Questioning the Impact of IA in the Public Sector

Transcription

1 Conference on "Public Internal Control systems in the EU Member States" Brussels, 27/28 February 2012 DG Budget Durieux Room, Charlemagne Building Rue de la Loi 170, CD 09: Discussion Paper on Internal Audit Questioning the Impact of IA in the Public Sector Nicolas Chapon 1 Introduction Internal control and internal audit (IA), as we understand it today, initially emerged in the private sector 2 as a response to the need for an acceptable quality of financial reporting. These two concepts have spread across the public sector in recent decades and have come to be known as public internal control (PIC). IA, as a major part of PIC, is now considered to be an element of good practice in public management. However, IA is not an unambiguous concept: the contributions of EU Member States to the Compendium of Public Internal Control Systems in EU Member States (hereafter "Compendium") show that the overall concept of IA is understood in many different ways. The various interpretations of IA were provided by experts in the PIC sector of the Member States, and it is possible that the understanding of IA would have been even more varied and vague if managers had also been asked to give their interpretation of the IA concept. While most EU Member States assert that they have IA in place, at least at the central government level, it could nevertheless be assumed that the goals of IA have not been perfectly achieved, given the situation of many public structures in Europe. The Compendium describes IA in the different countries mainly with regard to its design and functioning, but it provides little information about its impact, its status and the influence that it has in the different systems. Given the reported increasing number of internal auditors over the 1 The author is chief audit executive in the direction general of the French Ministry of Defense. This paper was produced by the SIGMA programme (SIGMA is a joint initiative of the EU and the OECD, principally financed by the EU) 2 More accurately, IA emerged in public-interest companies due to the need for transparency in their financial reporting to shareholders. Page 1 of 8

2 last decade, those responsible for IA are legitimately accountable to public stakeholders for its effectiveness. But can we claim that IA is up to the expectations it has evoked? Based on experience, the effectiveness of IA in the public sector is lower than one might expect. Management does not use IA when making crucial decisions. Management also does not necessarily implement recommendations in a satisfactory way. We can thus consider that management does not exploit the full potential of IA. All in all, it seems that IA does not have the impact that it is expected to have. The question is: why is this happens to be the case? This discussion paper deals with some issues that can, if poorly controlled, weaken the synergy between management and IA: the fundamental ambiguity about who IA reports to; possible reasons for the weak impact of IA on the decision-making process; the question of whether IA has the right focus and quality and, finally, the question of whether there is a silver bullet 3 to fix all problems. 1. Who does IA work for? Synergy between the management and IA A crucial challenge for IA is to maintain optimal but independent relations with public managers. These relationships are asymmetric, however, for several reasons: The internal auditor does not and should not assume managerial responsibilities; From the managers' point of view, IA is only one of a multiple set of governance or managerial techniques; IA needs to foster relations with managers, but managers can ignore or overrule the recommendations of IA. IA standards, charters and audit committees can restore the symmetry by setting up procedures or meetings where both the management and IA can exchange their views, keeping in mind that the overriding purpose of IA remains the adequate and objective assessment of the quality of the internal control system. Let us therefore define the clients of IA. Who are the clients of IA? IA in the public sector suffers from the same ambiguities as in the private sector: in order to cover a wide variety of governance systems, IA standards provide basic principles and flexible implementation. However, one of the most critical issues for IA in the public sector is not defined in clear, unequivocal terms: who are the clients of IA? IA standards specify that the chief audit executive should report to the highest level of authority in the organisation (more accurately, to a level that is high enough to fulfil his/her responsibilities ). 3 The term has been adopted as a general metaphor, where the "silver bullet" refers to any straightforward solution that is perceived to be extremely effective. Page 2 of 8

