mig programme – control and risk self-assessment … · control and risk self-assessment control...

MIG PROGRAMME – CONTROL AND RISK SELF-ASSESSMENT WORKBOOK FOR

MUNICIPALITIES

WORKBOOK INDEX

A. Control and risk self assessment presentation B. Introduction to control and risk self assessment C. Control and risk self assessment template D. Audit procedures

MIG PROGRAMME – CONTROL AND RISK SELF-ASSESSMENT PRESENTATION TO

MUNICIPALITIES

PRESENTED BY THE MIG MACRO CONSORTIUM

Presentation Outline

Principles of the Municipal Infrastructure Grant (MIG)Objectives of MIGMIG governance challenges?What is self-assessment?Why perform a self-assessment?Who performs a self-assessment?How is self- assessment accomplished?What is done with the self-assessment results?Key questions?

Principles Of MIG Programme

Is a conditional grant in terms of DoRA:

n Focus on infrastructure required for a basic level of servicen Targeting the poorn Maximising economic benefitsn Equity in the allocation and use of fundsn Decentralisation of spending authority within national standardsn Efficient use of fundsn Reinforcing local, provincial and national objectivesn Predictability and transparencyn Geared to achievement of objectives in one or more separate but

overlapping categories1

Objectives Of MIG Programme

Is a conditional grant in terms of DoRA:

n Fully subsidise the capital costs of providing basic services to the poor households

n Distribute funding for municipal infrastructure in an equitable,transparent and efficient manner

n Assist in enhancing the development capacity of municipalities, through supporting multi-year planning and budgeting

n Provide a mechanism for the co-ordinated pursuit of national policy objectives with regard to basic municipal infrastructure programmes

n The devolution of responsibility to the lowest level

2

CRSA is a process through which internal control effectiveness is examined and assessed. The objective is to provide reasonable assurance that all business objectives will be met

CRSA is a process that generates information on internal control that is useful to management and internal auditors in judging the quality of business processes and controls

3

What Is Self-Assessment?

Why Perform A Self-Assessment?

The CRSA process allows management of the PMU and the municipality directly responsible for the MIG Programme to:

n Participate in the identification and assessment of risks

n Evaluate risks

n Develop action plans to address identified weaknesses

n Asses the likelihood of achieving MIG objectives

n Measure, monitor and report on financial input and outcomes

4

Who Performs A Self-Assessment?

The CRSA process can be performed by two groups of people:

n Line management

n Internal audit

The real benefit is derived when management and staff take ownership of the system of internal controls and uses CRSA as a proactive risk management tool that makes a difference and adds value to the business environment and control environment

5

How Is Self-Assessment Accomplished?

CRSA Approaches:n Facilitated team meetingsn The questionnaire approachn Management-produced analysis

CRSA Process: n Control-basedn Process-basedn Risk-basedn Objectives-based

We have made use of a combination model of the first three basedmodels

6

Process- Based Approach

7

MegaMega

MajorMajor MajorMajor

Sub

Activity

SubSub

ObjectivesObjectives

Controls

Controls

Controls

Risks

Risks

Risks

8

Risk - Based Approach

CRSA Template Risk and Control

9

CONTROL AND RISK SELF-ASSESSMENT TEMPLATE – MIG PROGRAM

Inherent Risk Residual Risk Mega / Major Process and Risks As Lik Imp

Leading Practice Control Actual Controls In Place AD NI IA

Action / Comments

STRATEGIC Stakeholder Management / Communication

ST1 - No or inadequate communication and or working relationship between the municipality and critical external stakeholders (i.e. Sector Departments, Eskom, Provinces, dplg, etc.)

20 4 5 1. A formal communication strategy and plan is in place where the critical stakeholders have been identified

2. A review of the effectiveness of the communication process is undertaken on a regular basis

3. Regular interfacing with the MIG Unit, Sector Departments, provinces and dplg

4. MIG Orientation workshops 5. Sector participation on PMITT

X

X

X

Action: Responsible Person: Due Date:

ST2 – The relationship and communication between the PMU function and the other divisions/units within the municipality is ineffective

5 5 1 1. A formal communication strategy and plan is in place and has been rolled out

