International Perspectives on Internal Control & Audit Systems in the Public Sector

1 International Perspectives on Internal Control & Audit Systems in the Public Sector. Laurent Sauvage, Senior Auditor, AFTFM, The World Bank. Internal Audit Conference, Khartoum, Sudan, February 15-17, 2010

2 Overview
1. Three Lines of Defense against Risk
2. In the Public Sector the Lines are Often Blurred
3. Internal Control and Financial Control
4. What Happens When Internal Audit is Used as a Synonym of Internal Control
5. What is Internal Control?
6. Components of the System of Internal Control
7. What is Internal Auditing?
8. Objectives of External Audit in the Public Sector
9. Three Basic Approaches to Public Sector Audit: Compliance, Financial, and Performance Audits
10. Emerging Trend: Assurance at Entity Level
11. Balancing Performance and Compliance Audit
12. Internal Audit Focuses on Risks and Controls over Key Processes

3 Overview (continued)
13. The Value of Risk-Based Auditing
14. Managing Stakeholders' Expectations
15. Conditions for an Effective Internal Audit
16. Institutional Set-Up for Internal Audit
17. Examples of Good Practices
18. Good Practices between SAI and Internal Audit
19. Internal Auditing in Sudan
20. Technical Assistance on Risk Based Auditing
21. In Conclusion
22. International and National Standards and Frameworks for Internal Control, Internal Audit & External Audit
23. Useful Websites and Blogs

4 Three Lines of Defense against Risks
Internal Control: Management Activity. Inform an Entity's Management and Personnel.
Internal Audit: Internal Governance Activity. Inform Senior Management and Board.
External Audit: External Governance Activity. Inform External Stakeholders.

5 In the Public Sector the Lines are Often Blurred
Internal Control: Financial and Administrative Controls?
Internal Audit: Responsible for Internal Control?
External Audit: Internal Auditor of the Public Sector?

6 Internal Control and Financial Control
In many public sector traditions, control is synonymous with financial control procedures exercised ex-ante by an external authority (e.g. MOF). In narrower terms, internal control is too often confused with the checks performed by an auditor or by the agent who verifies compliance with procedures prior to processing a transaction. In international standards and frameworks, internal control refers to management's responsibility to manage risk and increase the likelihood that established objectives and goals will be achieved. It can be financial, operational or managerial, and is not owned by a single function.

7 What Happens When Internal Audit is Used as a Synonym of Internal Control?
The tendency to confuse internal audit with internal control may result in serious control deficiencies:
Internal audit's independence and objectivity may become impaired if it has primary responsibility for designing, implementing, maintaining and documenting all or any part of the internal control system [except IA itself of course].
The three lines of defense become two.
It is important to keep the two concepts separate in order to: assign responsibilities and maintain management's overall accountability for the IC system; and define clear accountability of the IA function.

8 What is Internal Control?
Internal control is an integral process that is effected by an entity's management and personnel and is designed to address risks and provide reasonable assurance that in the pursuit of the entity's mission, the following general objectives are being achieved:
1. executing orderly, ethical, economical, efficient and effective operations;
2. fulfilling accountability obligations;
3. complying with applicable laws and regulations; and
4. safeguarding resources against loss, misuse and damage.
[Source: INTOSAI, Guidelines for Internal Control Standards, 1992; revised 2001 for alignment with COSO]

9 Components of the System of Internal Control
Monitoring; Information & Communication; Control Activities; Risk Assessment; Control Environment.
[Source: INTOSAI, Guidelines for Internal Control Standards, 1992; revised 2001 for alignment with COSO]

10 Examples of Internal Control Processes
Control Activities: The authorization by the payment authorization officer of a payment order. The daily bank reconciliation of the Treasury Account.
Information and Communication: The communication by MOF of the ceiling for funding for the next quarter, based on the budget authorized by the Parliament and the cash projections.
Risk Assessment: A vulnerability assessment of the IT system.
Control Environment: The reporting to the same authority of the payment authorization officer and the internal control agent. The announcement by the Secretary General of the Ministry that two procurement staff have been fired for unethical behavior.
Monitoring: The verification by the financial comptroller that the commitments at the end of the month are within the authorized ceiling. A statistical sample by the auditor to verify that payment orders issued over the last 12 months were properly authorized by the payment authorization officer.

