Every internal control system needs a defined basis that regulates basic points such as objectives, purpose and principles. The process groups were essentially specified by the Ministry's minimum standards, but can be expanded as needed. In this new version, great emphasis was placed on clearly defined responsibilities. For each function, the area of responsibility was defined together with the release levels.
- capture existing risks,
- control them, and
- ensure that the organisation achieves its objectives.
The ICS pursues the following objectives:
- the achievement of the organisational goals from the TU Wien mission statements "Technology for People", "Developing Scientific Excellence", "Providing Comprehensive Competence",
- safeguarding assets against financial fraud, loss and damage,
- ensuring the reliability of financial reporting and operational information,
- ensuring proper, ethical, economical, efficient and effective operations,
- compliance with corporate governance,
- the fulfilment of reporting obligations.
- Clear, detailed and transparent regulation of work processes in written form.
- Principle of comprehensibility: Documents and processes must be documented in a comprehensible manner.
Dual Control Principle and Automatic Control
- Systematic installation of controls in the workflow.
- IT-based (automated system controls) or implementation of the dual control principle.
- Key control: Control step to minimise financial risks. The risks are recorded and evaluated in the risk-control matrix.
Separation Principle and Separation of Functions
- Preventing important decisions from being made by a single person.
- Clear separation of decision-making, executive and controlling functions.
- All services and considerations must be in reasonable proportion to each other and thus stand up to comparison with third parties.
- The approval principle requires strict disclosure of all benefits, services or other advantages received by employees of the TU Wien.
Principle of "Minimum Information" - Provision of Information appropriate to Tasks and Responsibilities
- Provision of information to the employee that is necessary for the fulfilment of the tasks.
Principle of "Minimum Rights" - Access and Access Authorizations appropriate to the Task and Responsibility
- Access authorisations (e.g. to IT systems) must be adequately limited.
- The direct supervisor must ensure that employees only have the authorisations that are absolutely necessary to fulfil their tasks.
- Passing on the TU Wien password is strictly prohibited, as is the use of someone else's password. Any misuse is the personal responsibility of the user.
Principle of "Regularity" - ICS as a Rolling Process
- Regular and systematic review of the ICS for functionality, effectiveness and timeliness.
- Ensuring that the internal controls are permanently and sustainably effective.
- Annual ICS cycle with updates of the existing processes, review of the areas for completeness of the processes and subsequent creation of new processes.
- In the event of changes to the framework conditions, the processes and key controls are to be adapted accordingly; contact the ICS officer immediately in order to carry out the updates.
Principle of "Efficiency" - Principle of Cost-Benefit Analysis - Financial Integrity
- The effort and resources involved in controls must be proportionate to the avoidable risk (extent of damage and probability of occurrence).
Corporate governance refers to all internal rules, processes and laws (corporate constitution) according to which a company is managed or operated. Accordingly, corporate governance at TU Wien is the factual and legal regulatory framework for the management and supervision of the university. The essential instruments of corporate governance are the risk and compliance management system, the internal control system (ICS) and the internal audit. These instruments improve the management and monitoring structures of the TU Wien and aim to ensure the sustainable development of the TU Wien.
Compliance includes, on the one hand, adherence to internal university regulations (such as statutes, ordinances, guidelines and policies) as well as (business) processes (ensuring conformity with regulations) and, on the other hand, the evaluation of potential risk areas (evaluation of risks) in order to prevent legal violations. The compliance management system is the process that makes it possible to identify specific risks in a structured manner, to react, to mitigate and subsequently to control and monitor them.
Internal Control System
The ICS focuses on purely financially relevant risks that are to be minimised or eliminated through the implementation of key controls in the course of operational activities. The ICS is therefore process-oriented, with one of the central tasks being to ensure correct internal processes.
A risk management system is understood to be the entirety of principles, procedures and specified measures that manage the structured handling of risks - regardless of whether they are financially relevant or non-financially relevant. Risk management takes a strategic and future-oriented approach. Risk management is divided into the sub-areas:
- identification of risks (risk analysis).
- risk evaluation (risk assessment).
- risk management.
- risk controlling.
The two financially relevant risks, "financial fraud" and "erroneous annual financial statements", are included in the top 20+ risks. The task of the ICS is to minimise or eliminate these two risks through established processes and defined key controls.
The task of the internal audit is to check and monitor internal work processes for their correctness, regularity, expediency and economic efficiency. The control objective is to increase efficiency and minimise risks and to point out the need for optimisation to the Rectorate and the University Council.
1st Level Rectorate
- At the highest level (management level), the members of the rectorate act as a collective.
- Second (top) escalation level in the event of delays in reporting the processes to be updated.
