The Statement on Internal Control is critical to the effective risk management and governance of Ireland’s State bodies. Tom Ward and Níall Fitzgerald offer their best practice insights
Recent challenges faced by Irish entities in the public, non-profit and private sector have emphasised for many boards (and, where relevant, their funding bodies) the critical importance of the adequacy and operational effectiveness of internal controls, risk management and governance.
Ultimately, a systematic and proactive approach to testing and reviewing controls, addressing weaknesses and implementing remedial actions in a timely manner, can only enhance confidence in public sector governance and best practice.
In this regard, the Statement on Internal Control (SIC) plays a crucial role. State bodies in Ireland are required to report on all of their internal controls, risk management and governance in their annual SIC in accordance with the Irish Code of Practice for the Governance of State Bodies 2016 (Code of Practice).
Such reporting encompasses financial, business, operational and compliance controls and State bodies are subject to a swathe of such controls as standard, spanning:
- The discharge of public business.
- Project delivery and cost management.
- Monitoring and control of assets.
- Fraud prevention and detection.
- IT systems and technology (including cybersecurity).
- Procurement.
Additional controls specific to the nature of each bodies’ activities include clinical governance for public hospitals, infrastructure guidelines for large infrastructural projects and controls relating to onward funding to other public bodies or non-profits.
The SIC must acknowledge the Board’s responsibility for ensuring that effective internal control systems are in place, the approach taken to reviewing these systems to ensure they are working (including steps taken by the Board and its Committees) and must identify any significant weaknesses or breaches.
While the format for the SIC is prescribed, the content should be tailored according to the size and complexity of the organisation. However, there is limited guidance on the extent to which the Board should tailor this approach and content.
At a recent SIC event co-hosted by Chartered Accountants Ireland and the Institute of Public Administration’s Governance Forum, Andy Harkness, from the Comptroller and Auditor General (C&AG) Office, provided examples of SIC best practice for State bodies, including the need for:
- Good documentation clearly explaining the work carried out to support the review of controls;
- Assurance statements provided by senior managers;
- The involvement of the internal audit team, including key changes arising from their reviews and recommendations; and
- If appropriate, an assurance statement from independent assurance service providers.
Within this approach, the C&AG highlighted the importance of documenting any issues that may arise and adequately supporting any work undertaken to ensure that significant risks have been identified, including risks arising from changes to the control environment.
Also emphasised was the importance of assessing the effectiveness of the controls in place, the assurance results and the effectiveness of follow-up steps taken in response to any control deficiencies identified.
Board and board committees should minute their review and conclusions with regard to the effectiveness of the systems of internal controls under review, and record recommended changes to governance, internal controls and risk management matters arising from the review.
Also speaking at the recent SIC event, several experienced non-executive directors provided examples of the approaches they have taken to preparing the SIC within their organisation.
In particular, they noted challenges associated with the absence of formal guidance and the ambiguity surrounding the term “operating effectiveness”, which is typically associated with Sarbanes–Oxley applying to companies listed on the US Stock Exchange.
In an Anglo-Irish context, assurance on the effectiveness of controls has traditionally been limited to financial and reporting controls. This is, however, changing. To achieve best practice in SIC reporting, the Boards of State bodies in Ireland may currently rely on:
- Guidance issued by the Financial Reporting Council (FRC) in Britain in relation to the UK Corporate Governance;
- International Standards on Assurance Engagements (ISAE) 3402 Reports;
- Sarbanes–Oxley literature for directors and auditors;
- Guidance or circulars issued by the Department of Public Expenditure, Infrastructure, Public Services, Reform and Digitalisation or the C&AG; and
- General assurance standards and guidance.
Some best practice insights for State boards arising from the recent SIC event include:
- The benefit in defining, adopting and communicating a common framework for performing the review of internal controls.
- The importance of the work needed to support and underpin the SIC.
- The need to ensure that the findings reported in the SIC are consistent with other supporting documentation approved and minuted by the Board.
- The need to disclose any scope limitations encountered in the processes necessary to support the SIC and to consider their impact on the directors’ assertion on compliance with the Code and SIC requirements.
- Above all, the importance of understanding that the reporting of significant weakness is just one part of the equation—this must be accompanied by reporting on the steps since taken (or to be taken) to address these weaknesses.
The focus on robust internal controls, comprehensive risk management and effective governance remains a critical requirement for State bodies.
The SIC is not just a compliance requirement; it also serves as a reflection of the organisation’s commitment to transparency, accountability and continuous improvement.
As State bodies navigate evolving challenges and expectations, adopting a standardised yet adaptable framework, combined with clear guidance, will strengthen overall SIC governance practice.
Dr Tom Ward is Senior Governance Specialist, Professional Development, with the Institute of Public Administration
Níall Fitzgerald, FCA, is Head of Ethics and Governance at Chartered Accountants Ireland
LOADING...