FINANCIAL

MANAGEMENT
AND GOVERNANCE
PRACTICE
JANUARY 2010
The Statement on Internal Control:
A Guide for Audit Committees
The National Audit Ofce scrutinises public spending on behalf of
Parliament. The Comptroller and Auditor General, Amyas Morse, is an
Ofcer of the House of Commons. He is the head of the National Audit
Ofce which employs some 900 staff. He and the National Audit Ofce
are totally independent of Government. He certies the accounts of all
Government departments and a wide range of other public sector bodies;
and he has statutory authority to report to Parliament on the economy,
efciency and effectiveness with which departments and other bodies
have used their resources. Our work leads to savings and other efciency
gains worth many millions of pounds: at least 9 for every 1 spent
running the Ofce.
Our vision is to help the nation spend wisely.
We promote the highest standards in nancial
management and reporting, the proper conduct
of public business and benecial change in the
provision of public services.
The Statement on Internal Control:
A Guide for Audit Committees
FINANCIAL MANAGEMENT AND GOVERNANCE PRACTICE
JANUARY 2010
2 The Statement on Internal Control: A Guide for Audit Committees
In the current climate of scal restraint and declining
availability of resources, it is important that central
government bodies can demonstrate the resources
that they are responsible for are appropriately
managed and controlled.
For further information, please ask your
usual NAO contact or Client Director:

National Audit Ofce
157-197 Buckingham Palace Road
Victoria
London
SW1W 9SP
Tel: 020 7798 7000
Email: [email protected]
National Audit Ofce 2010
Contents
Introduction 4
Part One
The purpose and content
of the SIC 5
Part Two
The NAOs approach to the audit
of the SIC 7
Part Three
How can the Audit Committee
add value? 8
Appendix One
Contents of the SIC 12
Appendix Two
Roles and responsibilities in
preparing the SIC 15
4 The Statement on Internal Control: A Guide for Audit Committees
Introduction
In the current climate of scal restraint and declining availability of resources, it is
important that central government bodies can demonstrate the resources that they are
responsible for are appropriately managed and controlled. High quality and proportionate
internal control systems will help organisations achieve their aims. The Statement on
Internal Control (SIC) is a public accountability document that describes the effectiveness
of internal controls in an organisation.
This guide sets out the NAOs approach to considering the SIC as part of our annual
audit of the nancial statements. In particular, it provides guidance to Audit Committee
members on how they can add value to the risk management, governance and internal
control processes within their organisation through effective challenge of the disclosures
made in the SIC.
As part of our audit approach, the NAO engages with senior executives early on in the
reporting period and subsequently challenges the disclosures made in the SIC if these
do not provide transparent information to Parliament, or the underlying processes are
inadequate. Where we do not see appropriate disclosures in the SIC, we may make use
of our powers to report to Parliament.
A wide variety of governance models exist within the central government sector and,
although the principles detailed in this guide are intended to apply throughout, some
exibility in their interpretation will be necessary.
I hope you will nd this guide useful and informative.
Andrew Baigent
Director General, Financial Audit
The Statement on Internal Control: A Guide for Audit Committees 5
Part One
The purpose and content of the SIC
What does the SIC tell us?
The Statement on Internal Control (SIC) is the means by which the Accounting Ofcer
declares his or her approach to, and responsibility for, risk management, internal control
and corporate governance.
1
It is also the vehicle for highlighting weaknesses which exist
in the internal control system within the organisation. It forms part of the Annual Report
and Accounts.
Why do we have a SIC?
Public bodies must provide assurance that they are appropriately managing and
controlling the resources for which they are responsible. The SIC is an important
accountability document in communicating these assurances to Parliament and citizens.
The SIC is a mandatory disclosure for all central government entities that comply
with the Financial Reporting Manual (FReM). It is a primary accountability document.
The external auditors do not provide an explicit audit opinion on the content, but it is
subject to external audit review to ensure that it has been prepared in accordance with
Government guidance and that it is consistent with the auditors knowledge of the entity.
What does a SIC disclose?
The Financial Reporting Manual sets out the expected form and content of the SIC.
This is a mix of prescribed text and sections where Accounting Ofcers are expected to
describe the particular arrangements in their organisations.
1 The Accounting Ofcer usually holds the post of Permanent Secretary or Chief Executive. The Accounting Ofcer
is the senior ofcial in the organisation and he or she may be called to account in Parliament for the stewardship of
the resources within the organisations control.
6 The Statement on Internal Control: A Guide for Audit Committees
The SIC should contain disclosures under the following headings:
Scope of responsibility;

The purpose of the system of internal control;

Capacity to handle risk;

The risk and control framework; and

Review of effectiveness.