2. Regular meetings between the PMU function and other critical divisions/units

3. Formal minutes of meetings maintained and circulated to all attendees in a timeous manner


Internal Audit Software

10

Inherent and Residual Risk

11

Inherent risk before assessment of controls

Residual risk after assessment of controls

Objectives Process Controls

Inherent and Residual RiskRisk

Residual RiskInherent Risk

What Is Done With The Self-Assessment Results

n Used by municipal management to improve controls, risk management and expected outcomes

n Used by internal audit to report on control adequacy and improvescope of audit work

n Used by Audit Committee to determine control status

n Gives MIG Unit reasonable assurance and comfort

12

What Are The Benefits Of Self-Assessment

n Attention is focused on key processes, risks and controlsn It encourages the idea that improvements to processes and control

should be continuous, empowering staff to remove inefficient or ineffective practices

n It assists all employees at all levels to assume responsibility and accountability for managing risks and effective control

n Corrective action may be more effective as staff own control andrisk improvements

n Improves management’s ability to comment on the overall effectiveness and state of internal control and risk management

n Identifies important issues fastern Provides a proactive tool to asses the control environment

13

No problem can be solvedfrom the same consciousness

which created it

Albert Einstein

14

Questions and Answers

It’s a state of “heart and mind” and not a pure discipline

15

MUNICIPAL INFRASTRUCTURE GRANT (MIG) PROGRAMME – INTERNAL CONTROL AND RISK SELF-ASSESSMENT AT MUNICIPAL LEVEL 1. Introduction

The vision of MIG To provide all South Africans with at least a basic level of service by the year 2013 through the provision of grant finance aimed at covering the capital cost of basic infrastructure for the poor. Through the application of MIG funds, Free Basic Services would be realised for the poorest of the poor, aligning national government’s aim of poverty eradication with sector targets. The MIG has thus an overall target of removing the backlog with regard to access to basic municipal services over a 10-year period.

The principles of MIG

The MIG funds that are being made available to municipalities for infrastructure, are based on the following principles: • Providing services to the poor • Providing infrastructure for basic levels of service • Maximising economic benefits to communities • Using funds efficiently • Allocating funds equitably and in a transparent manner • Decentralising the spending authorities • Empowering municipalities to identify, select and approve projects The entire approach of Municipal Infrastructure Grant (MIG) Programme is focused on improving the capacity, efficiency, effectiveness, sustainability and accountability of local government. Whilst national and provincial government are responsible for creating an enabling environment with regards to policy, financial and institutional support for MIG, municipalities are responsible for planning municipal infrastructure and for utilising MIG funds to deliver infrastructure.

The MIG is a conditional grant to municipalities and thus the management of the grant at municipal level must occur within the planning, budgeting, financial management and operational arrangements at local level in terms of DoRA requirements. Infrastructure development is one of the functions of municipalities. It should not be addressed as a separate function but integrated into other functions. It should be integrated into the inter-sectoral planning, Integrated Development Plan (IDP) processes, as well as the municipal monitoring and performance management systems.

1

2. Fundamentals of Control and Risk Self-Assessment

THE ROLES AND RESPONSIBILITIES OF MUNICIPALITIES

The framework of the roles and responsibilities of each sphere of government involved in the successful implementation of the MIG Programme is set out in the MIG Policy Framework [August 2003, version 8 (c)]. The Policy took cognisance of Chapter 3 and 7 of the Constitution of the Republic of South Africa, 1996, which states, among other, that the objectives of local government are to: - ensure the provision of services to communities in a sustainable manner - promote social and economic development

Municipal responsibility is based on the Cooperative Governance principles reflected in section 88 of the Municipal Structures Act (Act No. 117 of 1998) which stipulates: (1) A district municipality and the local municipalities within the area of that district municipality must cooperate with one another by assisting and supporting each other. (2) (a) A district municipality on request by a local municipality within its area may provide financial, technical and administrative support services to that local municipality to the extent that that district municipality has the capacity to provide those support services. (b) A local municipality on request of a district municipality in whose area that local municipality falls may provide financial, technical and administrative support services to that district municipality to the extent that that local municipality has the capacity to provide those support services. (c) A local municipality may provide financial, technical or administrative support services to another local municipality within the area of the same district municipality to the extent that it has the capacity to provide those support services, if the district municipality or that local municipality so requests. All municipalities need to develop capacity to administer MIG funds and manage infrastructure projects because all municipalities have to address infrastructure backlogs of one type or another. The aim, therefore, is to establish project management capacity in all municipalities. However, some local municipalities do not at the moment have the necessary capacity to implement the MIG programme and it might take time to develop this capacity. In these cases, the approach is for the district municipalities to administer MIG funds and to provide project management capacity until the local municipalities are able to perform programme management. The Constitution of South Africa requires that municipalities must ensure that there is an effective system of performance management in place that is geared towards outcome achievement, while the Municipal Finance Management Act as well as the provisions of the Public Finance Management Act, as amended, requires that government entities must ensure that there are effective systems of internal control and risk management in place.

