 |
Table of Contents |
 |
|
|
Financial Management and Analysis of Projects : 7. Knowledge Management
Financial Management Internal Control and Risk Assessment (FMICRA)
Project/Executing/Implementing Agency
Financial Management Internal Control and Risk Assessment (FMICRA)
(to be completed before/during fact-finding)
Guidance:
Advice on making a Financial Management Internal Control and Risk
Assessment (FMICRA) should be sought from a Financial Management
Specialist. If there is more than one implementing agency, an FMICRA
should be completed for each entity.
This assessment is NOT suitable for a Financial Institution. Chapter
6 of the Guidelines and the Appraisal Checklist provided in 7.10
of the Guidelines should be used. Specialist advice should also
be sought.
| Project : .............................................................................................................................................. |
| Prepared by :............................................................................... |
Date:...................................... |
| Reviewed by :............................................................................... |
Date:...................................... |
§
A key aspect of a financial management
assessment is evaluating the risks associated with the project
financial management arrangements. Assessing the risks involved
in the project and their materiality helps in choosing the appropriate
course of action to ensure robust project financial management
arrangements. ADB’s principal concern is to ensure that project
funds are used economically and efficiently for the purpose intended.
In support of this, it seeks assurance that the financial management
system can report on the use and source of the project funds.
§
The FMICRA approach is
largely based on IFAC Standard 400 Risk Assessment and Internal
Control. The FMICRA should be completed (by PPTA consultants),
based upon the Financial Management Assessment Questionnaire (FMAQ),
and provided to ADB for review and comments. The summary assessment
will be recorded in the FM Assessment Report and the project RRP.
§
The FMICRA structure matches
the FMAQ structure. For each topic, there is space to indicate
the level of risk—high, substantial, moderate, or negligible/low.
The summary risk analysis is used to bring together the component
risks into an overall risk analysis. Further guidance is provided
below.
|
Risks
|
Risks
Assessment*
|
Remarks / Comments
|
|
Inherent
Risk
|
|
|
|
1. Country-Specific
Risks
|
|
|
|
2.
Entity-Specific Risks
|
|
|
|
3. Project-Specific
Risks
|
|
|
|
Overall
Inherent Risk
|
|
|
|
|
|
|
|
Control
Risk
|
|
|
|
1.
Implementing Entity
|
|
|
|
2.
Funds Flow
|
|
|
|
3.
Staffing
|
|
|
|
4.
Accounting Policies and Procedures
|
|
|
|
6.
Internal Audit
|
|
|
|
6.
External Audit
|
|
|
|
7.
Reporting and Monitoring
|
|
|
|
8.
Information Systems
|
|
|
|
Overall
Control Risk
|
|
|
| * H = High S = Substantial M = Moderate
N = Negligible or Low |
GUIDANCE: Assessing Risk
1. Introduction
This guidance provides a structured framework to assist
a financial management systems review. It directly reflects World
Bank guidance. Moreover, the approach is largely based on IFAC
Statement 400 Risk Assessment and Internal Control. As
the assessment is not an audit, compliance or substantive testing
is not required.
Inherent Risk is
the susceptibility of the project financial management system
to factors arising from the environment in which it operates,
such as country rules and regulations and entity working environment
(assuming absence of any counter checks or internal controls).
Control Risk is
the risk that the project’s accounting and internal control
framework are inadequate to ensure project funds are used economically
and efficiently and for the purpose intended, and that the use
of funds is properly reported.
The Project Financial
Management System is the series of tasks
and records of the project entity by which transactions are
processed as a means of maintaining financial records. Such
systems identify, assemble, analyze, calculate, classify, record,
and report transactions and other events periodically presented
in the financial statements.
The Internal Control Framework is defined as
all the policies and procedures adopted by the management of
the project entity to assist in achieving management's objective
of ensuring, as far as practicable, the orderly and efficient
conduct of the project, including adherence to management policies,
the safeguarding of assets, the prevention and detection of
fraud and error, the accuracy and completeness of the accounting
records, and the timely preparation of reliable financial information.
The internal control framework extends beyond those matters
that relate directly to the functions of the financial management
system, and comprises:
§
The Control Environment
means the overall attitude, awareness, and actions of the project
management and staff regarding the internal control framework
and its importance in the entity. The control environment has
a bearing on the effectiveness of the specific control procedures.
