Download - paper 2 IC 2014
-
7/24/2019 paper 2 IC 2014
1/16
REVIEW
375
I
Jnos Ivanyos Jzsef Roz
A new approach in theassessment of the internalcontrol systems applied in the
public sector1
In our article, we will describe the new approach
that supports the assessment of the operation of theinternal control system. The significance and
timeliness of the topic are justified not only by the
recommendations of the audit profession such as
the COSO frameworks, or INTOSAI GOV
9100: Guidelines for Internal Control Standards
for the Public Sector, or the international regula-
tions of financial reporting such as SOX, EU
directives, etc. but also, the ever more pronounced
appearance of the executive assessment and
accounting obligations, which are already widely
applied in the private sector, in the organizations
of the public sector as well.
INTRODUCTION APPLICATION OFINTERNAL CONTROL SYSTEMS
As is explained by the INTOSAI Guidance onGood Governance, i.e. by the introductory partof the GOV 9100 Guidelines, the assessment of
internal control systems is a generally acceptedstandard for conducting the controls. Theguidelines for the internal control standardsbuilt on the COSO model are on the one handused by the managers of the organizations ofpublic finances as an example for establishing asolid control framework for their entities, andon the other hand, these may be applied by the
controllers of the public sector as a tool for
assessing the internal control system.Chart 1 helps overview the dimensions of the
internal control system, as well as the relatedinternational (COSO, INTOSAI) recommen-dations and the guidelines published by theMinistry of Finance.
The good governance guidelines of thepublic sector can be traced back to the funda-mental principles of responsible corporate gov-ernance in the private sector. In our article, wehave only examined the roles of the internalcontrol and risk management frameworks fromamong the wider correlations of good gover-nance, as well as responsible corporate gover-nance, in other words, we have analyzed towhich extent the application of these con-tributes to obtaining an appropriate level of(reasonable) certainty as to how effectively andefficiently the given organization is able to real-ize its mission.
Internal control is a complex process both
with regard to the public and private sectors,realized by the management and staff of anorganization, and established for the definitionof risks and for obtaining reasonable certainty.The purpose is that internal control supportsthe organization in
complying with the relevant laws and regu-lations;
-
7/24/2019 paper 2 IC 2014
2/16
REVIEW
376
meeting its accounting/reporting obliga-tions;
the regular, ethical, economic, efficient andeffective performance of the operationalprocesses;
the achievement of its strategic goals,including the protection of the resources ofthe entity from losses, improper use anddamages.
In the following sections, we have described,as an example, those processes presented in the2006 COSO Guidelines which are typical forthe individual components with regard to thecontrol system of financial reporting.
Control environment componentIntegrity and ethical values The values of
integrity and ethical behavior are established,
with special emphasis on the members of senior
management, there is appropriate familiarity
with the principles and in the course of the
preparation of the financial reports, these are
applied as fundamental norms of behavior.
Supervisory body The supervisory body
(Board of Directors, Board of Trustees or
Supervisory Board) is aware of, and exercises the
responsibilities related to financial reporting, as
well as the relevant internal control system.
Management philosophy and working style
The philosophy and operational style of manage-
ment contribute to the realization of an effective
internal control system of financial reporting.
Organizational setup The organizational setup
of the entity supports the effective operation of
the internal control system of financial reporting.
Financial reporting competences The organi-
zation uses such persons who have the required
expertise and experience in financial reporting
and the related supervisory responsibilities.Authority and responsibility Both the man-
agers and the staff have the appropriate authori-
ty and responsibilities for allowing the efficient
operation of the internal control system of
financial reporting.
Human resources The human resource policies
and practices are planned and introduced in such a
Chart 1
DIMENSIONS OF THE INTERNAL CONTROL SYSTEM AND THE RELATED INTERNATIONAL
AND DOMESTIC GUIDELINES
COSOERMframework
COSO2 6Guidelines
Management
AccountabilityGuidelines
Irregularities
Management Guidelines
COSOOBJECTIVECATEGORIES
Strategic
High-level goals related to the mission of the organization
OperationalEffective and efficient use of the resources of the organization
ReportingReliable reporting
Compliance
Compliance with the applicable laws and requirementswork
COSO components (inter-
nal control processes)
Financial reporting
activities
Operational
processes
Risk tolerance
Risk appetitework
FEU
VE
Risk
Management
Guidelines
INTOSAIGOV91Guidelines
-
7/24/2019 paper 2 IC 2014
3/16
REVIEW
377
way that these allow the effective operation of the
internal control system of financial reporting.
Risk assessment component
The goals of financial reporting The managersdefine the goals of financial reporting with
appropriate clarity and by applying sufficient
criteria in order to allow the identification of the
risks that may affect reliable financial reporting.
Risks of financial reporting The organization
identifies and analyzes the risks that may affect
the achievement of the goals of financial report-
ing, and based on this, determines the method
of risk management.
