Current state of internal control and risk management in central government

Conclusions and recommendations of the National Audit Office

The main aim of the audit was to determine how internal control and risk management are organised in central government. This was done by producing an overall picture of the organisation of internal control and the risk management function coming under it. The main aim was divided into four sub-aims.

The first aim in the audit was to ascertain whether the organisation of internal control and risk management is adequately supported by legislation. The State Budget Act and Decree provide the framework for internal control in central government financial administration and they also lay down the most important joint supervisory mechanisms for internal control. In practice, the State Budget Decree serves as the corporate governance document for central government. In the National Audit Office’s view, the major pieces of internal control and risk management legislation are in most respects adequate and on a proper basis. In recent years, however, changes have been introduced in central government to streamline internal control procedures in state budget legislation through legislative reforms and guidelines. There is a material risk that the changes to the State Budget Act entering into force on 1 October 2017 will weaken internal control in central government. As considerable amounts of public funds are used in public administration and the risks concern the use of these funds, the internal control procedures used in small and medium-sized companies and other similar entities cannot be applied at government level. In SMEs, internal control is the responsibility of the owners who are also personally liable if any of the risks are realised.

In addition to the general budgetary legislation, the auditors also reviewed tax laws and the provisions of the Act on Discretionary Government Transfers from the perspective of internal control. The provisions provide a good basis for effective internal control. From the perspective of internal control it is recommended that, as part of the simplification and automation of taxation procedures, material tax provisions should also be simplified. This would serve as a basis for the automation of the supervisory mechanisms from the perspective of internal control. All provisions of the Act on Discretionary Government Transfers should be considered in decisions on discretionary government transfers. For example, the rights and obligations of the recipients of discretionary government transfers should be clearly defined in the decisions on the transfers.

The second aim in the audit was to ascertain whether the steering of central government supports effective organisation of internal control and risk management. In the National Audit Office’s view, the Ministry of Finance and the State Treasury play an important role in the shaping of the control environment. The control environment provides the basis for internal control. Over the past few years, the State Treasury has put more emphasis on the steering of operational efficiency in the steering of financial and personnel administration and reduced steering of internal control. The absence of comprehensive risk assessment of central government finances has led to a situation where the State Treasury is no longer steering the organisation of internal control as decisively as before. In the National Audit Office’s view, proper organisation of internal control and risk management requires that the ministry and the State Treasury should have a more coordinated and focused approach to the steering of internal control. Well-organised internal control also supports operational efficiency.

In the National Audit Office’s view, the Government Financial Controller’s function is only playing a minor role in the overall development of internal control in central government.

The third aim of the audit was to determine whether the internal control is properly organised in the accounting offices. After reviewing the results of the financial audits, the National Audit Office has concluded that continuous attention should be paid to the organisation of internal control in accordance with section 24 b of the State Budget Act and the principles of good governance. In recent years, there have been fewer cautions concerning internal control in the financial audit reports than before. Improvements in the performance accounting of the accounting offices are the main reason for this trend. The statements of internal control and approval have become an established part of the management processes in the accounting offices. As a rule, internal audit in the accounting offices is properly organised. Internal audit procedures are cost-effective and professional. At the same time, the number of cautions concerning compliance with the state budget has increased. However, the cautions concerning compliance with the state budget have not always resulted from inadequacies in internal control.

The fourth aim of the audit was to ascertain whether the internal control of the customer service processes in the Finnish Government Shared Services Centre for Finance and HR is properly organised. In the National Audit Office’s view, the controls applied in the accounting offices and the Shared Services Centre are, from the overall central government perspective, often overlapping while at the same there are also clear inadequacies in the control procedures. The chains of tasks of financial and personnel administration have evolved from processes specific to accounting offices into cross-agency operating processes. When the chains of tasks become longer, there is a growing risk that the agency’s management is not adequately aware of its responsibility for internal control and risk management. Not all controls have been implemented or their introduction has not been properly supervised. The responsibilities of the centralised information systems used in customer service processes and the supervisory functions applied to them should be clarified. The functions of the Shared Services Centre’s financial administration processes and their internal control are extensively automated. The auditors’ view is that the internal control is, in essential parts, properly organised. More attention should be paid to ensuring the reliability of the controls. Material inadequacies were discovered in the internal control of the personnel administration processes. The development of the internal control procedures for the personnel administration section of the Kieku information system and the drafting of guidelines for them only started during 2016 even though the first accounting offices already introduced Kieku in 2011.

Recommendations of the National Audit Office:

  1. The Ministry of Finance, the State Treasury and the Government Financial Controller’s function should pay more attention to the functioning of internal control and its organisation as a comprehensive part of central government financial administration.

  2. As the practical functioning of internal control and risk management is determined as part of the development of processes, functions and information systems, internal control and risk management should always be a integral part of the planning and renewal of operations as well as legislative improvements.

  3. The supervisory procedures implementing internal control should always be planned so that they are pre-emptive and made into automated parts of the information systems. The effectiveness of the procedures should be ensured through testing.

  4. In the reforms of tax legislation, consideration should be given to the perspective of internal control and the automation of the supervisory procedures.

  5. Central government should have a joint electronic system for managing discretionary government transfers.

  6. The Ministry of Finance should ensure that the resources allocated to the Government Financial Controller’s function are in accordance with the principles laid down in section 24 e of the State Budget Act.

  7. Development of the risk management should be continued on the basis of the risk management policy model prepared by the Government Financial Controller’s function, especially at Government level.

  8. Internal control of the overall process of central government finances should be strengthened by, for example, providing the Ministry of Finance or the State Treasury with resources for this task and for the development of internal control.

Categories