ENZO MASIYA: Managing public administration needs dramatic culture shift

Internal controls remain at the heart of the conversation in ensuring effective management of the administration of the public purse. They are what separates entities that are effectively managed with minimal to no internal control deficiencies, and those that are not. 

The international standards on auditing define internal controls as “the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives, with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.”

The public sector is a highly regulated environment with a myriad laws and regulations that govern the operations and administration of operations. With this context in mind, one wonders how corruption can possibly thrive in such a highly regulated space.

This is where internal controls come in: no matter how many controls can be put in place to ensure the smooth management of operations, if they are not enforced through implementation and maintenance by those charged with governance, the entity cannot achieve its objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

To effectively manage the risk of material misstatement of the financial statements, a thorough review of internal controls needs to be conducted, with a particular focus on the various aspects of the components of internal controls.

Dissecting the components of internal control aids in addressing the correct root cause of the internal control deficiency. The root cause refers to the actual reason things went wrong, and this can only be attained through a thorough analysis of these components. Being able to identify which aspect of the component is deficient ensures that the risk is addressed at the appropriate level, and it is managed accordingly.

Control environment 

When a deficiency is identified within the control environment one needs to identify which aspect of the control environment this deficiency is attributable to; is it the enforcement of ethical values? Is it a commitment to competence? Is it a leadership issue? Based on the responses to these questions, one is able to correctly address the issue to ensure that it is appropriately addressed.

Risk assessment 

Risk assessment is an integral part of the internal control components, and it is imperative that an organisation’s risk assessment is examined to ensure that the risks identified and the mitigations that are proposed to address those risks will address the internal control deficiencies identified. In an instance where they do not address the deficiencies, such control would need to be reviewed to ensure this gap is addressed. It is important to note that risk assessment should not be conducted for compliance purposes only, but that the exercise should be undertaken to ensure the risks prevalent within the environment are either reduced to an acceptable level or eliminated altogether.

Information and communication

In this component, the focus is mainly the validity, accuracy and completeness of information. This is picked up through the system being used to capture and process information as well the enterprise resource planning (ERP) system being used. Organisations have a business process that they follow to process data, and through this process various risks are identified and managed through the various stages of the process to ensure the validity, accuracy and completeness of information. Manual systems and process are quite problematic and give rise to greater risks of human error that must always be considered when looking into this aspect of internal control.

Control activities

Control activities are an important focal point in the system of internal control because of the level of risk and possible deficiencies that may exist therein. These include approval and authorisation of transactions, segregation of duties, isolation of responsibilities, access/custody controls, comparison and reconciliation of data, performance reviews, preventive and detective controls, general and application controls. These areas do seem technical in nature for consideration, but all of these control activities are embedded in the daily execution of responsibilities.

Take for instance an invoice that needs approval: one needs to confirm that this invoice was approved through a signed requisition (approval), the requisition was signed at the appropriate level (segregation of duties) and the signature is evidence of isolation of responsibility.

These controls continue all the way until the invoice is captured onto the ERP system and eventually the transaction makes its way into the accounting system. This is where all the remaining control activities come into play and it is important to be able to review these activities and where gaps are identified, mitigating controls are put in place to ensure the validity, accuracy and completeness of the financial statements that result from this.

Monitoring of controls

Continuous monitoring of controls remains crucial to ensure continuous improvement and to detect any deficiencies in the process. The whole premise of monitoring of controls is to ensure that at any given point one is able to account for information and/or data that flows through the ERP system, especially in environments where there are elements of manual interventions that may be prone to human error.

There is a need for an organisational culture shift in the approach to the management of public administration. An ethical leadership vacuum is apparent, and such a shift is therefore essential to drive the much-needed change in the public sector. The locus and ethos of the privilege of being in the public sector is about service to the people and accountability to the communities that are being served. The absence of this paradigm is robbing generations of an inheritance through the legacy of corruption that is perpetuated without consequence.

The focus on internal controls will serve as a launching pad towards great governance while ensuring service delivery remains the focal point of what the public sector is supposed to provide, as opposed to self-enrichment and disenfranchisement of the poor.

• Masiya is an audit professional in the public sector with a particular interest in governance, risk management and compliance.