October 2011 Online Exclusive

Ensuring Public Sector Integrity and Accountability

An OECD survey explores how the public sector can enhance the contribution of public administration’s risk management, control, and governance processes to the prevention, detection, and reporting of fraud and corruption.

Experts on integrity and public governance and internal and external audit professionals came together to share their experiences, debate ways to address public sector integrity and accountability, and identify best practices as part of the 50th anniversary of the Organisation for Economic Co-operation and Development (OECD), held in Paris in April 2011. The seminar theme, “Internal Control and Internal Audit: Ensuring Public Sector Integrity and Accountability,” was based on a survey conducted by the OECD in the second half of 2010. The seminar was co-organized by OECD Internal Audit and the OECD Public Governance and Territorial Development Directorate, in partnership with IFACI, the French institute of The Institute of Internal Auditors.

The survey was sent to chief audit executives and inspectors general in central public administrations, gathering 73 responses and showing trends across 12 countries. The participating countries included Bulgaria, Finland, France, the Netherlands, Sweden, the United Kingdom, Canada, the United States, Brazil, Japan, Australia, and South Africa. The survey’s main points were presented to seminar attendees.

The survey questions focused on how internal controls can be used to mitigate risks within public administrations, how transparent reporting and follow-up by internal audit is used to mitigate risks of fraud and corruption, and how countries develop capacity and professionalize internal audit to promote integrity and prevent fraud and corruption. In addition, respondents were asked to identify four factors out of 13 proposed that they consider the most important for success in enhancing contributions to preventing, detecting, and reporting of fraud and corruption. Responses were recorded, clarified when necessary, and analyzed during the second half of 2010.

Seventy-five percent of respondents, including those in Canada, France, and the United States, state that internal audit reports to the highest level of authority within its ministry. This type of reporting line is ranked as the second most important criterion to improve the contribution of internal audit in preventing, detecting, and reporting fraud and corruption.

Such a reporting line assures greater independence for internal audit to establish and execute its annual work plan and to draft recommendations. In addition, it increases the capacity of internal audit to have access to relevant information and resources, and to coordinate its activities with external audit and investigation functions. 

AUDIT COMMITTEES
Forty-six percent of ministries sampled in the report — mostly from Australia, Canada, the Netherlands, South Africa, and the United Kingdom — have an audit committee, while half of participating ministries in France do not. As a result of the recently launched global reform of public policies by the French government, an internal control framework should be adopted shortly, including the formalization of internal audit services and the establishment of audit committees within the different French ministries.

In Canada, the mandate of audit committees is defined in the Directive on Departmental Audit Committees. Although this includes the monitoring of actions undertaken to mitigate identified risks, the monitoring of the advancement of the work plan, execution, and the follow-up to implementation of internal audit’s recommendations, it does not specifically refer to fraud and corruption. 

With regard to internal audit’s reporting lines, the case of the United States is specific, and merits particular attention. The Inspector General Act of 1978, which requires the creation of an Office of Inspector General within all government departments and agencies, states that the inspector general, appointed by the President of the United States, report directly to the head or deputy head of the institution concerned, and not to any other official in the department. In addition, the Inspector General reports to Congress and informs it of any problems and deficiencies, including cases of fraud. Although there is no audit committee, these two reporting lines contribute to the independence of the Inspector General.

Three scenarios were identified in the allocation of responsibilities between internal audit and investigation functions with regard to fraud and corruption:

• Internal audit and fraud and corruption investigation functions exist together under the same head, which is notably the case in the United States.  

• These two functions exist as separate entities within the same ministry. This is the most common configuration, and is found mainly in Australia, Canada, France, and the United Kingdom.

• The two functions exist as separate entities, but in some ministries the fraud and corruption investigation functions exist outside the ministry. This is the case for some ministries in Brazil and South Africa.