2

Definition of internal control Is a process, effected by a municipalities Councilors, executive management team, line management and other personnel, designed to provide reasonable assurance regarding the achievement of strategic, operational and financial MIG Programme objectives in the following categories: • Effectiveness and efficiency of MIG Programme operations at municipal level • Effective and efficient utilisation of MIG infrastructure assets and resources • Reliability and integrity of MIG Programme financial and project management

and or operating systems, measuring, monitoring and reporting • Compliance with applicable laws, policies and procedures surrounding the

development and future sustainability of MIG Infrastructure Assets Internal controls are either “preventive” (errors, irregularities are identified and corrected before they put the MIG funds and programme at risk) or “detective” (errors, irregularities are identified that have already put the MIG funds and programme at risk) by nature and have a direct correlation to the inherent risk exposure. The ring-fenced municipal systems and processes together with the “MIG Project Management Function” are responsible for establishing the required internal control processes to ensure that the municipality stays on course toward fulfilling its financial and MIG Programme goals of developing the required basic infrastructure as determined by the provisions of the annual Division of Revenue Act (DoRA), ensuring that MIG funds have been spent for the purposes intended and that the future sustainability . Control And Risk Self-Assessment Control and Risk Self-Assessment (CRSA) is a methodology used to review key business objectives, risks and effectiveness of processes involved in achieving the objectives, and internal controls designed to manage those risks. CRSA is basically a formal process that generates information on internal control that is useful to both management and internal auditors in validating the status or judging the adequacy of the control systems in place to address the identified strategic, financial and operational risks. It can also provide a positive influence on the control environment, as operating staff (Executive Management, CFO, MIG Project Unit and the Internal Audit Function) buys into the process, while at the same time control consciousness increases. CRSA can be facilitated by any component of the municipality, including the MIG Project Unit, line management and or internal auditing staff. Regardless of who provides such facilitation, CRSA, improves the control environment of the MIG Programme within the municipality by:

3

• Increasing awareness of the MIG Programme objectives and the role of internal

control in achieving such goals and objectives. • Motivating personnel to carefully design and implement control processes and

continually improve the MIG Programme financial and operating control processes.

CRSA Approaches There are three primary CRSA approaches which are: • Facilitated team meetings – Facilitated team meetings gather internal control

information from work teams which represent multiple levels within the municipality (line management, office of the CFO and MIG Project Function).

• Questionnaire approach – This uses a survey instrument that offers opportunities for simple (Inadequate, Needs Improvement and or Adequate) responses. Both internal audit and the business/risk process owners use the survey results to assess the adequacy and or effectiveness of their control structure in meeting the MIG Programme objectives and goals.

• Management-Produced Analysis – Is any approach that does not use a facilitated meeting or survey and basically makes use of an internal audit or management approach that producers a study of the business processes, risks and required treatments (more in line with Enterprise-wide Risk Management techniques).

It is suggested that municipalities combine the first two approaches reflected above to accommodate the specific MIG Programme and DoRA requirements and needs of dplg head office (MIG Unit) and the municipalities own control and risk assurance needs.

3. Control and Risk Self-Assessment Instructions

The responsibility for undertaking the CRSA process is normally shared among all employees of the municipality. Where there is an in-house, outsourced or co-sourced internal audit function in place, it is suggested that the internal audit function take responsibility for undertaking the CRSA review. However, where there is no internal audit function in place then the CRSA review should be undertaken by the head of the municipal MIG Project Function, under guidance of the MIG Unit (dplg head office). As a combination method of the “Facilitated team meetings” and the “Questionnaire” approach is to be used the following combination techniques will also be used simultaneously:

4

• Control based format – This format focuses on how well the management

controls in place are actually working and which in turn are benchmarked against the leading practice controls that should be in place. This technique produces an analysis of the gap between how controls are working and how management intended these controls to work. In addition, this format can be effective in examining soft controls such as management ethics, training and skills, etc.