The risk of fraud The possibility of funda-
mental misrepresentations arising from fraudshould expressly be reckoned with in the assess-
ment of risks affecting the achievement of the
goals of financial reporting.
Control activities component
Integration with risk assessment Measures are
taken to handle the risks that jeopardize the
achievement of the goals of financial reporting.
Selection and development of control activities
The control activities are selected and developed
by taking into account the costs related to them,
and their expected effectiveness with regard to
the reduction of the risks that jeopardize the
achievement of the goals of financial reporting.
Policies and procedures The policies for reliable
financial reporting are developed and communi-
cated to the whole organization, the procedures
stipulated in executive directives are executed.
Information Technology IT controls are
planned and introduced in order to support the
achievement of the goals of financial reporting,where applicable.
Information and communication component
Information in financial reporting Relevant
information is determined, collected and
applied, as well as distributed in such a way and
by using such timing on each level of the organ-
ization that it could support the achievement of
the goals of financial reporting.
Information in internal control the informa-
tion required for the operation of the other con-
trol components is defined, collected, appliedand distributed in such a way and by using such
timing that should allow the employees to per-
form their internal control tasks.
Internal communication Communication
allows and supports the understanding and
implementation of the internal control goals and
processes, as well as the personal tasks on each
level of the organization.
External communication The external part-
ners are informed of the topics that affect the
achievement of the goals of financial reporting.
Monitoring component
Regular and individual assessments It is by
relying on regular and/or individual assessment
that management can conclude whether the inter-
nal control of financial reporting exists and works.
Reporting of deficiencies The deficiencies of
internal control are identified in due time and
are communicated to the parties responsible for
corrective measures, as well as to the manage-
ment and the supervisory body, if necessary.
The sample processes that have been present-ed show that the components of the internalcontrol system (control environment, risk assess-ment, control activities, information and commu-
nication, monitoring) appear as groups ofprocesses that are parallel to each other and sup-plement each other, which ensure the efficientoperation of the control system as a whole.
BACK TO THE BASES OF RISKMANAGEMENT!
Enterprise/Entity Risk Management, or ERM
points beyond the risk assessment componentof the internal control system. Focus is placed
-
7/24/2019 paper 2 IC 2014
4/16
REVIEW
378
on the risks that jeopardize the organizationallevel goals rather than on the risks inherent inthe operational processes. In the following sec-tions, we have highlighted those elements of
risk management which primarily appear onthe level of the organization (ERM) rather thanon that of the operational processes (within theinternal control system).
Setting of objectives
When the goals are defined, the managementconsiders the strategy and the strategic goals ofthe organization. They determine the organiza-
tion's risk appetite, i.e. what level of risks themanagement and the supervisory body (Boardof Directors) regard as acceptable with regardto the strategy. Furthermore, risk tolerance isalso defined, i.e. what level of deviance fromthe organizational goals is to be permitted onthe given risk-bearing levels.
The goals defined for the organizational levelor for the individual operational units andprocesses, as well as the allowed deviationsfrom these should be supported by appropriate
metrics (indicators).The COSO ERM model, along with theincorporated control system, sets categories ofobjectives. In the case of the ERM, the strategic,operational, reporting and regularity objectivesshould be assessed through the realization of thegoals of the operational units and processes, withregard to the organization, the integrated inter-nal control system. Although different types ofassessment (performance, financial or regularity)can be defined on the basis of the individual
objective categories, it is easy to understand thatthe objective categories do not exist by them-selves but are tied to each other (see Chart 2).
According to the approach (also) represent-ed by us, the objective categories are built oneach other. On the level of the operationalprocesses, the fulfillment of the compliance
Chart 2
INTERRELATED OBJECTIVE CATEGORIES
Assessments
Metrics
Guidelines
Regulations
Work programs
Work products
Activities
Effectiveness goals
Efficiency goals
Regulatory goals
Application goals
Management goals
Documentation goals
Execution goals
Strategic
objectives
Operational
objectives
Reporting
objectives
Compliance
objectives
Organizational
level
Operativelevel
Management
Evidence Focus Objective categories Orientation
-
7/24/2019 paper 2 IC 2014
5/16
REVIEW
379
(regularity) goals ensures that the activities areperformed according to the selected or pre-scribed requirements of risk management andthe internal control system. The goals of reli-
able reporting (or accountability) assume thefulfillment of the compliance requirements, i.e. the risk-bearing level of the organizationwith regard to the operational processes can bedetermined by the indicators of the compliance(regularity) requirements.
As regards the operational units, the goals ofefficient operation assume the fulfillment ofthe requirements of reliable reporting and reg-ular execution. On this level, the risk appetiteof the organization can be prescribed by the
indicators of the requirements of reliablereporting and compliance (regularity).
