Paradigm Shift in Internal Control and Audit. Sujata Prasad & Sandeep Saxena Government of India

Transcription

1 Paradigm Shift in Internal Control and Audit Sujata Prasad & Sandeep Saxena Government of India

2 Overview Structure of IA in India Characteristics and Constraints Drivers of change The new Mandate How to Operationalize revised mandate? Compliance Orientation to Risk Based Approach Capacity Building Plans

3 Internal Audit: Definition Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. -IIA Professional Practice Framework

4 Internal Audit: Definition Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. -IIA Professional Practice Framework

5 Internal Audit UK Definition Internal audit primarily provides an independent and objective opinion to the Accounting Officer on risk management, control and governance, by measuring and evaluating their effectiveness in achieving the organization's agreed objectives. - Government Internal Audit Standards, HM Treasury

6 -Internal Audit in Canadian Federal Government, Treasury Board Secretariat Internal Audit - Canada New Policy on Internal audit repositions the function as a provider of assurance services to senior management, which focuses on: Risk management strategy and practices; Management control framework and practices; and Information for decision-making and reporting.

7 Internal Audit The Netherlands The duty of the internal audit function consists of providing additional assurance to the managing director and the management of an organization on the effectiveness and the control of the business operations. - The Internal Auditor in the Netherlands

8 Structure of Internal Audit in India Decentralized setup headed by the CCA/CAs Reports to Secretary [Who is also the Chief Accounting Authority of the Department] Annual Report to Ministry of Finance through CGA Mandate derived from the Internal Audit Manuals

9 Key Characteristics Compliance orientation Transaction Audit No scrutiny of the Quality of spending No scrutiny of the accomplishments/results Special audits / reviews of Government Programmes

10 Constraints Supply driven Negative perception by the management Low priority both by the management and by the Accountants Limited resources Low skill set

11 Drivers to Change - Internal GFR 2005 Rule 64 Outcome Budget (2005) FRBM Act, 2003 RTI Act, 2006 Significant escalation in program expenditure Public Private Partnership (PPP) for infrastructural growth Greater partnership between government & civil society organisations for progamme delivery

12 Drivers to Change - External Globally accepted view of modern Internal Audit Scope- Governance, Risk Management and Control Processes Auditing with a Managerial Mindset Adding Value-improved Operations Changing Concept of Accountability

13 New Mandate Assessment of adequacy and effectiveness of internal controls; soundness of financial systems and reliability of financial and accounting reports Identification and monitoring of risk factors Assessment of economy, efficiency and effectiveness of service delivery mechanism to ensure value for money Providing an effective monitoring system to facilitate on-course corrections - Revised Charter of FAs, June 2006

14 Operationalization of New Mandate Institutional Structure Centre of Excellence in CGA s Office Stronger Governance Mechanisms (Audit Committees) in the Ministries Systems and Processes Risk Based Approach International Internal Audit Standards IT assisted data-driven audits Peer Review Automated monitoring and tracking systems Severe action against persistent defaulters Institutional capacity Enabling environment

15 Enabling Environment Clearly defined Accountability Well documented and comprehensive financial regulations A clear framework of checks and balances Well defined performance measures Senior management support for internal audit and a climate where managers and internal and external audit co-operate for mutual benefit Organizational culture must be one of appreciation and responsiveness to the findings and recommendations of IA

16 Risk Based Approach

17 What is Risk? Probability of an event occurring that may have adverse outcomes. Factors, internal or external, that may jeopardize the success of a project or achieving a goal. Risks generally present themselves in the form of uncertainties.

18 Risk Management Framework Identify areas [and assets] that are most critical for operations Identify, characterize, and assess threats Assess the vulnerability of critical operations and assets to specific threats Determine the risk Identify ways to deal with the risks Prioritize risk reduction measures based on a strategy

19 Risk Mitigation Strategy 1. Avoid the risk 2. Transfer the risk to another party 3. Reducing the negative effect of the risk Define Preventive Measures to reduce the probability Define Countermeasures to reduce the impact 4. Accept some or all of the consequences of a particular risk.