• Risk based format - This format focuses on identifying and managing the critical and significant MIG Programme risks at a municipal level within the requirements of the MIG Policy and DoRA. The outcome of this technique is that it examines the control activities to ensure that they are sufficient to address the identified the key MIG Programme risks.

Procedure Internal Control Risk Self-Assessment Who Must Complete the Document: Where the municipality has a staffed-up internal audit function the head of internal audit or where there is no internal audit function the head of the municipal MIG Project Management Unit function (PMU) must complete the CRSA making use of the electronically provided template Obtained from the dplg – MIG Unit on www…………. Furthermore, a combination of the “Control based” and “Risk based” format, must be used as reflected above. Roles and Responsibilities Internal audit and the head of the MIG Project Management Unit Function are encouraged to use the questionnaire as the foundation to determine if a more in-depth review of structures, processes, systems and controls are required surrounding the MIG Programme. This determination should be based on the Council’s, municipal manager’s, line management and or Audit Committee’s experience and judgement. The CRSA questionnaire does not take the place of the municipality’s performance management system but runs alongside this system. The process is conducted within a structured environment in which the process is thoroughly documented and the process is repetitive as an incentive for continuous improvement. Furthermore, as CRSA is a technique that adds value to the internal auditing profession it can effectively augment internal auditing as it judges the quality of internal controls.

5

The following table depicts the various areas of role and responsibility: Role Responsibility Internal audit / MIG Project Management Function

• Completes CRSA questionnaire • Retains original document for future reference • Provides a copy and results of the control environment

status to the municipal manager and Audit Committee • Sends copy to dplg MIG Unit

Project Management Function

• Monitors implementation of management treatments and or actions that explain how risks are mitigated

• Retains submitted copies of completed forms and management actions for future reference and for access by internal audit

• Suggests alternative procedures to the municipality • Provides status of remedial action to the municipal

manager and Audit Committee • Sends copy to dplg MIG Unit

Internal audit • Where internal audit does not complete the form but management, internal audit verifies that the responses on the CRSA are the actual processes and that the controls and treatments have been implemented as stated by management

MIG Unit • Assesses the impact of the CRSA reviews and the adequacy of the system of internal controls and consolidate the areas of risk

• Monitors the implementation of corrective action per municipality

• Provide holistic MIG Programme guidance and advice in a proactive manner

When To Complete The Self-Assessment: The CRSA must be completed at least: • On a bi annual basis • Whenever there are significant personnel changes (MIG Project Management

Function) • Whenever there are significant project management system and procedure

changes • Whenever the financial and operational targets for a MIG project are lagging

behind targets

6

Completing The Questionnaire: Review the CRSA document located on www……… in the ………. Area “???????” section. Where appropriate, comments have been embedded throughout the questionnaire to provide the assessor with further explanation about the questions should it be required. Making use of the Control based and Risk based approach a response to each and every question on the CRSA questionnaire must be formally captured. Refer to the municipalities MIG Programme, financial and supply chain management policies, procedures, or websites referenced on the questionnaire for additional information. If further clarification is needed, questions should be directed to a representative of the MIG Unit based in Pretoria and whom can be contacted on e-mail (……….) or alternatively by land line during office hours (…………). Any “Inadequate” or “Needs Improvement” response require an explanation in the comment field where specific emphasis to the gap in the control is identified together with the envisaged management plan of action to address the identified weakness/es. The responsible person’s name and implementation date must also be captured. For “N/A” responses, briefly explain why the question is not applicable. Any internal control risks identified by the municipality during completion of the questionnaire must be addressed. If at any time the municipality wishes to discuss the best control process in which to address the risk/s, the municipality should contact its head of internal audit and or the MIG Unit representative on ………..(insert e-mail address).

7

CONTROL AND RISK SELF-ASSESSMENT TEMPLATE – MIG PROGRAM

Inherent Risk Residual Risk Mega / Major Process and Risks As Lik Imp

Leading Practice Control Actual Controls In Place AD NI IA

Action / Comments

STRATEGIC Stakeholder Management / Communication

ST1 - No or inadequate communication and or working relationship between the municipality and critical external stakeholders (i.e. Sector Departments, Eskom, Provinces, dplg, etc.)

