Outcomes of the FMC review Vania Tomeva, PIFC consultant July 2013, Tbilisi 1
Agenda 1.Why Financial Management and Control? 2. COSO Framework and Managerial Accountability 3. FMC review – our approach 4. Major findings 5. Recommendations 6. Questions and answers 2
Why Financial Management and Control? PIFC Law since 2011, Section II: The responsibility of the CHU for development of FMC regulations; Responsibility of Heads of organisations and units to report on the FMC to their superior; The role of the FMC and the meaning of managerial accountability; Introduces the COSO model as a basis for establishment of Internal Control Systems in the public sector. 3
Financial Management and Control in practical terms: The system by which financial resources are planned, directed, and controlled to enable and to ensure the efficient and effective delivery of public service. Consists of structures, regulations, people, resources, processes, power and authorities, communication channels. 4
Who is responsible for FMC? 1. The CHU for development of FMC regulations: Under implementation – FMC review, FMC Strategy, FMC tools 2. The Heads of organisations and units to implement and to report on the FMC to their superior: either incorporated in the existing regulations or specific new regulations need to be developed 5
The meaning of managerial accountability: Heads of organisations are responsible and accountable to their superior and/ or to the taxpayers for: -the achievement of the objectives of their organisation -by spending the public funds allocated to them in compliant, efficient, effective and economic manner. 6
The objectives of the FMC review: 1.Description of the management methods applied in achieving the objectives and reporting on their achievement. 2.Description of the system by which resources are planned, directed, and controlled to enable and to ensure the efficient and effective delivery of public service. 7
COSO Framework 8
FMC review - our approach Interviews with Heads of MoF’ Departments, Units and Agencies based on COSO; Quick review of PFM’ legislation; Targeted review for specific regulations on accountability, reporting, new processes etc. High reliability on ITS. 9
Major findings Two types of FMC I. Sub-units with clearly defined objectives Regulations, incorporated in automated processes; Decision making based on transparent rules deriving from the objectives of the activity and legislation; Identifiable accountability - not always explicitly specified; Information disseminated electronically, timely, accessible; 10
I. Sub-units with clearly defined objectives Regular monitoring of performance and achievement of objectives; Risk assessment and management done for the advanced processes and processes with high inherent risk. Internal controls are integral part of the process itself. 11
II. Sub-units under reform, new processes under implementation, activities not fully controlled by the organisation, but the organisation is ultimately responsible for the outcomes of the process. Main difference from group I: – Objectives not clearly defined or process not designed to meet the objectives; – Insufficient rules, more discretionary decisions; 12
Main difference from group I: – Risks are recognised and controlled by the Heads of units in charge into the extent allowed within their competences and skills; – Less systematic approach in risk assessment and mitigation; – Control over achievement of objectives is not integrated into the process. 13
Strengths: - Core processes in the reviewed organisations belong mostly to the first group – identified objectives and integrated controls; -Lots of controls are automated; -Information for decision making or reporting is generated by ITS. 14
Weaknesses: -Some activities lack clear objectives – problem for defining risks and controls; -Most processes except the automated do not have formal record – difficult to control; -Delegation of duties and responsibilities if in place not formalised in most cases – risk of inefficient management; 15
Weaknesses: -Accountability not formally defined except in general manner – missing preventive control on achieving the objectives; -Reporting if in place does not provide easy to read, understandable and useful information; -Except for few very advanced processes and their managers the term “RISK” is not part of the managerial vocabulary. 16
Summary by COSO – components Control environment Integrity, ethical values,compe tence Management operating style Methods of assigning responsibility and authority Staff’ organisation and development I.satisfactoryBy objectiveFormalisedPerformance based promotion, incentives II.asatisfactoryBy objective, but some objectives lack adequate controls Mix of traditional and formalised (User Manual) Under reform II.bsatisfactoryTraditionalTraditional – job descriptions Under reform 17
Risk assessment (not systematically performed except IT) Strategic (achievement of objectives) Operational (loss from inadequate internal processes) Compliance IT security I.Yes Good II.aYes for autom. processes Good II.bNoCan be identified Good 18
Control activities PoliciesProceduresIT controls Analysis I.SpecificMostly documented A/EYes II.aYes for restructured processes, Under development for new processes A/EYes for restructured processes, Under development for new processes II.bGeneral legislationRoutine, some documented A/ENo information 19
Information and communication TimelinessAccessibilityContent I.Real timeCompleteGood for internal and external users II.aReal time for some processes, according to legislation for others Complete for someVaries II.bAssumed compliant with legislation 20
Monitoring On-goingSeparate evaluations Quality assurance Others I.Yes for autom. processes YesYes for some processes II.Yes, by Head of Department Only if there is a case No 21
Recommendations (short term) Each organisation (department) should: 1.Review and redefine its objectives in general, by public service and process deriving from legislation, strategy, etc.; 2.Carry out basic risk assessment, evaluate the existing measures for mitigation of high risk and change them if needed; 3.Elaborate and enforce internal policies and procedures enabling the achievement of objectives, defining duties, power, delegation of responsibility, accountability, including formal reporting. 22
Recommendations (long term) FMC and Managerial accountability in the public sector: 1. MoF’ should approve FMC strategy and provide to the CHU the resources needed for its implementation. 2.Donors should provide technical assistance on the FMC’ implementation 23
Governance and oversight: 1.Organisations’ senior management should implement FMC by establishing: -Sector (organisational) strategies; -Risk management - internal regulation, structure, risk assessment tools, implement high risk mitigation measures, risk management report; -Tangible accountability scheme for implementing the strategic goals of the organisation. 24
Q&A 25