Internal Controls and Internal Audit in the Public

Internal Controls and Internal Audit in the Public Sector CORE PFM TRAINING PROGRAM SANJAY VANI LEAD FINANCIAL MANAGEMENT SPECIALIST

Internal Controls and Internal Audit in the Public Sector � Overview Internal Controls Components of Internal Control � Control Procedures/Activities � Role of Internal Controls � Responsibilities for internal controls � Assessing Internal Controls � Recent trends in financial controls in the Public Sector � Internal Audit Different Models � Internal Audit Standards � State of Public Sector Internal Audit � Major reforms in Public Sector Internal Audit � Establishing Internal Audit Function in low capacity countries � Inspection and Investigation

Internal Controls � COSO defines internal controls as: a process effected by an entity's management and other personnel designed to provide reasonable assurance regarding i) Effectiveness and efficiency of operations; � ii) Reliability of financial reporting; and � iii) Compliance with laws and regulations. � � Important point to note here is that internal controls may exist in an organization but its effectiveness may change over a period time. If internal controls were effective last year does not guarantee that they will be effective this year too. (COSO = Committee of Sponsoring Organizations, USA)

Components of internal controls �Control Environment – tone at the top - foundation �Risk Assessment-forming a basis for how the risks should be managed �Information and Communicationidentification, capture, and exchange of information �Control Activities-the policies and procedures �Monitoring-quality of internal control performance over time. (Source: COSO)

Components of internal controls � Control Environment � Risk Assessment � Information and Communication �Control Activities - automated or manual -ex ante or ex post � Monitoring

Components of internal controls � Control Environment � Risk Assessment � Information and Communication �Control Activities – some examples Segregation of duties Authorization of transactions Retention of records Supervision or monitoring of operations Physical safeguards (e. g. cameras, locks, physical barriers) Top-level reviews IT Security Controls over information processing (e. g. edit checks) � Monitoring

Who is responsible for internal controls? • • • According to the COSO Framework, everyone in an organization has responsibility for internal control The top manager of the department or ministry has the overall responsibility for designing and implementing effective internal control. More than any other individual, the top manager sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. The internal auditors and external auditors also have a role in assessing whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve internal control.

Assessing internal Controls �Important points internal controls may exist in an organization but may not be effective, and effectiveness may change over a period time. �So the assessment should not just evaluate the existence of internal controls but must assess their effectiveness.

Assessing internal Controls �Assessment of internal controls in any ministry or department needs to review not only the control activities or procedures but also the overarching control environment (tone at the top - is the top management serious about adhering rules or pays only lip service), the risk assessment process within the ministry or department (who does the risk assessment and how often is it done), the communication/reporting system within the ministry (are lapses or willful contraventions reported, are the rules clear, transparent, and easily accessible), the monitoring process (to ensure that loopholes are fixed, actions taken on contraventions).

Assessing internal Controls �It is important to consider that internal controls exist not just in the accounting or treasury function but are part and parcel of every activity and department. For example, internal controls in procurement function or human resource function.

Assessing internal Controls � Sometimes it is useful to review internal controls in-depth over the entire process/value-chain rather than reviewing individual components of the entire process separately. For example, while assessing internal controls in the purchase of medical equipment, it may be necessary to review controls across the entire process beginning with the � � � procurement function (how specs are developed for ordering, bidding procedures, bid evaluation procedures, time lag in bid receipt and evaluation etc), physical receipt of the item (how are equipment checked and tested vis-à-vis the specification, physical safeguarding etc), invoice processing (invoice processing procedures, approval authorities, time lag etc), bill payment (payment procedures, time lag), accounting (invoice accounting and payment accounting, time lag etc), fixed asset (procedures for periodic physical verification, fixed asset register etc).

Recent trends in financial controls in the Public Sector • In many countries, the treasury or the Ministry of Finance continues to play an important role in financial controls by checking/verifying every request for payment – a final control procedure before public funds are disbursed. • In recent years, the concept of “managerial accountability”, where the authority and responsibility for programs/activities rests with the “manager” (or the department head), is becoming more popular. This concept has become part of the requirement for the European Union accession candidate countries. In one variation of this model, a Mo. F representative is deputed to the line ministry or department, who performs the financial control function. In a pure form of this model, the line ministry or department is given full authority (without the intervention of a Mo. F representative) with full accountability for the financial stewardship. • Yet another trend is the implementation of IFMIS in many countries which has enabled automation of several manual controls (e. g automatic checking of expense with budget appropriation) and introduction of new controls.

Internal Audit �Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. �It is important to note that the nowhere in the definition the word “audit” is used – the emphasis is on risk assessment and value addition. �It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal Audit Models �Organization of Internal audit in the public sector can be broadly categorized into two basic models – centralized and decentralized.

Centralized Internal Audit Model �In a typical centralized model, Ministry of Finance carries out internal audit in all ministries and departments either through IA staff placed in the ministries or though staff located within the Mo. F. �Variations of this model can be found in France, Portugal, Luxembourg, and Spain. �Centralized models are quite common in former Soviet Union countries such as Ukraine although functions and responsibilities of these organizations do not necessarily equate with the concept of modern internal audit.

Centralized Internal Audit Model France The Office of the Inspector General of Finance’s (Inspection générale des finances) core assignment is to oversee the decentralized services of the finance ministry. The inspectors of finance are empowered to obtain all documents necessary for purposes of oversight. They are responsible for verifying the quality of financial procedures and their implementation, the regularity of operations, combating fraud, and monitoring the ethical behavior of civil servants. (Note: IGF is currently designing and implementing a modern state internal audit system, which envisions a decentralized model). Ukraine The State Control and Revision service (KRU) is a centralized inspection and audit body (having regional offices) responsible for financial control/audit and verifying the credibility of accounting and financial reporting. KRU has the authority to issue an “act” (order) against persons violating laws.