A strong control environment—for example, one with tight budgetary
controls—can significantly complement specific control procedures.
However, a strong environment does not, by itself, ensure the
effectiveness of the internal control framework. Factors affecting
the control environment include: (i) composition of the Project
Management Unit, (ii) philosophy and operating style of the
project management, (iii) project entity’s methods of assigning
authority and responsibility, (iv) project external audit arrangements,
and (v) management’s personnel and incentive policies.
§
The Control Procedures
are those policies and procedures, in addition to the control
environment, which management has established to achieve the
specific project objectives. Specific control procedures include:
(i) reporting, reviewing, and approving reconciliation; (ii)
controlling applications and environment of computer information
systems; (iii) maintaining and reviewing control accounts
and trial balances; (iv) reviewing and reconciling disbursement
summaries with the project accounting records; (v) limiting
physical access to assets and records; and (vi) comparing
and analyzing the financial results with budgeted amounts.
3. Assessing Inherent Risks
To assess inherent risks that the project may face,
factors should be evaluated at three levels: country-specific,
entity-specific and project-specific.
3.1. Country-Specific
Risks
Existing documents and materials should be referred
to when assessing country-specific inherent risks—this assessment
is not expected every time FM systems are assessed for an individual
project. Areas to be reviewed include:
§
Significant weaknesses
in the budgetary process (transparency, basis of preparing the
budget, budget monitoring process, sanctity of budget approvals,
medium/short term expenditure framework);
§
Significant weaknesses
in the public sector accounting and reporting (standards, timeliness,
capacity of the public sector accounting professionals);
§
Significant weaknesses
in the public and private sector auditing (standards, capacity,
independence, timeliness);
§
Significant weaknesses
in the legislative scrutiny process of the public purse particularly
in respect of review and follow up over the audit findings (composition
of the Public Accounts Committee, frequency of Public Accounts
Committee meetings, independence, effectiveness;
§
Significant weaknesses
in the funds flow mechanism (bureaucratic delays, cumbersome
procedures, weak banking system);
§
Salary structure within
the public sector compared with the private sector;
§
Degree of management independence
from the politics; and
§
Status of the country accounting
profession.
3.2. Entity-Specific
Risks
The inherent risks in relation to the project implementing
entity are primarily in three areas: (i) institutional and organizational
aspects, (ii) funds flow, and (iii) audit arrangements. In some
projects the distinction between the entity and project may
be nonexistent as the project implementing unit (PIU) is created
exclusively to implement the ADB-financed project, and the PIU
is independent of any existing agency.
Institutional and Organizational Aspects should be reviewed and the following issues considered:
(i) Capacity to handle the budgeting, accounting, internal controls,
and reporting functions; (ii) Complexity of the project, volume
of transactions, number of implementing agencies, and geographical
spread of the project activities (for a complex project that is
implemented by a large number of agencies, the project will require
a strong project financial management team to monitor the release
of funds, their use, and reporting of expenditures); (iii) Number
of accounting staff required to manage the financial management
function, staff qualifications, staff training requirements, the
level of the accounting staff vis-à-vis other departments, and
reporting relationships; (iv) Staff retention and turnover rate,
and the adequacy of the performance review process (frequent staff
changes may have an adverse impact on the project implementation);
and (v) Risks that the project will not have appropriate staff
who are sufficiently qualified and trained, or that the staff
will be transferred frequently leading to disruptions or that
the reporting relationships are conducive to efficient functioning.
Fund Flow Arrangements should be reviewed (i.e., from ADB to the Imprest
Account, to the implementing agency, contractors and suppliers,
and in some cases, to the ultimate beneficiary to assess the
risks that the proceeds of the loan will be used for their intended
purposes. The same issues need to be examined for flow of counterpart
funds.
Audit Arrangements should be considered concerning the risks that audited
project financial statements will not be furnished to ADB on time
or that the quality of audit will not be acceptable to ADB.