With regard to the organization as a whole, thestrategic goals broken down to the operationalobjectives defined for the level of the opera-tional units assume the fulfillment of therequirements of efficient operation, reliablereporting and regular execution. As regards theorganization as a whole, the level of risk-bear-ing can be characterized by the indicators of theoperational, reporting and compliance require-ments assumed in relation to the operationalunits, operational processes and activities.
As regards the risk management strategy of the
organization, the level of risk-bearing can be
described by the indicators of the requirements
prescribed for the internal control system as a
whole. Thus, a consistent organizational levelrisk management assumes that the operation ofthe internal control system of the organizationcan be described by the appropriate indicators.
These indicators are also assigned a role in set-ting the objectives for the internal control sys-tem, since it is by using them that the risk tol-erance for the level in question can be deter-mined. It is the risk-bearing level of the nextobjective category that can be described by thecontrol risk tolerance indicators of the lower-level objective category.
Identification of events
The identification of events contains thoseincidental external or internal events which
may affect the strategy and the achievement ofgoals. It shows how the combination and inter-action of the internal and external factors affecttherisk profile.
From the aspect of organizational level riskmanagement, it is not only the events (risks) ofa negative impact that should be identified butalso, the events of a favorable outcome, i.e. theopportunities. Although the COSO models donot describe the processes that support the uti-lization of the opportunities in detail, these
represent the same level of importance for theoperation of the organization as the traditionalcontrols.
The general operational models, standards,frameworks, as well as the detailed operational(such as technological) requirements can alsobe used well for the identification of the poten-tial events. It is by assessing the requirementsprescribed by the control systems for the indi-vidual elements of the internal control systemand the interrelatedness of the objective cate-gories that we can obtain information on theevents that were regarded as important bythose who developed the control frameworks.
Integration of the internal control sys-tem into the risk management system
Neither the existence of risk management northat of an internal control system in itself pro-
vides appropriate guarantee for the efficientoperation of the organization. It is the riskresponses given to keeping the impacts assessedon the basis of the identification of the externaland internal risks or opportunities within theappropriate limit (risk tolerance), as well as theresults of the control measures taken in order toimplement these responses that we regard as the
-
7/24/2019 paper 2 IC 2014
6/16
REVIEW
380
guarantees for the efficient achievement of thegoals of the organization in question.
In the assessment of the deviations and defi-ciencies, it is the consequences which go
beyond the risk tolerance value and whichpotentially occur as a result of the deficienciesof the organizational level controls that sup-port those operational processes which play akey role in the implementation of the organiza-tional goals that should be taken into account.The assessment criteria can be illustrated by atraditional risk map as well (see Chart 3).
Assessment, even if it is not subjective, isdefinitely individual. The significance of indi-vidual assessment is also supported by the fact
that the consequences that go beyond the risktolerance value may also arise from the inap-propriate execution of the control measurestaken to manage the inherent risk. However, itshould also be taken into account that the keycontrol process can only be developed appro-priately, and its application can only be assessedproperly if its relation to the implementation ofthe organizational level goals is measurable.
The integration of the internal control sys-tem into the risk management system meansthat the effectiveness of the operation of theinternal control system should be measured by
what extent the consequences of the affectedoperational process(es) remain within the pre-scribed risk tolerance limit.
A NEW APPROACH: THE APPLICATIONOF THE ISO/IEC 15504 STANDARD IN THEASSESSMENT OF THE PROCESSES OFTHE INTERNAL CONTROL SYSTEM
COSO-based process assessment
model
The ISO/IEC 15504 standard defines a two-dimensional process capability model for theassessment of processes. One of the dimen-sions, which is the process dimension, definesthe processes and lists them in the differentprocess categories. The other dimension is thecapability dimension, which defines the set of
Chart 3
CONTROL DEFICIENCIES IN THE RISK MAP
GRAVEWEAKNESS
E
F
F
E
C
T
LOW HIGHER
PROBABILITY
SIGNIFICANTDEFICIENCY
INSIGNIFICANT DEFICIENCY
Risktolerancelevel
MATERIAL
SIGNIFICANT
INSIGNIFICANT
-
7/24/2019 paper 2 IC 2014
7/16
REVIEW
381
process attributes grouped according to capa-bility levels. It is the process attributes thatprovide the measurable characteristics ofprocess capability (see Chart 4).
It is required by the ISO/IEC 15504-2 stan-dard that the process reference model (PRM)should contain the goals and results of theprocesses, as well as the definition of the con-ditions that are necessary and sufficient for theachievement of these.