Decentralized Model �In a decentralized model, each line ministry has its own internal audit department reporting to the head of the line ministry. �In this model, generally, the Mo. F sets the IA standards, which are then implemented by internal audit departments within line ministries. �Variations of this model can be found in the United Kingdom, the United States of America, and the Netherlands. �The decentralized model is recommended by the European Commission for adoption by candidate countries

Decentralized Model The United Kingdom The United States of America Departments and agencies are required to have Inspector General. IGs employ criminal investigators (often armed), auditors, forensic auditors, and a variety of other specialists. Their activities include the detection and prevention of fraud, waste, abuse, and mismanagement of the government programs within their parent organizations. Some Inspectors General are appointed by the President and confirmed by the Senate. The remaining IGs are designated by their respective agency heads. The IGs serve under the general supervision of department/agency head. Yet, by statute, IGs have a dual and independent reporting relationship to the agency head and to the Congress. Every government department/agency is required to have an internal audit unit. The head of the department is charged with organizing internal audit in accordance with the definition and standards. The Head of Internal Audit should be of appropriate grade or status, have wide experience of internal audit and management, should hold the Government Internal Audit Certificate and meet the level of competence set out in the Internal Audit Training and Development Handbook. The HIA reports operationally to the head of the department. The main purpose of internal audit activity within central government is to provide the head of the department with an objective evaluation of, and opinion on, the overall adequacy and effectiveness of the organization’s framework of governance, risk management and control.

Internal Audit Standards � The most recognized standards in the area of internal audit are the standards developed by the Institute of Internal Auditors (IIA). � The Standards are principles-focused consisting of: Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance; and Interpretations, which clarify terms or concepts within the Statements. � The Standards are divided between Attribute and Performance Standards. Attribute Standards address the attributes of organizations and individuals performing internal auditing. Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured.

Internal Audit Standards �Many countries have adopted the IIA standards, which are then supplemented by additional requirements specifically applicable for their situation. For example, the UK has adopted the IIA standards in addition to issuing additional requirements for UK central government. Canada too has adopted IIA standards in addition to formulating specific standards for reporting. �Given their different mandate, the Office of the Inspectors General in the USA has separate standards for audit, investigations, and inspections and evaluations. For audit, the OIG uses the audit standards issued by the GAO.

State of Public Sector Internal Audit �Not yet firmly established in the public sector. �Why? public sector is more centralized and hierarchical with layers of control - those responsible rarely felt the need for internal audit �Even in the private sector internal audit was largely confined to checking compliance until 1980 s.

Major reforms in Public Sector Internal Audit �Many OECD countries are undertaking major IA reforms

Canada �Significant internal audit reforms in 2006 Departmental heads responsible for soundness of risk management, control and accountability Organizational independence of internal audit Departmental heads responsible for ensuring appropriate IA capacity Independent audit committees including members from outside internal audit reports accessible to the public respective Minister briefed periodically on significant matters Consequences for non-compliance with IA Policy

United Kingdom �Undertaking a major Internal Audit Transformation Project Integrated audit planning across organizational boundaries new people and resourcing model – Heads of IA will operate at a sufficiently senior level new internal audit group structure � may reflect a departmental led group � may reflect groups of entities performing similar functions � may reflect combining those which do not have sufficient critical mass as individual bodies prime focus on key strategic risks - internal audit will NOT provide assurance on routine risks

France �The Inspector General of Finance has recently prepared a blueprint for a modern State Internal Audit system that is separate from the financial inspectorate A ministerial internal audit service Each ministry will have a IA Committee with outside members A Committee to harmonize State internal audit policy chaired by Minister for Budget and Public Accounts Internal audit standards based on IIA Implementation phased manner

Establishing Internal Audit Function in low capacity countries • Important to remember � � � Internal audit is an integral part of the overall PFM in a country and any reforms in internal audit should be designed as part of the overall PFM reform program. Introducing internal audit reforms in isolation of other PFM reforms are unlikely to succeed. Internal audit will not be effective in a country with extremely weak internal controls or where managerial accountability is absent. The establishment of internal audit should be done in a gradual and phased manner. Even advanced countries such as France are implementing internal audit system in a gradual and progressive manner. The sequencing of internal audit reform may require first enacting a legal framework followed by extending risk management procedures beyond accounting and finance functions, creation of central harmonization unit to establish standards and procedures, recruitment, and extensive training not just internal audit staff but also management and other personnel.

Inspection and Investigation � “Inspection” agency - compliance work with a view to discovering instances of malfeasance and misuse including fraud and corruption. � Objective of inspection/investigation agencies is quite different from the objective of modern internal audit departments. The inspection agency carries out “audits” with a view to discover instances of “wrong-doing”, whereas the objective of modern internal audit is to evaluate and improve the effectiveness of risk management, control, and governance processes in an organization. � Despite these different set of objectives, which necessitates existence of both the agencies, there is often a lack of clarity as to the exact role of internal audit since both the agencies often use similar methods of “audit” to carry out their respective work. � In countries where both inspection and internal audit agencies exist, it is important that there is a formal mechanism to exchange work plans and coordinate their work. Once the internal audit function is firmly established and becomes effective, the role of inspection/investigation agencies will not be eliminated but will dramatically change requiring a much smaller work force.