MIG PROGRAMME CONTROL AND RISK SELF-ASSESSMENT WORKBOOK FOR MUNICIPALITIES

WORKBOOK INDEX

A. Control and risk self assessment presentation

B. Introduction to control and risk self assessment

C. Control and risk self assessment template

D. Audit procedures

MIG PROGRAMME CONTROL AND RISK SELF-ASSESSMENT PRESENTATION TO MUNICIPALITIES

PRESENTED BY THE MIG MACRO CONSORTIUM

Presentation Outline

Principles of the Municipal Infrastructure Grant (MIG) Objectives of MIG MIG governance challenges? What is self-assessment? Why perform a self-assessment? Who performs a self-assessment? How is self- assessment accomplished? What is done with the self-assessment results? Key questions?

Principles Of MIG Programme

Is a conditional grant in terms of DoRA:
n Focus on infrastructure required for a basic level of service n Targeting the poor n Maximising economic benefits n Equity in the allocation and use of funds n Decentralisation of spending authority within national standards n Efficient use of funds n Reinforcing local, provincial and national objectives n Predictability and transparency n Geared to achievement of objectives in one or more separate but

overlapping categories
1

Objectives Of MIG Programme

Is a conditional grant in terms of DoRA:

n Fully subsidise the capital costs of providing basic services to the

poor households
n Distribute funding for municipal infrastructure in an equitable,

transparent and efficient manner

n Assist in enhancing the development capacity of municipalities,

through supporting multi-year planning and budgeting

n Provide a mechanism for the co-ordinated pursuit of national

policy objectives with regard to basic municipal infrastructure programmes

n The devolution of responsibility to the lowest level

What Is Self-Assessment?

CRSA is a process through which internal control effectiveness is examined and assessed. The objective is to provide reasonable assurance that all business objectives will be met CRSA is a process that generates information on internal control that is useful to management and internal auditors in judging the quality of business processes and controls

Why Perform A Self-Assessment?

The CRSA process allows management of the PMU and the municipality directly responsible for the MIG Programme to:
n Participate in the identification and assessment of risks n Evaluate risks n Develop action plans to address identified weaknesses n Asses the likelihood of achieving MIG objectives n Measure, monitor and report on financial input and outcomes

Who Performs A Self-Assessment?

The CRSA process can be performed by two groups of people:
n Line management n Internal audit

The real benefit is derived when management and staff take ownership of the system of internal controls and uses CRSA as a proactive risk management tool that makes a difference and adds value to the business environment and control environment

How Is Self-Assessment Accomplished?

CRSA Approaches:
n Facilitated team meetings n The questionnaire approach n Management-produced analysis

CRSA Process:
n Control-based n Process-based n Risk-based n Objectives-based

We have made use of a combination model of the first three based models
6

Process- Based Approach

Mega Major
Controls

Objectives Major
Risks

Sub
Controls

Sub Activity
Controls

Risks

Sub

Risks

Risk - Based Approach

CRSA Template Risk and Control

CONTROL AND RISK SELF-ASSESSMENT TEMPLATE MIG PROGRAM
Mega / Major Process and Risks STRATEGIC Stakeholder Management / Communication ST1 - No or inadequate communication and or working relationship between the municipality and critical external stakeholders (i.e. Sector Departments, Eskom, Provinces, dplg, etc.) Inherent Risk As Lik Imp Leading Practice Control Actual Controls In Place Residual Risk AD NI IA Action / Comments

20

ST2 The relationship and communication between the PMU function and the other divisions/units within the municipality is ineffective

1. A formal communication strategy and plan is in place where the critical stakeholders have been identified 2. A review of the effectiveness of the communication process is undertaken on a regular basis 3. Regular interfacing with the MIG Unit, Sector Departments, provinces and dplg 4. MIG Orientation workshops 5. Sector participation on PMITT 1. A formal communication strategy and plan is in place and has been rolled out 2. Regular meetings between the PMU function and other critical divisions/units 3. Formal minutes of meetings maintained and circulated to all attendees in a timeous manner

Action:

X Responsible Person:

Due Date: Action:

Responsible Person:

Due Date:

Internal Audit Software

10

Inherent and Residual Risk

Inherent and Residual Risk
Risk

Inherent Risk

Residual Risk

Objectives

Process

Controls

Inherent risk before assessment of controls Residual risk after assessment of controls

