Internal Controls and External Oversight

Transcription

1 Internal Controls and External Oversight Indian Institute of Public Administration New Dehli,, November 16, 2005 Presenter: Ivor Beazley, World Bank

2 Objectives today Understand the objectives and value added of internal controls and internal audit Look at concepts of risk management in the public sector and the role of IA Examine relationship with external audit and oversight Think about the critical factors for ensuring IA can be effective Assess current IA practices in the public sector in India Look at changing contexts and way ahead Identify resources for policies and best practices

3 Any thing else?

4 Handout material INTOSAI Internal Control Standards UK Government Internal Audit Good Practice Guide Canada Government Internal Audit Policy IIA Code of Ethics Canadian Gov t,, risk management framework

5 Organizations increasingly concerned about: Risk Management Governance Control Assurance

6 Risk management - definiton: risk management is a process.designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Source: COSO Enterprise Risk Management Integrated Framework COSO.

7 COSO Entity Risk Management Framework Oct

8 The ERM Framework Entity objectives can be viewed in the context of four categories: Strategic Operations Reporting Compliance

9 The ERM Framework ERM considers activities at all levels of the organization: Enterprise-level Division or subsidiary Business unit processes

10 Risk Response Identifies and evaluates possible responses to risk. Evaluates options in relation to entity s risk tolerance, cost vs. benefit of risk responses, and degree to which a response will reduce impact and/or likelihood. Selects and executes response based on evaluation of the portfolio of risks and responses.

11 Risk management Model

12 Control Activities Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. Occur throughout the organization, at all levels and in all functions. Include application and general information technology controls.

13 Internal Control A strong system of internal control is essential to effective enterprise risk management.

14 Definition of Internal Control A process within an organization to provide reasonable assurance regarding the following primary objectives: Definition of Internal Control: Definition of Internal Control: Internal control is a management tool the Internal organization, control policies is a management and procedures tool used the to help ensure organization, that government policies and programs procedures achieve used their to help intended ensure that results; government that the resources programs achieve used to their deliver these intended programs results; are that consistent the resources with the used stated to deliver aims and these objectives programs of are the consistent organizations with concerned; the stated that aims programs and objectives are protected of the organizations from waste, fraud concerned; and that mismanagement; programs are protected and that from reliable waste, and fraud timely and information mismanagement; is obtained, and that maintained, reliable and reported timely and used information for decision is obtained, making. maintained, reported and used for decision making. -- INTOSAI, Guidelines for Internal Control, June INTOSAI, Guidelines for Internal Control, June 1992 The The reliability reliability and and integrity integrity of of information information Compliance Compliance with with policies, policies, plans, plans, procedures, procedures, laws laws and and regulations regulations The The safeguarding safeguarding of of assets assets The The economical economical and and efficient efficient use use of of resources resources The The accomplishment accomplishment of of established established objectives objectives and and goals goals of of operations operations and and programs programs Source: The Institute of Internal Source: The Institute of Internal Auditors Auditors

15 Key Concepts of Internal Control Internal control is a process process affected affected by by people. people. It s It s not not merely merely policy policy manuals manuals and and procedures, but but people people at at every every level level of of the the organization can can be be expected expected to to provide provide only only reasonable assurance, not not absolute absolute assurance assurance to to an an entities entities management & stakeholders geared geared to to the the achievement of of objectives objectives Source: Committee of Sponsoring Source: Committee of Sponsoring Organizations of the Treadway Organizations of the Treadway Commission (COSO) Commission (COSO)

16 Control Procedures Procedures Clear instructions to staff and appropriate training on the objectives, policies and code of conduct of the ministry or agency An unambiguous definition of the responsibilities of staff Clear separation of function and duties between staff members in handling financial transactions or resources issues, e.g., contracts Development of an open culture to encourage staff at all levels to draw attention to non-compliance and irregularity Requirements that staff at all levels are aware of and apply all relevant instructions Support from effective internal audit procedures

17 Categories of Internal Control Physical: Physical: e.g., e.g., security security procedures procedures intended intended to to control control access access to to documents documents and and records records Procurement Procurement Controls: Controls: e.g., e.g., rules rules for for advertising advertising and and tendering tendering major major contracts contracts Accounting Accounting Controls: Controls: e.g., e.g., requirement requirement for for all all cash cash receipts receipts to to be be deposited deposited daily daily in in a a bank, bank, internal internal procedures procedures to to detect detect and and report report anomalies anomalies Separation Separation of of Duties: Duties: Both Both a a control control measure measure and and an an indispensable indispensable element element of of many many control control systems systems at at least least two two officials officials should should be be involved involved in in any any transaction transaction to to avoid avoid risk risk of of improper improper actions actions Process Process Controls: Controls: e.g., e.g., issuance issuance of of a a purchase purchase order order or or the the approval approval of of a a sizeable sizeable contract contract may may require require documentation documentation from from the the requesting requesting official, official, review review by by a a purchasing purchasing clerk, clerk, and and approval approval by by a a supervisor supervisor Management Management of of Financial Financial & Other Other Records: Records: Essential Essential to to establish establish audit audit trail trail