11 What is Internal Auditing?
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
[Source: IIA, International Professional Practices Framework; also in INTOSAI Guidelines for Internal Control Standards]

12 Objectives of External Audit in the Public Sector
Specific objectives of auditing:
1. proper and effective use of public funds;
2. development of sound financial management;
3. proper execution of administrative activities; and
4. communication of information to public authorities and the general public through the publication of objective reports.
[Source: INTOSAI Lima Declaration of Guidelines on Auditing Precepts 1977]

13 Three Basic Approaches to Public Sector Auditing: Compliance, Financial and Performance Audit
Compliance: Focus on conformance and adherence by activity, program, entity with relevant policies, procedures, laws, regulations, contracts [LEGALITY/REGULARITY]
Financial: Focus on compliance of financial statements prepared for activity, program, entity with generally accepted accounting principles [ACCOUNTABILITY]
Performance: Focus on economy, efficiency, effectiveness of activity, program, entity [PERFORMANCE]
Pre-Audit: Not an audit activity but a type of control activity performed by audit function

14 Emerging Trend: Assurance at Entity Level
Assurance on Governance, Risk Management and Control: To provide an opinion on the overall adequacy and effectiveness of governance, risk management, and control processes of the organization. The audit activity is sufficiently comprehensive and coordinated with other internal control monitoring activities that it can provide reasonable assurance at an entity level that these processes are adequate and functioning as intended to meet the organization's objectives. [COMPREHENSIVE AUDITING]

15 Balancing Performance and Compliance Audit
[Diagram labels: Risks; Legality / Regularity; Performance; Accountability; Stakeholders; Audit Strategy; Government; Legislator; Donors; Civil Society; Capacity; Standards; Coordination]

16 Internal Audit Focuses on Risks and Controls over Key Processes
In order for internal audit to add value in the internal control system, internal audit needs to develop, together with management, a common understanding of the main risks faced by the Ministry. IA should focus its work on areas of higher risk, and provide timely assessments of risk exposure and cost-effective recommendations to stay within accepted risk thresholds. Areas that require constant review by the internal auditors generally include: budget management and expenditure control; procurement management; program/project management and control; payroll management; and management information systems.

17 The Value of Risk-Based Auditing
Risk-based auditing is the approach developed by efficient internal audit systems to target areas of higher risk where audit is likely to produce the main impact. It promotes risk management at both entity-level and at a more granular level (key processes, functions, units, programs) to identify and assess risk, and ensure adequacy of risk responses.
[Figure: risk matrix plotting Probability against Severity, each from Low to High, with regions labelled Routine housekeeping, Pressing concern / key focus, and Major catastrophes]

18 Managing Stakeholders' Expectations
Building internal audit value by:
Having a good understanding of issues facing the organisation: UNDERSTAND THE BUSINESS AT ALL LEVELS
Being proactive in communication with management: TALK LIKE MANAGEMENT
Being able to assess and help manage related business risk: THINK LIKE MANAGEMENT AT ALL LEVELS
Being proactive in meeting senior management's needs: BE A SOLUTION PROVIDER
Working effectively with all units or divisions: MANAGE YOUR RELATIONSHIPS
Contributing to performance improvement: WHAT GETS MEASURED GETS DONE

19 Conditions for an Effective Internal Audit
1. Organizational independence
2. Legal mandate
3. Stakeholder support: political commitment; adequate understanding of role and value by senior management; supportive environment
4. Competent leadership: champion to develop the internal audit function
5. Competent staff: resources and incentives
6. Professional auditing standards, including quality assurance
7. Unrestricted access
8. Sufficiently funded: staffing level, technical support, equipment

20 Institutional Set-Up for Internal Audit System
International experience is silent on the best institutional setup for the internal audit system (centralized, decentralized, hybrid), but emerging good practices point to the need to establish formal quality assurance and coordination arrangements.
Quality assurance of internal audit bodies is vital to help ensure that conditions for an effective internal audit system are met within the Public Sector.
Coordination helps rationalize the offer of service, leverage resources, and identify opportunities for collaboration with functions that have been traditionally associated with internal audit, such as investigation, inspection, evaluation functions and, last but not least, the external audit function.

21 Good Practice: the Central Harmonization Unit of the EU Accession Process
Concept of Public Internal Financial Control (PIFC), EU accession process. PIFC Framework has three pillars:
CHU: generally in MOF, coordinates and harmonizes control and audit methodology; underpins the other two pillars.
Functionally Independent Internal Audit: Auditors in all budget and spending centers [may be centralized or decentralized].
Managerial Accountability (FM and control systems): Managers at all levels are accountable for the activities they carry out.

