GUIDANCE AND SELF-ASSESSMENT QUESTIONNAIRE ... - rks … · GUIDANCE AND SELF-ASSESSMENT...

GUIDANCE AND SELF-ASSESSMENT QUESTIONNAIRE FOR THE FINANCIAL MANAGEMENT AND CONTROL SYSTEM

Ministria e Financave – Departamenti Qendror Harmonizues

Ministarstvo za Finansije – Centralni Departament za Harmonizaciju 1 Ministry of Finance – Central Harmonization Department

SELF ASSESSMENT QUESTIONNAIRE FOR

FINANCIAL MANAGEMENT AND CONTROL COMPONENTS

GUIDANCE

The self-assessment questionnaire has been conceived to be used by budget organisations for

the self-assessment of the organisation internal control system (including the central level

and subordinate structures). Questionnaire is comprised of five sections corresponding to five

components of Financial Management and Control (FMC) according to COSO and INTOSAI

international standards:

1. Control Environment;

2. Risk Management;

3. Control Activities;

4. Information and Communication;

5. Monitoring.

Within the document, requests have been structured according to FMC principles.

How to fill in the questionnaire?

Each section contains a certain number of requests relating to each and every of these

components.

Along every request, Chief Administrative Officer will initially provide the

comment/feedback accompanied with respective references of corroborating / supporting

evidences (e.g. number, date of approval and naming of the document).

Afterwards, CAO will provide his/her opinion on the level of filling in of the request through

self-assessment in a special column of the questionnaire. The self-assessment is carried out

according to the following procedure:

Every request is assessed from 1 to 3 points

3- The assessment with 3 points shows that this FMC aspect has been understood and it

functions very well throughout all BO structures. CAO, in his/her opinion, will assess with

maximum points those requests which are not applied in the organisation. This is carried out

by providing comments in the respective column (e.g.: if there are no Information

Technology integrated systems in the organisation and if they are not assessed to be

integrated in the future, since the needs are met with the existing systems, then requests

related to them are assessed with N/A (not applied) and the assessment is scored with 3

points).

2- The assessment with 2 points shows that this FMC aspect has been understood

partially/functions only in some integral chains of BO or the meeting of the request has been

planned and is under process.

1- The assessment with 1 point shows that this FMC aspect is still not applied and/or is not

understood by integral parts of BO.




The total of points from five components of Financial Management and Control should be

presented along with the naming of each component.

The total of points for the entire questionnaire will be calculated and should be written down

at the end.

At the end of the questionnaire, CAO may present relevant measures he/she has decided to

undertake in the future to improve the internal control system in the organisation he/she runs.

How to interpret the results?

If some of the questions have been assessed with 1 point, the issue in question requires an

immediate intervention for improvement.

If some of the questions have been assessed with 2 points, CAO should take into

consideration the possibility to conduct system improvements on the issue in question.

If some of the questions have been assessed with 3 points, this area requires no further

intervention.

We would kindly ask you to fill in the questionnaire with sincerity, answering the questions

and also taking into account the findings of the Internal Auditor and Auditor General.

Legal framework for Financial Management and Control has recently entered into force. This

means that some of the FMC aspects are a novelty for BOs in Kosovo and a high score self-

assessment which means that no system improvement is needed, would be something

unrealistic. One has to take into account that the questionnaire will help in the identification

of those FMC aspects of BOs in which measures should be taken for the system

improvement, where further understanding is needed on the importance and system

efficiency as well as on the directions for the personnel capacity building.

The BO Chief Administrative Officer is recommended to distribute this questionnaire to

managers of different BO departments/structures under his/her responsibility (the integral

parts of the central body as well as to the subordinate units) in order to fill it in and obtain

complete information. In doing so, CAO will make use of the results in order to form a

consolidated response related to BOs.

The questionnaire is completed upon the signature of Budget Organisation Chief

Administrative Officer after it has been filled in electronically in the website, the same

copy is printed out, signed and stamped by CAO and is sent in a hard copy to Division

for Financial Management and Control in the Ministry of Finance.

The questionnaire may also be found in the website of the Ministry of Finance.




