The statement on internal control

The period from January to March is one of the busiest times for finance teams, particularly in organisations with a December year-end. During this time, teams are finalising prior‑year accounts, preparing draft financial statements, implementing approved budgets for the new year and engaging with both internal and external auditors.

What board members need to consider

For state bodies, there are additional statutory and governance commitments that must be met within strict timelines, namely:

  1. Draft unaudited financial statements should be furnished to their parent department not later than two months after the end of the financial year.
  2. State boards are required to complete an annual review of the effectiveness of internal control no later than three months after the year-end.

In accordance with provision 1.8 of the Code of Practice for the Governance of State Bodies (2016) (the Code), “The Board has responsibility for ensuring that effective systems of internal control are instituted and implemented. The Board is required to confirm annually to the relevant Minister that the State body has an appropriate system of internal and financial control in place.”

The Statement on Internal Control (SIC) is a core part of the governance and accountability framework within the Irish public sector. It is therefore critical that boards obtain sufficient and reliable assurance before approving the SIC.

State bodies vary significantly in size, scope and organisational structure. As a result, the approach to assessing internal systems and to preparing and reviewing the SIC may differ across organisations. It is vital that every board understands its organisation’s approach to preparing the SIC before it is presented for approval.

Forms of assurance

Boards should ensure that they are obtaining assurance from a number of sources:

1. Management assurance statements

In practice, the senior management team (Executive or other) will normally prepare the first draft of the SIC for review by the Audit and Risk Committee. As part of this process, it is good practice for management to provide formal assurance statements.

These statements should consider:

  • All the operations of the organisation under each division / business unit
  • Whether any significant weaknesses have been identified that should be considered by the board when approving the SIC.

2. Internal audit

The role of internal audit is to provide assurance to boards, typically through the Audit and Risk Committee, on the risk management, internal control and governance processes in operation.

The board should consider:

  • The work carried out by internal audit during the reporting period
  • Whether any findings identified by internal audit require a specific disclosure in the SIC.

3. External audit

The board should also consider the work of the external auditor, usually the Comptroller and Auditor General. In particular, boards should consider:

  • Issues raised in the prior year management letter
  • Progress made in implementing management letter recommendations
  • Any matters that may warrant disclosure in the SIC

4. Other forms of assurance

Boards should also consider whether other forms of assurance have been obtained, such as:

  • Third-party consulting reviews
  • Audit or inspection reports specific to the organisation

These reports should also inform the SIC.

Checklist of items for boards to consider

When reviewing the SIC, boards should consider a wide range of areas, including:

  • Steps that have been taken to ensure an appropriate control environment exists, such as clearly defined management responsibilities and evidence of appropriate responses to control failures.
  • Risk management procedures to identify business risks and assess their financial impact.
  • Information systems in place to support financial oversight, including budgeting and monitoring of actual performance against budgets.
  • Procedures in place for addressing the financial implications of major business risks, including financial instructions, documented procedures, delegated authorities, segregation of duties and controls to detect and prevent fraud.
  • Procedures in place for monitoring the effectiveness of the internal control system, including management reporting.

Boards should also consider whether any breaches of internal control occurred during the reporting period that require disclosure in the SIC. Examples may include:

  • Non-compliance with procurement requirements
  • Key control systems not operating as intended (for example, risk management or internal audit)
  • Material losses
  • Material fraud events
  • Contingencies or uncertainties which require disclosure in the financial statements

Whilst the format for the SIC is set out in the Code, it is important that the information set out in each state body’s SIC reflects the size, scope and structure of the organisation.

The annual review of the effectiveness of internal control, as well as the review and approval of the SIC, should be formally noted in the meeting minutes of the Audit and Risk Committee (or equivalent) and the board.

How Forvis Mazars can assist you

If your board requires assistance in relation to the matters outlined above, or if you would like to discuss this topic further, please contact a member of the Forvis Mazars risk consulting team.  

Our team supports boards in reviewing systems of internal control and strengthening governance frameworks through the provision of internal audit and risk consulting services.