18 Limitations of Internal Control No No system system of of internal internal control control can can provide provide an an absolute absolute guarantee guarantee against against the the risk risk of of wronging wronging or or error. error. The The proper proper goal goal of of internal internal control control is is to to provide provide reasonable assurance that that improprieties will will not not occur, occur, or or if if they they do do occur, occur, they they will will be be revealed, revealed, reported reported and and appropriate action action taken. taken. Collusion Wrongdoing by top managers Poor response to reported anomalies Poor implementation Design flaws

19 Internal Audit - Definition Internal auditing is an independent appraisal function established within an organization to examine and evaluate it s activities as a service to the organization. The objective of internal auditing is to assist members of the organization in effective discharge of their responsibilities. To this end, internal auditing furnishes them with analyses, appraisals, recommendations,, counsel, and information, concerning the activities reviewed.

20 IA s s role in risk management IA plays play an important role in monitoring risk management, but do NOT have primary responsibility for its implementation or maintenance. Assist management and the board or audit committee in the process by: - Monitoring - Examining - Evaluating - Reporting - Recommending improvements

21 What does the Internal Auditor Look For? Systems & Procedures How well do the systems and procedures of internal control function? Resource use Are the systems and procedures in place to ensure that resources are used in accordance with the relevant rules and regulations? Objectives Achievement Have programs and actions achieved their intended objectives? Procurement In the procurement field, has there been adequate publicity for calls to tender, are there satisfactory procedures for receiving and evaluating tenders, is the justification for contract awards in accordance with national requirements?

22 Critical factors in determining the effectiveness of IA Access to and support of top management Clear and broad mandate Competence and integrity of staff Application of standards in the actual work Control environment

23 Internal Audit Different Institutional Models Many countries of the Court of Accounts tradition have a central (independent) internal control agency located within the Ministry of Finance In some cases these have an extensive pre-audit role Generally wide powers of inspection and review, and in many cases a prosecutorial role In the Auditor-General tradition, internal audit is usually reflected in internal audit units of individual ministries or agencies, reporting directly to top management Such internal audit units may also exist in the Court of Accounts tradition Other variations US Inspector General of each agency reports to agency management and to the Congress The external auditor (SAI) may use the work of the internal auditor

24 Independence of the Internal Auditor Not equivalent to the independence of the Auditor General. The internal auditor is is responsible to the head of a ministry or agency and is is part of the staff of that organization. Internal auditors are independent when they carry out their work freely and objectively. Independence permits internal auditors to render their impartial and unbiased judgments essential to the proper conducts of audits. It It is is achieved through organizational status and objectivity. Status and weight of internal auditor can be enhanced by having an audit committee chaired by the head of the ministry or agency. The internal auditor should not be involved in in the internal control process which he is is required to assess and judge. Source: The Institute of Internal Source: The Institute of Internal Auditors Auditors

25 Support of top management The environment in which IA operates is largely determined by the attitudes of the people in charge. Resources. Decisions about resourcing of IA, and action taken in response to IA reports send important signals to staff about the management attitude to governance. Access to all relevant documents

26 Approach and mandate Internal Audit Approach Different levels Value for money Financial Compliance Program System Transaction

27 Competence and Integrity Achieved by effective HR policies. Professional qualifications and experience Ethics and standards Independent evaluation of IA

28 Internal audit selling points: As a tool for managing risks, reviewing the design and operation of control systems critical to the organisation s success Alerting managers to problems and systemic weaknesses which will have an adverse impact on performance Promoting a culture of probity and compliance supporting corporate governance Providing constructive advice on how to improvement control systems mitigate risk.

29 Internal auditors can demonstrate value for money: Implementing a risk-based approach to planning and executing the internal audit process. Challenging the basis of management s s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies. Identifying potential savings and efficiency gains.

30 Relationship to external audit External audit is founded on the principle of independence from the executive. Report to: Shareholders in the private sector Parliament and the public in the public sector Internal audit reports to management

31 Reliance on internal audit Trend towards external auditors making use of internal audit findings, \ May have co-ordinated ordinated approach where ext. auditor is satisfied that IA is compliant with generally accepted auditing standards

32 Issues in IA in India Modern IA approaches rapidly adopted by private sector Public sector far behind How to develop an effective model for the public sector?