QUESTIONNAIRE FOR SELF-ASSESSMENT OF THE FINANCIAL MANAGEMENT AND CONTROL SYSTEM

Budget Organisation

Budget value for the reporting year in Euro

Chief Administrative Officer

Number of units controlled by BO (subordinate units, offices, agencies,

public companies)

Address of website (where the organigram of BO is attached)

E-mail;

Telephone;

Reporting period: January – December 2014

No.

of

quest

ion

DESCRIPTION OF QUESTIONNAIRE REQUIREMENTS

ACCORDING TO FINANCIAL MANAGEMENT AND CONTROL

COMPONENTS

Select the

answer from

1 to 3

according to

the guidance

Provide the answer

and/or

your comments

Component I. CONTROL ENVIRONMENT Total points

for C1

Control environment is the organisation’s fundamental basis since it is linked to main rules of the internal functioning such as:

strategic objectives, internal regulations, organisational structures, human resource policies, etc. It comprises the foundations upon

which all other components of Financial Management and Control are established.

Principle 1 –Commitment for integrity and ethical values

Total points

for P1

1 Are there internal regulations/procedures in your organisation in compliance

with relevant laws, on defining the conflict of interest situations which are

specific to this BO?

(if CAO deems the existing legal framework sufficient, without it being

necessary to further specify rules for BO, he/she can assess this question with

3 points)

2 Is there a Code of Conduct in your organisation?

(If yes, please provide no. and date of the approval of the act, or the relevant

laws, if they are deemed to be sufficient)

3 Are there procedures in BO which do assess the compliance/harmonisation of

the employees with the Code of Ethics/ and Organisation regulations?

(For example, if it is determined that the newly hired officers are forced to be

familiar with codes/ regulations and/or human resource department should

electronically forward the Code of Ethics to officers, as a reminder he/she

should organise periodic meetings for this purpose, etc.). If yes, please

explain in the column “Comments” and specify the title and date of the

approval of this procedure.

4 Is there any procedure for reporting the violation of rules on the ethics and

thus undertaking measures as a result of this?

(If yes, please explain in the column “Comments” and specify the title and

date of the approval of this procedure).




5 Have you undertaken administrative actions/measures for the reported cases

of the violation of procedures of ethics, conflict of interest within the

organisation? If yes, please provide the type of measures undertaken.

6 Which employee in the BO is responsible for monitoring the compliance of

employees with the Code of Conduct and is he/she a direct subordinate to

CAO?

Principle 2 – Exercise of the oversight responsibility

Total points

for P2

7 How many of Publicly Owned Enterprises are under your control as a main

shareholder or controller?

(This question refers to the profitable organisations or those with self-

administration implementing the Law on Publicly Owned Enterprises)

If it is not applicable for a BO – give 3.

8 If there is Publicly Owned Enterprises: Do you receive regular reporting from

the Board of Companies on the performance of companies and on the

decisions taken by Oversight Body during the discharge of their activities?

Principle 3 –Setting strategic objectives and organisational structure

Total points

for P3

9 Have you drafted and approved the BO Mission Statement you are covering?

(If yes, please specify in the column “Comments” the date of its approval).

10 Have you prepared and approved the BO strategic plan?

If YES: for what reporting period? (over 3 years)

11 Which BO Departments are responsible for coordination and development of

the strategic plan?

12 Are managers of subordinate units involved in the discussion of the strategic

plan? What about third parties?

(for example: organisation of round tables with other budget organisations,

civil society, academicians)

13 Is the cost of strategy calculated?

14 Is the strategic plan sent to the system of Strategic Planning of the Office of

Prime minister?

15 Is BO defining in the strategic planning the performance indicators for

monitoring the achievement of objectives?

16 Do you have annual action plans approved for the achievement of the

strategic purposes, which contain concrete actions, deadlines and responsible

persons for every anticipated action?

17 Are performance reports prepared (in the achievement of objectives)?

18 Are BO managers/employees informed on the contents of the mission,

objectives and strategic statement?

(Specify in the column “Comments” what was the way and the date of

distribution of documents, e.g., electronically, via letter, through meetings,

etc.).




19 Is the structure of your organisation appropriate for the character of its

activity?

(This question deals with the fact that, if the structure of organisation is

appropriate to achieve its objectives/ if the structure covers all duties and

responsibilities given to BO by law/ if this structure is centralised, or

decentralised/ how does it facilitate the circulation of information).

20 Does the BO organisational (published) structure also include the subordinate

units/controlled units?