20 Risk Management Cycle

21 Risk Based Approach Unlikely Possible Likely Almost Certain Outcome not expected to occur Outcome might occur at sometime Outcome could occur occasionally Outcome will occur often Critical Major Moderate Minor Medium Ongoing management/ monitoring of specified improvement activities Medium Ongoing management/ monitoring of specified improvement activities Low Managed at operational level using routine procedures Low Managed at operational level using routine procedures High Review by senior executive &/or accountable senior manager High Review by senior executive &/or accountable senior manager Medium Ongoing management/ monitoring of specified improvement activities Low Managed at operational level using routine procedures Extreme Immediate action of Senior Executive / notification of Chief Executive Officer High Review by senior executive &/or accountable senior manager High Review by senior executive &/or accountable senior manager Medium Ongoing management/ monitoring of specified improvement activities Extreme Immediate action of Senior Executive / notification of Chief Executive Officer Extreme Immediate action of Senior Executive / notification of Chief Executive Officer High Review by senior executive &/or accountable senior manager Medium Ongoing management/ monitoring of specified improvement activities

22 Risk Based Approach Exposure Hazard

23 Risk Based Approach Low Risk Low Moderate Risk Moderate High Risk Unacceptable Risk Review on change of process or if circumstances change. No great effort required to reduce risk further. Provide additional training, supervision & monitoring of agreed controls until accepted as routine. Critically examine the areas of exposure in the process, and agree a timetable for completion of all agreed actions. Review on implementation, and closely monitor effectiveness of new controls. Cease work until effective interim controls are agreed and implemented, and an action plan to permanently reduce the risk to an acceptable level has been agreed with the Executive Group. This condition is mandatory.

24 Difficulties in Risk Analysis How to determine probability of occurrence? How to evaluate the severity of the consequences? How to quantify risks? Risk = Rate of occurrence X Impact

25 Risk Based Audit of National Afforestation Programme (NAP)

26 NAP - Objective To develop forest resources with people s participation, with focus on improvement in livelihoods of the forest-fringe communities

27 NAP Risk Matrix Significant risks that are less likely to occur Significant risks that threaten Scheme objectives Impact Relatively low risks to be monitored Day to day operational risks Likelihood of occurrence

28 Risks: Operational One size fit all approach Multiplicity of schemes Absence / under-preparation of nursery Planting of fast growing varieties not otherwise suitable to the surrounding eco-system Threats to survival of the plantation Diseases, grazing animals, land slide, poor soil, excess rainfall etc. Over centralization - Lack of involvement of local population Perverse incentive to deforest: For more successful JFMCs where area for plantation is limited, there is a potential threat for the funding to stop!

29 Risks: Financial Inadequate Funding Non-availability of funds at the right time Possibility of leakage Non-maintenance of Assets

30 Risks: Legal Potential changes in the legal environment Chances of conflict between the Forest Department and JFMCs Underground activities Petty offences Sheltering forest offenders, non cooperation with the Forest Department

31 Risks: General Widespread illiteracy hindering people s participation No concerted plan for awareness generation Inadequate support for maintenance and monitoring Non-compliance with the provisions of the Scheme Inadequate support from the Forest Department Lack of involvement of / coordination with other development agencies

32 Audit Conclusions The scheme is doing well, and should be continued with an increased outlay. The forest cover has shown an increase in the first 4 years of its implementation. Other agencies like DRDA, Health, Education etc. should be involved. Development has to be comprehensive to be sustainable.

33 Other Risk Based Audits Scheme for Augmenting Export Promotion of Fisheries Scheme for Shipbuilding Subsidy Swarn Jayanti Shahari Rozgar Yojana (Golden Jubilee Urban Employment Scheme) National Child Labour Project Scheme for Micro Irrigation National Rural Employment Guarantee Programme Growth Centre Scheme

34 Major Challenges IA must have a good understanding of the situation in the organization and the issues facing it IA must be able to assess key business risks IA must contribute to performance improvement IA must be proactive in communication with management Capacity creation and professionalization of Internal Audit function Recruitment and Retention are major concerns

35 Capacity Building - CGA s Strategy Ensure minimum conceptual knowledge at all levels across the department Ensure a critical mass of trained internal auditors in the organization Develop a pool of key resources by giving them professional training and first hand exposure to international best practices. Pilot IA engagements for methodology development

36 Capacity Building - Process A comprehensive 12 month Training Program at INGAF to Certify Internal Audit Professionals who can then execute World Class Internal Audits in the Government Domain Basic Technical Knowledge Audit Process Techniques Interpersonal Leadership Skills Track 3: Soft Skills Track 2: Techno-Soft Skills Track 1: Technical Skills Executive Leadership

37 Thank You Sujata Prasad & Sandeep Saxena