2nd Level Process Group Managers
- The management level below (control level), where the members of the Rectorate act within their own departments.
- First escalation level in the event of delays in reporting the processes to be updated.
- Third release level.
3rd Level Process Manager
- The process managers form the operational level below the management level.
- First process release level.
4th Level Employees
- Operational collaboration.
- Reporting identified risks.
The tasks of the rectorate in connection with the internal control system include:
- Overall responsibility for the ICS in terms of implementation, distribution of roles, maintenance, reporting.
- Ensuring that all areas of the TU Wien are included in the ICS.
- Defining the goals of the ICS in coordination with the goals of the TU Wien.
- The regular assessment of the effectiveness of the ICS as well as the monitoring of improvements and necessary measures.
- Provision of adequate resources to ensure the functioning of the ICS.
- Commitment and leading by example in complying with the ICS rules ("tone at the top").
Process Group Manager
- The process group leaders are the members of the Rectorate and the CFO.
- The process groups are divided according to the Rectorate's rules of procedure. The processes of the finance department are assigned to the CFO.
- The role of the process group manager is not transferable.
The area of responsibility of the process group manager includes the following:
- Appointment of process managers (only one person per process).
- Third and final process approval level.
- First escalation level in the event of delays in reporting the processes to be updated.
- Process managers are appointed by the responsible process group manager.
- Only heads of structure and governance at TU Wien can be appointed as process managers.
- The role of process manager is not transferable.
- If necessary, the role of process manager can be revoked by the responsible process group manager.
- The process managers assume the most central role in the ICS.
The area of responsibility of the process manager includes the following:
- Compulsory completion of the ICS training courses: General training on goals, principles, processes of the ICS and differentiation from risk management.
- Special training for the creation of ICS processes.
- Specific training on risk assessments.
- Exclusive assumption of the function of the process manager by heads in accordance with the structure and governance of the TU Wien.
- Responsibility for the completeness of the ICS in their own area in coordination with the responsible process group manager.
- Definition of new processes and reporting to the person responsible for the process group and to the ICS officer (also during the year - the release steps of the annual update are also applied during the year).
- Annual review of existing processes to ensure they are up-to-date.
- Acting in accordance with the rules and complying with laws and guidelines.
- Risk identification and risk assessment: Define and implement the key controls of the processes.
- First process release level.
- Obtain process approval from the process group manager.
- Documentation of the control steps and checking for compliance.
- Contact person for the process group manager, the ICS officer and internal audit.
- Preparation of necessary accompanying documents.
- Communication to all people involved in the process.
Through their active participation, employees are also an important part of the ICS, with the following tasks:
- Implementation and participation in the processes.
- Reporting identified risks that have not yet been recorded to the responsible process manager.
- Identifying possible new processes and notifying the responsible process manager.
- The ICS representative is appointed by the member of the Rectorate who is responsible according to the Rectorate's rules of procedure.
- Direct reporting to the responsible member of the Rectorate.
- If necessary, the person holding the role of ICS representative can be removed by the responsible member of the Rectorate.
Their responsibilities include the following:
- Coordination, administration, documentation and forwarding of ICS information to the rectorate.
- Support and assistance with questions about the structure and process organisation of the ICS.
- Recommendations regarding the strategic and structural development of the ICS to the rectorate.
- Initiation of measures to improve the ICS.
- Carrying out the annual random checks of the key controls.
- Administration and archiving of the risk control matrix and processes.
- Assistance in the development and updating of processes.
- Second process approval stage (quality control: checking the applied standards for correctness).
- Preparation of an annual ICS report to the Rectorate (including reporting of risks in connection with the implementation of the ICS).
Process Group Procurement
All processes that deal with the acquisition of systems are mapped under Procurement.
Process Group Finance
The financially relevant processes serve to maximise the reliability of TU Wien's financial statements. Here is a brief description of the processes covered in these categories.
- Financial Assets
Process Group Corporate Governance
The processes that deal with the granting and revocation of powers of attorney and structural changes are listed here.
Process Group PR and Fundraising
In fundraising, the focus was on processing donations.
Process Group Research
All processes related to the implementation of third-party funded projects are mapped here.
Process Group IT Usage
The PG IT Usage includes all processes that deal with the General Data Protection Regulation.
Process Group Infrastructure
Under PG Infrastructure, financially relevant processes relating to buildings and technology are recorded.
Process Group Library
This category includes all processes that are important for the ongoing operation of the TU Wien library.
Process Group Personnel Administration
All financially relevant personnel processes, such as the entry, extension or departure of employees, are represented here, in addition to payroll accounting.
Process Group Study and Teaching
In this group, those processes are listed that deal with the administration of teaching.
Regulations and guidelines are made available on the E018 Data Protection and Document Management website.