(The question deals with the fact that the published structure often contains

only the main part of the central body, thus excluding the subordinate units.

Therefore, the link between them and the reporting lines is not clearly seen).

21 Is the structure able to provide the necessary information for your decision

taking?

(For example; if you receive complete information including financial

information combined with information for the achievement of planned

purposes/product; or the information comes partial or uncoordinated from

different departments)

22 Does every department/directory/division/sector, or unit have clear defined

duties and responsibilities and in particular by other directories / department /

sectors.

(If yes, please specify which document describes these responsibilities).

23 Does the BO organisational structure provide clear reporting lines?

24 Are responsibilities of managers clearly defined? And have they understood

them clearly?

25 Do managers have the appropriate knowledge and experience to meet their

responsibilities?

26 Are managers of budget programmes directly subordinate to CAO?

Principle 4 – Commitment for competence

Total points for

P4

27 Have you approved job descriptions for each job position in BO, which

include individual work to be accomplished, requirements related to

necessary qualifications and reporting lines?

(This question is related to employees of all levels in BO and includes senior

managers).

28 Is there any analysis of knowledge and skills required to meet the work in the

recruitment process of personnel in new working positions or for job

promotion?

29 Is there a Board and /or Audit committee which is independent from

management and which can challenge or address questions to CAO?

(As a rule, there is a Board in municipal organisations, public companies and

in regulatory offices/authorities. There may be Audit Committees in all

budget organisations).

30 Do Board and Audit Committees members have the necessary knowledge and

experience?

31 Are there frequent meetings between the Board/ Audit Committee and

finance mangers, internal and external auditors?

(According to LIA, Boards/Audit Committees are obliged to convene at least

4 times a year)

32 Is accurate and timely information sent to the Board and Audit Committee to

allow the monitoring of managing objectives and the financial position in

BO?




33 Who is responsible for HR management?

(provide position (department, directory, division, sector, officer depending

on the size of organisation)

34 Are there periodic appraisals of employees carried out in your institution

relating to the duties they perform, as part of their responsibilities?

(Please use the column “Comments” to explain how often these appraisals

are carried out, and how the employees are informed on the appraisal

results).

35 Are requirements for skills and needs for personnel training identified by

BOs?

36 Does BO have a training plan including the Financial Management training?

(For example; in strategic planning areas, preparation of financial plans,

risk management, procurement and contracting, accounting systems, etc.).

37 How many employees have been trained in financial management during the

reporting period?

Principle 5 – Implementation of accountability (authority and responsibility

in the achievement of objectives)

Total points

for P5

38 Are there regular meetings of the Senior Management Team held to discuss

on issues relating to Financial Management and Control?

(Please specify the frequency of these meetings during the year in the column

“Comments”. The reference documents may be meeting minutes or records

which are sent electronically to members).

39 Does the Senior Management Team often visit its personnel in their working

positions? Are there regular meetings held?

40 Do managers of departments have the authority of he budget management of

their departments?

Please provide no. and date of budget document for each department.

(While providing the answer, one should take into account if managers also

have all the tools for monitoring the use of their budget. Do they have access

to their financial information or not)

41 Is this valid for all departments? If NOT: for which ones?

42 Are there written procedures, approved by Head of BO, which do handle the

delegation of duties and the way of its documentation?

(It is about delegation of the signature, not only for the segregation of duties,

is there is any standard authorisation format which will mention the person to

whom the competence is delegated, type of competence, time period, the

reporting mode).

43 How do delegated officers report to their supervisors for the performance?

44 How is the performance of employees appraised?

(achievement of short and long- term objectives; standards of conduct)

45 Does the BO provide for

- Stimulation or rewards for extraordinary employee performance? (it is not

only about material rewards but also about moral rewards)

- Disciplinary sanctions and corrective measures in case of poor

performance of an employee?

46 How many certification officers are there in BO?




47 Which is their institutional position (department, organisational unit) and who

do they report to?

Component 2 – RISK MANAGEMENT Total points

for C2

Risk management includes identification, assessment, risk analysis which may be important to the achievement of organisational

objectives and defining an appropriate response to these risks.

Principle 6 –Specification of objectives as the basis for identification and

risk assessment relating to these objectives

Total points

for P6

48 Does the BO, as an entirety, set mid-term objectives during the preparation

of Mid-term Expenditure Framework (MTEF)?

