The growing requirements in terms of accounting and financial quality are leading public bodies to shore up their approach to risk management or internal budgetary and accounting control (“Contrôle Interne Budgétaire et Comptable” – CIBC). This formalised approach, implemented as part of the modernisation of public management, meets four major challenges:

  • Produce accounts of certifiable quality
  • Adhere to a logic of accounting and financial transparency
  • Mobilise all the school’s stakeholders
  • Reinforce the reliability of financial information

The control of accounting and financial risks responds to operational concerns such as improving the performance of management processes, reducing “non-quality” costs, and improving legal and financial security.

This approach constitutes a privileged lever for improving the institution’s management in the financial and accounting fields. As such, it is a perfect complement to the school’s quality approach.

The four levers of internal control are:

  • Organisation: clearly allocating tasks, inserting control points, etc.
  • Documentation: having complete documentation on internal procedures
  • Traceability: archiving documents, retaining justifications for operations, etc.
  • Assessment: self-assessment, back-testing supervision, internal assessment, external assessment

The internal control process is overseen by the CIBC steering committee, whose role is to define the internal control deployment strategy, define the priority projects to be addressed, and then coordinate, monitor and validate the work.

The committee is assisted by the internal control expert who is responsible for managing, leading, monitoring and controlling the deployment of internal control. The expert is assisted in his/her missions by the process leaders.

All actions must enable the institution to make progress in its internal financial control with the aim, for all stakeholders, to obtain reasonable assurance regarding the control of financial risks.

The tools used include process modelling, risk mapping and rating, the priority risk action plan and the Risk Management Maturity Model (RMMM).

Risk mapping and action plans

Risk maps and their ratings have been drawn up pragmatically with the business teams, in addition to action plans to deal with priority risks concerning:

  • Public research contracts
  • Missions
  • Markets
  • Registration fees

These action plans are monitored and updated as progress is made, and at least once a year. Risk maps and action plans are part of the continuous improvement process. They are subject to deliberation and a vote by the Board of Directors, as well as an assessment by the authority responsible for supervising the institution. The procedure is presented each year to the statutory auditors.

Risk Management Maturity Model (RMMM)

Optimised internal control is built over time by crossing different milestones. The Risk Management Maturity Model is a highly effective tool for assessing internal control. It enables an organisation to monitor changes in its level of risk control and its progress in the internal control approach. Since 2020, each year the institution has thus chosen to work on the Risk Management Maturity Model.

The RMMM takes into account the four components of internal control: organisation, documentation, traceability and steering. Based on the responses to four questionnaires and the institution’s supporting documents, a degree of maturity is assigned on a scale of 1 to 5:

  • Level 1: initialisation of the process
  • Level 2: actual installation of the “Fundamentals”
  • Level 3: approach being strengthened
  • Level 4: approach into the advanced stage
  • Level 5: guarantees of durability and efficiency

For the financial division, we have observed an improvement from level 2 to level 3, and for the accounting agency, accounting division and invoicing division, an improvement from level 3 to level 4. This proven progress over these three years was possible thanks to the involvement of the departments in the internal control approach.

Mapping, action plans and the RMMM serve to guarantee, particularly in the context of the Responsibility of Public Managers, regular monitoring of risk management systems. Updated, validated and consistent with each other, they are used to establish important management tools.