3 What does that mean in the context of the public sector and in terms of the various services that IA is supposed to provide? The situation is rather clear with regard to IA consulting activities. The client can then be any executive director, and the scope of the mission is defined on a case-by-case basis in the consulting engagement. For assurance activities, the situation is not so simple. The country contributions in the Compendium show that for some EU Member States it is the top administrative authority, such as the general secretary of a department or the general director of an agency, who is considered to be this highest level of authority in the organisation. In other countries, this authority is basically a political one, e.g. a minister. Besides these authorities, there are other stakeholders, and the situation is more complex in the public sector than in the private one. In the latter, stakeholders are shareholders, and a supervisory board or its audit committee monitors the performance and effectiveness of internal control. In the public sector, these other stakeholders can be voters, who are represented in elected bodies. Considering that these bodies can act in the same way as supervisory boards to control the administration, this situation could lead to confusion in defining the stakeholders. The definition of the internal auditor s clients in the public sector depends very much on the understanding in a given country of who actually is the highest level of authority in an administrative organisation. However, it is not always clear whether this level is the decisionmaking level. To have an impact IA should at least have the possibility of reporting to the decisionmaker. However, even when IA reports to the decision-maker, he/she does not always follow up the recommendations of the institution s internal auditors. In that case, IA still does not achieve the desirable impact. One reason for this failure may be that the work of internal auditors is not sufficiently linked to the decision-making process. 2. Is IA linked to the decision-making processes? The contributions of IA to improving PIC systems in the public sector are often not taken into account or are partially disregarded when decisions are taken. IA advice is simply not demanded in decision-making processes. In such cases, internal auditors generally blame the management and its lack of understanding of IA and its potential. But what is the contribution of IA itself to overcoming the management s perception of the position and value of IA? In many EU Member States, governance principles, laws and regulations date back further than the emergence of IA. In some cases, Member States consider that their existing control systems, such as general inspection or general comptroller (of a department) services, could be seen as prototypes of IA. It is then supposed that these prototypes would need to be adapted in order to comply with modern governance requirements. In that event, the challenge, for both the management and internal auditors, is to identify the gaps of the previously established control system that are addressed by the newly implemented concept of IA. If this issue is not correctly Page 3 of 8

4 managed, the nature of internal audit risks becoming a weakened version of the internationally defined internal audit concept. There is a cultural/linguistic component to this phenomenon, as in quite a number of countries the word "audit" is alien. In the search for translations of this word, traditional concepts like "inspection", "revision" or "έλεγχος 4 " are used, which give the wrong impression that such terms (used for control and/or inspection) can be equated with audit. In other cases, especially in agencies or local governments, the understanding of the IA concept is very recent, as no such structure on which IA could be built was previously in place. As a result, IA is often an addition to the previously established decision-making process, sometimes remaining alongside this process, but not located at the core of governance. In such cases IA needs to invest in demonstrating how it can add value if correctly used and considered by the management. The recommendations delivered by IA are not always welcome from a managerial point of view. Especially in governance systems where IA is a rather new concept, the IA recommendations are often considered to be challenging the management s authority or legitimacy, which can lead to some reluctance to implement these recommendations. Furthermore, the management sometimes has the view that internal auditors are responsible for the implementation of their audit recommendations. This is a serious misunderstanding and not in line with international standards. It is also a serious breach of the concept of managerial accountability. The management is to be held accountable for the implementation or nonimplementation of audit recommendations and for the way in which they are implemented, if that is the case. Making the internal auditor responsible for the implementation constitutes a serious conflict of interest and infringes on the independence and objectivity of the internal auditor. Such an accountability arrangement would also lead to weakened and compromised recommendations, whereas the really challenging recommendations would be marginalised or put aside. However, perhaps IA actually does not focus on the right issues, i.e. the ones that would convince the management that its more intensive use would strengthen decision-making processes for the benefit of the institution? 3. Does IA in the public sector have the right focus and the right quality? IA is expected to monitor the organisation's risk management and especially its internal control system. The debt and euro crises, which threaten quite a number of EU Member States and the EU itself, show, amongst other things, that those highly important systemic risks have not been correctly addressed in recent decades. One might ask: where were the internal auditors? To what extent can IA be held accountable for the failure to detect systemic risks? Also, if IA is addressing the relevant issues from a risk analysis point of view, the next question will concern the capacity to also ensure the appropriate human resources and IA procedures so as to enable the formulation of recommendations that really add value. 4 The Greek word "έλεγχος" (elenchos) signifies control, inspection as well as audit. Page 4 of 8