49 Are these objectives published?

(The management is obliged to publish the objectives within MTEF in the

BO website).

50 Does the BO set objectives at the level of:

Budget programmes?

Projects?

51 Does the BO approve annual plans at the level of department?

52 How does it communicate objectives to employees and to the Board of

Directors (if there is a Board)

53 Which procedure regulates the implementation and monitoring of the

execution of objectives within MTEF?

Principle 7– Risk identification and risk analyses for achievement of BO

objectives

Total points

for P7

54 Does BO conduct identification of potential risks impacting on the failure to

execute objectives for each project?

55 Has the BO appointed a risk coordinator to whom the competencies are

delegated?

(CAO may delegate some of the rights to a managing programme/project

officer).

56 Is there a system for risk identification from external sources? (For example:

with reference to external supplies, technology, economic and political

conditions, legal requirements, natural events, etc.).

57 Is there a system for risk identification from internal sources? (For example:

with reference to human resources, finances, Information Technology

systems, etc.).

58 Do you record risks in writing and in which document:

a) Strategic documents/ development plans of programmes / annual

action plans (defining responsibilities to employees on risk

management)?

b) Risk registers drafted according to FMC requirements?

59 If there is a risk register, how frequently is it updated?

(normally updating has to take place not less than once a year)




60 If there is a risk register, is every proposed response towards the identified

risk documented?

(Best practices suggest that there should be a certain response identified

towards a risk, which may be: tolerance (thus, we do nothing), treatment

(which means controls are introduced to limit the risk), transfer (to a third

party), or termination (ceasing the activity).

61 If there is a risk register, does every risk have its “owner”, therefore, a

person who has taken over the risk management in question (risk manager)?

(risk register has to clearly indicate “the owner” of each risk and /or each

control)

Principle 8 – Fraud risk assessment

Total points

for P8

62 Do you have a reporting system for monitoring the most important risks?

63 Do you have a reporting system for reporting irregularities noticed in the

organisation? (as a rule: every BO employee should report the violation of

rules in force or cases of fraudulent reporting, fictitious notes, loss of assets,

corruption to the Head of Organisation, or to the officer/structure appointed

by him/her)?

Component 3 – CONTROL ACTIVITIES Total points

for C 3

Control activities are policies and procedures established to address risks and to achieve objectives of institution. They include a

range of controlling activities with preventive and detecting character.

Principle 10 – Selection and development of control activities for risk

mitigation

Total points

for P10

64 Are there detailed internal rules/instructions describing main operational and

financial work processes, including circulation of documentation and

information, chains of decision taking and internal controls that an officer

has to exercise in every process? Please provide in detail the no. and date of

approval of the following documents:

65 a) The preparation process and execution of the strategic planning

66 b) The preparation process and execution of financial annual budget

plan?

67 c) Keeping and recording of accounting transactions (which employee

is responsible for what)

68 d) Procurement and contracting process?

69 e) The process of management of current and non-current assets

70 f) Management of own source revenues (assigning employees with

duties)

71 g) Safeguarding, using and archiving documentation?

72 Are the above mentioned instructions reviewed regularly every time the

working processes change?




73 Is there a procurement plan approved along with the availability of budget

funds approved? Is it updated during the year in accordance with the changes

of the BO funds available?

74 Are asset registers completed based on legal and sublegal requirements?

75 Are all changes of assets constantly recorded during the fiscal year and also

at the time of their completion?

76 Which procedures are there in a BO to prevent an employee not to be

responsible for more than one of the following tasks: authorisation,

processing, recording, reviewing of transactions?

77 Do you monitor the compliance of employees with the segregation of duties?

78 Are documented actions undertaken for the improvement of the budgeting

process? (When are there considerable deviations from the initial budget

with the final budget; failing to execute planned expenditures; big number of

reallocations during the year)

79 Is there an ex-post control executed in a BO?

(If yes, mention some of them and what document describes them)

80 Are these controls regular or ad hoc, instructed by the Head of

Organisations as needed?

(it is about control teams with a minimum of 3 officers)

81 Do you undertake subsequent actions following the findings which resulted

from such ad hoc missions?

