(i) Objectives of an Effective Internal Control System
An effective internal control system plays a vital role across every pillar in addressing risks and providing reasonable assurance that operations meet the four control objectives:

• Operations are executed in an orderly, ethical, economical, efficient, and effective manner;
• Accountability obligations are fulfilled;
• Applicable laws and regulations are complied with;
• Resources are safeguarded against loss, misuse and damage.

(ii) Components of Internal Control System in Relation to the PEFA Framework (COSO Framework)
The five components of the integrated framework of internal control are:

Control Environment
The control environment describes a set of standards, processes, and structures that provide the basis for carrying out internal control across the organisation. According to the Institute of Internal Auditors (IIA), a control environment is the foundation on which an effective system of internal control is built and operated in an organisation that strives to achieve its strategic objectives, provide reliable financial reporting to internal and external stakeholders, operate its business efficiently and effectively, comply with all applicable laws and regulations, and safeguard its assets.
PEFA’s consideration of control environment focuses on:

• The personal and professional integrity and ethical values of management and staff, including a supportive attitude toward internal control constantly throughout the organisation
• Commitment to competence
• The “tone at the top” (i.e. management’s philosophy and operating style)
• Organisational structure
• Human resource policies and practice

Risk Assessment
The risk assessment forms the basis for determining how risks will be managed. A risk is defined as the possibility that an event will occur and adversely affect the achievement of organisational objectives. Risk assessment requires management to consider the impact of possible changes in the internal and external environment and to potentially take action to manage the impact.
PEFA’s risk assessment entails:

• Risk identification
• Risk assessment (significance and likelihood)
• Risk evaluation
• Risk appetite assessment
• Responses to risk (transfer, tolerance, treatment or termination)

Control Activities
Control activities are actions (generally described in policies, procedures, and standards) that help management mitigate risks in order to ensure the achievement of objectives. Control activities may be preventive or detective in nature and may be performed at all levels of the organisation.
The control activities considered under PEFA include the following:

• Authorisation and approval procedures
• Segregation of duties (authorizing, processing, recording, reviewing)
• Controls over access to resources and records
• Verifications
• Reconciliations
• Reviews of operating performance
• Reviews of operations, processes and activities
• Supervision (assigning, reviewing and approving, guidance and training)

Information and Communication
Information is obtained or generated by management from both internal and external sources in order to support internal control. Effective communication ensures that relevant information is shared in a timely manner to enable staff to carry out their responsibilities.
PEFA’s focus on information and communication includes:

• Generation and use of relevant, quality information to support internal control
• Effective communication of information internally and externally to support decision-making and accountability

Monitoring Activities
Monitoring activities involve ongoing or periodic evaluations to ascertain whether the components of internal control are present and functioning. This ensures that internal controls remain effective over time.
PEFA’s monitoring activities include:

• Ongoing monitoring of internal control effectiveness
• Periodic evaluations and audits to identify deficiencies
• Follow-up on corrective actions to address identified weaknesses