11

What Is Done With The Self-Assessment Results

n Used by municipal management to improve controls, risk

management and expected outcomes

n Used by internal audit to report on control adequacy and improve

scope of audit work

n Used by Audit Committee to determine control status n Gives MIG Unit reasonable assurance and comfort

12

What Are The Benefits Of Self-Assessment

n Attention is focused on key processes, risks and controls n It encourages the idea that improvements to processes and control

should be continuous, empowering staff to remove inefficient or ineffective practices

n It assists all employees at all levels to assume responsibility and

accountability for managing risks and effective control

n Corrective action may be more effective as staff own control and

risk improvements
n Improves managements ability to comment on the overall

effectiveness and state of internal control and risk management

n Identifies important issues faster n Provides a proactive tool to asses the control environment

13

No problem can be solved from the same consciousness which created it

Albert Einstein

14

Questions and Answers

Its a state of heart and mind and not a pure discipline

15

MUNICIPAL INFRASTRUCTURE GRANT (MIG) PROGRAMME INTERNAL CONTROL AND RISK SELF-ASSESSMENT AT MUNICIPAL LEVEL

1. Introduction
The vision of MIG

To provide all South Africans with at least a basic level of service by the year 2013 through the provision of grant finance aimed at covering the capital cost of basic infrastructure for the poor. Through the application of MIG funds, Free Basic Services would be realised for the poorest of the poor, aligning national governments aim of poverty eradication with sector targets. The MIG has thus an overall target of removing the backlog with regard to access to basic municipal services over a 10-year period. The principles of MIG The MIG funds that are being made available to municipalities for infrastructure, are based on the following principles: Providing services to the poor Providing infrastructure for basic levels of service Maximising economic benefits to communities Using funds efficiently Allocating funds equitably and in a transparent manner Decentralising the spending authorities Empowering municipalities to identify, select and approve projects

The entire approach of Municipal Infrastructure Grant (MIG) Programme is focused on improving the capacity, efficiency, effectiveness, sustainability and accountability of local government. Whilst national and provincial government are responsible for creating an enabling environment with regards to policy, financial and institutional support for MIG, municipalities are responsible for planning municipal infrastructure and for utilising MIG funds to deliver infrastructure. The MIG is a conditional grant to municipalities and thus the management of the grant at municipal level must occur within the planning, budgeting, financial management and operational arrangements at local level in terms of DoRA requirements. Infrastructure development is one of the functions of municipalities. It should not be addressed as a separate function but integrated into other functions. It should be integrated into the inter-sectoral planning, Integrated Development Plan (IDP) processes, as well as the municipal monitoring and performance management systems.

2. Fundamentals of Control and Risk Self-Assessment THE ROLES AND RESPONSIBILITIES OF MUNICIPALITIES The framework of the roles and responsibilities of each sphere of government involved in the successful implementation of the MIG Programme is set out in the MIG Policy Framework [August 2003, version 8 (c)]. The Policy took cognisance of Chapter 3 and 7 of the Constitution of the Republic of South Africa, 1996, which states, among other, that the objectives of local government are to: - ensure the provision of services to communities in a sustainable manner - promote social and economic development Municipal responsibility is based on the Cooperative Governance principles reflected in section 88 of the Municipal Structures Act (Act No. 117 of 1998) which stipulates: (1) A district municipality and the local municipalities within the area of that district municipality must cooperate with one another by assisting and supporting each other. (2) (a) A district municipality on request by a local municipality within its area may provide financial, technical and administrative support services to that local municipality to the extent that that district municipality has the capacity to provide those support services. (b) A local municipality on request of a district municipality in whose area that local municipality falls may provide financial, technical and administrative support services to that district municipality to the extent that that local municipality has the capacity to provide those support services. (c) A local municipality may provide financial, technical or administrative support services to another local municipality within the area of the same district municipality to the extent that it has the capacity to provide those support services, if the district municipality or that local municipality so requests. All municipalities need to develop capacity to administer MIG funds and manage infrastructure projects because all municipalities have to address infrastructure backlogs of one type or another. The aim, therefore, is to establish project management capacity in all municipalities. However, some local municipalities do not at the moment have the necessary capacity to implement the MIG programme and it might take time to develop this capacity. In these cases, the approach is for the district municipalities to administer MIG funds and to provide project management capacity until the local municipalities are able to perform programme management. The Constitution of South Africa requires that municipalities must ensure that there is an effective system of performance management in place that is geared towards outcome achievement, while the Municipal Finance Management Act as well as the provisions of the Public Finance Management Act, as amended, requires that government entities must ensure that there are effective systems of internal control and risk management in place.