Principle 11 – Selection and development of IT controls

Total points

for P11

82 Are there other main IT systems used by a BO (besides the access of a BO to

KMFIS)?

If NOT and if there is no need for such systems, assess it with 3 points

83 How is the segregation of duties implemented in the functioning of IT

systems in BO, in order to prevent that a single employee controls all the

stages of IT functioning (e.g. software installation, programing, testing)?

84 Has BO approved policies, instructions or security IT procedures?

85 What access controls are there in place to prevent:

a) Unauthorised modifications in the existing software

86 b) Unauthorised modifications, loss and disclosure of data

87 c) External threats (such as viruses)

88 d) Unauthorised physical access (in equipment and installations)

89 Is there a recovery facility in case of disasters (equipment, backup of data)

and procedures to make sure that important (critical) operations do function

uninterruptedly and that critical data are protected, when unexpected events

take place?

90 Are there procedures set in BO for maintenance of IT controls?

Component 4 – INFORMATION AND COMMUNICATION Total Points

for C 4

Information and communication are essential for the implementation of all internal control objectives

Principle 13 – Use of information to support internal control functioning

Total points

for P 13




91 Does the (manual and/or electronic) reporting system in your organisation

provide information for monitoring the progress of the entire achievement of

organisation objectives and of its special units?

92 Does the reporting system support drafting of the following reports and how

quickly does the BO prepare them?

Budget execution reports

93 Cash flow forecast reports

94 Commitment reports

95 Financial liability reports (recognised but outstanding expenditures)

96 Do you have integrated IT systems for different work processes?

97 Does the BO operate its own accounting system (besides KFMIS)?

98 If yes, does this accounting system provide for monitoring of expenditures

and revenues according to programmes and projects?

If this system does not provide for this, have you planned improvements to

the accounting system?

Principle 15 – Communication related to issues impacting on the internal

control functioning

Total points

for P 15

99 What kind of processes are there in BO to communicate the information to

all employees (from high to low level; from low to high level; between the

same levels)?

100 Do all employees have access to official e-mail accounts?

101 Is there a mechanism for obtaining information from outside on the changes

on relevant legislation and economic conditions, or for the exchange of

information with other public sector organisations, with citizens, non-profit

organisations, media and with private sector representatives?

Component 5 – MONITORING ACTIVITIES Total points

for C 5

Internal control systems should be monitored in order to assess the quality of the performance system during time periods.

Monitoring is carried out through a constant monitoring, through separate assessments, or by combining them both. Internal control

monitoring activities should be clearly differentiated from verification and monitoring of institution operations.

Principle 16 – Special assessment on constant basis

Total points

for P16

102 Is the progress related to the achievement of objectives regularly monitored

and are causes for potential failure in this aspect analysed?

(Please use the column “Comments” to describe how is the progress related

to the achievement of objectives monitored – by whom, for whom, how

frequent, etc.).

103 Does an organisation regularly carry out a self-assessment of systems of

Financial Management and Controls? (this question refers to the

organisation as a whole)

104 Are there internal rules approved for monitoring the systems of Financial

Management and Controls, which specify the periodicity of verification of

these systems as well as the procedures for undertaking the repair measures?

(Please use the column “Comments” to describe how the managers are

made aware of their responsibilities in the risk management. This may occur

through trainings, through a manual or through dissemination of relevant

information, etc.).




105 Are verification lists, questionnaires or other tools included in the

methodology used?

106 How many recommendations for the internal control systems have been

included in the internal auditing reports in the reporting period?

107 How many of them have been implemented to date?

108 Is the implementation of recommendations directly supervised by you?

109 How many recommendations for internal control systems have been included

in the OAG last report?

110 How is the implementation of recommendations monitored by Audit

Committee?

Is a report required from CAO?

TOTAL QUESTIONNAIRE POINTS

Provide main measures you have planned for the improvement of IC system in the BO.

Please provide your comments and your suggestions for the improvement of the internal control

regulatory acts.

(Signature of Chief Administrative Officer of

the BO and the stamp)

GUIDANCE AND SELF-ASSESSMENT QUESTIONNAIRE ... - rks … · GUIDANCE AND SELF-ASSESSMENT...

Documents

Transcript of GUIDANCE AND SELF-ASSESSMENT QUESTIONNAIRE ... - rks … · GUIDANCE AND SELF-ASSESSMENT...