3.3. Project-Specific
Risks
Consideration should be given to the following factors
when assessing project-specific inherent risk: (i) project complexity,
(ii) number of project implementing agencies involved and their
prior experience, (iii) Involvement of NGOs and community groups
in project implementation, (iv) ability of the PIU to attract
and retain qualified staff, (v) the integrity of project management,
and (v) susceptibility of assets to loss or misappropriation.
4. Assessing
Control Risk
An understanding of the objectives, framework, environment,
and control procedures of the internal control system is needed
to assess its weaknesses.
4.1. Objectives
of the Internal Control Framework
Among other things, internal controls relating to
the financial management system are concerned with ensuring
that:
§
Transactions are executed
in accordance with management’s authorization.
§
All transactions and other
events are promptly recorded in the correct amount, in the appropriate
accounts, and in the proper accounting period to permit the preparation
of financial statements in accordance with an identified financial
reporting framework.
§
Access to assets is permitted
only in accordance with management’s authorization.
§
Recorded assets are compared
with the existing assets at reasonable intervals and appropriate
action is taken regarding any differences.
4.2. Understanding
the Internal Control Framework
Knowledge of the design and operation
of the internal control framework should be gained through completion
of the FMAQ. Where the system is already in place, it may be
appropriate to perform a “walk-through” test (i.e., trace a
few transactions through the financial management system). When
the transactions selected typify those that pass through the
system, this procedure may also form part of the assessment
of the degree of control risk.
The nature, timing, and extent
of the review of the internal control framework will vary with,
among other things, the: (i) size and complexity of the entity
and its computer systems, (ii) type of internal controls involved,
(iii) nature of the project entity’s documentation of specific
internal controls, and (iv) extent to which the financial management
system and internal control framework are in place and functioning
at the time of the assessment.
An understanding of the main elements
of the financial management system and internal control framework
is obtained through previous experience with the PIU (where
applicable), and is supplemented by: (i) inquiries with management
and personnel at various levels within the PIU, together with
reference to documentation such as procedures manuals, job descriptions,
and flow charts; (ii) inspection of documents and records produced
by the financial management system and internal control framework;
and (iii) observation of the project entity’s activities and
operations, including computer operations.
4.3. Understanding
the Financial Management System
An understanding of the project financial management
system should be developed through completion of the FMAQ.
4.4. Understanding
the Control Environment
An understanding of the control environment should
be developed, which is sufficient to assess project management’s
attitude, awareness and actions regarding internal controls
and their importance to the entity. The control environment
will include the budgeting, costing, management reporting, and
auditing systems. The FMAQ provides a basis for developing an
understanding of these systems.
4.5. Understanding
the Control Procedures
Because control procedures are integrated with the
control environment and the financial management system, some
knowledge about control procedures is likely to be gained while
obtaining an understanding of the financial management system.
For example, in assessing the control procedures pertaining
to cash and bank balances, it would be usual to ascertain whether
bank accounts are reconciled.
4.6. Tests
of Control
When reviewing the effective operation of internal
controls, consideration should be given how and by whom they
are applied. The concept of effective operation recognizes that
some deviations may occur. Deviations from prescribed controls
may be caused by such factors as changes in key personnel, significant
seasonal fluctuations in volume of transactions, and human error.
When deviations are observed, specific inquiries should be made
regarding these matters, particularly the timing of staff changes
in key internal control functions. However, tests of the internal
controls will not normally be carried out.
4.7. Assessing
the Control Risk
After obtaining an understanding of the financial
management system and internal control framework, an assessment
of control risk should be made and documented in the FMAQ. The
assessment of control risk is the process of evaluating the
effectiveness of the project entity’s financial management system
and internal control framework in ensuring that project funds
are used economically and efficiently and for the purpose intended
and are properly reported.
Many internal controls that would
be relevant to large project entities are not practical for small
entities. For example, in small projects, a few persons, who may
have both operating and custodial responsibilities, may perform
accounting procedures and therefore segregation of duties may
be missing or severely limited. Inadequate segregation of duties
may, in some cases, be offset by a strong management control system
in which managerial supervisory controls exist because of direct
personal knowledge of the entity and involvement in transactions.
In circumstances where segregation of duties is limited and evidence
of supervisory controls lacking, the evidence necessary to support
the assessment may have to be obtained entirely through the performance
of substantive procedures.
|
Publications 
Back
Top of page