FC 110/13

Finance Committee

Hundred and tenth Session

Rome, 19-23 September 2005

Internal Controls Reporting


1. During the 107th session of the Finance Committee in May 2004, the issue of introducing formal internal control reporting in FAO was discussed. As noted during that session, the Organization would, in principle, have no objection to the introduction of such reporting which would be issued with the Audited Accounts.

2. At the request of the Committee, the secretariat presented a paper to the 109th session, including the results of a study of what other organizations in the UN system were doing in this regard and outlining current best practice in internal control reporting and the issues involved in introducing such reporting within the Organization. The Committee noted that formal internal control reporting was considered to be good practice by a large number of standard setting bodies and organizations. Furthermore, the Committee noted that many other organizations in the UN system have confirmed that they are considering the implementation of such reporting.

3. FAO has an extensive system of internal controls in place, developed over many years and maintained by staff and management at all levels under the ultimate responsibility of the Director General. Internal controls are evaluated and reported on by the External Auditor as part of his biennial audit of the Organization. The issue under discussion is not the introduction of an internal controls system, but rather the implementation of formal reporting by the Organization on such controls.

4. During discussion of this item, the Committee requested the preparation of a paper providing further information on the issue, in particular on alternative approaches to formal internal control reporting which could be considered and the estimated costs involved in implementing such reporting in the Organization. This document has been prepared in response to the above request.


5. There are many possible ways of approaching the question of formal internal control reporting, both in terms of the scope of the underlying review and documentation of internal controls and the type of report issued. This paper can only usefully attempt to describe a few examples in general terms. The examples of formal internal control reporting selected are the following:

A summary of the salient points of these approaches can be found in the Attachment.

6. While comments on the likely resource implications of each approach have been included in the table, details of cost implications of the different approaches have not been provided as comparable and reliable information on implementation and maintenance costs is not available. This is mainly due to the fact that costs are affected by the widely differing environments and types of organizations. As noted in the Attachment, the first three approaches involve a significant cost and effort on the part of the implementing organization, mainly in connection with the required documentation, assessment and testing process, which could not be covered without significant redirection of Organization resources to this exercise and a higher fee for external audit. In this regard, it is useful to recall the information provided in the paper presented to the 109th session of the Finance Committee in May 2005:

“It is important to note that the introduction of formal internal control reporting within an organization requires a lengthy and intensive process consisting of several distinct stages including, among others:

Such a process necessarily involves significant initial investments in the form of both staff time and expert advice. Furthermore, the maintenance of the reporting system in the years following initial implementation, including regular update and testing as well as maintenance of formal documentation, requires significant resources on a continuous basis. Indeed, according to information received from one of the large accounting firms, the implementation and maintenance of formal internal control reporting, be it in line with that implemented by the World Bank or in accordance with the legislation and standards introduced in the US or UK, is onerous and costly. As an example, according to a survey carried out in the United States the average cost for implementing Section 404 of the Sarbanes-Oxley Act is estimated to amount to over US$ 3 million in the first year, including internal staff time of over 25,000 hours and an average increase in fees for external audit of approximately 50%. Costs for maintaining the reporting system are expected to decrease after the year of initial implementation but will remain significant.”

7. The fourth approach described in the Attachment provides a form of reporting which excludes any qualitative statement on the internal control system of the Organization and would therefore not require a costly assessment and testing process. This approach could be considered as an alternative which could be implemented with fewer additional resource requirements than the first three approaches.


8. A common feature of the various alternative approaches to formal internal control reporting is that both the introduction and the maintenance of such reporting are costly and require significant amounts of internal and external resources, both relating to the initial investment and on a continuous basis.

9. In view of the above, key questions to consider are:

10. The Finance Committee is invited to review the present document and provide such guidance as deemed appropriate.


Sarbanes Oxley Act (US)

UK civil service approach, based on Turnbull

IBRD reporting to date (based on the COSO framework [2])

Factual reporting [3]

Scope of internal control assessment

Sarbanes Oxley Act (US): Covers internal control over financial reporting, including safeguarding of assets. Must be based on full documentation of procedures, sufficient to evaluate, design and test operating effectiveness – inquiry is not considered adequate basis.

UK civil service approach: Assessment covers all risks and the related controls that support the achievement of the entity’s objectives, i.e. not only controls over financial reporting. The entity must have a risk management assessment framework, including an appropriate mechanism for the review of risks and controls. The Accounting Officer (i.e. head of department or agency) can to a significant extent determine how to derive the required assurance to be able to report on the effectiveness of internal controls.

IBRD reporting to date: Internal control is defined as a process, effected by an entity’s board of directors, management and personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories:

• Reliability of financial reporting;

• Effectiveness and efficiency of operations; and

• Compliance with applicable laws and regulations.

Factual reporting: This approach provides facts relating to internal controls in place without a qualitative assessment of the internal control system.