22 Role of the CHU. Good Practice: the Central Harmonization Unit of the EU Accession Process
The European Commission has recently taken the view that two CHUs should be established: one for Financial Management and Control Systems and one for internal auditing.
The tasks of the CHU for internal audit can be divided into four categories:
Drafting and disseminating secondary legislation [audit manual, code of ethics, charter, status of auditors, audit standards]
Quality assurance, follow-up of observations and recommendations
Arbitration in case of conflict
Developing and delivering training to public sector auditors
The tasks of the CHU for Internal Financial Control can also be divided into four similar categories:
Guidance and standard (audit trail, internal control manuals, mandatory controls)
Quality assurance, review of tertiary rules (guidelines or guidance)
Arbitration
Training of internal control coordinators or specialists in line institutions

23 Good Practice: the Comptroller General in Canada. Role of the CG
The comptroller general (distinct from the General Auditor (SAI)) has the following key responsibilities:
Provide effective functional leadership of IA across government;
Develop and support effective human resources strategies and plans;
Determine the professional standards to be used for internal auditing;
Develop and support the implementation of effective internal auditing methodologies and procedures;
Ensure ongoing practice inspections and assessments of the departmental internal audit activities;
Identify horizontal risks as well as audits to be included in departmental internal audit plans as part of government-wide coverage;
Undertake or lead horizontal audits that address government-wide, sectoral or thematic risks or issues in accordance with government-wide audit plans; and
Support departments in undertaking internal audits of information management and technology as well as audits that are conducted in a fact-finding or forensic mode.

24 Other Good Practices: the Autorité Supérieure du Contrôle d'Etat in Burkina Faso. Role of the ASCE
The ASCE is emerging as a good practice model for internal oversight bodies within Francophone African countries. The ASCE was created in late 2007 as a result of the merger of the former Inspection Generale de l'Etat and the Anti-Corruption Commission. The ASCE:
assumes a coordinating role vis-a-vis other public sector internal oversight bodies (Inspection Generale des Finances, Sector Inspectorates), particularly when it comes to reviewing and analyzing their audit reports for systemic trends and adequate follow-up of audit findings and recommendations;
ensures that the respective roles and responsibilities of internal and external oversight bodies are clearly understood and respected, and fosters the conditions for good coordination with the Court of Accounts.

25 Good Practices between SAI and Internal Audit Systems
To ensure adequate coverage and minimize duplication of effort, SAI and internal audit systems should consider:
Access to each other's audit plans and programs.
Periodic meetings to discuss matters of mutual interest.
Exchange of audit reports.
Sharing of audit techniques and methods.
Sharing of training and exchange of staff.
External audit review of internal audit work to determine extent to which it can be relied upon.
External audit review of actions or lack of action by management on IA recommendations.

26 Internal Auditing in Sudan
Major PFM initiatives provide solid foundations to improve IA:
Federal Government: Amendment in 2007 of Financial and Accounting Act of 1995; Internal Audit Law; Significant strengthening of Internal Audit Directorate; Pilot Initiatives on performance auditing.
Many challenges still remain:
Coverage by Internal Audit of the entire Public Sector.
Coordination: Federal, State, Local levels.
Capacity to conform with international standard for the professional practice of internal audit.
Comprehensive assessment of risks.
Common understanding of the Internal Control framework.
IA is too often traditional pre-audit and routine reviews of documents and transactions for accuracy and compliance - instead of focusing on performance and whether the objective of government entities has been achieved.
Need for advanced training in performance and risk-based auditing.

27 Capacity Building for Internal Audit
Recognizing these challenges, the Government has successfully applied to participate in a World Bank-sponsored technical assistance program to introduce risk-based auditing in pilot Ministries under the leadership of the Internal Audit Directorate.
The World Bank is supporting improvement in internal audit in Africa. One of the most successful examples is in Kenya, where risk-based auditing has been introduced, and risk management practices are explicitly required in each Public Sector entity.