33 ACCOUNTING FOR PUBLIC EXPENDITURE SWARNAJAYANTI GRAM SWAROZGAR YOJANA (RURAL SELF EMPLOYMENT PROGRAMME FOR POVERTY ALLEVIATION) Expenditure reported by by the State Government Rs crores Expenditure test checked Rs crore (41.53 per cent) Expenditure on programme Rs crore (37.8%) Amount diverted/ unused/advanced etc. Rs crore (62.2%) Deposits into PLA/PD/Bank/ Rs crore (31.9%) Amount lying unutilized Rs crore (21.0%) Advances treated as final expenditure Rs crore (20.1%) Misuse of funds/diversion to other activities not related to the programme Rs crore (9.9%) Expenditure on works not permissible Rs crore (3.4%) Other irregularities Rs crore (13.7%) 38 % OF FUNDS WERE SPENT WITHOUT ANY IRREGULARITY Source: CAG Report

34 PERFORMANCE INFORMATION Income Tax: 72,000 persons >Rs10 Lakhs while 1 in 18 Households in Delhi reported income of Rs.. 10 Lakhs. How much parked in PD Accounts? Heavily Qualified Audit opinions in almost every Power Sector Company % T& D Losses PIL Filed in the Supreme Court: 1.75 Lakh crore Excess needed Regularization- $ 40 Billion Cost and time overruns poor management and corruption reported by CAG TI India 9 th from bottom in the international league table for corruption.

35 SFAA Findings Well developed internal control framework, although restrictive and in need of modernisation Big compliance gap and lack of follow up or effective enforcement No IA standards adopted, manuals IA work almost entirely transactions based, no element of systems audit or performance review Audit programming weak and not linked to risk IA has low status within Government Seen as a tool for harassment rather than improvement

36 IMF Concerns about the IA Standards Concepts based on managerialism and decentralized PFM PEM system restricts scope for internality Governance problems restrict independence Serious skills and training shortages Low pay and corrupt earnings Jack Diamond Oct 2002 IMF FAD The Role of Internal Audit in Government FM: An International Perspective

37 Incentive Issues Why does internal audit thrive in the private sector but not in the public sector? Success measured in terms of money spent, rather then outcomes Out of date internal controls are seen as a hindrance to delivering results, so government has connived at bypassing them There is little effective sanction against officers who break the rules, even when identified Will junior officers criticise senior officers in the Indian administration?

38 GOI IS MOVING FORWARD Planning and Budgeting towards a medium term outlook and output based budgeting FIA is coming into force General Financial rules are being updated Accounting Standards are being developed for the public sector External Audit Guidelines are being revisited Disclosure Practices are being modernized Transactions recording is being computerized (IT) Web sites are being introduced and e-governance e introduced into areas such as procurement

39 External Audit CAG modernising approach in response to international trends and changes at home Performance auditing introduced, planning to expand this to 50 % of audit work Bringing in other technical specialists to help Computer audit techniques Moving from regulatory to attest audit Developing public sector accounting standards Helping to simplify control frameworks for local governments Internal audit needs to catch up

40 Public Accounts Committees These committees play a vital role in ensuring compliance with internal controls Key principles which ensure their effectiveness are: Timely reporting by the CAG Powers to summon the most senior officials Independence from the executive (opposition party chair) Open hearings Adequate resources to do research Experienced committee members with long tenure

41 Civil Society involvement Conventional principles of internal control break down at level of PRI Not cost effective to maintain classical controls or do conventional audit WB experience shows that alternative models of social audit can be highly effective Transparency is key (Uganda Education)

42 Way forward on Internal Audit Enlarge the mandate of internal audit to look at systems and program effectiveness Adopt international IA standards Promote IA s s role as a management tool Make it inter-disciplinary Consider outsourcing in the short term to kick start the process and raise skill levels Set up audit advisory committees in ministries and departments

43 Resources: Professional Standards 1 INTOSAI Guidelines for Internal Control Standards 2 Standards for the Professional Practice of Internal Auditing See: INTOSAI at See: INTOSAI at and IIA at and IIA at

44 Should governments follow the internal audit standards of the IIA or guidance from INTOSAI? Canada example The Institute of Internal Auditors maintains and continually updates Standards for the Professional Practice of Internal Auditing.. These standards are recognised internationally as containing sound guidance for internal auditors. Internal auditors in the Canadian Government are to utilise these standards in carrying out their internal auditing responsibilities

45 What does The IIA offer? Networking Certifications Guidance Training Benchmarking Research/Publications Professionalism Internet

46 Final messages Internal controls are a vital tool for governments to ensure that t they can meet policy objectives within the resources at their disposal As government moves towards away from measuring success in terms of money spent and towards accountability for results public sector managers are more likely to appreciate the value of IA as a management tool Best practice now views audit as being forward looking and having g a decision support role which is linked to the processes, techniques es and tools employed by an organization to achieve its strategic objectives. the success of an internal audit function into the future will depend d importantly on the extent to which it is effectively resourced and a integrated into the wider governance framework. Equally a sound control environment is an integral part of a robust corporate governance framework