Internal control and risk management

Agencies' internal control and risk management

Internal control refers to the procedures included in an agency's steering and operational processes, organisational solutions and methods, which can be used to ensure with reasonable certainty that

  • the activities are in accordance with the law
  • the funds are safeguarded
  • the activities are effective and
  • correct and sufficient information on the finances and performance is generated.

According to Section 24 b of the State Budget Act (423/1988), agencies and institutions must make appropriate arrangements for internal control in their own activities and in activities for which they are responsible.

Risk management is used to identify, assess and manage factors that threaten the achievement of the goals included in the four classes mentioned above. Risk management has the same goals as internal control.

At its best, the internal control and risk management procedures are integrated into the agency's usual planning, management and operational processes.

Responsibility for organising internal control

According to Section 24 b of the State Budget Act (423/1988), the arrangements for internal control are implemented by the management of each agency and institution, which is responsible for ensuring that internal control is appropriate and adequate.

Assessing internal control

Section 65 of the State Budget Decree (1243/1992) stipulates that the activity report on operations included in the final accounts of the accounting agency must include an assessment of the appropriateness and adequacy of the internal control and the risk management included in it, and a statement of the status and most essential developmental needs of internal control (assessment and statement of assurance of internal control).

Internal control assessment framework

In 2005, the advisory council on internal control and risk management appointed by the Government drew up a recommendation for state agencies and institutions on approaches to internal control and risk management and assessment of functionality.

The internal audit sub-committee of the advisory council on internal control and risk management has created a concise version of the assessment framework, which can be used, for example, in small agencies, or agencies that wish to start by fulfilling the minimum requirements of internal control.

The agency or institution can also use other generally accepted assessment frameworks (such as COSO, COSO-ERM, CoCo) in assessing the functionality of internal control and risk management. The use of a generally accepted assessment framework supports a systematic, documented assessment of internal control. The assessment framework must always be adjusted to meet the agency's needs.


Contact details

Jaana Kuusisto, Government Controller-General
Tel. 02955 30051

Sirpa Korkea-aho, Ministerial Adviser
Tel. 02955 30252