28 Key Components of the Envisioned Technical Assistance Program on Risk Based Auditing
[Timeline, before September 2010. Phases: HLF; Risk Based Audit Workshop; Conduct Audit Engagement; Roll Out Decision]
1 day: High Level Forum
2 to 3 days: Key Concepts [25-30 participants]
5 days: Risk Based Audit Plan for Participant Ministries
2 days: 1 Audit Engagement Plan per Participant Ministry
1 day: Presentation of Plans to Senior Management and Workshop Participants
immediately after workshop: Conduct of Risk Based Audit Engagements in Participant Ministries
immediately after audits in selected sectors: Lessons Learned; Mainstreaming; Training of Trainers

29 High Level Forum [1 day]
Explicit support from Government.
Organized by the IA Directorate with support from WBG.
Attended by representative of MoFNE, Head of IA Directorate, representatives of the SAI, Senior Managers from the ministries, senior staff of the IA Directorate, WBG representatives, AFIIA (observer), donor community.
Objective is to deepen the knowledge on risk-based audit and identify expected benefits.
Prior to Forum: IA Directorate to initiate preparation of a risk profiling of their audit portfolio.
Prior to Forum: IA Directorate to identify list of participants for a two-week workshop, and key staff from the selected line Ministries who will be interviewed for risk assessment. Participants should be able to cover key components of audit universe and may be assessed as potential future trainers.

30 Risk Based Audit Workshop: Key Concepts [2 to 3 Days]
Role of the audit function.
Fundamentals of risk management.
Understanding the business, its processes and identifying auditable activities.
Entity-level risk mapping: identification, assessment and response.
Fraud risk specificities.
Developing risk responsive entity-wide audit plans.
Audit engagement plan: objectives, scope, approach, risk matrices.
Process level risk and control mapping.
Testing design effectiveness and operating effectiveness of controls.
Evaluation of audit results, risk-based audit reporting.
Follow-up process.

31 Risk Based Audit Workshop: Audit Plan of the Ministry [5 Days]
Workshop participants in their respective ministries:
Identify and catalogue auditable entities
Identify and weigh appropriate risk factors
Gather information from appropriate sources
Complete the risk assessment
Employ information to allocate audit resources
Prepare audit plan
Communicate with Senior Management
Have audit plan approved by Governing Body

32 Risk Based Audit Workshop: Audit Engagement Plan [2 Days]
Workshop participants work in their respective ministries on one pilot audit engagement:
[Figure: cycle of steps: 1 Understand Processes and Objectives; 2 Identify Risks; Measure Potential Impact(s); 4 Evaluate Controls and Estimate Probability; 5 Evaluate and Prioritize Risks; 6 Develop Audit Objectives & Program]

33 In Conclusion
Clearly there is leadership and commitment for improving internal audit in Sudan. This conference and the participation of the Government in the pilot program to introduce risk-based auditing are a testimony to this leadership and commitment. The World Bank is ready to assist.

34 International and National Frameworks & Standards for Internal Control & Internal Audit
Frameworks & Standards, with Focus:
Internal Control System
Internal Control-Integrated Framework, Committee of Sponsoring Organizations of Treadway Commission (COSO). Focus: Private sector, US/Global.
INTOSAI Guidelines for Internal Control Standards for the Public Sector 2004; INTOSAI Internal Control: Providing a Foundation for Accountability in Government. Focus: Public sector, Global.
Internal Audit System
International Professional Practices Framework, IIA. Focus: Private/public, Global.
Government internal audit standards, April 2009, UK Treasury [one of the first public sector IA standards adapted to new IPPF]. Focus: Public Sector, National (UK).

35 International and National Frameworks & Standards: External Audit
Frameworks & Standards, with Focus:
External Audit System
International Standards of Auditing (ISAs) issued by International Auditing and Assurance Standards Board (IAASB) or the International Federation of Accountants (IFAC) [basis for ISSAIs Level 4]. Focus: Private sector, Global.
International Standards of SAI (ISSAI): Level 1 - Founding Principles, Level 2 - Prerequisites, Level 3 - Fundamental Auditing Principles, Level 4 - Auditing Guidelines. Focus: Public sector, Global.

36 Useful Websites & Blogs
IIA Institute of Internal Auditors.
INTOSAI International Organisation of Supreme Audit Institutions.
IFAC International Federation of Accountants.
COSO Committee of the Sponsoring Organizations of the Treadway Commission.
IMA Institute of Management Accountants.
Association of Certified Fraud Examiners.
CIPFA Chartered Institute of Public Finance and Accounting.
ODI Overseas Development Institute.

37 Useful Websites & Blogs (continued)
AFROSAI.
SADCOSAI Southern African Development Community Organisation of Supreme Audit Institutions.
Assembly of English Speaking Supreme Audit Institutions in Africa.
ECSAFA Eastern Central and Southern African Federation of Accountants.
IMF Public Financial Management blog.
World Bank.

38 Questions?