More detail on the information to be disclosed under each heading is set out
at Appendix One.
What are the roles and responsibilities?
The Audit Committee plays a key role in the production of the SIC. It supports the board
and Accounting Ofcer by reviewing the comprehensiveness of assurances in meeting
the board and Accounting Ofcers assurance needs, and reviewing the reliability and
integrity of the assurances. The Audit Committee also advises the board and Accounting
Ofcer of any control issues that could be considered signicant and are therefore
appropriate for disclosure in the SIC. Fuller information on the roles and responsibilities
involved in the production of the SIC is set out at Appendix Two.
The Statement on Internal Control: A Guide for Audit Committees 7
Part Two
The NAOs approach to the audit of the SIC
To provide assurance to Parliament that public bodies are appropriately managing and
controlling the resources for which they are responsible, the NAO reviews SICs to ensure
they are supported by robust evidence and the underlying controls are sufciently reliable.
Although we also have a professional responsibility to review the SIC under ISA 720
as it is information published with the audited accounts, our engagement will begin
much earlier in the reporting period.
2
Assignment Directors and Managers will engage
with senior executives, including the Accounting Ofcer, to discuss the risks facing the
organisation, the adequacy of the underlying controls and the transparency of reporting
in the prior year. We will also consider the governance processes in place over the
production of the SIC.
We expect Accounting Ofcers to reect weakness in internal control identied by other
reports on their organisation published during the year within the SIC, for example,
select committee reports or NAO VFM reports.
At the Audit Committee, we will discuss the disclosures made in the draft SIC and raise
any concerns we have over the transparency of reporting or sufciency of the underlying
controls and assurances. In addition, our professional responsibilities require us to
consider whether the SIC is:
Produced in accordance with HM Treasury requirements; and

Consistent with our understanding of the position based on the information that we

are aware of from our work on the nancial statements and other work.
In cases of non-compliance with HM Treasury requirements or where we consider that
a signicant issue has not been adequately reected in the SIC, we will consider the
implications for our audit opinion. In these instances, we modify our audit opinion and/or
issue a separate report to Parliament.
To enable change and help audited bodies benet from our cross-government
perspective, we will publish digests of best practice from our work on SICs.
2 International Standard on Auditing 720 (Revised) Section A Other Information in Documents Containing Audited
Financial Statements.
8 The Statement on Internal Control: A Guide for Audit Committees
Part Three
How can the Audit Committee add value?
To assist Audit Committees in their challenge function we reviewed a wide range of SICs
to identify good practice in corporate governance, risk management and internal controls,
and the disclosure of these, within the SIC. The results are set out below broken down
by key SIC heading. The table is not intended to be a comprehensive list, but a useful
tool to help Audit Committee members identify where their organisations processes and
procedures could be strengthened or additional disclosure would be valuable. All good
practice areas should be considered in two ways; rst to see if there are appropriate
policies and procedures in place and secondly to see if this is working in practice.
Management should have evidence that these systems and processes are working,
and may use internal audit or other assurance providers to give some of this assurance.
Capacity to Handle Risk
Key theme Area Good practice
Leadership Risk
management
policy
Sets out the commitment, processes and

behaviours expected of the Board

Guidance is available on how to implement the policy

Description of
responsibilities
Clear chain of accountability for risk from the

Accounting Officer downwards

The responsibilities of the Executive, Board, Audit

Committee and any other relevant groups/roles are

clearly defined
Communication Regular consultation with key stakeholders and

partners on risk
Staff training Risk management
tools on intranet
Risk management support and guidance made

available to staff via intranet

Senior management
accountability
Management clearly accountable for ensuring

that appropriate guidance, support and training is

available to their staff
Risk
management
training
Ongoing training to embed risk management

concepts and tools into everyday business

The Statement on Internal Control: A Guide for Audit Committees 9
Key theme Area Good practice
Other items Independent review Periodic review of the capacity to handle risk by

internal audit
Risk
management
maturity
Benchmarking of the organisation against a risk

management model, with actions in place to

achieve the next maturity level
Evidence of Effectiveness
Evidence that the organisation has responded to changes in risk profile or specific events in a

positive and effective way

Risk and Control Framework
Key theme Area Good practice
Risk
management
framework
Risk
management
strategy
Agreed and specifically signed-off at Executive/