The 2006 COSO guidelines define twentyfundamental principles that represent the basicconceptual processes that are related to, and aredirectly derived from the five components ofthe internal control framework. The individualprinciples are supported by the attributes thatrepresent the characteristics related to the prin-
ciples. It is stated in the guidelines thatalthough it is generally required that the indi-vidual attributes be present in the organization,it is possible to apply a principle in such a waythat not all the listed attributes are present.According to the general criteria of assessingthe internal control system, the attributes aretreated as the process results creating the condi-
tions necessary and sufficient for the achievement
of the process goal described in the relevantprinciple.
Table 1 shows how the contents of the 2006COSO guidelines can be used in PRM deriva-tion.
The individual processes of the processassessment model are presented according tothe definition of the goal (see the example inTable 1). These definitions of goals contain theindividual functional goals related to the imple-mentation of the process in a given environ-ment. There is a list of specific final resultslinked to each definition of process goals, con-taining the positive results expected from theimplementation of the process.
The fulfillment of a goal definition for a
process means the first step in building up sucha (level 1) process capability where the expect-ed final results can already be observed.
The capability levels that make up the capa-bility dimension of the process assessmentmodel represent such a set of the processattributes as a compound result of which thecapability of implementing the process in ques-
Chart 4
ELEMENTS OF THE PROCESS ASSESSMENT MODEL
PROCESSASSESSMENTMODEL
ProcessReferenceModel
Subject and area of application Processes with goals and results
1 2 3 ............................nIndividual processes
Capabilityscale
Derivation
Derivation
Measurementframework
Capability levels
Process attributes
Ranking scale
-
7/24/2019 paper 2 IC 2014
8/16
REVIEW
382
Table 1
EXAMPLE FOR A STANDARD PROCESS DESCRIPTION FROM
THE 2006 COSO GUIDELINES
Results of the successful implementation of the IFC.CE.IEV process:clearly defined values A clearly defined set of ethical values is developed by senior man-
agement, familiarity with which is ensured on each level of the organization;control of compliance Processes are implemented for the control of compliance with the
principles of integrity and ethical behavior;handling of deviations Any deviations from the principles of integrity and ethical behav-
ior are identified in due time, they are appropriately handled and corrected on the relevant
levels of the organization.
Process results
The values of integrity and ethical behavior are established, with special regard to the membersof senior management; these principles are duly familiar, and are applied as fundamental normsof behavior in the preparation of the financial reports.
Process goal
Integrity and ethical valuesProcess name
IFC.CE.IEVProcess identifier
Chart 5
PROCESS ASSESSMENT MODEL OF INTERNAL FINANCIAL
CONTROLS
Level 5
Level 4
Level 3
Level 2
Level 1
Level 0
Two-dimensional model of process capability:
" Process dimension based
on COSO components
" Process dimension based
on ISO/IEC 15504-2
PROCESSdimensionControl environmentIntegrity and ethical valuesSupervisory body
Management philosophy andwork styleOrganizational setupFinancial reporting compe-tencesAuthority and responsibilityHuman resources
Risk assessment
Goals of financial reportingRisks of financial reportingRisk of fraud
Control activitiesIntegration with riskassessmentSelection and developmentof control activitiesPolicies and proceduresInformation Technology
Information and communi-cationFinancial reporting infor-mationInternal control informationInternal communicationExternal communication
MonitoringRegular and individualassessmentsDeficiency reporting
ProcessReference Model
C
L
T
d
m
e
o
-
7/24/2019 paper 2 IC 2014
9/16
REVIEW
383
tion significantly improves. The capability toimplement the process in question consider-ably improves from one level to another. Thelevels create a sensible route in the develop-
ment process of either of the process capabili-ties and their definitions are contained by theISO/IEC 15504-2 standard (see Chart 5).
The process assessment model is based onthe principle that the capability of a process canbe assessed by presenting the achievement ofthe process attributes, on the basis of the evi-dence related to the assessment indicators.
There are two types of assessment indica-tors: the (general) process capability indica-tors, which relate to capability levels from 1 to
5, as well as the (specific) process implementa-tion indicators, which exclusively refer to the 1.capability level.
There is such a set of process capability indi-cators belonging to the process attributes inthe capability dimension which signals theextent of the fulfillment of the attribute in theprocess in question. These indicators refer tothe significant activities, resources or resultsrelated to the fulfillment of the attribute goal inthe process.
The levels of process capabilities andprocess attributes
In this measurement framework, the measuringof capabilities rests on nine process attributes(PA's) defined in the ISO/IEC 15504-2 stan-dard. By using the process attributes, it can bedefined whether the process in question has
reached the required capability level. Each attri-bute refers to a predefined aspect of the processcapability. The list of attributes within the capa-bility levels does not suggest any sequence orranking, it only serves their definitions.
ISO 15504 is built on a continuous model.This means that each process involved in theassessment can be independently assessed
through the six-grade ranking scale of processcapabilities (see Chart 6).
LEVEL 0 NON-EXISTENT PROCESS On this
level, there is not any, or there is very little evi-dence as to whether the goal of the process is
consistently fulfilled.