Definition of internal control Is a process, effected by a municipalities Councilors, executive management team, line management and other personnel, designed to provide reasonable assurance regarding the achievement of strategic, operational and financial MIG Programme objectives in the following categories: Effectiveness and efficiency of MIG Programme operations at municipal level Effective and efficient utilisation of MIG infrastructure assets and resources Reliability and integrity of MIG Programme financial and project management and or operating systems, measuring, monitoring and reporting Compliance with applicable laws, policies and procedures surrounding the development and future sustainability of MIG Infrastructure Assets

Internal controls are either preventive (errors, irregularities are identified and corrected before they put the MIG funds and programme at risk) or detective (errors, irregularities are identified that have already put the MIG funds and programme at risk) by nature and have a direct correlation to the inherent risk exposure. The ring-fenced municipal systems and processes together with the MIG Project Management Function are responsible for establishing the required internal control processes to ensure that the municipality stays on course toward fulfilling its financial and MIG Programme goals of developing the required basic infrastructure as determined by the provisions of the annual Division of Revenue Act (DoRA), ensuring that MIG funds have been spent for the purposes intended and that the future sustainability . Control And Risk Self-Assessment Control and Risk Self-Assessment (CRSA) is a methodology used to review key business objectives, risks and effectiveness of processes involved in achieving the objectives, and internal controls designed to manage those risks. CRSA is basically a formal process that generates information on internal control that is useful to both management and internal auditors in validating the status or judging the adequacy of the control systems in place to address the identified strategic, financial and operational risks. It can also provide a positive influence on the control environment, as operating staff (Executive Management, CFO, MIG Project Unit and the Internal Audit Function) buys into the process, while at the same time control consciousness increases. CRSA can be facilitated by any component of the municipality, including the MIG Project Unit, line management and or internal auditing staff. Regardless of who provides such facilitation, CRSA, improves the control environment of the MIG Programme within the municipality by:

Increasing awareness of the MIG Programme objectives and the role of internal control in achieving such goals and objectives. Motivating personnel to carefully design and implement control processes and continually improve the MIG Programme financial and operating control processes.

CRSA Approaches There are three primary CRSA approaches which are: Facilitated team meetings Facilitated team meetings gather internal control information from work teams which represent multiple levels within the municipality (line management, office of the CFO and MIG Project Function). Questionnaire approach This uses a survey instrument that offers opportunities for simple (Inadequate, Needs Improvement and or Adequate) responses. Both internal audit and the business/risk process owners use the survey results to assess the adequacy and or effectiveness of their control structure in meeting the MIG Programme objectives and goals. Management-Produced Analysis Is any approach that does not use a facilitated meeting or survey and basically makes use of an internal audit or management approach that producers a study of the business processes, risks and required treatments (more in line with Enterprise-wide Risk Management techniques).

It is suggested that municipalities combine the first two approaches reflected above to accommodate the specific MIG Programme and DoRA requirements and needs of dplg head office (MIG Unit) and the municipalities own control and risk assurance needs. 3. Control and Risk Self-Assessment Instructions

The responsibility for undertaking the CRSA process is normally shared among all employees of the municipality. Where there is an in-house, outsourced or co-sourced internal audit function in place, it is suggested that the internal audit function take responsibility for undertaking the CRSA review. However, where there is no internal audit function in place then the CRSA review should be undertaken by the head of the municipal MIG Project Function, under guidance of the MIG Unit (dplg head office). As a combination method of the Facilitated team meetings and the Questionnaire approach is to be used the following combination techniques will also be used simultaneously:

Control based format This format focuses on how well the management controls in place are actually working and which in turn are benchmarked against the leading practice controls that should be in place. This technique produces an analysis of the gap between how controls are working and how management intended these controls to work. In addition, this format can be effective in examining soft controls such as management ethics, training and skills, etc. Risk based format - This format focuses on identifying and managing the critical and significant MIG Programme risks at a municipal level within the requirements of the MIG Policy and DoRA. The outcome of this technique is that it examines the control activities to ensure that they are sufficient to address the identified the key MIG Programme risks.