5 IA and the prevention of systemic risks Even in countries where IA is well established in the public sector, when seen from a holistic point of view, the internal control system has failed to detect and manage the systemic risks related to the sovereign debt crisis. This issue is a matter of concern for the IA services of ministries and for supreme audit institutions. Regional and local governments as well as agencies are also deeply involved and exposed because of their financial autonomy and ability to issue financial securities. Ensuring high quality levels of audit activities Where public organisations constitute two-digit percentages of GDP and cover a wide span of activities 5, the complexity of their organisation and their interdependencies present a number of challenges for the internal auditor. He/she must be able to detect the regional or local dysfunction without losing sight of the global structure. This is one of the reasons why internal auditors are expected to be high-profile experts in public affairs. Furthermore, the structures in which internal auditors work should have a high degree of standardisation and be managed well, so that they enjoy optimal conditions that guarantee their independence and objectivity. The individual skills of auditors are a crucial issue for the head of an IA structure. IA needs people who are able to handle very complex matters and yet formulate their findings in simple and implementable ways in order to establish a constructive dialogue with the management. The chief audit executive has to balance the composition of staff resources between specialisation and versatility, between technical skills and managerial skills. A good mix would necessitate hiring either auditors with different profiles or auditors who have all of the required skills. However, there are other concerns. The existence of a common management culture may cause internal auditors to adopt the same point of view as the management, in spite of the applicable standards. Temporarily hired auditors can be subject to conflicts of interest as a result of previously performed engagements. Although the standards and practices are usually clear about previous engagements, they are not so clear about the future of internal auditors when they leave the IA activity for which they were hired. There are still cases where IA reports to the correct level of authority and is clearly linked to the decision-making context, thereby ensuring a high level of professionalism and of attention to systemic risks, but the management simply does not take IA seriously and as a result the IA impact is low. Does a silver bullet exist to ensure that management takes IA recommendations on board and that IA has the desired effect? 4. Audit committees: a silver bullet for IA? In addition to a high enough status and direct access to the Board, the Audit Committee (AC) in the private sector is often seen as the appropriate means for ensuring IA independence. A few countries report that they have established audit committees in the public sector, but in a majority 5 From sovereign to social or economic activities, for instance Page 5 of 8

6 of Member States this is not the case. Discussions are ongoing, however, as to whether ACs can help to resolve many of the above-mentioned problems. The role, position and optimal composition of audit committees Audit committees (ACs) have various roles: monitoring of the commitment plan, approval of any decision to appoint or dismiss the head of IA, questioning in accordance with the conditions of IA independence, and monitoring of the financial reporting process. All of these roles aim to enhance the reliability of IA by placing it within the scope of an authority having a legitimacy that is not derived from the top management of the organisation. Therefore, the composition of this body is a crucial issue. If the principles that have inspired the composition of ACs in the private sector are valid, their implementation in the public sector must reflect the very broad spectrum of public organisations. For many public organisations, the governance systems are very similar to those of private companies. This is the case, for instance, in public sector agencies where the management is under the control of a supervisory board representing all the public authorities interested in the activity of the agency. Within this context, a classic composition of the AC is possible: a large enough panel (about 10 persons) comprised of independent administrators and experts from different fields of relevance for the entity (ministry, agency, etc.) but external to the entity and chaired by a person who is not the chairman of the board. When public organisations are more directly under the control of political authorities or elected bodies, the situation is far more complex. In that case, the seniority of political governance plays a role: political institutions were established a long time before the PIC concept emerged. Implementing PIC based on good practices needs to modify the balances between the elected bodies, the central or local governments (political level), and the management (executive level). If the AC is derived from the elected body, the question of separation of powers arises between the lawmaker and the government. In that event the political level controls the executive level of administration, which would then lead to a situation where it could be very difficult to find enough experts to fill the committees in view of the political considerations that have to be balanced. To ensure IA independence, are there alternatives to audit committees? To ensure the independence of IA in the private sector, the need for an AC is often considered as obvious. The reason for this is probably that the most significant companies 6 have to comply with laws and regulations either taken from or inspired by the principles of the Sarbanes Oxley Act (SOA) 7. Among other requirements of governance, the establishment of ACs is imperative in this context. 6 Typically, public-interest entities, such as publicly-traded companies, credit institutions, or insurance activities 7 This United States federal law, enacted on July 30, 2002, is commonly referred to as the Sarbanes-Oxley Act, but is officially known as the 'Public Company Accounting Reform and Investor Protection Act' (in the Senate) and the 'Corporate and Auditing Accountability and Responsibility Act' (in the House of Representatives). Page 6 of 8