LEVEL 1 PERFORMED PROCESS On this level,there is one attribute, that ofprocess implementa-
tion, which shows the extent to which the
process goal is fulfilled through the achievement
of the predefined results of the process.
LEVEL 2 MANAGED PROCESS On this level,there are two attributes, those of managing
implementation and handling the product of work,
which show to what extent the implementationof the process is governed, and how appropri-
ately the work product resulting from the
process is handled.
LEVEL 3 DEFINED PROCESS On this level,there are two attributes, those of defining the
process and applying the process, which show to
what extent a standard process is maintained in
order to support the application of a predefined
process, and how successfully the standard
process is applied in the achievement of the
results of the process in question.
LEVEL 4 PREDICTABLE PROCESS On thislevel, there are two attributes, those of process
measurement andprocess control. These show the
extent to which measurement results are used
for the execution of the process to support the
achievement of the appropriate process imple-
mentation goals for supporting the relevant
organizational and operational goals, and the
extent to which the process is managed by quan-
titative tools for achieving a stable process withappropriate capabilities and predictable within
the predefined limits.
LEVEL 5 OPTIMIZING PROCESS On thislevel, there are two attributes, those of process
innovation andprocess optimization. These show
the extent to which the changes in the process
are determined by the analysis of the common
-
7/24/2019 paper 2 IC 2014
10/16
REVIEW
384
Chart 6
LEVELS OF PROCESS CAPABILITY
Chart 7
CAPABILITY LEVELS IN ISO/IEC 15504 AND THE COSO OBJECTIVE CATEGORIES
Level5:OptimizingprocessPA 5.1: Process innovationPA 5.2: Process optimization
Level4:PredictableprocessPA 4.1: Process measurementPA 4.2: Process control
Level3:DefinedprocessPA 3.1: Process definitionPA 3.2: Process application
Level2:ManagedprocessPA 2.1: Implementation managementPA 2.2: Work product management
Level1:Performedprocess
PA 1.1: Process implementation
Level0:Non-existentprocess The process is not implemented, or doesnot fulfill the goal of the process.
High-level goalssupporting themission of theorganization
Processes operat-ing between limits
defined for theachievement of
results
Level 3:Defined
Level 2:
Managed
ISO IEC155 4Capabilitylevels
COSOobjectives
Determined byresulting in
resulting in
resulting in
Level 1:Performed
Defined processes
by using the
standard
processes
Effective andefficient use of
the resources ofthe organization
Strategicgoals
COSO-ERMInternal Control
Operationalgoals
Reportinggoals
Compliancegoals
Managed process-es, with defined,controlled and
maintained workproducts
Reliability ofreporting
organization
Compliancewith appli-cable lawsand rules
Performedprocesses, which
perform theprocess goals
The performed process fulfills the goal of
the process.
The process is managed and its workproducts are created, controlled andmaintained in an appropriate manner.
The process is continuously developed
with a view to fulfill the relevant currentand projected business goals.
The process operates within the prede-fined limits in order to achieve the
results.
The defined process is implemented byusing a standardized process.
-
7/24/2019 paper 2 IC 2014
11/16
REVIEW
385
reasons for the fluctuations in implementation,
as well as the examination of the innovative
approaches used in process definition and appli-
cation, and the extent to which the changes
exert an actual effect in the definition, manage-ment and implementation of the process that
will achieve the relevant process development
goals.
The fulfillment of a capability level requiresthat all the attributes below it should be com-pletely (minimum 85 percent) fulfilled and theattributes of the level in question should atleast beroughly (minimum 50 percent) met.
The capability levels of the manage-ment and control processes
The 1. and 2. level process attributes of themeasurement framework of the ISO/IEC15504 standard described above focus on thecase or activity aspects of the processes, whilethey concentrate on the aspects of the organi-zational unit from the 3. level onwards. Byusing this observation, it is easier to understandhow COSO's internal control system andERM's framework fit with the above-describedassessment model. Besides the control and riskmanagement components and objective cate-gories, the third dimension of the controlframework is represented by the operativeprocesses that describe the operational unitsand activities, while in the ERM, the thirddimension also including the level of opera-tional units is the organizational setup.
In the ISO/IEC 15504 process assessmentmodel, the target process profiles define thatlevel of the selected process capability which isfound suitable by management (or the partywho ordered the assessment) for the riskappetite and risk tolerance of the organization.
Chart 7 shows the derivation appliedbetween the capability levels and the objective
categories of COSO, i. e. how the processcapability levels can be applied as the score-cards for the objective categories of theCOSO model.
LEVEL 1 COMPLIANCE (PERFORMED PRO-CESS) There is an internal control process inplace and all the predefined results are achieved
in accordance with all the relevant external and
internal regulations.