Reporting scope

Sarbanes Oxley Act (US): Covers internal control over financial reporting, including safeguarding of assets. Must include statements of management’s responsibility for establishing and maintaining adequate internal control over financial reporting as well as management’s assessment of such controls. Must include reference to framework used to evaluate effectiveness - COSO framework is accepted standard of assessment. Any material weaknesses must be disclosed by management in its report and exclude the conclusion that internal control is effective.

UK civil service approach: Covers all internal controls that support the achievement of the entity’s objectives, i.e. not only controls over financial reporting. Includes statement of management’s responsibility for maintaining a sound system of internal control and notes that the system of internal control has been in place for the period. The statement describes the risk and control framework and the process of review of effectiveness of internal controls. While the report does not explicitly conclude on the effectiveness of the control system, it is implicit that the review generates a documented assessment of effectiveness.

IBRD reporting to date: Covers internal controls over external financial reporting only. Makes reference to the COSO framework. Requires mandatory reporting to the Audit Committee by senior management through an assertion by management regarding the adequacy of internal controls.

Factual reporting: States facts relating to internal controls in place, with information on different components of internal control currently existing within the Organization. The report could be divided into sections according to the COSO or the INTOSAI [4] framework:

• Control environment

• Risk assessment

• Control activities

• Information and communication

• Monitoring of internal controls

The report would not include any statement as to the efficiency and effectiveness of the internal control system.

Documentation required

Sarbanes Oxley Act (US): Evidential matter must be maintained, including full documentation, to provide support for management’s assessment and testing of design and operating effectiveness of internal controls.

UK civil service approach: Documentation requirements are not prescriptive but appropriately documented support for the statement on internal control is required.

IBRD reporting to date: Documentation and testing must be sufficient to support and validate management’s assertion regarding the effectiveness of internal controls.

Factual reporting: Limited additional documentation required.

Frequency of updates

Sarbanes Oxley Act (US): Full update required annually. Limited quarterly reporting.

UK civil service approach: Full update required annually.

IBRD reporting to date: Full update required annually.

EAUD involvement

Sarbanes Oxley Act (US): EAUD must report on effectiveness of internal controls. Annual evaluation must include testing of each significant process. The auditors cannot rely on management’s testing. If a material weakness is discovered an adverse opinion must be issued.

UK civil service approach: The National Audit Office reports on whether the management’s statement is in accordance with the guidance and whether the statement is misleading or inconsistent with other information that the auditor is aware of from the audit of the financial statements. While a review of the internal control system must be performed, the External Auditor’s report does not represent an opinion on the effectiveness of the internal controls.

IBRD reporting to date: EAUD issues separate opinion on fairness of the assertions expressed in management’s formal report on internal controls. The review is performed in accordance with the standards established by the American Institute of Certified Public Accountants.

Factual reporting: EAUD could verify the statements in the internal control report as part of the biennial audit.

Comments on resource implications

Sarbanes Oxley Act (US): The Sarbanes Oxley Act is the most prescriptive of the approaches reviewed, in particular in the areas of documentation of procedures and compliance testing. This approach is therefore the most resource demanding, both relating to the company’s own testing and the work required to be performed by the external auditors. The cost and effort involved in implementation and maintenance of this type of reporting could not be covered without significant redirection of the Organization’s resources to the exercise.

UK civil service approach: The UK Civil Service approach leaves much room for the agency to decide how to arrive at the required assurance to be able to report on the effectiveness of internal controls. Furthermore, the scope of the external auditor’s report is limited compared to that required by the Sarbanes Oxley Act. The reporting is, however, not limited to controls over financial reporting but includes all internal controls that support the achievement of the entity’s objectives. The implementation of this approach is likely to require less resources than the Sarbanes Oxley approach, mainly due to the fact that it is less prescriptive in the areas of how to test and document internal controls and their effectiveness. However, the cost involved would require the redirection of significant resources to the exercise.

IBRD reporting to date: The form of reporting made to date by the IBRD is likely to require less resources than the reporting in accordance with the Sarbanes Oxley Act as no specific legal framework must be followed and testing and documentation requirements are less prescriptive. This approach is not regulated by legal requirements and is therefore more flexible than the US or UK approaches. However, the resources required to implement a similar internal control reporting system in the Organization would have to be obtained through significant redirection of the Organization’s resources to the exercise.

Factual reporting: Depending on extent of details provided in report, but additional resources required could be limited compared to the first three approaches.

[1] The World Bank is now implementing the Sarbanes Oxley Section 404 approach to internal control reporting. The approach described in the Attachment is based on their reporting to date, prior to implementation of Section 404.

[2] The Internal Control – Integrated framework issued by the Committee of Sponsoring Organizations of the Treadway Commission.

[3] This approach would be significantly different from the others in that it is not governed by any regulatory framework and includes statements of facts rather than qualitative statements.

[4] International Organization of Supreme Audit Institutions.