Board level
Sets clear accountabilities for action

Sets out a structured process for identifying,

assessing, communicating, escalating and

managing risks, which is dynamic and responsive to
changing circumstances
Staff are held accountable for risk management

through the performance management system

Reporting Regular risk management reporting at various levels

within the organisation

Risk
identification
Upward reporting Upward identification and reporting of risks

Risk evaluation Risk registers Clear ownership of risk at Executive/Board level

Regular review of the corporate register

Risk ranking consistently assigned to all entries

Control of risks Framework of

appropriate
controls built into
routine processes
Procedures in place to ensure appropriately

skilled and experienced staff are responsible for

business processes
Documented procedures for all key

business processes
Management controls ensure quality processing

Management information is available to assess the

quality of processing and the level of activity

Risk appetites Clearly defined
risk appetites
Risk appetite is defined at a corporate level

Risk appetite cascaded down within the organisation

Evidence of risk appetite being tailored to reflect

different risks
10 The Statement on Internal Control: A Guide for Audit Committees
Key theme Area Good practice
Embedding risk
management
Culture of risk
management
throughout
organisation
Every significant risk is assessed and ranked

A risk owner is assigned to each risk and has the

authority to allocate risk management tasks to

specific officers
Every employee is aware of their own responsibilities

for managing risk

Executive decision papers contain a section

on key risks
Evidence of Effectiveness
No significant internal control failures occurred in year

Evidence that the risk and control framework identified and managed changes in the risk

environment effectively during the year

Review of effectiveness
Key theme Area Good practice
Review of
Effectiveness
Executive/Board Considers the top risks faced by each part of

the organisation
Discusses the effectiveness of internal controls

related to key risks

Audit Committee Regularly considers the effectiveness of

internal controls
Considers the coverage of the Internal

Audit programme
Reviews progress on implementing Internal Audit

and External Audit recommendations

Risk Manager/
Committee (if
applicable)
Periodically reports on progress made and further

improvements necessary
Internal audit Annual work programme is risk-based.

Progress and amendments are reported to the

Audit Committee
Annual assurance statement provided to the

Accounting Officer
The Statement on Internal Control: A Guide for Audit Committees 11
Key theme Area Good practice
Other
assurance
mechanisms
Management Accounts Monthly review by budget holders

Quarterly re-forecasts

Individual approval of capital expenditure projects

Management
assurance statements
Set out the governance, risk and control

arrangements in each directorate/business area and

any weaknesses identified
The statements are collectively reviewed and

challenged by the Audit Committee

Capability Review Review of progress in implementing

recommendations
Evidence of Effectiveness
Evidenced-based assurances over the effectiveness of internal controls and their coverage of risks

(provided by senior management to support the SIC)

The annual internal audit plan is flexed to address risks arising

Signicant Internal Control Issues

Key theme Area Good practice
Significant
Internal
Control Issues
Current year issues Full disclosure of all significant internal control

issues and their impact on the organisation

Includes action being taken to prevent recurrence

and the timescales involved

Anticipated future risks and actions to mitigate these

are reported
Prior year issues Follow up reporting on all prior year significant

internal control issues

Includes explanations for any slippage against the

original timescales
Evidence of Effectiveness
Significant internal control issues have not arisen in subsequent years

12 The Statement on Internal Control: A Guide for Audit Committees

Appendix One
Contents of the SIC
Based on the 2009-10 Financial Reporting Manual (FReM), Annex 2 (http://www.
nancial-reporting.gov.uk/documents/2009/2009_10_frem_full_version.pdf)
Scope of responsibility
Reports the Accounting Ofcers responsibility for maintaining a sound system

of internal control. The Accounting Ofcer is required to sign the SIC in

recognition of this.
NAO comment
It is essential that the Accounting Ofcer clearly identies their responsibilities, and the
interaction with any statutory board, where this applies.
The purpose of the system of internal control
Explains that the system of internal control is designed to manage the risk of

failure; it cannot eliminate all risk and therefore only provides a reasonable and not
absolute assurance of effectiveness.
Conrms whether the system of internal control was in place for the whole of year

and accords with HM Treasury guidance. Material changes or the absence of an

element of the risk management process for a material period should be disclosed.
NAO comment
It is important that this section includes a transparent consideration of areas where the
system may not have been fully in place during the period. This would include where
processes were temporarily suspended.
Capacity to handle risk
Describes how leadership is given to the risk management process, how staff are

equipped to manage risk and how the organisation learns from good practice.
NAO Comment
This section should provide details of how the organisation has adapted to changes in
the risk environment.
The Statement on Internal Control: A Guide for Audit Committees 13
The risk and control framework
Describes the key elements in the risk management strategy, including how risk

is identied, evaluated and controlled. This section must explicitly include the
management and control of information risk.
Describes how risk appetites are determined.