The relevant operational activities should be
examined on the 1. level from the aspect of
whether they prove the existence of theresults of
the internal control processes.
LEVEL 2 RELIABLE REPORTING (MANAGED
PROCESS) The above-described performedprocess has already been implemented on this
level in a managed (planned, monitored and cor-
rected) form, the work products are properly
developed, controlled and maintained.
Besides the fulfillment of the requirements of
the 1. level, the internal control process is man-
aged and fulfills the goals of reliable reporting
(management accountability).
On the 2. level, the relevant operational activi-
ties should be examined from the aspect of
whether the implementation management and
work product handling indicators related to the
internal control processes can be assessed.
LEVEL 3 EFFECTIVE OPERATION (DEFINEDPROCESS) The above-described managed processhas already been implemented on this level by
applying the predefined process that is capable
of achieving the process results.
Besides fulfilling the criteria of the 1. and 2. lev-
els, the internal control process has been inte-
grated into the operational processes on the levelof the operational unit and fulfills the goal of
effective and efficient operation (through the
regular, ethical, economic, efficient and effective
execution of the operational processes).
On the 3. level, the relevant operational activi-
ties should be examined along with the guide-
lines and procedures relevant for the given level
-
7/24/2019 paper 2 IC 2014
12/16
REVIEW
386
of the organization from such an aspect whether
the process definition and process application
indicators related to the organizational level regu-
lation of the affected operational processes can be
assessed.LEVEL 4 STRATEGIC GOALS (PREDICTABLEPROCESS) The above-described defined processworks within the framework defined on this
level with a view to achieving the process results.
Besides the fulfillment of the criteria of the 1., 2.
and 3. levels, the internal control process was
incorporated into the system of organizational
risk management and, in harmony with the mis-
sion of the organization and supporting the lat-
ter, it contributes to the fulfillment of the strate-
gic objectives of the organization.On the 4. level, the key controls must be exam-
ined from such an aspect of how they are applied
for the strategy and the organization as a whole,
and organizational level risk management should
be looked at from the perspective of whether the
process measurement and process control indi-
cators related to the realization of the goals of the
organization can be assessed.
POSSIBILITIES OF APPLYING THE NEWAPPROACH
In the ISO/IEC 15504-4 standard, the process-es and the methods of applying of ProcessImprovement, i.e. PI, and Process CapabilityDetermination, i.e. PCD are described, andguidance is given for the following:
use of process assessment,selection of process reference model(s),
setting of target capability,definition of assessment input,definition of process-related risks from the
assessment output,steps of process improvement,steps of determining process capabilities,comparability of the analysis of assessment
outputs.
In the context of process improvement,process assessment provides a tool for thecharacterization of the organizational unit withregard to the capability of the selected process-
es. The analysis of the result of an appropriateprocess assessment in the light of the goals ofthe organizational unit determines thestrengths, weaknesses and risks regarding theprocesses. This, in turn, helps define whetherthe processes contribute to the achievement ofthe organizational goals, and whether theyfacilitate improvement.
The targeted capability levels and attributes of
the internal control system can be interpreted as
the indicators of the operational goals related to
the control system and the relevant risk tolerance,from the aspect of process improvement.
The determination of process capabilitiesdeals with the analysis of the results of one orseveral relevant process assessments, in orderto define the strengths, weaknesses and risksrelated to the operational activities by using theprocesses selected within a given organization-al unit. A determination of process capabilitiesmay provide fundamental input for the regular-ity control and the supervisory review. In thedetermination of process capabilities, however,the risks related to the process are also takeninto account.
With regard to the internal control system, the
capability levels examined (required) in relation
to the determination of process capabilities, as
well as the attributes thereof can be regarded as
the indicators of the risk tolerance with regard to
the requirements of achieving the higher objective
category.
Analysis of the risks related to thecontrol process
By control risk, we mean the risk of that theindividual processes of the control system orthe individual control activities do not achieve
-
7/24/2019 paper 2 IC 2014
13/16
REVIEW
387
the planned effect, i.e. the keeping of the resid-ual risk within the desired range (risk tolerancelevel).
Comprehensive enterprise risk management
(ERM) takes all the strategic, performance,reporting and regularity goals into account but,with regard to the application area of the riskassessment of internal control (regarding theprocesses), is limited to those material weak-nesses which are not prevented or disclosed byinternal controls in time. At the same time,however, the inherent operational and controlrisks are definitely not independent from eachother, and the decisions on the risk appetite(the acceptance of the risk-bearing levels) and
risk tolerance (the acceptance of the deviationsfrom the organizational and operational goals)significantly affect the acceptance of the levelsof control risks.
The risk assessment methodology to be pre-sented can be generally applied for the use of allthe assessment results of operational and con-trol processes described in accordance with therequirements of the ISO/IEC 15504-2 stan-dard. The capability determination applied forthe operational processes may be suitable fordefining the indicators of the risk tolerancelevel even without the framework of the inter-nal control system.