20 4 5 1. A formal communication strategy and plan is in place where the critical stakeholders have been identified

2. A review of the effectiveness of the communication process is undertaken on a regular basis

3. Regular interfacing with the MIG Unit, Sector Departments, provinces and dplg

4. MIG Orientation workshops 5. Sector participation on PMITT

X

X

X


ST2 – The relationship and communication between the PMU function and the other divisions/units within the municipality is ineffective

5 5 1 1. A formal communication strategy and plan is in place and has been rolled out

2. Regular meetings between the PMU function and other critical divisions/units

3. Formal minutes of meetings maintained and circulated to all attendees in a timeous manner


Policy Management ST 3 - The municipality does not have the available MIG policy, framework, DoRA and PMU procedure, etc., in their possession

3 3 1 1. Municipality has identified the required documentation they should have in their possession.

2. PMU function maintains the required library of the MIG documentation and or literature


1

Risk Management ST4. - MIG risks have not been identified, assessed and incorporated into the municipal risk assessment and or risk register

1. A formal risk management system is in place and is operational

2. MIG risks have been identified, assessed and ranked.

3. MIG risks have been included in the risk register

4. Internal audit reviews these risks and controls as part of the annual audit program

5. The risk committee reviews the adequacy of the risk management systems and internal audit reports on a regular basis (MIG Program included)


ST5 - Line management has not assessed the adequacy of the system of internal controls against the business risks on a regular basis

1. Quarterly review of the risks by line management (CSA)

2. Identification of control gaps and the implementation of control actions/treatments

3. Implementation of an operational risk committee, chaired by the municipal manager

4. Quarterly reporting to the Audit Committee and risk Committee on the status of the control environment

5. External and internal audit reviews

6. Use of leading practice risk based control models (i.e. COSO, etc.)


2

Backlogs ST6 - Inaccurate backlog targets and figures

1. Formal process and report developed (backlog studies) to determine backlog targets with implementation plan

2. Uniform and acceptable criteria utilised

3. Mechanism in place to measure and monitor the achievement of targets – use of KPI dashboards and progress on removal of backlogs


Measuring & Monitoring ST7 - No or ineffective MIG measuring and monitoring system in place at municipal level

1. MIG performance part of the municipal managers M&M quarterly performance meetings

2. Part of Council agenda and reporting

3. Dedicated Councilor for MIG Programme


FINANCIAL MANAGEMENT

FM 1 - Interest received on MIG funds utilised for other purposes other than for MIG projects

1. Validation of MIG funds transferred to funds received

2. Interest on MIG funds reflected separately in the books of account

3. Adherence to DoRA, MIG, municipal financial policies and procedures

4. Interest on MIG funds reflected on monthly and quarterly DoRA returns

5. Statement on how and where interest was utilised

6. CSA, external and internal audit reviews


3

FM2 - MIG funds utilised for purposes other than for MIG projects as per DoRA and MIG requirements

1. Effective financial accounting system and controls in place

2. Reconciliation between PMU function records and books of account on a monthly basis

3. If possible to have a separate bank account for MIG funds

4. Cash flow forecast per project and compared with drawdown records

5. Adherence to DoRA, MIG, municipal financial policies and procedures

6. MIG funds received and spent reflected on monthly DoRA and project list returns

7. Regular management reviews and sign-off by head of PMU function

8. Quarterly municipal management performance meetings and reports



FM3 - MIG Funds over or understated in books of account

1. Segregation of duties 2. Adherence to code of ethics

and values 3. Effective financial systems

records and controls in place 4. Effective expenditure and

income codes 5. Comparison between WIP

records maintained by PMU function and management accounts on a monthly basis

6. Regular management reviews and sign-off by head of PMU function

7. Adherence to DoRA, MIG and municipalities financial policies and procedures

Action: Responsible Person:

4

8. Effective delegations of authority

9. Effective working relationship between CFO and head of PMU function



Due Date:

FM4 - Financial figures and information on monthly DoRA, cash flow and Project Listing reports are inaccurate and or incomplete

1. Skilled PMU function and CFO staff

2. Reconciliation between books of account and figures reflected on monthly returns by a third-party (i.e. CFO)

3. Reconciliation between previous months returns and new month figures




FM5 - Compulsory MIG reporting information not submitted timely as per DoRA and MIG dplg requirements