Procedure Internal Control Risk Self-Assessment Who Must Complete the Document: Where the municipality has a staffed-up internal audit function the head of internal audit or where there is no internal audit function the head of the municipal MIG Project Management Unit function (PMU) must complete the CRSA making use of the electronically provided template Obtained from the dplg MIG Unit on www. Furthermore, a combination of the Control based and Risk based format, must be used as reflected above. Roles and Responsibilities Internal audit and the head of the MIG Project Management Unit Function are encouraged to use the questionnaire as the foundation to determine if a more in-depth review of structures, processes, systems and controls are required surrounding the MIG Programme. This determination should be based on the Councils, municipal managers, line management and or Audit Committees experience and judgement. The CRSA questionnaire does not take the place of the municipalitys performance management system but runs alongside this system. The process is conducted within a structured environment in which the process is thoroughly documented and the process is repetitive as an incentive for continuous improvement. Furthermore, as CRSA is a technique that adds value to the internal auditing profession it can effectively augment internal auditing as it judges the quality of internal controls.

The following table depicts the various areas of role and responsibility: Role Internal audit / MIG Project Management Function Responsibility Completes CRSA questionnaire Retains original document for future reference Provides a copy and results of the control environment status to the municipal manager and Audit Committee Sends copy to dplg MIG Unit Project Management Monitors implementation of management treatments Function and or actions that explain how risks are mitigated Retains submitted copies of completed forms and management actions for future reference and for access by internal audit Suggests alternative procedures to the municipality Provides status of remedial action to the municipal manager and Audit Committee Sends copy to dplg MIG Unit Internal audit Where internal audit does not complete the form but management, internal audit verifies that the responses on the CRSA are the actual processes and that the controls and treatments have been implemented as stated by management Assesses the impact of the CRSA reviews and the adequacy of the system of internal controls and consolidate the areas of risk Monitors the implementation of corrective action per municipality Provide holistic MIG Programme guidance and advice in a proactive manner

MIG Unit

When To Complete The Self-Assessment: The CRSA must be completed at least: On a bi annual basis Whenever there are significant personnel changes (MIG Project Management Function) Whenever there are significant project management system and procedure changes Whenever the financial and operational targets for a MIG project are lagging behind targets

Completing The Questionnaire: Review the CRSA document located on www in the . Area ??????? section. Where appropriate, comments have been embedded throughout the questionnaire to provide the assessor with further explanation about the questions should it be required. Making use of the Control based and Risk based approach a response to each and every question on the CRSA questionnaire must be formally captured. Refer to the municipalities MIG Programme, financial and supply chain management policies, procedures, or websites referenced on the questionnaire for additional information. If further clarification is needed, questions should be directed to a representative of the MIG Unit based in Pretoria and whom can be contacted on e-mail (.) or alternatively by land line during office hours (). Any Inadequate or Needs Improvement response require an explanation in the comment field where specific emphasis to the gap in the control is identified together with the envisaged management plan of action to address the identified weakness/es. The responsible persons name and implementation date must also be captured. For N/A responses, briefly explain why the question is not applicable. Any internal control risks identified by the municipality during completion of the questionnaire must be addressed. If at any time the municipality wishes to discuss the best control process in which to address the risk/s, the municipality should contact its head of internal audit and or the MIG Unit representative on ..(insert e-mail address).

CONTROL AND RISK SELF-ASSESSMENT TEMPLATE MIG PROGRAM

Mega / Major Process and Risks STRATEGIC Stakeholder Management / Communication ST1 - No or inadequate communication and or working relationship between the municipality and critical external stakeholders (i.e. Sector Departments, Eskom, Provinces, dplg, etc.) Inherent Risk As Lik Imp Leading Practice Control Actual Controls In Place Residual Risk AD NI IA Action / Comments

20

ST2 The relationship and communication between the PMU function and the other divisions/units within the municipality is ineffective

1. A formal communication strategy and plan is in place where the critical stakeholders have been identified 2. A review of the effectiveness of the communication process is undertaken on a regular basis 3. Regular interfacing with the MIG Unit, Sector Departments, provinces and dplg 4. MIG Orientation workshops 5. Sector participation on PMITT 1. A formal communication strategy and plan is in place and has been rolled out 2. Regular meetings between the PMU function and other critical divisions/units 3. Formal minutes of meetings maintained and circulated to all attendees in a timeous manner 1. Municipality has identified the required documentation they should have in their possession. 2. PMU function maintains the required library of the MIG documentation and or literature

Action:

X Responsible Person:

Due Date: Action:

Responsible Person:

Due Date:

Policy Management ST 3 - The municipality does not have the available MIG policy, framework, DoRA and PMU procedure, etc., in their possession

Action:

Responsible Person:

Due Date:

Risk Management ST4. - MIG risks have not been identified, assessed and incorporated into the municipal risk assessment and or risk register

ST5 - Line management has not assessed the adequacy of the system of internal controls against the business risks on a regular basis

1. A formal risk management system is in place and is operational 2. MIG risks have been identified, assessed and ranked. 3. MIG risks have been included in the risk register 4. Internal audit reviews these risks and controls as part of the annual audit program 5. The risk committee reviews the adequacy of the risk management systems and internal audit reports on a regular basis (MIG Program included) 1. Quarterly review of the risks by line management (CSA) 2. Identification of control gaps and the implementation of control actions/treatments 3. Implementation of an operational risk committee, chaired by the municipal manager 4. Quarterly reporting to the Audit Committee and risk Committee on the status of the control environment 5. External and internal audit reviews 6. Use of leading practice risk based control models (i.e. COSO, etc.)

Action:

Responsible Person:

Due Date: Action:

Responsible Person:

Due Date:

Backlogs ST6 - Inaccurate backlog targets and figures

1. Formal process and report developed (backlog studies) to determine backlog targets with implementation plan 2. Uniform and acceptable criteria utilised 3. Mechanism in place to measure and monitor the achievement of targets use of KPI dashboards and progress on removal of backlogs

Action:

Responsible Person:

Due Date:

Measuring & Monitoring ST7 - No or ineffective MIG measuring and monitoring system in place at municipal level

1. MIG performance part of the municipal managers M&M quarterly performance meetings 2. Part of Council agenda and reporting 3. Dedicated Councilor for MIG Programme

Action:

Responsible Person:

Due Date:

FINANCIAL MANAGEMENT FM 1 - Interest received on MIG funds utilised for other purposes other than for MIG projects

1. Validation of MIG funds transferred to funds received 2. Interest on MIG funds reflected separately in the books of account 3. Adherence to DoRA, MIG, municipal financial policies and procedures 4. Interest on MIG funds reflected on monthly and quarterly DoRA returns 5. Statement on how and where interest was utilised 6. CSA, external and internal audit reviews

Action:

Responsible Person:

Due Date:

FM2 - MIG funds utilised for purposes other than for MIG projects as per DoRA and MIG requirements

FM3 - MIG Funds over or understated in books of account

1. Effective financial accounting system and controls in place 2. Reconciliation between PMU function records and books of account on a monthly basis 3. If possible to have a separate bank account for MIG funds 4. Cash flow forecast per project and compared with drawdown records 5. Adherence to DoRA, MIG, municipal financial policies and procedures 6. MIG funds received and spent reflected on monthly DoRA and project list returns 7. Regular management reviews and sign-off by head of PMU function 8. Quarterly municipal management performance meetings and reports 9. CSA, external and internal audit reviews 1. Segregation of duties 2. Adherence to code of ethics and values 3. Effective financial systems records and controls in place 4. Effective expenditure and income codes 5. Comparison between WIP records maintained by PMU function and management accounts on a monthly basis 6. Regular management reviews and sign-off by head of PMU function 7. Adherence to DoRA, MIG and municipalities financial policies and procedures

Action:

Responsible Person:

Due Date:

Action:

Responsible Person:

FM4 - Financial figures and information on monthly DoRA, cash flow and Project Listing reports are inaccurate and or incomplete

FM5 - Compulsory MIG reporting information not submitted timely as per DoRA and MIG dplg requirements

8. Effective delegations of authority 9. Effective working relationship between CFO and head of PMU function 10. Quarterly municipal management performance meetings and reports 11. CSA, external and internal audit reviews 1. Skilled PMU function and CFO staff 2. Reconciliation between books of account and figures reflected on monthly returns by a third-party (i.e. CFO) 3. Reconciliation between previous months returns and new month figures 4. Quarterly municipal management performance meetings and reports 5. CSA, external and internal audit reviews 1. Adherence to DoRA and MIG reporting requirements 2. Input and monitoring from Provincial PPMU, Treasury and MIG National 3. Quarterly municipal management performance meetings and reports 1. Input from Sector Departments on capital and maintenance ratios. 2. Effective maintenance management system and plan in place. 3. Effective budgeting and monitoring systems in place

Due Date:

Action:

Responsible Person:

Due Date: Action:

Responsible Person:

FM6 - Insufficient municipal funding for M&E

Due Date: Action:

Responsible Person:

Due Date:

OPERATIONS OP1 - MIG projects registered not feasible or sustainable

OP2 No or ineffective PMU function in place

1. Input and advice from sector departments. 2. Financial and project feasibility and sustainability studies undertaken supported by formal reports and signed off. 3. EIA undertaken to ensure compliance with environmental standards and legislation. 4. Adherence to MIG funding criteria 5. Effective system of M&E in place 1. Establishment of a PMU function not required to be full time or dedicated 2. Effective capacity building program in place 3. Utilisation of MIG funds to run PMU function in terms of MIG criteria and permitted % amount 4. Effective and adequate performance management system in place. 5. Effective and adequate measuring and monitoring systems in place 6. Risk management system entrenched in day-to-day activities 7. Effective WIP accounting system in place 8. Use made of other municipalities PMU function where more cost effective and or appropriate

Action:

Responsible Person:

Due Date:

Action:

Responsible Person:

Due Date:

OP3 - The PMU function not being responsible for the administration and financial management of MIG funds within the municipality

1. Head of the PMU function having the necessary authority to have ownership over the funds and MIG system at municipal level. 2. Clear roles and responsibilities 3. Effective and adequate performance management system in place. 1. Effective procurement and supply chain management plan in place 2. Effective supply chain management system and procesess in place 3. Effective contract and project management systems in place 4. Effective financial measuring and monitoring system in place (WIP) including budgeting system 5. Reporting and action plans to mitigate the risks 6. Effective follow-up on corrective action and determining if results have been achieved 1. Effective contract and project management systems in place 2. Effective financial and operational measuring and monitoring system in place (WIP) including budgeting system and management accounts 3. Effective monthly financial and payment authorisation systems and controls in place

Action:

Responsible Person:

Due Date: Action:

OP4 - Inability to spend MIG funding in a timeous manner

Responsible Person:

Due Date:

OP5 Project overruns (Time and financial)

Action:

Responsible Person:

Due Date:

OP6 - PMU function not having an effective project management system in place

1. Formal project management policy and procedures in place 2. Formal project charters in place for each and every project 3. Coordinating and roll out of SMIF business plans 4. Formal project management system in place (i.e. Summit, Prince2, etc.) 5. Effective file management system in place 6. Effective quality management policy and systems (QMS) in place 7. Regular site visits and meetings to determine performance to targets and milestones 8. Formal site meeting minutes and governance practices 9. Follow-up on corrective action 10. Effective risk management system in day-to-day activities including SHE 11. Data capture, updating of all data and KPIs on MIS 12. Monitoring and consolidating of cash flow reports and expenditure of each project 13. Accepting only original invoices, VAT numbers, supporting documentation, etc 14. Effective reporting system in place monthly progress reports 15. Legal compliance reviews 16. Site handover meeting 17. Provincial intervention for non performance

Action:

Responsible Person:

Due Date:

OP7- PMU function not applying appropriate contract management practices for MIG projects

1. Adherence to municipalities procurement policies and procedures as well as determining those labour intensive projects 2. Formal and legal contracts entered into for all contracts awarded externally together with project charters 3. Legal expertise input and approval 4. Contracts to be explicit with penalty clauses, project defect liabilities, etc cognisance taken of contractors business status (Pty, CC, sole trader, unregistered, social initiative, etc.) 5. Ensuring that suppliers have the ability and capacity to deliver on the project mandate 6. SLAs entered into where services and construction is to be undertaken internally within the municipality 7. Use of an effective costing system to determine internal costs 8. Community based partnerships 1. Formal M&E policy and procedures in place 2. Formal M&E system and plans in place. 3. Updated asset registers 4. Effective costing and budgeting system in place 5. Capital replacement and or rehabilitation costs taken into account

Action:

Responsible Person:

Due Date:

OP8 - An effective M&E system not in place for measurement, reporting & feedback on the progress with MIG objectives and infrastructure projects?

Action:

Responsible Person:

Due Date:

KEY Inherent Risk AS LIK IMP Residual Risk AD NI IA Risk Ranking High Medium Low

Description Risk without taking the controls into account Risk Assessment Likelihood Impact Risk after taking controls into account Adequate Needs Improvement Inadequate Risk ranking scoring mechanism Impact X Likelihood = Risk Assessment Impact X Likelihood = Risk Assessment Impact X Likelihood = Risk Assessment

10