7 The contributions to the Compendium show that these SOA-inspired regulations do not apply in the public sector. In many EU Member States, IA is only bound or induced to apply internationally accepted standards 8. However, these standards are quite weak on this issue: the establishment of ACs are merely a possibility, not an obligation. The standards only require that the chief audit executive testify once a year to the board that his/her service is independent. Thus we should raise the question as to whether an AC, which fails to be a mandatory requirement, is the only good practice to ensure the independence of IA in the public sector. Are there other ways of achieving this goal, if we define independence as the freedom from conditions that threaten the ability of the IA activity to carry out IA responsibilities in an unbiased manner? Whether or not organisational independence is yet in place, some countries rely, for their PIC system, on strong statutes for internal auditors. Like other public professions 9 that enjoy strong personal guarantees to ensure that they are free from any pressure, some internal auditors also enjoy a personal/professional status that ensures an honourable career and cannot be challenged by another authority. This is the case, for instance, in Napoleonic administration systems, where the "internal audit" of a ministerial department has been held by two century-old general inspections. In France, for instance, the regulation that established a general inspection complies with nearly all of the standards of IA. The main issue is rather cultural: how can inspectors be turned into auditors? However, this general inspection model is not the only way of mitigating the lack of ACs with regard to IA independence. Auditors can be directly protected by IA laws and civil service laws, which regulate their rights and obligations, and, for example, by the involvement of the supreme audit Institution in appointment and dismissal procedures involving the head of an IA unit (Netherlands) 5. Conclusions Most EU Member States, in their contributions to the Compendium, provided a summary description of the PIC systems, including internal audit that have been set up. However, it is questionable whether IA is actually as effective as expected, as there are some structural or conjuncture issues which, if not correctly addressed, can weaken the impact of IA in public structures: 1. First of all, due to the very wide span of public organisations, the clients for whom IA works and to whom it reports are not as obvious as asserted. It can be the higher administrative level of the organisation, a political authority or an elected body, keeping in 8 For instance, the International Standards for the Professional Practice of Internal Auditing (SPPIA, or the standards ), issued by the Institute of Internal Auditors (IIA). 9 For instance, judges are protected by the Constitution as part of the independent judiciary. At a lower level, some civil servants in general inspections have strong protection that is established by laws and regulations. Page 7 of 8

8 mind that the efforts of internal auditors are due to the citizen, the taxpayer or the user. A lack of clarity concerning this topic may lead to the structural malfunctioning of IA. 2. Secondly, the connection of IA to the actual decision-making process of the organisation may be undermined, either because the governance system ignores the value that IA can bring or because of the cultural gap that sometime exists between managers and internal auditors. 3. Thirdly, the tuning of the focus of IA is probably more difficult in public structures than in private companies. The success of a public policy cannot be reduced to the publication of a net income. Public IA should therefore be very proactive in demonstrating the value that it adds and should ensure that it maintains the internal quality process to sustain its effectiveness. 4. There is also the crucial issue of the independence of IA. Audit committees are usually considered as the best means of ensuring IA independence. However, there are some public structures or governance systems where the establishment of ACs may be very sensitive. In addition, some Member States rely on other mechanisms, such as giving to internal auditors a strong personal status so as to grant them independence. Page 8 of 8