The probability of the occurrence of theproblem arises from the extent of the devia-tions of the process attribute and the capabilitylevel according to occurrence.
The deviations of the capability levels can be cate-
gorized as follows.
NONE There are no major or minor deviations.LOW There is no deviation on the 1. level,there are only minor deviations on the higher
levels.
SIGNIFICANT There is a minor deviation onthe 1. level, or a major deviation on a higher level.
MATERIAL There is a significant deviation onthe 1. level, or more than one major deviation on
a higher level.
The risk related to the process depends onboth the probability of the occurrence of aproblem arising from an identified deviationand the potential consequence. The conse-quences usually depend on the capability levelsaccording to the place of the deviation.
A high risk arises from the material deviationof the lower capability level as described inTable 2.
If the risks are identified on several capabili-ty levels, the highest risk value should beregarded as the risk related to the process.
Table 2
RISKS ALLOCATED TO CAPABILITY LEVELS
High riskHigh riskMedium risk1 Performed
High riskMedium riskMedium risk2 Managed
Medium riskMedium riskLow risk3 Defined
Medium riskLow riskLow risk4 Predictable
Low riskLow riskLow risk5 Optimized
It is indicated by the extent of the deviation of the capability levels
Low Significant Material
It is indicated by the capa-bility level of the place ofthe deviation
PROBABILITYCONSEQUENCE
-
7/24/2019 paper 2 IC 2014
14/16
REVIEW
388
Based on the above-described approach, thefollowing must be defined by the risk analysis:the risks arising from which process or process-es mean a material control deficiency, or a mate-rial (grave) weakness of the control system. InTable 3, we have described how the goal and theprocess profile that contains the assessed capa-bility levels can be applied for determining therisks inherent in the control process.
In the control risk classification of the con-trol processes assessed as described above, lowrisk means an immaterial deficiency within therisk tolerance level; while medium risk suggestsa material deficiency that exceeds the risk toler-ance level. High risk means a material (grave)weakness in the control system. This meansthat the risk assessment system presentedabove is suitable for providing objective sup-port to the traditional control risk classifica-
tions (illustrated in Chart 3).The control risk assessment based on
ISO/IEC 15504-4 provides a practical tool forassessing the effectiveness of the operation of con-trols as well, i.e. for concluding whether theassessed capability profiles provide reasonableevidence for achieving the related organization-al goals. For example, the low risk classifica-
tions established in relation to the controlprocesses meanan acceptably low level of prob-ability of that the material/financial types ofmistakes or defaults, or any significant lossesare not prevented or disclosed in time duringbusiness as usual.
In the example shown above, we applied theapproach of comprehensive enterprise riskmanagement (ERM) with regard to the internalcontrol system:
for the preliminary definition of the riskappetite (risk tolerance level) by applyingthe capability profile of the processes of theinternal control system;
for the definition of risk tolerance withregard to the key control processes;
for linking the measurements of opera-tional effectiveness (risk tolerance) to theprocess attributes;
for risk assessment by comparing the tar-geted and measured process attribute val-ues of the internal control system;
for determining the effectiveness of estab-lishing and operating the internal controlsystem through defining the level ofachieving the target capability profiles andthe risks arising from the deviations.
Table 3
EXAMPLE FOR RISK ASSESSMENT RELATED TO INTERNAL CONTROL PROCESSES
IFC.RA.FRO - Goals of financial reporting
MediumProcess risk
MediumRisk of the capability level
SignificantDeviation of the capability level
MinorMajorDeviation of the process attribute
LFLPFAssessed profile
LLFFFTarget profile
PA 4.2PA 4.1PA 3.2PA 3.1PA 2.2PA 2.1PA 1.1
Level 4Level 3Level 2Level 1
-
7/24/2019 paper 2 IC 2014
15/16
REVIEW
389
Control of the EU Structural Funds
Although the Structural Funds are part of theCommunity budget, the method of spending
them is based on the common responsibilitiesof the European Commission and the govern-ments of the member states:
it is the Commission that negotiates thedevelopment programs proposed by themember states, and approves these, as wellas allocates resources;
it is the members states and their regionsthat manage the programs, as well as exe-cute, control and assess these by selectingthe tenders;
it is the Commission that takes part in themonitoring of the programs, makes avail-able and pays the approved expenses andcontrols the established control systems.
The control of the (operational and finan-cial) control systems can be performed by theEuropean Commission and/or the relevantmember state (in Hungary, the GovernmentControl Office). The definition of the processcapability of the controls is applicable to bothcases.
