained are assessed and discussed. This is one
of the most important aspects of management control; in this stage the internal control
system begins to be updated based on the events that occurred during the execution phase.
To this end, Management Support created an intuitive tool, Diabolo, which serves as a process
sheet and contains a complete risk module. It facilitates the identification and assessment of
risks. The control measures can then be evaluated in terms of how much they reduce the
organisation's exposure to each risk. The residual risk exposure indicates whether a risk
needs to be treated as a priority.
During the reaction phase (Act), appropriate measures are developed so as to address a risk.
Good support is required to ensure that the measures taken are properly implemented.
Policy-related risks have to be recorded separately because they are related to the longer-term
objectives in the management plan or the governmental agreement. They need to be monitored
less frequently than management risks. They can be estimated during the
planning phase, by means of a SWOT analysis, with a view to possible strategic or operational
adjustments. Periodic reporting from the management cycle provides a valuable contribution
in this case.
The structured and integrated approach of Management Support paves the way for a better
management and at the same time increases the chances for the successful implementation of
the desired policy.
The advantages of internal control
As federal adviser and coordinator of the federal internal control network, Management
Support is often faced with the same three questions:
1. Where to start internal control?
2. How does this kind of system work?
3. How detailed should it be?
The answer to the first question often surprises people: in fact, you are already doing it.
However, control activities are often not entirely systematized.
This brings us to the second question, how to design and manage such a system. This will be
explained in the following chapters.
As for the answer to the third question, which is probably the most important, here it is:
internal control must be as detailed as your organisation, including the stakeholders, considers
necessary in order to ensure and justify satisfactory results. To justify is to explain and for that
we need information. To measure is to know.
In order to verify the degree of control, it is first necessary to measure and assess the actual
results, which requires a performance analysis. In fact, this is part of management control (Dutch:
beheerscontrole)1 and consists in comparing the measured performance with the pre-
established objectives.
The objectives originate in the management plan or the governmental agreement, but also
take the budget into account. The first aspect refers to the outputs or, in other words, the
services that the organisation must provide to its customers: citizens, enterprises, institutions
and other public authorities. The second aspect concerns the resources available to the
organisation in order to achieve its outputs.
In the private sector, the more profit margin a manager creates, the more successful he/she is.
This means maximizing revenue and minimizing production costs.
In the private sector, a good policy implies that the product meets the customer's
requirements. This is evidenced by the turnover, i.e. the number of units sold multiplied by the
selling price.
The success of a sales manager, the effectiveness of his/her management and control of the
organisation, are measured in terms of the difference between the selling price and the unit
cost of the services or products provided. The higher the margin, the greater the potential
value of the organisation. The more attractive a company is to investors, the less likely it is
that the captain of the ship will be changed.
1 Management control should provide the executive management, on an ongoing basis, with all the
information required to make decisions on a sufficiently substantiated basis and to efficiently follow the workflow within the company. (Source: M.J. De Samblanx, in monKEY.be, Kluwer)
In the public sector, a director has less freedom of movement than the sales manager, since there
is no turnover in the usual sense. As long as service units do not have a nominal value, the official
lacks an important lever: presenting profit margin figures.
The quantifiable output parameters available to a public official are generally:
- the different types of products, services and benefits offered;
- the number of services offered;
- their quality, and
- the compensation required for them (in some cases).
Most public institutions have the specificity that the customer is in fact a shareholder. The
customer does not buy the service, even if he/she is sometimes required to pay a small fee.
That is because he/she (pre-)funded the production of that particular service. The lower the
cost of production, the happier the customer is. This simple principle lies at the core of an ever
growing social and, consequently, political need for an effective public administration.
The customer’s satisfaction with the quality of the service provided by the public service is an
indicator of the policy’s success. If, in addition, the customer is happy with the cost of the
service, then we can speak of successful management.
In a public institution, a high margin or efficiency can be obtained solely by:
- a higher output for the same input, or
- the same output for a smaller input, or
- a clearly higher output for a slight increase in input, or
- a slightly lower output for a significantly lower input.
Hence measuring performance implies regularly monitoring both the output and the input,
comparing the different periods between them. As mentioned earlier, this is part of business
control.
Just like in a commercial organisation, the financial input is represented by the unit cost of the
service. This includes all direct and indirect costs incurred in the production of an output:
- offices,
- equipment,
- staff, and
- all resources required to maintain the three parameters above as productive as
possible.
Nowadays, public institutions have the basic information necessary to calculate, at least
approximately, the unit cost of a service. The more detailed the cost accounting, the more
accurate the calculation is.
In brief:
In the past, politicians were concerned above all with the quality of the policy pursued or, in other
words, with the successful achievement of the policy's objectives. At present, they are
increasingly interested in the quality of management, in other words, the effective execution of
the chosen policy.
The success of the public administration manager is measured in terms of whether he/she
succeeds in convincing the relevant minister that the needs of the electorate will be satisfied by
a high quality service at a unit cost as low as possible.
Internal control is the process comprising all the activities and measures that an organisation
has to accept, in economic and management terms, in order to optimize the output quality and
minimize its unit costs.
Legal reference framework
While internal control already exists in most organisations, a systematic approach
is essential if it is to contribute effectively to results. The Royal Decrees of 17 August 2007 are
designed to achieve this goal:
Royal Decree of 17 August 2007 concerning the internal control system within some services of the federal executive.
Royal Decree of 17 August 2007 concerning the internal audit activities within some services of the federal executive.
Royal Decree of 17 August 2007 establishing the Federal Administration Audit Committee (CAAF).
Although at present the scope of these decrees is limited to 22 institutions2 and does not yet
cover every federal body, the tone is set. Similar initiatives to strengthen the internal
control system are being implemented, especially within the social security institutions.
The Royal Decree concerning internal control specifically mentions that each staff member
contributes, at his/her own level, to the functioning of the internal control system. However,
the ultimate responsibility devolves upon the head of the organisation, who appoints a person
to keep an inventory of the documentation concerning the institution’s internal control
system.
The decree further stipulates that the director of each organisation shall present each year a
report on the operation of the internal control system, also including the intended
improvements. The annual report will be submitted to the Federal Administration Audit
Committee no later than 15 February of each year; a copy of the report will be transmitted to
the Minister in charge of the service concerned. The Minister then has the opportunity to send
possible comments concerning the report to the Audit Committee.
On the basis of the annual reports, the Audit Committee submits its report to the government
and to each minister before July 31 of each year. These reports should provide the government
with an overview of the state of the internal control systems used in the various public
services. Since the Audit Committee was established in the spring of 2010, the institutions
within the scope of audit completed their first exercise in 2011.
The reports have undoubtedly raised interest in a well-built and well-documented system of
internal control within the public bodies. In addition, the need for such a system will probably
become more pressing once the internal audit activities are performed in accordance with the
Royal Decrees regulating them.
The reference framework for the development of an internal control system is based on the
COSO model3, established in 1992 in response to the numerous corporate scandals that appeared
in the United States in the late eighties. The model was subsequently adapted for the public
sector as the INTOSAI model4 (see Figure 1). Meanwhile, the aspect of "risk analysis" has
become increasingly important, which led to the creation of the COSO-ERM framework, in which the
concept of Enterprise Risk Management plays a prominent role.
2 This includes all the federal and programming public services, the Ministry of National Defence, the
Régie des bâtiments, the Federal Agency for Food Chain Safety, the Federal Agency for the Reception of Asylum Seekers, the Public Pensions Service and the Federal Agency for Medicines and Health Products.
Figure 1: the COSO/INTOSAI cube
Definition of internal control according to INTOSAI
"Internal control is an integral process that is effected by an entity's management and personnel and is designed to address risks and to provide reasonable assurance that in pursuit of the entity's mission, the following general objectives are being achieved:
- executing orderly, ethical, economical, efficient and effective operations;
- fulfilling accountability obligations;
- complying with applicable laws and regulations;
- safeguarding resources against loss, misuse and damage."
We do not intend to deal in this guide with the COSO, COSO-ERM and INTOSAI reference
frameworks and the differences among them. On this subject reference is made to the existing
literature in the field. It is more important to notice that they all advocate focus on the result
as one of the generic objectives of internal control.
3 Committee of Sponsoring Organisations of the Treadway Commission.
4 International Organisation of Supreme Audit Institutions.
The core of the Management Support Methodology
This document clearly places the emphasis on the achievement of good results. The other
general objectives of internal control are also important, but in this context we consider them
subordinate to the results. It is true that one cannot speak of good management if, for
instance, the requirements in terms of compliance and asset protection are not met.
Structure
This pragmatic methodology enables the creation, as quickly as possible, of an integrated
system with a minimal workload. This means that consistency, that is, the effective integration
of the various components of the system, prevails over details. First, the organisation will seek
to establish a balanced structure of its components. Then, these elements can be detailed
according to the needs and opportunities of the organisation.
The framework of the internal control system consists of three pillars:
- Establishment and follow-up of periodic results (objectives)
- Management of activities (processes/projects)
- Measuring system (monitoring)
Figure 2: The three pillars of the internal control system
On the one hand, the risks are related to the components proper, that is, they are related to
the definition of their content. On the other hand, the risks are related to the interaction
between these components.
This framework covers all aspects of the COSO / INTOSAI reference frameworks. Only the
“control environment” component remains neglected – at first sight.
Improving the control environment
In order to address the control environment simultaneously in all its dimensions and across the
whole organisation, it is necessary to adopt a holistic approach. To this purpose one or several
working group(s) made up of representatives from across the organisation are created. The
groups aim at developing an improvement plan that incorporates enhancement measures or
projects identified through a series of workshops starting from a list of critical issues, incidents
or undesirable situations. This approach has been successfully tested by Management Support
but still requires a lot of work. It takes some time before the improvement projects generate
visible results. Therefore, there is a risk that, within the organisation, employees would
consider internal control as an additional workload without any real added value.
Although the control environment is the foundation of a harmonious system of internal
control, the system can be developed faster and more efficiently by focusing on the
framework described above. Indeed, these activities (including the related information and
communication) automatically lead to the improvement of certain aspects of the control environment.
The purpose of an internal control system is to ensure the accomplishment of the generic
objectives or, in other words, that good results are achieved. However, the chances of
reaching these goals increase when risks are better controlled. The maturity of the control
environment is facilitated by systematic risk monitoring in the context of the results to be
achieved, by introducing the necessary control measures and improving the measurement
system.
In the medium term, it is recommended to address the remaining issues that cannot be solved
through individual processes by relying on a group approach in order to achieve a harmonious
system of internal control.
Starting point of the methodology
An internal control system is designed to increase the chances of reaching the objectives,
among others, by controlling risks. Therefore, objectives occupy a central place and must be
sufficiently detailed. This involves a SMART formulation, determining the underlying and
supporting standards, etc.
Since the risks are always connected to the objectives, in order to control them it is
recommended to address the risks while assessing the results obtained.
The success of an administration is determined by the extent to which objectives are achieved
while preserving expenditures within the established limits. A thorough analysis of the
“management gap”, that is, the difference between what was accomplished and what was
foreseen, is an absolute requirement.
The “management gap” is progressively reduced with the development of the internal control
system.
During the periodic analysis of this “gap,” the points where the objective has not been fully
achieved must be carefully considered. The differences are usually the result of incidents that
occurred because the risks were not sufficiently covered.
The approach adopted by Management Support implies that the risk pattern and, by extension,
the twelve steps of the internal control system are fully integrated into the four phases of the
management cycle (PDCA, cf. Deming).
Figure 3: Integration of the internal control system within the management cycle
In Figure 4 below, these phases are described in more detail and are connected to the
maintenance activities of an internal control system. There are twelve steps.
Figure 4: Synchronization of the internal control system with the management cycle, in twelve
steps
PLAN: 1. objectives, means and activities; 2. indicators and standards; 3. ex ante evaluations
DO: 4. activities; 5. measurement and monitoring; 6. recording incidents
CHECK: 7. performance analysis; 8. risk identification; 9. risk analysis
ACT: 10. analysis of measures; 11. validation of measures; 12. application of measures
It goes without saying that the internal control system must be supplied with basic information
before the cycle presented above can be started for the first time. This preliminary information
is collected during the planning phase. The planning phase itself is divided into
three sub-phases:
- Phase 1: description of the process for an early identification of risks.
- Phase 2: identification and analysis of risks and the control measures.
- Phase 3: development of the measuring and reporting system.
Figure 5: The planning phase of an internal control system
Consequently, the planning phase is designed to build the three pillars of an internal control
system.5 When the system has a balanced structure, internal control is a process that runs at
the same time with the management cycle. With each cycle, the system extends and becomes
even more detailed. However, the basic rule according to which the consistency of the
components prevails over their accuracy remains valid. Indeed, the objective is to obtain an
integrated system, not exhaustive lists.
The four phases of the management cycle are divided into 12 steps, as shown in Figure 4.
These will be further analysed in the following chapters.
5 See Figure 2: The three pillars of the internal control system.
The planning phase (PLAN)
PHASE / STEP | ACTORS
Plan 1 - objectives, methods and activities | Management, central collaborators
Plan 2 - indicators and standards | Management, central collaborators
Plan 3 - ex ante evaluation | Central collaborators
The relationship between the mission, objectives, activities, outputs and indicators is
established during the planning phase. Generally, the management plan or, where
appropriate, the governmental agreement, constitutes a good starting point.
The planning phase is to be given due consideration at two key moments:
MANAGEMENT PLAN | WHAT | BASIS
New multi-year design | Establishing parameters, alignment | Legal framework, ex ante evaluations, history, internal reporting, reports by external control authorities
Annual adjustment | Refining existing parameters, alignment of new parameters | Decisions of the phase “Act”, strategic adaptation, ex ante and ex post evaluations
Phase PLAN – Step 1: objectives, means and activities
In public services, the objectives are often numerous and various depending on the different
hierarchical levels. This can sometimes lead to lack of cohesion.
Consistency in objectives and outcomes can be enhanced by improving the dialogue between
the different hierarchical levels. This will enable a clear formulation and explanation of the
services provided.
The diagram below can serve as a guideline. The direction is “top down,” which means that it is
the higher level that clearly indicates the framework of objectives. These materialize in
objectives for the lower level. The lower level thus has two goals: first, it must meet its own
objectives, and, second, it must contribute to reaching the specific objectives of the upper
level. The contribution is “bottom up,” because it is the lower level that is required, based on
the reporting needs expressed by the upper level,6 to make its contribution.
6 See also phase ‘CHECK’ - Step 9: risk analysis
Figure 6: Consistency in Management and Reporting
Good cohesion facilitates the definition and evaluation of the results. To focus on the results,
one begins by defining clear objectives.
In addition to the explicit communication of the services to be delivered, it is also necessary to
specify the resources required in order to achieve both effectiveness and efficiency.
During the phase PLAN, the manager defines his/her periodic expectations concerning the
services and resources based on the annual management plan and the appropriations
provided. The desired schedule for the analysis phase is also set at this time, as it is crucial for
the correct definition and standardization of the indicators.
Generally, we recommend monthly monitoring, although this may be limited at first to
quarterly reporting or even biannual reporting. Consequently, this implies communicating
details about the objectives and resources at the same intervals.
The executive determines the level of detail of each report heading and the reporting schedule,
taking into account the organisation's capacity for evaluation and monitoring.
The main basic data of a periodic report are, on the one hand, the achievements expected and,
on the other hand, the necessary resources to this end. Depending on the relevant factors
considered and the measuring instruments used, the basic data provides insight into the
performance standard, the productivity or the cost structure.
This step also includes the activities set out in the process and in the projects. The way in
which an objective is achieved is, indeed, crucial for the effectiveness and efficiency of the
operations carried out to this purpose. In practice, internal control begins with the precise
drafting of the organisation’s objectives and the description of activities.
For the development of a system of internal control, the phase of the management cycle under
which the organisation falls is not significant. Any arbitrarily chosen moment is suitable to
describe and document the process. However, if the organisation already possesses this
documentation, the PLAN phase of the management cycle is the perfect time to update it.
In this case, in practice an overlap with the previous phase, the action phase (ACT), can be
noticed. The need to update or change a process or a procedure derives in fact from a
measure to be taken following the observations made during the execution and analysis
phases. In other words, it is sometimes better to adapt or restructure the activities themselves
than to burden the process in place by all kinds of control measures.
Phase Plan - Step 1 in practice: objectives, methods and activities
A. Identify the objectives
Principle: each output, hence every activity of the organisation should be connected to at
least one of the objectives.
If no output or process is connected to a specific objective, it is worth asking whether the
objective is really important. If this is indeed the case, the objective should be better
formulated and at least one measurable output must be connected to it. Conversely, if an
output cannot be directly linked to at least one objective, it is worth questioning whether
it is indeed necessary to continue producing the respective output. If there is a real
demand, the objective should be reformulated so as to better quantify and control the
respective output.
To ensure the quality of the services provided and the proper monitoring of activities, all
objectives should be formulated according to the SMART method.
What is SMART?
Letter | Description | Meaning
S | Specific | The aim should be described in a concrete, clear and unambiguous manner. It is not subject to interpretation.
M | Measurable | The objective is inherently quantifiable and standardized.
A | Acceptable | Sometimes also referred to as admissible, ambitious or agreed. It must receive enough support.
R | Realistic | Sometimes also referred to as relevant or attainable. The aim may well be ambitious, but it must remain achievable.
T | Temporal | Sometimes also referred to as tangible. The objective has to include a deadline or a time range.
Steps:
1. Formulate or reformulate all objectives according to the SMART method
2. Establish clear links between mission, strategic objectives and operational
objectives
3. Associate each of these objectives with one or several processes and projects
4. Also formulate the goal of a process or project according to the SMART method
5. For each of the processes and projects, determine at least one final product
6. Set the reporting frequency. If quarterly monitoring is chosen, the production
units and the suggested indicators should be aligned to that frequency.
Historical example of a SMART objective:
JFK speaking about the NASA space program in the '60s: “our goal is to put a man on
the surface of the moon and bring him back to Earth by the end of the decade.”
S “our goal is ...” the overall objective is clearly stated and specific
M “... on the moon and back to Earth ...” 2 concrete and measurable outputs
A challenging and accepted by all because of a national feeling of “revenge” due
to the fact that the USSR had beaten the U.S. twice in the race for space
dominance
R considered feasible by experts and advisers
T “by the end of the decade”, so no later than 1969.
B. Provide the means
Principle: Services may remain below expectations due to a deficit at the level of inputs.
The input required may be too low or not available at the time, thus preventing the output
to be produced properly. In addition, the input may also be too high, which means that
resources are wasted. Efficiency is the ratio between output and input. Efficiency gain
means improvement compared to a previous period. This explains once again the need to
regularly monitor both the output and the input.
In the allocation of resources, we first and foremost look for economy or input efficiency.
For an effective implementation of activities, it is also necessary to consider process
control and professional project management. In addition, to obtain a real picture of the
expenditures per objective and of the cost structure, introducing analytical accounts is
essential.
Due to these continuous improvements, it will become easier to efficiently correlate costs
with the pre-established objective and/or the actual achievements.
C. Identify activities
It is impossible to achieve effective and efficient activities unless these activities, as well as
the objective to be achieved, were correctly described. During the annual adjustment of
the management plan, it is recommended to study the potential impact on the processes
and, in particular, on their objectives, descriptions and indicators. This does not mean that
the flowcharts and the flow process diagrams should all be rewritten each time. Generally,
it is enough to study the process sheet and update it if necessary.
Steps:
1. Allocate the resources as exhaustively as possible. If the management aims to
monitor the performance targets quarterly, the resources should also be
allocated and monitored at the same intervals.
2. Use each progress report to further improve the organisational model. For each
loop in the management cycle, proper monitoring and reporting of activities and
services will systematically improve the resources allocated at the output level.
Eventually, this will enable the calculation of production costs.
The tool Diabolo (Fig. 7), developed by Management Support, functions as a process sheet
linking the information on the processes to the organisational goals. In addition, it is used
to describe the process proper and constitutes the risk control basis.7
Advantages of the tool Diabolo
Diabolo is an in-house developed tool, simple, intuitive and perfectly adapted to non-
specialists who do not own specialized software. It requires very limited training in
order to learn how to use it, it brings clarity and transparency.
This pragmatic approach provides a description of activities dictated by the staff’s role.
Focus is placed, for each individual staff member, on their own role within the
organisation, which leads to a more dynamic and active course of discussions on the
process and its underlying risks. Risk identification is considered from each individual’s
“own” point of view, which meets the principle that internal control is everyone’s
business.
Diabolo provides a very quick overview of:
- each individual’s role within the organisation;
- their activities;
- the necessary inputs;
- the outputs to be provided;
- the objectives;
- its place within the organisation.
Due to its clarity, it is easy to translate the Diabolo into workflow with the help of more
technical computer tools such as Visio; it can also be transposed into an application of
the database type, which may be extended to the risks, indicators, etc.
It can be considered an object-oriented tool. This means that the various processes are
described in small separate modules, which are inter-connected. Therefore, it is easy
to provide a description based on workflow by restructuring Diabolo (e.g. if the focus
changes and the goal becomes a BPR8, if a high level view or a more limited number of
processes is preferred).
The figure below provides a “description” of the tool Diabolo. This part is used to
represent the processes in a more intuitive way and to fit them into the organisation. It is
designed so as to allow the staff to describe a process quickly and without specialised
knowledge, without resorting to external experts.
7 See below
8 Business process re-engineering: process reform
Figure 7: Diabolo
The principle of transparency and clarity in formulation must be applied both to processes and to their
inherent risks. A process sheet begins with a clear designation of the process. It is advisable to use a
noun and a verb, such as, for instance, “assign a permit” or “calculate a pension”.
The reference box in the top-right corner is used to codify the process. This code can be implemented,
for example, at DG level, where all procedures of the DG1 would be assigned a single number sequence:
e.g. the process “assign a permit” would receive the referencing code DG1.01.
Diabolo is made up of three main blocks:
1) General information on the process (Why is it necessary?);
2) The progress of the process (How is the objective achieved?);
3) The resources (What is needed to carry out this process?)
1. General information (Why is the process necessary?)
This section includes the objective of the process also linked to the objectives in the management plan
or the governmental agreement. It also includes an overview of the stakeholders, the regulation and the
previously occurred incidents.
In the “P” box the objective of the process is indicated. Its formulation, as in the case of any valid
objective, must comply with the SMART principle. Sometimes, listing the various criteria the output has
to comply with and examining the expectations of the various stakeholders may turn out helpful. In
order to establish the link with the management plan, space is provided to indicate the reference of the
underlying strategic and operational objectives in boxes “S” and “O”.
By mentioning the stakeholders, the process is clearly registered within its context, which facilitates the
correct formulation of the objective and the identification of the incidents or risks.
The “regulation” box covers especially the norms, the royal decrees, the ministerial decrees, circulars,
regulations, internal rules, etc. affecting the policy, the organisation and the process.
Incidents refer to past events. They are manifestations of risks compromising the achievement of
objectives. This allows, from the very stage of description, to already raise a series of thorny issues.
Listing the incidents will facilitate the identification of risks and will contribute to better determining the
detail level of the activities involved in the process. In fact, if a large number of incidents were identified
for a specific activity in the process, it may be desirable to describe this activity in more detail in a
second Diabolo. Thus, by adapting the process reference, it is possible to establish serial Diabolos (see
below).
2. The progress of the process (How should the objective be achieved?)
The box “Start” refers to the element that triggers the process (i.e., the trigger). This is usually an
application, a task, an e-mail, etc. It is important that the beginning should be traceable. Except for
specific management processes, an oral request does not constitute a sufficiently reliable trigger for an
injection of resources.
The box “End” contains the element that marks the end of the process. Most often, it indicates what
happens with the final product or output.
To describe the activities sequence of a process, it may be useful to start from its final output. Then, we
examine what activities are required to produce this output. It is also recommended to organize these
activities in blocks according to the intermediate outputs to be provided. Thus it will be easier to identify
the risks and to define the measuring indicators in order to ensure a better monitoring of the activities.
For each activity, who is in charge of this task can be specified in the field “Actor”.
Each block of activities or sub-process is completed, including its intermediate inputs. In this case, the
input should be considered as basic data without which the activity cannot be executed. In other words,
it is blocking data. Just like the outputs, an input should always be a physical product, tangible and hence
measurable: an application form, an order, a permit, a registered opinion, a validated decision, a
signature, etc. Again, this is important for the identification of risks, because, when the input is of poor
quality or is not received on time, the output of the respective activity will suffer the possible negative
consequences.
Example: The creation of an application file is an intermediate output to issuing a permit.
The issuance and signature of the permit itself represent the final product, but the
procedure comes to an end when the permit is actually sent to the client.
It is better to limit the number of activities per Diabolo, in order to preserve the clarity of the process
description and of the risks table associated with it. If more than 10 activities are included, this is too
much detail for a single document. However, the Diabolo can be developed in cascade, which means
that a complex block of activities can be divided, in more detail, into one or several Diabolos. By
incorporating references into the Diabolos, a direct connection is established between the descriptions,
as well as their hierarchy. The example below shows the electronic version of Diabolo and presents a
series of activities in the process SDBB 5.1.
Figure 8a: Example Diabolo
Activity no. 1, namely “prepare budget negotiations,” requires more information and is consequently
divided into several activities. To do this, a separate Diabolo, referenced SDBB 5.1.1 and entitled
“prepare budget negotiations” is created; this is called a vertical cascade (see Figure 8b). The reference
clearly indicates that this process gives an overview of the first activity of process SDBB 5.1.
Figure 8b: Example of vertical cascade Diabolo
On the right hand side, there is room for output references, which refer to a possible horizontal
sequence. These references indicate, for a block of activities, for what other process – read Diabolo –
the intermediary output is the input. In the example above, the output of Activity 3, the “discussion
notes” serves as input to the process SDBB 7 (see Figure 8c).
Figure 8c: Example of horizontal cascade Diabolo
The same principle applies to the references input on the far left. In this example, the process SDBB 7
resorted, as an input for its first activity, to discussion notes produced in activity 3 of the process SDBB
5.1.1.
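The vertical and horizontal cascade references described above, together with the Step 1 principle that every process must be linked to at least one objective, lend themselves to an automated consistency check over a process registry. The following Python is an added example and not a tool from the guide or from Management Support. It assumes a reference format in which a vertical cascade sheet is named <parent reference>.<activity number> (as in SDBB 5.1 and SDBB 5.1.1); the process codes SDBB 5.1, SDBB 5.1.1 and SDBB 7 and the "discussion notes" link come from the guide's figures, while the objectives, actors, triggers and other activity details filled in around them are constructed for illustration.

```python
"""Added example, not code from the guide: a minimal model of Diabolo process sheets
with consistency checks for the vertical and horizontal cascade references.

Assumed reference format for a vertical cascade: "<parent ref>.<activity number>".
Process codes SDBB 5.1 / 5.1.1 / 7 and the "discussion notes" link follow the guide's
figures; objectives, actors, triggers and other details are constructed."""
from dataclasses import dataclass, field
from typing import Optional

MAX_ACTIVITIES = 10  # the guide's rule of thumb: more than ten activities per sheet is too much


@dataclass
class Activity:
    number: int
    name: str
    actor: str
    inputs: list                      # tangible, measurable inputs (forms, notes, decisions ...)
    output: str
    input_ref: Optional[str] = None   # horizontal cascade: sheet whose output is this input
    output_ref: Optional[str] = None  # horizontal cascade: sheet that consumes this output
    detail_ref: Optional[str] = None  # vertical cascade: sheet detailing this activity


@dataclass
class Diabolo:
    ref: str
    name: str
    objective_refs: list   # boxes "S" and "O": strategic / operational objective references
    start: str             # trigger; must be traceable (an oral request is not)
    end: str
    activities: list = field(default_factory=list)


def check_registry(sheets: dict) -> list:
    """Return findings for a registry keyed by sheet reference; [] means it is consistent."""
    findings = []
    for ref, sheet in sheets.items():
        if not sheet.objective_refs:
            findings.append(f"{ref}: no link to any objective")
        if sheet.start.lower().startswith("oral"):  # crude heuristic, for illustration only
            findings.append(f"{ref}: trigger '{sheet.start}' is not traceable")
        if len(sheet.activities) > MAX_ACTIVITIES:
            findings.append(f"{ref}: {len(sheet.activities)} activities, split into a cascade")
        for act in sheet.activities:
            tag = f"{ref} activity {act.number}"
            if not act.inputs:
                findings.append(f"{tag}: no tangible input recorded")
            if act.detail_ref is not None:
                expected = f"{ref}.{act.number}"
                if act.detail_ref != expected:
                    findings.append(f"{tag}: vertical reference {act.detail_ref}, expected {expected}")
                elif act.detail_ref not in sheets:
                    findings.append(f"{tag}: detail sheet {act.detail_ref} does not exist")
            if act.output_ref is not None:
                consumer = sheets.get(act.output_ref)
                if consumer is None or not any(a.input_ref == ref for a in consumer.activities):
                    findings.append(f"{tag}: output reference {act.output_ref} has no matching input reference")
            if act.input_ref is not None:
                producer = sheets.get(act.input_ref)
                if producer is None or not any(a.output_ref == ref for a in producer.activities):
                    findings.append(f"{tag}: input reference {act.input_ref} has no matching output reference")
    return findings


def build_example_registry() -> dict:
    """Three sheets reproducing the vertical (5.1 -> 5.1.1) and horizontal (5.1.1 -> 7) cascades."""
    parent = Diabolo("SDBB 5.1", "prepare the budget", ["O.1"], "budget circular received",
                     "budget proposal sent", [
        Activity(1, "prepare budget negotiations", "budget officer", ["budget circular"],
                 "negotiation file", detail_ref="SDBB 5.1.1"),
        Activity(2, "hold budget negotiations", "management", ["negotiation file"], "agreed figures"),
    ])
    detail = Diabolo("SDBB 5.1.1", "prepare budget negotiations", ["O.1"], "budget circular received",
                     "negotiation file assembled", [
        Activity(1, "collect service requests", "budget officer", ["request forms"], "request overview"),
        Activity(2, "consolidate requests", "budget officer", ["request overview"], "draft tables"),
        Activity(3, "draft discussion notes", "budget officer", ["draft tables"], "discussion notes",
                 output_ref="SDBB 7"),
    ])
    consumer = Diabolo("SDBB 7", "monitor budget execution", ["O.2"], "discussion notes received",
                       "execution report sent", [
        Activity(1, "set monitoring baseline", "controller", ["discussion notes"], "baseline",
                 input_ref="SDBB 5.1.1"),
    ])
    return {s.ref: s for s in (parent, detail, consumer)}


def build_broken_registry() -> dict:
    """Same registry with the horizontal link broken on the consumer side and an oral trigger."""
    sheets = build_example_registry()
    sheets["SDBB 7"].activities[0].input_ref = None   # the output reference of 5.1.1 now dangles
    sheets["SDBB 7"].start = "oral request from the director"
    return sheets


if __name__ == "__main__":
    for finding in check_registry(build_broken_registry()):
        print(finding)
```

Running the module prints the two findings for the deliberately broken registry: a dangling output reference from SDBB 5.1.1 activity 3 and an untraceable trigger on SDBB 7. The same checks can be run over a Diabolo export held in a database, the extension the text mentions for the electronic version.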
3. Resources (What is needed to run the process?)
The box “staff” offers the possibility to specify any distribution of roles for the various activities. If
desired, we could also indicate the specific skills required to perform a given activity. The other boxes
are more general. What information is required in this process? Is any specific equipment required? Do
we have any idea of the resources needed for this process, or is there any alternative form of financing?
In which sites or places are the activities performed?
We can illustrate the difference between information and input by the following example: a series of
data is required (name, address ...) to grant a permit to a client. This is the information that, in some
cases, is already in the file and, in other cases, has yet to be filled in. It is, however, possible that the
process, or a partial activity within it, cannot be launched if the activity requires a formal request in the
shape of a form. This request results from the necessary inputs.
Not all the fields in the resources block should be necessarily filled in; in fact, the tool is an aid, not an
end in itself. Diabolo contains only the information considered necessary by the user.
Misunderstandings concerning the process description
Diabolo is not a static document but a dynamic tool that can be modified whenever needed. This implies
that the current process descriptions are not definitive and can be changed at any time. The reasons are
numerous: for example, it is possible to discover, during the risk identification stage, that a given
process requires a more detailed description of the activities, because the same activity may include a
wide variety of risks. In this case, an additional Diabolo is made. New regulations may lead to the need
to create a new process or to completely revise an existing one. Activities that were not identified
during the first description can then be added, etc.
A good practice is to annually review the processes described by the services concerned and, if
necessary, to correct them. Generally, this can be done during the planning phase of the management
cycle or even during the analysis phase (Check) when specific problems originate in the activities of the
process.
The number of process descriptions of an organisation is not important. Of course, the goal is not to see
problems where there are none. This is why large organisations often focus on the core processes. The
process description is used to detect possible risks that may hinder the organisation from achieving its
objectives or calls them into question.
Methodology used to identify and describe the activities
Steps:
1. First, the project must be clearly identified by the contact persons in the different
services. These individuals must be provided a concise report on the notion of “internal
control” in order to have a solid basis for their role within the project.
2. Then, the contact persons must draw up the list of their outputs and (core) processes.
Wherever possible, the main stages of the various processes should be specified.
3. On this basis, bilateral discussions take place between the person drawing up the
inventory of the processes and the contact person of each service. Diabolo can be filled
in directly on computer.
4. The Diabolo files are presented to the validation service.
Phase PLAN - Step 2: Indicators and standards
In this step, the monitoring parameters of the four generic goals of the COSO / INTOSAI framework as
regards internal control are determined: outcome (effectiveness, efficiency, economy), compliance,
resource protection and accountability.
The output-oriented parameters are:
PARAMETER | STANDARDS (target) | INDICATORS (KPI)
Activities | What do we want to produce? | (Technical) activity, output
Resources | What do we want to engage in this production? | Input
Objectives | What is the desired effect of this production? | Effect (=outcome)
The other parameters (compliance, protection of resources and accountability) are more difficult to
define because they are not solely determined by the indicators and, therefore, they require a reference
framework.
Achieving the compliance objective thus depends both on technical requirements and on cultural
values, since the observance of a code of ethics cannot be simply reflected by the indicators.
To achieve resource protection, it is necessary to add up the control measures, the limitations, the
requirements and the behaviour. To estimate the achievement of this generic objective, the
organisation must use technical indicators measuring, among others, the efficient functioning of certain
control measures limiting the risks and the periodic use of the available funds, as well as assessments
and reports providing, for instance, insight into how knowledge is managed.
Finally, accountability is a generic objective including the interest and the accuracy of reporting. It
implies that the executive is responsible for obtaining good results and for reporting them correctly, so
that it can confidently delegate its managerial responsibility. This aims at empowering the executive of
the administration. In this case, gathering information is crucial because information contributes to a
better management of the organisation.
In the design phase, that is, during the development of an internal control system, the existing indicators
can be used at the beginning. During the next loop in the management cycle, attention is paid, in each of
the various phases, to operation-related aspects that have not been adequately measured or monitored
in order to estimate the services correctly and extensively.
Phase PLAN - Step 2 in practice: indicators and standards
Input indicators
The following questions can help to define the indicators.
Legend: Input indicators
What resources do you intend to use in order to produce the desired output?
What do you need in order to produce the desired output?
How do you intend to measure the output?
The answer to the first question determines the resources released. This information is gathered from
the budget, the personnel chart, the management plan, etc.
The second question concerns the intermediate inputs, the intermediate products necessary to carry
out the activities. These are provided by the process. For the final product to fulfil all expectations, it has
to be produced efficiently and flawlessly. For production to take place correctly, the inputs required
have to meet certain criteria, although this may involve consuming time and resources. The third
question facilitates the identification of the indicators. To better control the suggested standards, it is
necessary to formulate indicators that reflect the quality, the integrity, the compliance with the time
limits, the reliability, the accuracy and the conformity of the input.
Output indicators
Legend: Output indicators
What output has to be produced?
What kind of criteria does it have to fulfil in order to achieve the objective?
How do you intend to measure the output?
To completely control the process, at least one indicator has to be linked to each of the performance
criteria. The standard assigned to the indicator constitutes the minimum value it should reach in order
to achieve the objective.
Not only do the indicators and the standards used allow for detailed monitoring but, in addition, they
also constitute an important source of information for identifying risks, since the latter can be defined as
a failure to reach the standard.
Example: An operational objective was formulated, rather vaguely, as follows: “Ensure a
comfortable room temperature”. To measure whether the goal was reached, an output
indicator is defined, with a standard 20°C. Historical data shows that this temperature is
reached in buildings for average energy needs of 45kWh. Hence this is the standard for the
input indicator. Higher consumption leads to a risk at the level of efficiency, while lower
consumption involves the risk of not achieving the target.
In the example above, operational risk can be consequently defined as the failure to
achieve a comfortable room temperature, normalized at 20°C, while registering at the
same time a consumption of 45kWh.
Outcome Indicators
Legend: Indicators of effect
What is the intended effect of the service or product?
How do you intend to measure the effect?
The outcome indicators measure in fact customer satisfaction with the output. They focus on the
success of the policy led.
In addition, they can serve as a control measure on the proper functioning of the other indicators.
Indeed, meeting the standard of the output indicator does not necessarily mean that the customer is
satisfied. Due to new conditions, the customer may express new requirements concerning the provision
of a specific service, which would show up as a negative effect indicator. Alternatively, the output
indicator may not have been measured properly.
Again, it is important that the objectives and the final products be formulated according to the SMART
method: this allows for a better definition, quantification and monitoring of the indicators, which in turn
makes it possible to better estimate and control the accomplishment of the objectives.
The development of a measurement system is always similar, regardless of the type of indicator
considered.
Example: To state that the room temperature is in fact 20°C, it is not enough to look at the
thermometer. Although it may show 20°C, an indicator of effect such as questioning the
staff may prove that it is in fact cold, which means that the objective “ensure a
comfortable room temperature” was not reached. This could be explained, for instance, by
the fact that the thermometer is positioned right above a heat source, while the cold air
enters through openings, allowing draughts. An analysis of this problem should be able to
establish its cause.
Nevertheless, a similar problem could go unnoticed because a thermostat ensures a
sufficient temperature. In this case, however, consumption should be abnormally high;
hence, the usefulness of an input indicator which, in this example, would show that
consumption exceeds by far the standard of 45kWh.
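The two examples above describe a cross-check between output, input and outcome indicators that can be run mechanically on each period's report. The following Python is an added example, not part of the guide: it keeps the guide's standards of 20 °C (output indicator) and 45 kWh (input indicator), and assumes a constructed outcome indicator (share of staff reporting the room as comfortable, with a constructed standard of 0.8), a constructed 10 % tolerance on consumption, and constructed quarterly readings that reproduce the two failure modes described in the text.

```python
"""Added example, not the guide's own code: evaluating reporting periods against the
standards of an input, an output and an outcome indicator, using the guide's
room-temperature example (output standard 20 degrees C, input standard 45 kWh).

The outcome indicator (share of staff who report the room as comfortable), its
standard of 0.8, the 10 % tolerance on consumption and all readings are constructed."""

OUTPUT_STANDARD_C = 20.0     # output indicator: minimum temperature that reaches the objective
INPUT_STANDARD_KWH = 45.0    # input indicator: energy historically needed for that output
OUTCOME_STANDARD = 0.8       # constructed outcome standard: share of satisfied staff
INPUT_TOLERANCE = 0.10       # constructed: up to 10 % above the input standard is still acceptable


def assess_period(temperature_c: float, energy_kwh: float, comfort_share: float) -> list:
    """Return risk codes for one period; an empty list means every standard is met consistently."""
    risks = []
    output_ok = temperature_c >= OUTPUT_STANDARD_C
    outcome_ok = comfort_share >= OUTCOME_STANDARD

    # Output indicator: failure to reach the standard is the operational risk itself.
    if not output_ok:
        risks.append("OUTPUT_BELOW_STANDARD")

    # Input indicator: more than the standard wastes resources (efficiency risk);
    # less than the standard points to a risk of not achieving the target.
    if energy_kwh > INPUT_STANDARD_KWH * (1 + INPUT_TOLERANCE):
        risks.append("EFFICIENCY_RISK")
    elif energy_kwh < INPUT_STANDARD_KWH:
        risks.append("INPUT_BELOW_STANDARD")

    # Outcome indicator as a control on the other two: the thermometer reads 20 degrees
    # but staff are cold, so the output measurement itself is suspect (e.g. sensor placement).
    if output_ok and not outcome_ok:
        risks.append("OUTCOME_CONTRADICTS_OUTPUT")
    return risks


def assess_report(readings: list) -> dict:
    """Map each period label to its risk codes, leaving out periods with no findings."""
    result = {}
    for r in readings:
        codes = assess_period(r["temperature_c"], r["energy_kwh"], r["comfort_share"])
        if codes:
            result[r["period"]] = codes
    return result


# Constructed readings for four quarters.
SAMPLE_READINGS = [
    {"period": "Q1", "temperature_c": 20.4, "energy_kwh": 45.0, "comfort_share": 0.86},  # all standards met
    {"period": "Q2", "temperature_c": 20.1, "energy_kwh": 46.0, "comfort_share": 0.41},  # thermometer above a heat source
    {"period": "Q3", "temperature_c": 20.0, "energy_kwh": 63.0, "comfort_share": 0.84},  # thermostat masks a draught
    {"period": "Q4", "temperature_c": 17.5, "energy_kwh": 31.0, "comfort_share": 0.30},  # heating under-supplied
]

if __name__ == "__main__":
    for period, codes in assess_report(SAMPLE_READINGS).items():
        print(period, ", ".join(codes))
```

Q2 reproduces the first example above (output standard met, outcome indicator negative, so the measurement is questioned), Q3 the second (output and outcome fine, but the input indicator exposes the draught through excess consumption), and Q4 shows an output miss explained by an input below standard.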
Phase PLAN – Step 3: ex ante evaluations
The ex ante evaluation is a relatively simple instrument to further efficiency and effectiveness.
The new offers or the corrected offers, the indicators and the measures can be tested and improved in
various ways before becoming fully integrated with the operations.
This is an aspect of good management which saves time and valuable resources. Possible instruments
include: SWOT analysis, What if analysis, test situations and pilot projects.
What is a SWOT analysis?
It is a method of strategic analysis used to evaluate, on the one hand, the strengths and weaknesses,
and, on the other hand, the opportunities and threats for an organisation, project, process or
measurement. A thorough analysis allows the identification of the internal and external factors likely to
affect the main objective. Applying a SWOT analysis to objectives that were not formulated according to
the SMART method is not very relevant.
Letter | Description | Translation (French) | Type | Meaning
S | Strength | Force | Internal | Feature constituting an advantage over others.
W | Weakness | Faiblesse | Internal | Feature constituting a disadvantage compared to others.
O | Opportunity | Opportunité | External | Opportunity to improve performance or development.
T | Threat | Menace | External | Risk of reduced performance or nuisance to the current operation.
Steps:
1. Determine the output indicators that are connected with the objective considered.
The indicators determine the extent to which the process output meets the criteria
formulated in the objective. If, for instance, the target described is: “provide the
customer a quality calculation within 3 days from the request,” it is necessary to
establish measurable criteria for the quality, as well as an indicator reflecting the
processing time.
2. Determine the indicators of effect. These indicate the extent to which a final product
meets the initial requirements, which can be measured, for instance, through
evaluation forms or satisfaction surveys.
3. Identify indicators for the intermediate outputs. It is crucial to provide a final product
that meets the customers' expectations.
4. Identify the indicators for the intermediate inputs. They give an overview of the
operations' efficiency.
What is a What if analysis?
This is a structured analysis method based on brainstorming, which is equivalent to free association. It
consists in asking a set of pertinent questions of the type “What would we do if ...?” Just as in the case of
the SWOT analysis, we first consider the main objective in order to identify all the factors that may
influence it. Since the focus is placed here more on the solution, this method allows addressing more
quickly and in more detail the elements that are likely to fail. Therefore, it is strongly indicated in
identifying the control measures.
Phase PLAN - Step 3 in practice: ex ante evaluations
When setting the objectives, the indicators, the standards and the control measures, it is often
worthwhile to review their operation, content, acceptance, impact, etc. before actually integrating them
with the operations.
Legend: Ex ante evaluation
Is the current formulation SMART enough?
What are the results of a SWOT analysis?
What are the results of a What If analysis?
Is a pilot project worth implementing?
Steps:
1. Consider the need for an ex ante evaluation. This will depend on the impact or scope
of the subject of the evaluation.
2. Conduct the assessment on the basis of the above questions.
3. Correct if necessary.
The implementation phase (DO)
PHASE / STEP | ACTORS
Do 4 - activities | Management, central collaborators
Do 5 - measurement and monitoring | Management, central collaborators
Do 6 - recording incidents | Central staff
The three steps of this phase overlap: the services are continuously measured and monitored during the
execution of the activities. Thus, if an incident occurs, it can be immediately recorded.
Phase DO - Step 4: activities
Besides producing a product or service, a process or a project is designed to contribute to fulfilling the
stakeholders’ needs. By properly describing and executing the activities, there is less undesirable
variation of the result and an established quality level is thus guaranteed.
The execution phase includes the normal working activities, or the chronological execution of the
processes and the completion of projects. The manner in which activities are performed during this
phase is critical to the quality of the output and the amount of input. In other words: the execution
determines the operations' compliance, economy, efficiency and effectiveness.
To obtain a good result, a first condition is naturally to strictly follow the procedures and requirements
during the execution of activities. To this purpose, clear guidelines and the support of the direct
superiors and other management staff are necessary.
Phase DO - Step 4 in practice: activities
In some cases, the generic objectives of internal control should be pursued through the introduction of
mandatory work procedures for specific activities. In other cases, the organisation or cultural factors are
likely to interfere. The generic objectives are considered at a level surpassing the individual activities,
that is, in the various areas of control environment described within the COSO reference framework.
The management of change is a simple technique used to apply transversal changes within an
organisation.
Phase DO - Step 5: measurement and monitoring
The measurement itself must be accurate. There can be no question of reworking the measurements so
that the result presented appears better than it actually is. This would be contrary to all the generic
objectives of internal control, which is why good monitoring is needed.
During the ex-post control, the external control bodies will carefully study the measuring method.
Therefore, the organisation must pay sufficient attention to the compliance with the requirements and
instructions related to the various elements of the measuring system.
Organisations whose services are decentralized or externalized should pay particular attention to this
aspect.
Phase DO - Step 5 in practice: measurement and monitoring
The method of measurement and its frequency were already discussed and established during the
planning phase.
Legend: Measurement and monitoring
Were the activities carried out according to the requirements?
Did major incidents occur?
Is the collection of measurements being carried out as expected?
In this stage we gather the basic information to be examined in the analysis phase. Monitoring devolves
primarily upon the management staff and, in particular, upon direct executives, as their permanent
control of the appropriate execution of the activities and achievement of the objectives aimed at by the
outputs facilitates good monitoring and strengthens risk management. The superior also plays a
prominent role, as he/she has to ensure that the measuring system is adequately used.
Phase DO - Step 6: recording incidents
A centralized system of incident management is not essential, but it can significantly contribute to
identifying the risks and estimating realistic standards for performance and other indicators.
The organisation itself determines the need for recording incidents, as well as the procedures for
recording and handling them. The same applies to the activities covered, the data recorded and the
actors involved in this process.
The end goal of incident management is to provide performance data and to track issues in order to
thoroughly prepare the performance and risk analyses. Incident management provides opportunities in
terms of both internal control and management control.
In addition, keeping a systematic record of incidents makes it possible to consult a history of the
solutions applied to each problem. This type of information is invaluable for building up knowledge of
the functioning of the organisation and its processes, and it allows responsibilities for problems to be
assessed more thoroughly. For efficiency's sake, it also prevents a series of less suitable solutions from
being proposed and tested again.
The organisation must not forget, nevertheless, that any system of incident management has to be
coherent. In fact, the record is only a means to control the information, not an end in itself.
Phase DO - Step 6 in practice: recording incidents
The diagram below provides a possible starting point.
Figure 9: Recording incidents
Example of recorded data:
- once the problem is identified: description, numbering, type, date, who, where, ...
- once the problem is assessed: severity, impact, emergency, ...
- once the proposed solution is approved: description, numbering, type, approval date, who, date of the next evaluation, ...
- once the proposed solution is evaluated: results, efficiency, possibly the date of the next evaluation, ...
- in case of rejection of a solution: causes for the initial solution failure, deadline for a new solution, ...
- once the problem is solved: date, who, grounds (rejected, solved), ...
Repeated incidents indicate a structural problem and may, therefore, be treated as risks within the
system of internal control. The centralized management of incidents can provide information about the
impact and frequency of the problem. These data are not only relevant in the context of risk analysis,
but they can also significantly contribute to the definition of targeted control measures. Additionally,
this valuable information can be used to determine performance indicators, as well as their related
standards.
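As an added example (not part of the guide or of the Diabolo tool), the following Python snippet shows how a centralized incident record holding the fields listed above can be queried to find repeated incidents, which the guide treats as candidate risks, and to derive the frequency and worst observed severity that the risk analysis needs. The record layout, the 4-point severity scale, the activity references and the sample incidents are constructed for illustration.

```python
"""Added example: querying a centralized incident record for repeated incidents.

Field names follow the guide's list of recorded data. The 4-point severity
scale, the activity references (process.activity) and the sample incidents
are assumptions of this example, not data from the guide.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Incident:
    number: str          # unique incident reference ("numbering")
    incident_type: str   # category chosen by the organisation ("type")
    occurred: date       # "date"
    where: str           # process/activity reference ("where"), assumed format P<n>.A<n>
    severity: int        # 1 (limited) .. 4 (serious); assumed 4-point scale
    resolved: bool       # True once the problem is solved


@dataclass(frozen=True)
class RepeatedIncident:
    incident_type: str
    where: str
    count: int           # how often it occurred in the period: feeds probability
    max_severity: int    # worst observed severity: feeds impact
    open_count: int      # occurrences still unresolved


# Constructed sample data for one reporting period (fictitious).
SAMPLE_INCIDENTS = [
    Incident("INC-001", "necessary input received after deadline", date(2015, 1, 12), "P1.A3", 2, True),
    Incident("INC-002", "ICT technical problem", date(2015, 1, 20), "P1.A5", 3, True),
    Incident("INC-003", "necessary input received after deadline", date(2015, 2, 3), "P1.A3", 3, True),
    Incident("INC-004", "staff negligence", date(2015, 2, 14), "P1.A5", 4, False),
    Incident("INC-005", "necessary input received after deadline", date(2015, 3, 1), "P1.A3", 2, False),
    Incident("INC-006", "ICT technical problem", date(2015, 3, 9), "P1.A5", 3, True),
]


def find_repeated_incidents(incidents, min_count=2):
    """Group incidents by (type, activity) and return those that recur.

    A group with at least `min_count` occurrences is a structural problem
    candidate. Results are sorted most frequent first, then most severe.
    """
    groups = defaultdict(list)
    for inc in incidents:
        groups[(inc.incident_type, inc.where)].append(inc)

    result = []
    for (itype, where), items in groups.items():
        if len(items) < min_count:
            continue
        result.append(RepeatedIncident(
            incident_type=itype,
            where=where,
            count=len(items),
            max_severity=max(i.severity for i in items),
            open_count=sum(1 for i in items if not i.resolved),
        ))
    result.sort(key=lambda r: (-r.count, -r.max_severity))
    return result


def frequency_per_period(incidents, periods):
    """Average occurrences per reporting period for each (type, activity).

    `periods` is the number of reporting periods the record covers; the value
    is a raw frequency that the assessor maps onto the probability scale.
    """
    counts = defaultdict(int)
    for inc in incidents:
        counts[(inc.incident_type, inc.where)] += 1
    return {key: count / periods for key, count in counts.items()}


if __name__ == "__main__":
    for r in find_repeated_incidents(SAMPLE_INCIDENTS):
        print(f"{r.incident_type} @ {r.where}: {r.count} occurrences, "
              f"max severity {r.max_severity}, {r.open_count} still open")
```

Grouping by both incident type and activity keeps the result usable in the risk matrix, where each risk is tied to an activity; the same incident type recurring across several activities would instead point to a cause of a more general nature, to be treated at the level of the control environment.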
Verification phase (CHECK)
PHASE / STEP: ACTORS
CHECK 7 - performance analysis: Management, central collaborators
CHECK 8 - identification of risks: Central staff
CHECK 9 - risks analysis: Management, central collaborators
Phase CHECK - Step 7: performance analysis
In developing the system of internal control (planning phase), an organisation must consider whether
the existing management plan, as well as the balanced scorecard (BSC) related thereto contain sufficient
SMART elements to provide an accurate picture of the services provided.
This phase of the project also serves to document the main analysis factors: process descriptions,
preliminary identification of risks. This is how the basic material is assembled and will serve as a basis for
carrying out an initial cyclic analysis of the results and their related risks.
During the periodic analysis of results, the partially achieved objectives are carefully examined. This is
part of management control and it is one of the common tasks of the executive management.
The manager concerned has to analyse, together with his/her colleagues, the reasons underlying the
(poorer) services.
Phase CHECK - Step 7 in practice: performance analysis
Legend: Results analysis
What are the results obtained in the assessed period?
To what extent were the objectives achieved?
What is the relation between these results and the previous ones?
Steps:
1. Collect all the information on the results obtained. In order to obtain a realistic and
measurable picture of the results, good planning and correctly formulated
performance indicators are necessary. If the picture is too blurred, it poses a risk to the
executive management, which will be forced to make decisions based on an unclear
situation. In this case, it is recommended to improve the measurement system in the
adjustment (ACT) phase.
2. Connect the achievements to the objectives: this is the core of management control.
A mature organisation in terms of internal control and management control will
succeed in explaining the results in detail. If the outcome remains below the
expectations, this is because of interfering events that hindered its achievement.
These events are manifestations of risks and should be clarified.
3. With a view to efficiency, it is also advisable to compare the results with those
obtained in the previous period. An analysis of the reasons for a better
performance of the organisation provides highly useful information for the
management and contributes to the strategic development of the organisation. If the
performance turns out to be inferior to the previous one, the study of its causes will
show what went wrong and help identify appropriate solutions. To measure
efficiency in the most appropriate manner, it is necessary to follow the unit cost of
production from period to period.
Phase CHECK - Step 8: identification of risks
The first step in risk management is to identify the elements affecting the achievement of the
objectives. Indeed, if a predetermined outcome is not achieved, this indicates possible problems. These
problems are manifestations of risks, which must be pointed out and documented.
However, it is not enough to identify the risks, since a risk can have different causes.
New risks may arise when circumstances change. The factors or causes leading to the emergence of a
risk may also change. This is why it is important to periodically review the risk cycle. Moreover, the risk
cycle should be integrated in the management cycle, since the analysis of the results will lead directly to
the identification of risks and, if necessary, to their (re)evaluation.
This way, the internal control system is built in a systematic manner, without requiring too great a staff
investment. Gradually, a database builds up and can be used to incorporate certain controls or
measures preventively.
A management gap is not always the result of an operational incident. Potential structural causes could
also be found: lack of SMART objectives, insufficiently developed standards, incomplete measurement
system, failure to follow procedures, etc. In such cases, it would be better to focus on improving the
formulation of objectives and/or standards, relevant KPI, staff accountability, training, etc.
In other words, the causes of poorer results not arising directly from a unique operational incident
originate in what is called the control environment. In particular, when an incident has undesirable legal
or budget consequences, it is worth examining the need for a preliminary specific measure for the
process concerned. In other cases, it is often more efficient to take one or several general measures
applied to the entire organisation.9
Phase CHECK - Step 8 in practice: identification of risks
The Management Support Methodology made use of the role-based process description, called
Diabolo,10 which also included intermediate outputs, that is, the intermediate product of each activity
considered separately. At this stage, the tables provide an even more detailed overview of the
performance standards in order to facilitate the identification of risks. Risks associated to an activity
derive directly from the formulation of the objective and the intermediate and final outputs of a
process; this justifies the importance of objectives, SMART standards and a clear process sheet.
The starting phase of the internal control system is used to collect the basic material. Starting from
activities, the risks are identified based on past incidents. In the next loop of the management cycle –
depending on the periodicity specified in the planning phase – new risks are identified starting from
problems encountered during the period considered. From this perspective, an incidents recording
system11 may constitute a valuable aid.
9 See The core of the Management Support methodology: improve the control environment
10 See phase PLAN - Step 1 in practice.
Legend: Identification of differences
Why did we do better or worse?
What opportunities did we take advantage of?
What problems hindered the achievement of objectives?
What are the causes of the risk?
Are they related to the process/task or of a more general nature?
11 See phase DO - step 6 in practice.
Steps:
1. Investigate the nature of the problem. In case of a results-oriented analysis, it is
advisable to first establish the level where the problem is situated: the objective itself,
the measuring system or the activities. After the first phases of analysis and action
have passed, a reformulation of the objectives or an adjustment of the measurement
system may be performed during the next planning phase, as appropriate.
2. Identify the activity-related risks that may hinder the achievement of the process
objective. If, for instance, the aim is rather vaguely described, as follows: “issue a
properly established permit in a timely manner”, it is necessary to establish SMART
standards in order to render the objective measurable. The PLAN phase is the right
moment. Various criteria have to stipulate what a “properly established” permit
means, while other criteria should refer to the time limits mentioned. These criteria
are in fact indicators. If they are not frequently changed, they can be included in the
formulation of the objective. In a more dynamic environment, it is better to keep them
as indicators. In all cases, the risks are identified in relation to the non-compliance
with the criteria set. For example: risk R1 is “exceeded time limit”.
3. Identify the risks associated with the final and intermediate inputs and outputs of a
process. Generally, the final output of a process must meet specific quality criteria.
Intermediate inputs and outputs must also meet all sorts of criteria in order to
produce, in an efficient manner, a high quality final output. The criteria used to
formulate the risks are in fact associated with them: the risk is actually the failure to
achieve the predetermined criteria. Systematic improvements in formulating the risks
allow strengthening the internal control system since it leads to the accomplishment
of measurable objectives.
4. Determine the causes underlying the problem. This is important because avoiding a
risk often requires a different approach based on its cause.
Strategic risks can be identified by means of a SWOT or Diabolo analysis. This could be carried out using
a risk identification model (MIR) of the SPF Mobilité (FPS Mobility). The strategic risks identified can be
assessed by following the same methodology as the one applied to operational risks.
Phase CHECK - Step 9: risk analysis
To manage a risk, it is necessary to first address the causes behind it. If the cause is one of the risk factors
already dealt with, then the existing measures should be corrected or extended. In the case of a new
problem, it is necessary to try and identify a method to overcome it.
The most appropriate techniques to find a solution are work meetings, consultations and interviews. For
each cause a degree of risk is finally determined. It combines, on the one hand, the impact or the
severity of a problem and, on the other hand, the probability or chance of that problem occurring. The
degree of risk allows estimating and classifying risks and establishing priorities. It is not mandatory to
determine priorities based on the degree of risk; nevertheless, this possibility is offered in cases where,
due to time constraints, the management decides to limit the thorough analysis to high degree risks.
During the project phase, or during the launch of the internal control system, the service must define
the most probable causes of the identified risks, to be initially entered into the internal control system.
Thus, a list of possible causes is drawn and will actually serve as a reference framework of the
management cycle; the analysis of the results will refer back to this list.
Phase CHECK - Step 9 in practice: risk analysis
For instance: for the risk “exceeded time limit”, there are several possible causes likely to
lead to non-compliance: “lack of staff”, “ICT technical problems”, “necessary input received
after deadline”, “necessary input not meeting the requirements”, “staff negligence”, etc.
Legend: Analysis of causes
Why did the measures taken fail?
Is this an isolated case or does it show a new tendency?
How serious is this and how often is it likely to happen?
How can we create new opportunities?
The conventional risk analysis method consists in determining the degree of risk.
The most common calculation method is: Degree of Risk = Impact x Probability
Over time, the incidents recording12 can provide a useful database to quantify the impact and
probability of a risk.
In the absence of numerical data, we can, nevertheless, make use of a qualitative scale. In this case, it is
advisable to consider an even number of options to choose from. Since there is no median value, the
user or the assessor is compelled to take an affirmative or negative stance in relation to a risk.
Example of qualitative values:
SCALE   IMPACT    PROBABILITY
1       Limited   Unlikely
2       Low       Slightly possible
3       High      Likely
4       Serious   Very likely
A qualitative analysis gives better results when performed by several people. Diabolo offers the
possibility to carry it out in a group or individually.
In the case of an individual-based approach, significant assessment differences are immediately visible
and leave the manager the possibility to decide what issues will be approached in round table
discussions in order to reach an agreement.
The group-based approach to risk assessment has an important advantage: it immediately eliminates
any differences in interpretation.
12 See phase DO - step 6 in practice.
Indeed, in the case of an individual-based approach, the subsequent elimination of differences, made
jointly, may give some of the participants an impression of being placed under questioning. Moreover,
during the individual stage, attention may be less focused since a common decision will be taken
anyway.
A second, much more important reason to choose the group-based approach is related to the control
environment of the COSO reference framework. Indeed, the group-based approach leaves room for
communication, the members having the opportunity to express their view and to open up to other
opinions and ways of communicating. This stimulates the involvement and commitment within the
organisation, educating the collaborators to further the development of the internal control system. In
addition, group discussion can lead to improved risk identification.
Risk assessment is not an exact science but heavily relies on the cultural values of the organisation and
the sensitivity of its management executives.
Steps:
1. Choose an individual or collective approach. There is no empirical rule governing this
choice. Generally, the availability of the concerned staff constitutes the decisive
factor. If an individual approach is chosen, it is important to review the different
assessments and discuss, as a group, any possible major differences. Thus, work
meetings, consultations and interviews are the most appropriate techniques to this
purpose.
2. Study the underlying causes of each risk. In the case of a risk identified in the previous
cycle, it is necessary to investigate why the measures introduced in the past did not
work, or why they were not implemented. The reasons identified could be considered
additional causes of the risk and, therefore, addressed in the same way.
3. Determine the degree of risk depending on each of the causes by estimating both its
impact and its probability.
Figure 10: Example of a risks matrix correlated with the activities described in a Diabolo13
Here, the risk reference consists of a simple ascending number preceded by the process reference and the activity number.
Although the losses caused by fire are the same, namely the loss of archive material, the risk is estimated differently depending on the underlying
cause:
Risks R6, R9 and R10 are considered high because they are associated with unacceptable behaviour that does not correspond to the
culture of the organisation.
R10 shows a certain ignorance of the guidelines in place and therefore constitutes the highest risk for the objective and the activity
considered. It will most likely receive priority treatment.
Risk R7 is deemed serious because the fire also affects other parts of the organisation.
The highest probability assigned to R8 is linked to the doubts raised about the safety of the old electrical wiring.
13 This is a simple and fictitious example. The goal is to show the different components of the risk matrix and not to judge its content.
The adjustment phase (ACT)
PHASE / STEP: ACTORS
Act 10 – analysis of measures: Management, central collaborators
Act 11 – validation of measures: Management
Act 12 – application of measures: Management, central collaborators
Phase ACT - Step 10: analysis of measures
Once the risk level is determined, a series of measures can be defined taking into account the
(more or less powerful) desire to act on the risk impact or probability and, in particular, on its
causes. Actions against the risk are established depending on the risk nature, as well as on the
opportunities and priorities of the management.
Detection measures are alarms based on indicators and/ or other forms of reporting. Their role
is to detect undesirable events. Corrective measures mitigate the impact or the undesirable
effects of a risk. As far as preventive measures are concerned, they reduce the probability or
the chances for a risk to occur.
The analysis of the measures involves several aspects. First, the organisation has to ensure that
the measure is appropriate and is properly functioning. Then, its potential effects on the rest of
the organisation must be analysed. A measure can indeed deliver good results as regards a
specific problem and still have, at the same time, a negative impact on other areas, thus
creating new risks or reinforcing existing ones.
Phase ACT - Step 10 in practice: analysis of measures
Legend: Analysis of measures
How can we avoid a repetition or reduce an impact?
How can we identify a similar problem at an early stage?
Is the cost of the measure proportionate to the seriousness of the problem?
Can we estimate the effectiveness of an ex ante measure?
What conditions does a measure have to fulfil in order to be effective?
Requirements: current processes, risk matrices, control matrices, reports.
Measures can take many forms, depending on the nature and extent of the underlying
problems or needs.
Examples:
- Adapt an objective if it no longer meets the requirements.
- Correct an indicator or its standard if they were not well defined.
- Adapt a goal or indicator if another level of performance is required by changed
circumstances.
- Correct a process if the nature or the sequence of activities is not optimal.
- Implement or revise past agreements between various services in order to improve
the mutual provision of services, the quality of the input/output or the flow of
information.
- Retrain some of the staff in order to increase the productivity or the quality of the
services provided.
- Draw up work instructions to reduce the number of processing errors.
- Insert checkpoints to prevent errors or fraud.
- Organize training sessions or seminars to raise the staff's awareness or to improve their
skills.
- Update a tool or an application in order to improve ergonomics.
- Expand the monitoring system if the results cannot be measured with sufficient
accuracy.
When a risk is not related to a specific process and concerns the entire organisation or a
substantial part thereof, the risk should be treated at global level. In this case, the problem is
assessed by a working group outside the process and is correlated to one or several
dimensions of the internal control environment. Then, the measures to be taken are included
in improvement actions or projects.
During the next management cycle, the analysis of the results and risks serves to assess
the success or failure of the improvement measures and projects implemented.
Generally, the analysis of the measures immediately follows the risk assessment. Both
activities are carried out by the same people since both cases require practical knowledge of
the activities. However, in some cases, at specific times or in very large organisations, this
principle is not respected. Indeed, the concept of vulnerability allows a gap between the risk
analysis and the analysis of measures, which makes it possible to test the measures in practice
and to thoroughly assess them only after a certain time, for instance at the end of the next
loop in the management cycle. After several cycles or when the existence and functioning of
the measure is widely recognized, it can be removed from the vulnerability analysis and fully
integrated into the risk analysis. This means that the original measure is identified as a possible
cause of a risk that is likely to materialise in case the measure is not applied or if it is not
applied correctly. Thus, the vulnerability analysis can be applied to estimate the potential need
for additional measures.
Steps:
1. The management expresses its preference concerning the way the risk is to be addressed.
For efficiency reasons, it is sometimes desirable to determine, even before the
definition of possible actions, the best way to address a risk and its underlying causes.
The nature of the risk, as well as the management’s strategic priorities, determines
whether the impact or the risk probability will be addressed.
2. Develop new measures or improve existing ones in order to reduce the impact of a
risk.
3. Develop new measures or improve existing ones in order to reduce a risk probability.
4. Identify indicators to monitor the functioning of a measure.
5. Estimate the effects and consequences of a measure. An ex ante evaluation may
prove useful in this regard.
6. Determine the vulnerability of the organisation to the risk factor considered, taking
into account the analysis of the measures.
Figure 11: Same example of risk matrix including risk control measures:
Given that the majority of organisations do not have numerical data available, a qualitative approach is required. It examines to what extent the
activity is vulnerable to a given risk, taking into account the measures adopted. To this end, we used a qualitative scale ranging from 1 (very low
vulnerability) to 4 (high vulnerability). The exposure (level of risk x vulnerability) determines whether the risk and its cause should be treated as a
priority. The final decision rests with the management staff.
Risks R6, R7 and R9 seem well covered and obtain the lowest vulnerability factor. Since the exposure is identical to the degree of risk, the risk
obtains a low priority.
For risk R8 there is already a solution of questionable effectiveness. Therefore, the activity is assigned an average exposure.
Risk R10 is a recent addition, based for instance on a previous analysis or audit finding that an existing measure (see R6 and R9) was not
always properly followed. The high degree of risk and the resulting vulnerability lead to a very high priority.
Due to their initially low degree, risks R11 and R12 are assigned average priority. The management has to decide whether the risk is acceptable
or not.
Although assigned an average degree, risk R13 reveals a manifest uncertainty regarding the effectiveness of the measure. The underlying level of
vulnerability turns R13 into another priority risk.
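As an added example (not part of the guide or of Diabolo), the following Python snippet implements the scoring described in Step 9 and in Figure 11: Degree of Risk = Impact x Probability and Exposure = Degree of Risk x Vulnerability, each factor on an even-numbered 4-point scale so that the assessor cannot settle on a median value, with the causes then ranked by exposure. The risk references, the scores and the priority bands are constructed for illustration and are not the values of Figures 10 and 11; the bands in particular are an assumption, since the guide leaves the final priority decision to management.

```python
"""Added example: a small risk register applying the guide's scoring.

Degree of Risk = Impact x Probability   (Step 9)
Exposure       = Degree x Vulnerability (Step 10, Figure 11)

Scale labels follow the guide for impact and probability; the labels for
vulnerability 2 and 3, the priority bands, the risk references and the sample
scores are assumptions of this example.
"""
from dataclasses import dataclass

# Even-numbered scales (no median value), as recommended in Step 9.
IMPACT_SCALE = {1: "Limited", 2: "Low", 3: "High", 4: "Serious"}
PROBABILITY_SCALE = {1: "Unlikely", 2: "Slightly possible", 3: "Likely", 4: "Very likely"}
VULNERABILITY_SCALE = {1: "Very low", 2: "Low", 3: "Average", 4: "High"}  # 2 and 3 assumed

# Upper bounds (exclusive) of the priority bands on exposure (1..64).
# Assumed thresholds: management sets the real ones.
PRIORITY_BANDS = ((12, "low"), (24, "average"), (36, "high"))


def _check(value, scale, name):
    """Reject any score outside the agreed scale (e.g. 0, 2.5 or 5)."""
    if value not in scale:
        raise ValueError(f"{name} must be one of {sorted(scale)}, got {value!r}")
    return value


@dataclass(frozen=True)
class RiskCause:
    """One line of the risk matrix: a risk, one of its causes, and the scores."""
    ref: str            # process reference, activity number, running risk number
    risk: str
    cause: str
    impact: int
    probability: int
    vulnerability: int  # how exposed the activity remains given the measures in place

    def __post_init__(self):
        _check(self.impact, IMPACT_SCALE, "impact")
        _check(self.probability, PROBABILITY_SCALE, "probability")
        _check(self.vulnerability, VULNERABILITY_SCALE, "vulnerability")

    def degree(self):
        """Degree of Risk = Impact x Probability (1..16)."""
        return self.impact * self.probability

    def exposure(self):
        """Exposure = Degree of Risk x Vulnerability (1..64)."""
        return self.degree() * self.vulnerability


def priority(exposure):
    """Map an exposure value onto the assumed priority bands."""
    for upper, label in PRIORITY_BANDS:
        if exposure < upper:
            return label
    return "very high"


def rank(register):
    """Highest exposure first; ties broken by degree, then by reference."""
    return sorted(register, key=lambda r: (-r.exposure(), -r.degree(), r.ref))


# Constructed register: one risk (loss of the archive by fire) with several
# causes, scored differently per cause as the guide describes. Fictitious values.
SAMPLE_REGISTER = [
    RiskCause("P1.A2.R6", "loss of archive by fire", "smoking in the archive room", 3, 3, 1),
    RiskCause("P1.A2.R7", "loss of archive by fire", "fire spreading from adjacent offices", 4, 2, 1),
    RiskCause("P1.A2.R8", "loss of archive by fire", "old electrical wiring", 2, 4, 2),
    RiskCause("P1.A2.R10", "loss of archive by fire", "fire-safety guidelines unknown to staff", 3, 4, 4),
    RiskCause("P1.A2.R11", "loss of archive by fire", "flammable cleaning products stored on site", 2, 2, 3),
    RiskCause("P1.A2.R13", "loss of archive by fire", "extinguishers not inspected", 2, 3, 4),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        print(f"{r.ref:10} degree={r.degree():2} exposure={r.exposure():2} "
              f"priority={priority(r.exposure())}  cause: {r.cause}")
```

Note how a cause with a modest degree of risk (R13, degree 6) still outranks one with a higher degree but a working measure (R6, degree 9) once vulnerability is taken into account: this is the point of keeping the vulnerability analysis separate from the risk analysis until the measure has proven itself.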
Phase ACT - Step 11: validation of measures
In practice, the success of a measure largely depends on the manner in which it is effectively
monitored.
This is why validation is one of the most important steps in the application of measures. It
reflects the management's position when faced with undesirable situations and translates their
willingness to act in order to remedy the situation.
Phase ACT - Step 11 in practice: validation of measures
Legend: Validation of measures
Do we want to act on the impact or on the probability?
What is the most efficient measure suggested?
Which of the suggested measures is the easiest to implement?
Does the measure enjoy enough support?
Which of the suggested measures is likely to have the fastest effect?
Phase ACT - Step 12: application of measures
Some measures simply consist in small improvements and instructions, while others may
involve significant changes in the activities.
Any change always causes concern to some of the staff. In this case, the principles of “change
management” may provide some relief.
Steps:
1. Choose the measures to be applied. The manager concerned is the one to make this
decision based on the risk exposure and priority assigned to it. Generally, this choice
partly depends on the resources required by the various measures, as well as on
strategic considerations.
2. Validate measures. Validation is a strong signal and it has an impact on the control
environment, because the management clearly highlights the risks they deem
undesirable, thus raising the staff's awareness and keeping them alert.
What is “change management”?
It is a technique that increases the success rate of a change project. The main obstacles
when introducing changes in an organisation are the co-workers themselves, their habits, personal
problems and the time available. This can be explained by the fact that any structural change
creates some uncertainty regarding its impact on the position and responsibilities of an
individual. Change is appreciated only when every form of uncertainty is eliminated.
Therefore, the first step in managing change is a good analysis of the problem. In the
framework of internal control, this usually occurs during the identification and analysis of risks.
When significant changes are made, it is advisable to conduct an analysis of the stakeholders.
This analysis is designed to point out the possible effects of the proposed change on the
expectations of each party or group of stakeholders concerned. The analysis of the problem
indicates the need for change, while the stakeholder analysis helps to suggest globally
acceptable solutions. This balance is the core of change management. It also requires a clear
view and support from the management, as well as a good communication policy
offering a wide range of channels.
Phase ACT - Step 12 in practice: application of measures
Legend: Application of measures
What else is necessary to ensure that the measure is functioning properly?
Are all the stakeholders aware of the new measure?
Does the measure enjoy enough support?
Steps:
1. Introduce possible adjustments to meet the requirements. An ex ante evaluation of
the measure can provide the necessary information in this regard.
2. Take care of communication. Draw the attention of all co-workers on the new
measures and their corresponding criteria. Ensure that everyone adheres to any new
techniques and procedures. Make use of the principles of change management to
mitigate possible reluctance.
3. Provide guidance, monitoring and feedback at the beginning, so that the new measure
receives sufficient attention during the execution phase.
Reporting: the beginning of a new cycle
Like all other aspects of an internal control system, reporting must be built according to the
requirements.
Diabolo is the most appropriate tool for the management of operational risks among the
management staff and, in particular, the heads of service. It is they who are responsible for the
smooth running of the operations. Therefore, they are also responsible for updating the
information in the Diabolo files.
Diabolo files are crucial for the interpretation of results. The head of service uses the
information regarding the activities, the risks, the control measures and the incidents in order
to conduct the evaluation of a given period. This information, together with the data provided
by the measuring system, forms the basis of reporting to the higher hierarchical level.
This hierarchical level has its own objectives as well and should, therefore, regularly assess the
results obtained. This implies a follow-up of the results and the risk control measures at its
own level. Depending on its specific preferences and needs, this level can settle for a
simplified Diabolo or choose to perform a SWOT analysis (see phase PLAN - step 3) for the
identification of risks. The strategic risks identified can then be assessed by following the
same methodology as the one applied to operational risks.
This reporting cascade is repeated at every level of the organisation, from the head of service
who manages detailed Diabolos to the highest executive manager. This approach is, to a large
extent, self-regulating:
- Maximum use is made of the information from the lower levels;
- Additional information may be required depending on the situation; this eventually
leads to a periodic adjustment of the reporting;
- A need for information that is not provided by the lower level leads to the
development of a reporting system at the respective level. This is based on the
concept that "The whole is more than the sum of its parts";
- The reporting need of a certain level and the information required by the higher level
together determine the need for detailed information and risk monitoring;
- After a certain amount of reporting, the organisation will evolve by itself to the most
suitable reporting mode.
The following diagram describes the reporting structure
Figure 12: Reporting diagram
The diagram shows the reporting needs for level “X”. These requirements contain three
elements:
1) An overview and evaluation of level ‘X’
2) The contribution of the lower level (X-1) to the objectives of Level X
3) The contribution of level X to the higher level objectives (X +1)
The first element refers to the specific needs of level X. These needs are met by management
control and internal control. This information includes the results achieved in relation to their
assessment, the control of activities, risk management and the measuring system that provides
the necessary data. It includes everything that the executive needs for the management of
his/her own level X.
The second element relates to the lower level. Indeed, level X is hierarchically responsible for
the lower level X-1. The latter therefore contributes to the achievement of the objectives of
level X. The level X-1 is responsible for assessing and demonstrating this contribution. The
procedure is defined based on the reporting requirements of the higher level (see the curved
arrow in the diagram), in consultation with the two levels. The most suitable time for this is
the planning phase, when the relationship between the objectives, activities and necessary
means is established. The performance criteria and their corresponding indicators are
determined in the same way (see phase PLAN - step 1: objectives, means and activities).
These first two aspects of the information needs corresponding to level X give a complete
image of the achievement of the agreed objectives. This image materialises in a management
report, the structure of which was previously set out by the management. Possible topics
include: an explanation of the results achieved, the development of the most important
performance criteria, the evolution of the most important risks, new initiatives at managerial
level, etc.
The report provides an added value on several levels:
1) When used exclusively for internal reporting purposes, it contributes to the periodic
evaluation of activities in which successive periods can be compared to reflect changes
over time.
2) In addition, the management report can simply be used to evaluate the results of the
service concerned by the Executive Committee.
3) Periodic management reports can be a source of information for the preparation of
the annual report on the internal control system, most commonly referred to as
“Article 7 report”.
The third element demonstrates the contribution of level X to the objectives of the higher level
X +1. The structures and systems that have been previously used to assess the results obtained
at level X could also be used to estimate the effect of the X level services on the objectives of
the higher level.
This approach ensures the consistency of the objectives and, therefore, of the management of
the organisation. Indeed, the lowest levels eventually serve for the concrete implementation
of the objectives.
Example (see phase PLAN - step 2 in practice):
Consider the reporting structure for the process designed to guarantee an ambient
temperature of 20 °C. The established indicator of effect, namely staff interviews, can be
used to assess the effect of the heating process on the operational objective "Ensure a
comfortable room temperature". Other projects (e.g. "Insulate the building") and
sub-processes (e.g. "Open and close windows") may also contribute to reaching this
operational objective. The person in charge of this operational objective certainly has other
operational objectives to fulfil. Each of these objectives will contribute to the goal of the
higher level, e.g. "Improving the staff's well-being". The official in charge has to evaluate
the effect of each of these objectives on that higher goal.
Conclusion
The biggest challenge in developing an internal control system lies in the creation of a
balanced structure and in the cohesion of its various components. One should not get caught
from the outset in the definition of all processes, activities, risks, measures and indicators. A
structured approach that treats the key processes first is recommended, because the goal is
to create a system, not to draw up various lists containing a plethora of items.
In fact, an internal control system is shaped mainly by ensuring that the various components
interlock with one another. This interlocking results in a chain that starts from the
objectives. Services are provided with a view to achieving these objectives. They result from a
series of activities requiring the input of different resources. To ensure proper functioning, the
management has to develop a balanced measuring system, based on three pillars. First, the
services or outputs to be produced must be formulated specifically so as to allow for an
assessment of their quality and the observance of time limits by means of measurable criteria.
Second, it is important that activities be well monitored, as a valid execution is critical to the
timely delivery of the desired outputs. Finally, it is crucial to accurately estimate the
effectiveness and efficiency of the inputs required. They ensure, in fact, the smoothest
progress possible of the activities to be performed. Most risks are related to these three
pillars. They constitute potential risks, likely to have an impact on the quality and timeliness of
the outputs and inputs. In addition, they can create problems during the execution of the
activities proper.
Risk control is the main element of an internal control system: it is designed to increase the
chances of obtaining a good result. It can be concluded that internal control is everyone's
business. In its pragmatic approach, Management Support translates this view concretely: each
participant is responsible for the correct execution and the proper monitoring of his/her own
processes. To this purpose, Management Support developed the tool Diabolo, which allows for
describing the process individually. It serves as an informative process sheet and establishes
links with the rest of the organisation. In addition, risk management is fully integrated into
Diabolo, from risk identification and assessment to the assessment of the effective functioning
of the control measures implemented.
After the design phase, the management should focus on the maintenance, correction and,
finally, development of the internal control system, until it practically covers the entire
organisation. Some degree of uncertainty is related especially to timing: what to do and when?
Management Support adopted an approach integrating completely the risk cycle and, by
extension, the maintenance of the internal control system in the four phases of the
management cycle (Plan - Do - Check - Act, cf. Deming), corresponding to twelve steps.
Management control plays an important role because it provides input for updating the
system of internal control. Indeed, the periodic assessment of performance required by
management control indicates the results that fail to meet the expectations. The reasons for
this are contained in the information provided in the Diabolo (on existing risks) and in the
register of incidents (on any new causes of the problems). The loop is closed when the
information from the internal control system is used to improve management control. This
leads to constantly improved monitoring of results and, therefore, to systematic support for
the management of the organisation.
Finally, it should be recalled that internal control is not an exact science, but an art. This means
that the suggested methodology should not be considered the only valid approach. There are
undoubtedly other approaches, angles or applications that can also provide the official in
charge with reasonable assurance regarding the achievement of the objectives. The director is
in charge of choosing an approach, because he/she is the one finally responsible for the
development, implementation, monitoring and proper functioning of the internal control
system.
Glossary
Action plan: a document proposing means and methods to achieve the agreed targets. The document mentions the possible consequences of the actions taken and the revisions thereof.
Audit field: allows defining the scope of the audit. The object, duration and nature of the audit are three components of the audit field.
Audit risk: the risk, in the field of the certification of an organisation's accounts, that the auditor expresses an inappropriate opinion. This occurs, for example, when an auditor certifies the accounts although they are not reliable.
Audit universe: the set of entities to be audited. Ideally, this corresponds to the entire organisation.
Audit: methodical, objective and independent activity that allows the auditor to express an opinion on the proper functioning of the internal control. The opinion may cover the level of control of the financial operations, the activities, or even the degree of compliance. There are several types of audit.
Collusion: secret agreement or conspiracy between several people to harm a third party. The third party may be a person or an organisation.
Compliance audit: type of audit designed to verify whether the organisation complies with the applicable norms, regulations and procedures.
Conformity: one of the objectives of the internal control system. In the private sector, the English word “compliance” is often used instead of conformity. Conformity means respecting the norms and regulations in force, the procedures, etc.
Control activities: internal control component based on the COSO model. It represents the set of policies and procedures established to control risks and to contribute to reaching the goals of the organisation.
Control environment: internal control component based on the COSO model. This component provides the foundations of the internal control system. It consists of the culture, the values shared within the organisation. More specifically, it comprises the management style, the philosophy, the ethical values, the integrity and the ethics of the staff composing the control environment.
Corporate governance: set of rules and principles that determine the mode of operation of an organisation in order to best ensure the achievement of the objectives, risk management, the transparency and the satisfaction of the various stakeholders.
Corruption: Unethical use of power for personal or private ends. Corruption concerns all individuals enjoying decision-making powers. It consists of an individual doing or failing to do something, by means of his/her position, in exchange of money, gifts, advantages, etc.
COSO: in 1992, The Committee of Sponsoring Organisations of the Treadway Commission published a report aimed at providing organisations with a reference framework for establishing and assessing a system of internal control. This framework is called COSO and it is shaped as a cube or pyramid.
Critical success factor: essential element or condition to be considered in achieving a goal. However, managing this factor does not guarantee reaching the objectives.
Degree of risk: the result of multiplying the probability of a risk by its impact.
Delegation: transfer of power or authority to an individual. Within an organisation, it is usually the transfer of decision-making power to lower levels of the hierarchy. Delegation does not necessarily discharge the delegating party of responsibility. For proper delegation management, it is advisable to keep a register of delegations and to update it regularly.
Effectiveness: relation between the result obtained and the objective established. If the goal is reached, the action is accomplished and is effective. This parameter does not take into account other elements such as cost, effort, time, etc.
Efficiency: notion qualifying an action's effectiveness. It represents the relationship between the resources used and the results obtained. Elements such as cost, effort, time and other resources are taken into account in determining whether an action is efficient. For a given result, the action that consumed the fewest resources is considered the most efficient.
Entity: organisation, institution, corporation, company or other unit or centre created for a specific need, irrespective of its size and its public or private status.
Ethics: a set of rules that allow acting in a particular situation and making a behavioural choice regarding self-respect or respecting the others. In other words, it comprises the moral rules that define the behaviour deemed as good or bad.
External audit: objective and independent control exerted by a body external to the entity. This control is intended, on the one hand, to provide reasonable assurance concerning the legality and regularity of the financial transactions, and that the financial statements present a rather faithful image of the state of the organisation; on the other hand, it is intended to establish the corresponding reports.
Financial audit: type of audit designed to verify the accuracy, consistency, compliance and the ability to reflect an accurate image of an organisation’s assets. This control concerns the quality, the transparency of the information contained in the financial statements, as well as the assessment principles applied.
Fraud: definition by the IIA: “any illegal act characterized by deceit, concealment or violation of trust, in the absence of violence or threat of violence. Fraud is perpetrated by individuals or organisations in order to obtain money, goods or services, or a personal or commercial advantage”; it includes corruption.
Frequency: corresponds to the number of times an event occurs over a predetermined period of time.
IIA: Institute of Internal Auditors. This is the professional association of internal auditors.
Independence: freedom to act outside any external interference, pressure or coercion. This feature is assigned to an audit function.
Inherent risk: the risk attached to an activity or objective before any control measures are taken into account, i.e. the level of risk to which the organisation is exposed if nothing is done. If the risk is not identified or not addressed by control measures, it could hinder the organisation from achieving its objectives.
Inspection: often mistaken for audit. Inspection services conduct compliance investigations. They are special departments in charge of strengthening the internal control, but they are not independent, because they work for the management and depend on it.
Integrity: the quality of a person who is honest and irreproachable and who cannot be corrupted. Such a person is motivated by the desire to act well and to be of good character.
Internal audit: internal audit is a function assessing objectively and independently the effectiveness, efficiency and adequacy of the internal control system of an organisation. This is part of the monitoring component of the internal control system (COSO). The role of internal auditors is to provide the management, which is uniquely and solely responsible for the proper functioning of the internal control system, with the reasonable assurance that the structures, methodologies and control activities are actual, relevant, effective and efficient. The internal auditors may also carry out advisory tasks in order to add value and improve the functioning of the organisation. However, they cannot perform operational tasks. The internal audit thus helps the organisation achieve its objectives through a systematic, disciplined approach in evaluating and improving risk management, the control measures and the management methods.
Internal control: definition provided by the INTOSAI: "Internal control is an integrated process implemented by the managers and staff of an organisation, designed to address the risks and to provide reasonable assurance regarding the achievement, within the scope of the organisation, of the following general objectives: execute the ordered, ethical, economical, efficient and effective operations, compliance with reporting requirements, compliance with the norms and regulations in force and resources protection against loss, misuse and damage".
INTOSAI: art. 1 of the INTOSAI Statutes: “The International Organisation of Supreme Audit Institutions (INTOSAI) is an autonomous, independent and non-political organisation established as a permanent institution in order to foster the exchange of ideas and experiences among the Supreme Audit Institutions on government auditing. Its headquarters are in Vienna, Austria.”
IPPF: International Professional Practices Framework. It represents the internationally recognized guidelines for practising the internal audit profession. These were developed by the IIA.
Loss: damage, harm or any other negative consequences. The loss can be financial or otherwise.
Mission: at the organisational (macro) level, the mission is the raison d'être of an organisation, its guidelines and future directions. In other words, what the organisation does and the direction in which it develops. On a personal or functional level, it is a responsibility or a task assigned to an individual or a function.
Monitoring: internal control component based on the COSO model; a continuous process of evaluating the performance of the internal control system.
Objective: the result an organisation wants to obtain. This definition refers to the purpose, not the means to accomplish it. The latter dimension appears in the action and procedures plan.
Objectivity: impartial intellectual attitude that allows independence of mind and judgement. It allows a description of an object or situation without value judgement from the observer. Objectivity is, together with the independence, essential to the exercise of the audit profession.
Operational audit: type of audit designed to verify the effectiveness, efficiency and the economy of the internal control procedures implemented. This audit consists of an evaluation of the organisation’s operation and performance.
Operational objective: the translation of a strategic objective into an activity. It enables the implementation of the strategic plan.
Organisation: see “Entity”
PIFC: Public Internal Financial Control. It is a public governance model developed by the European Commission, initially for the candidate countries that joined the EU in 2004.
Probability: the likelihood that an event occurs over a given period; it is assessed separately from the event's impact.
Professional ethics: synonym of ethics. It is a set of standards, norms of conduct, values and principles that govern the profession. A code of ethics facilitates the development of a state of mind.
Reasonable assurance: limit of internal control related to the fact that zero risk does not exist (e.g. unforeseeable event; force majeure; inadvertent error, etc. ...). The internal control system never provides absolute assurance. In other words, reasonable assurance corresponds to a satisfactory level of confidence in relation to the management of the organisation (considerations on effectiveness, efficiency, economy, compliance and assets protection).
Residual risk: the risk that remains after the control measures have been implemented. Control measures reduce the inherent risk attached to an objective but rarely eliminate it, and they may also give rise to new risks of a different nature for the same objective; what remains in both cases is the residual risk, which must be compared with the organisation's risk appetite.
Risk acceptance: the response to a risk consisting in accepting the consequences and the possibility of the risk occurring. This approach is chosen, for example, when the risk has no serious consequences or when the possible solutions are too costly.
Risk appetite: the level of risk an organisation is willing to accept. Any strategy will expose the organisation to various risks. Therefore, it is necessary to determine the risk appetite and check its appropriateness to the strategy adopted. In practice, the risk appetite depends on the management's sensitivity and response to uncertainty.
Risk analysis: first of all, it is necessary to identify the risks and their causes and, subsequently, to estimate their probability of occurrence and their impact on the results. Risk analysis is based on the available information.
Risk aversion: reluctant attitude of an individual or organisation to risk.
Risk avoidance: attitude towards risk that presupposes not being involved in a risky situation.
Risk reduction: the response to risk, consisting in reducing the risk through the implementation of prevention, detection and correction measures. The measures may aim to reduce risk probability, its consequences, or both.
Risk transfer: attitude to risk consisting in transferring it to a third party (e.g. insurance premium, joint venture, etc.).
Risk: the risk is a random event that can have a negative impact on the results of the organisation. When the event has a positive impact, it is more of an opportunity.
Sampling: method used by the auditor; it consists of the selection, according to a statistical approach or not, of a number of test items. The test results will support the findings of the audit.
Separation of functions (also called segregation of duties): a control measure that an organisation puts in place to reduce the risk of fraud and error. In some processes such as, for instance, accounting or budgetary and financial processes, it is strongly recommended, even mandatory, to assign the decision-making, recording, authorisation and audit functions to different people, so that no single person can both commit and conceal an error or a fraud.
SMART (objective): SMART means Specific, Measurable, Ambitious, Realistic and Time-bound. If these five characteristics are applied, they can determine whether a goal was correctly set.
Stakeholder: every actor, individual or collective, internal or external, who is affected by the operation and performance of an organisation. A stakeholder is affected by the decisions made within an organisation.
Strategic objective: overall objective that supports and contributes to the fulfilment of the mission and vision of an organisation. The strategic objective reflects the choice of the management concerning the best means to create value for its stakeholders.
SWOT (analysis): SWOT is the acronym for Strengths, Weaknesses, Opportunities and Threats. It refers to an analytical tool that helps the management identify and assess the strengths and weaknesses of the organisation, as well as the opportunities and threats within it. The management body often conducts a SWOT analysis when carrying out a strategic planning (drafting the management plan or the management contract) or during specific diagnosis activities within the organisation.
Tone at the top: one of the elements of the control environment. The “tone at the top” is synonymous with the example the management should set so as to have a positive effect on staff behaviour.