1. Adherence to DoRA and MIG reporting requirements

2. Input and monitoring from Provincial PPMU, Treasury and MIG National



FM6 - Insufficient municipal funding for M&E

1. Input from Sector Departments on capital and maintenance ratios.

2. Effective maintenance management system and plan in place.

3. Effective budgeting and monitoring systems in place


5

OPERATIONS OP1 - MIG projects registered not feasible or sustainable

1. Input and advice from sector departments.

2. Financial and project feasibility and sustainability studies undertaken supported by formal reports and signed off.

3. EIA undertaken to ensure compliance with environmental standards and legislation.

4. Adherence to MIG funding criteria

5. Effective system of M&E in place


OP2 – No or ineffective PMU function in place

1. Establishment of a PMU function – not required to be full time or dedicated

2. Effective capacity building program in place

3. Utilisation of MIG funds to run PMU function in terms of MIG criteria and permitted % amount

4. Effective and adequate performance management system in place.

5. Effective and adequate measuring and monitoring systems in place

6. Risk management system entrenched in day-to-day activities

7. Effective WIP accounting system in place

8. Use made of other municipalities PMU function where more cost effective and or appropriate


6

OP3 - The PMU function not being responsible for the administration and financial management of MIG funds within the municipality

1. Head of the PMU function having the necessary authority to have ownership over the funds and MIG system at municipal level.

2. Clear roles and responsibilities 3. Effective and adequate

performance management system in place.


OP4 - Inability to spend MIG funding in a timeous manner

1. Effective procurement and supply chain management plan in place

2. Effective supply chain management system and procesess in place

3. Effective contract and project management systems in place

4. Effective financial measuring and monitoring system in place (WIP) – including budgeting system

5. Reporting and action plans to mitigate the risks

6. Effective follow-up on corrective action and determining if results have been achieved

Action:

Responsible Person: Due Date:

OP5 – Project overruns (Time and financial)

1. Effective contract and project management systems in place

2. Effective financial and operational measuring and monitoring system in place (WIP) – including budgeting system and management accounts

3. Effective monthly financial and payment authorisation systems and controls in place


7

OP6 - PMU function not having an effective project management system in place

1. Formal project management policy and procedures in place

2. Formal project charters in place for each and every project

3. Coordinating and roll out of SMIF business plans

4. Formal project management system in place (i.e. Summit, Prince2, etc.)

5. Effective file management system in place

6. Effective quality management policy and systems (QMS) in place

7. Regular site visits and meetings to determine performance to targets and milestones

8. Formal site meeting minutes and governance practices

9. Follow-up on corrective action 10. Effective risk management

system in day-to-day activities including SHE

11. Data capture, updating of all data and KPI’s on MIS

12. Monitoring and consolidating of cash flow reports and expenditure of each project

13. Accepting only original invoices, VAT numbers, supporting documentation, etc

14. Effective reporting system in place – monthly progress reports

15. Legal compliance reviews 16. Site handover meeting 17. Provincial intervention for non

performance


8

OP7- PMU function not applying appropriate contract management practices for MIG projects

1. Adherence to municipalities procurement policies and procedures – as well as determining those labour intensive projects

2. Formal and legal contracts entered into for all contracts awarded externally together with project charters

3. Legal expertise input and approval

4. Contracts to be explicit with penalty clauses, project defect liabilities, etc – cognisance taken of contractors business status (Pty, CC, sole trader, unregistered, social initiative, etc.)

5. Ensuring that suppliers have the ability and capacity to deliver on the project mandate

6. SLA’s entered into where services and construction is to be undertaken internally within the municipality

7. Use of an effective costing system to determine internal costs

8. Community based partnerships


OP8 - An effective M&E system not in place for measurement, reporting & feedback on the progress with MIG objectives and infrastructure projects?

1. Formal M&E policy and procedures in place

2. Formal M&E system and plans in place.

3. Updated asset registers 4. Effective costing and

budgeting system in place 5. Capital replacement and

or rehabilitation costs taken into account


9

KEY Description Inherent Risk Risk without taking the controls into account

AS Risk Assessment LIK Likelihood IMP Impact

Residual Risk Risk after taking controls into account AD Adequate NI Needs Improvement IA Inadequate

Risk Ranking Risk ranking scoring mechanism High Impact X Likelihood = Risk Assessment

Medium Impact X Likelihood = Risk Assessment Low Impact X Likelihood = Risk Assessment

10

mig programme – control and risk self-assessment … · control and risk self-assessment control...

Documents