Explains how risk management is embedded within the organisation.

Describes how public stakeholders are involved in managing risks which affect

them (where appropriate).

NAO Comment
Changes to the risk and control framework in year should be highlighted. Disclosure
should cover how quickly and effectively the organisation embedded these changes
within the day to day operations of the organisation.
Review of effectiveness
Conrms that the Accounting Ofcer has responsibility for reviewing the

effectiveness of the system of internal control.

Provides assurance that the review is informed by the work of internal audit,

executive managers and external audit.

Provides assurance that the board and Audit Committee (and risk committee, if

appropriate) have advised the Accounting Ofcer on the implications of the results
of the review.
Conrms a plan is in place to address weaknesses and ensure

continuous improvement.
Comments on the role of the board, Audit Committee, risk committee/managers

(if relevant), internal audit and other explicit review/assurance mechanisms.

Outlines actions taken or proposed to deal with any signicant internal

control issues.
NAO Comment
Organisations should demonstrate how they have been responsive in reacting to risks
and that they are not tied to a process-driven mentality.
14 The Statement on Internal Control: A Guide for Audit Committees
Signicant internal control issues
As part of the review of effectiveness, Accounting Ofcers must disclose the actions
taken/proposed to deal with any signicant internal control issues. While it is for
Accounting Ofcers to judge whether a matter is signicant, Managing Public Money,
suggests the following tests that might indicate a signicant internal control weakness:
3
Might the issues seriously prejudice or prevent achievement of a PSA target?

Could the issue have a material impact on the accounts?

Could the issue divert resources from another important aspect of the business?

Does the Audit Committee advise it is signicant?

Does internal or external audit regard it as signicant?

Could the issue, or its impact, attract signicant public interest, or seriously

damage the reputation of the organisation?

NAO Comment
Disclosure of signicant internal control issues should be full and frank, covering how
the issue arose and the remedial actions taken and planned. Progress against planned
actions should be updated in subsequent years.
3 Managing Public Money, annex 4.15, http://www.hm-treasury.gov.uk/d/mpm_annex4.15.pdf
The Statement on Internal Control: A Guide for Audit Committees 15
Appendix Two
Roles and responsibilities in preparing the SIC
The key roles and responsibilities surrounding the production of the SIC are as follows:
Accounting Ofcer
The Accounting Ofcer is responsible for maintaining a sound system of internal control,
reviewing the effectiveness of the system and the preparation of the SIC. He/she must
sign and date the SIC in acknowledgement of this.
Executive
Prepare and own the SIC prior to submission to the Audit Committee.
Often senior executives are responsible for preparing assurance statements for the
AO to support his/her review of the effectiveness of controls.
Internal Audit
Internal audit provides the Accounting Ofcer with an objective evaluation of, and
opinion on, the overall adequacy and effectiveness of the organisations framework of
governance, risk management and control.
4
The Head of Internal Audit usually provides
this in an annual assurance statement.
Some IA functions do more than this, for example, conducting an evidenced-based
review of the assurance statements received by the AO to support their review of
effectiveness of the SIC.
External Audit
We engage with senior executives early to raise the issues we would expect to be
reported in the SIC. We review the preparation and content of the SIC to ensure the
disclosures are in line with HM Treasury guidance and consistent with our understanding
of the organisation. Where reporting is not transparent or the underlying processes and
controls are inadequate, we will draw this to the attention of the Audit Committee and
Accounting Ofcer for amendment. If the SIC remains unadjusted, we may modify our
audit opinion.
4 Taken from Government Internal Audit Standards, part 4 standards, attribute standards.
16 The Statement on Internal Control: A Guide for Audit Committees
Audit Committee
The Audit Committee should support the board and Accounting Ofcer by reviewing
the comprehensiveness of assurances in meeting the boards and Accounting Ofcers
assurance needs and reviewing the reliability and integrity of these assurances.
5

The Audit Committee should also advise the board and AO of any control issues that it
considers are signicant and are therefore appropriate for disclosure in the SIC.
Audit Committees may rely on a variety of sources, e.g. internal audit, to support them in
this work.
Board
The board supports the Accounting Ofcer in drawing up the SIC.
5 Audit Committee Handbook, principle 1: The role of the Audit Committee
This report has been printed on Consort 155
Design & Production by
NAO Marketing & Communications Team
DP Ref: 009219-002