In its opinion No. 2/2004 (Official Journalof the European Union No. C 107/2004), theEuropean Court of Auditors developed a pro-posal for the Integrated Internal ControlFramework, which contains what we call thesingle audit model. The single audit concepthas no generally accepted definition but it fun-damentally determines that the internal controlsystems should be based on a chain of controlprocedures, in which the different levels of
internal audit institutions cooperate.The single audit approach rests on common
achievements and the prioritization of theircost-efficient principles and aims to minimizeoverlaps in the control efforts and to maximizethe effectiveness of controls with a predefinedlevel of available resources. The sharing of well-defined and documented control data with oth-
ers may enhance the reliability of controls oneach level of the chain. The assessment of cost-efficiency formalized on the individual levelsallows stating that the applied controls have
optimized the error risks remaining in the basictransactions.
Further development of the systemiccontrol method
According to the traditional interpretation,systemic control is defined by the already exist-ing systems and the related controls. Thisapproach assumes that the existing systems
cover all the risks and the method often relieson internal control questionnaires: these aresuch uniform documents which are applied inthe execution of the individual controls.
The use of capability profiles lends an effec-tive tool to management in the identification,understanding and management of control risks.If they reach the attributes of level 4 with regardto the selected control processes, managementwill be able to introduce and apply the principlesof risk management in a cost-efficient manner.
The assessment model that contains both theprocess and the capability dimensions does notonly focus on the use of the internal controlquestionnaires and the checklists but alsotakes the relevant assessment indicators intoaccount. The observance of the standardrequirements of the assessment process underthe standard ISO/IEC 15504 helps implementthis highly developed assessment method intothe internal and external control procedures
that apply varying standards in each sector.
* * *
The approach described in the article with the
support of the readers of the journal Pnzgyi
Szemle (Financial Review) can on the one hand
be used by the managers of the public finance
organizations in the establishment, improvement
-
7/24/2019 paper 2 IC 2014
16/16
REVIEW
390
of their internal control systems, as well as the
presentation of effective operations, on the other
hand, it can be used as a tool for the assessment of
the internal control systems under review by the
controllers of the public sector. A uniform appli-cation in the widest possible scope, i.e. one that is
compliant with the international process assess-
ment standard, may contribute to ensuring trans-
ferability between the various international and
national management and control systems and
the individual levels thereof, thus to the imple-
mentation of the single audit approach pro-
posed by the European Court of Auditors, as wellas to increasing cost efficiency, which has become
ever more important in the public sector, as a
result of the global crisis.
1 The authors of this article have been involved in thedevelopment of the methodology related to theassessment of internal control systems, as well as thedevelopment of the related Hungarian and interna-tional training programs since 2005. In the period
between 2005 and 2007, the international andHungarian training and examination system based onthe European Qualifications Framework ('skills card')entitled "Internal Financial Control Assessment" wasestablished with the support of the European Union'sLeonardo da Vinci Program and with the participa-tion of the Hungarian, Spanish, Belgian, Irish andRomanian partners who took part in project numberL-B-013/2005. From 2008 onwards, the common, i.e.English, Spanish, German, Romanian and Hungarianterminological and ontological model of the interna-
tional training has been developed in the frameworkof a new support contract. This has been applied intraining since late 2009. The findings of the interna-tional projects managed by the Budapest BusinessSchool and professionally coordinated by Memolux
Kft have been disclosed on an ongoing basis and theyhave been discussed at reputed professional symposiaand international conferences. Of these, we can high-light the presentations held by Gejza Halsz, theHungarian member of the European Court ofAuditors and those given by the president of thisorganization Vitor Caldeira in Budapest in September2007 at the international professional conferenceentitled "The Role of Internal Financial Controls inthe Public Sector", which was supported by the StateAudit Office (SZ) of Hungary.
The Committee of Sponsoring Organizations of theTreadway Commission (COSO):
Internal Control Integrated Framework (1992) Enterprise Risk Management Integrated
Framework (2004) Internal Control over Financial Reporting
Guidance for Smaller Public Companies (2006)
INTOSAI GOV 9100 (2004): Guidelines forInternal Control Standards for the Public Sector
ISO/IEC 15504-1:2004 Information technology Process assessment Part 1: Concepts and vocabulary
ISO/IEC 15504-2:2003 Information technology Process assessment Part 2: Performing anassessment
ISO/IEC 15504-2:2003/Cor 1:2004
ISO/IEC 15504-3:2004 Information technology Process assessment Part 3: Guidance on per-forming an assessment
ISO/IEC 15504-4:2004 Information technology Process assessment Part 4: Guidance on usefor process improvement and process capabilitydetermination
ISO/IEC 15504-5:2006 Information technology Process Assessment Part 5: An exemplarProcess Assessment Model
European Court of Auditors: Opinion No.2/2004 of the Court of Auditors of the EuropeanCommunities on the 'single audit' model (and aproposal for a Community internal control frame-work) (Official Journal of the European Union C107/2004)
NOTES
LITERATURE