Relatively little can be concluded from the survey responses as to whether or not integrity is more effectively supported if the internal audit mandate includes specific responsibilities in relation to fraud and corruption investigation, or if this mandate is assumed by a separate entity (in the same or in a separate ministry). However, the results do suggest that the risk of nonpursuit of control deficiencies increases if the mandate for fraud and corruption investigation is assumed separately, even more so if it exists separately and outside the ministry.

The responses of sampled ministries show that communication between internal and external audit can range from minimal — where access to officials and internal audit files is granted to external audit on request — to significant, as is the case with one participating ministry in the United Kingdom where both external and internal audit participate in all meetings of the audit committee. While the relationship between internal and external audit is rather close in Anglo-Saxon countries (Australia, Canada, South Africa, the United Kingdom, and the United States), this is less the case in countries such as France, Japan, and Sweden.

Ninety-one percent of respondents state that they have adopted an internal control framework covering control activities, control environment, risk assessment, and a monitoring mechanism (making their framework comparable to The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control–Integrated Framework). However, several responses show that the internal control and risk management framework is not adequately formalized. Many respondents said this framework only concerns budgetary and financial operations. The existence of a formal and comprehensive internal control framework is ranked as the most important factor for combating fraud and corruption.

The involvement of management is perceived as a key factor for an effective internal control and risk management system: eighty-seven percent of respondents state that management is assigned responsibility for internal control, and 84 percent for risk management, but only 75 percent for fraud and corruption prevention.

While the majority of participating ministries (in South Africa and the United Kingdom, and to a lesser extent Canada) state that their mandate includes a reference to fraud, 44 percent indicate that there is, at present, no such reference in their mandate. For corruption, this figure amounts to 58 percent. The United States is the only country where a reference to corruption is mentioned by all respondents. In the Canadian participating ministries, even though no mention is made of fraud and corruption in the internal audit mandate, the degree of internal audit’s contribution to the fight against fraud and corruption is relatively high, most likely because internal audit’s mandate refers to IIA standards and/or to national regulations or directives that relate to fraud risks.

Sixty-two percent of respondents from Canada, the Netherlands, the United Kingdom, and the United States say that the procedures in place at their organization are sufficient to prevent fraud and corruption. In France, opinion is divided.

Ninety-seven percent of internal audit respondents state that they issue an annual report describing their activities; 81 percent report on significant risk exposures and control issues, including fraud and corruption risks. This periodic reporting ranks third among the 13 factors that respondents consider would most enhance internal audit’s contribution to the prevention, detection, and reporting of fraud and corruption. It was selected as an important subject by more than half of all the ministries that answered.

Eighty-six percent of respondents report that internal auditors are required or encouraged to have specific professional qualifications (knowledge of audit practices, but also of related areas such as accounting, finance, IT, or investigation). Fifty-two percent of respondents report that internal auditors are given special training to raise their awareness of fraud issues. Several countries (Australia, Canada, Sweden, the United Kingdom, and the United States) preferred diplomas awarded by specialized professional institutes. The certifications mentioned the most frequently include Certified Internal Auditor (CIA), Certified Government Auditing Professional (CGAP), Certified Information Systems Auditor (CISA), Certified Fraud Examiner (CFE), and accounting designations.

Lastly, a fairly large majority of respondents (81 percent) state that their department has put in place a quality assurance mechanism that includes internal evaluation followed by external evaluation by an independent body.

The OECD report includes proposed best practices and improvements regarding the prevention, detection, and reporting of fraud and corruption. 

1. Internal audit’s reporting lines to the highest authority within the ministry contribute to its independence. To be independent, internal audit must report administratively to the minister or to the immediate deputy. Such a reporting line should be mandatory and formalized in the internal audit mandate. An independent audit committee, reporting to the highest authority in the ministry, should also exist. Its mandate should clearly cover the monitoring of risk exposures, particularly those relating to fraud and corruption. In addition, such an audit committee should be kept periodically informed of cases of fraud and corruption. Lastly, most of its members should be recruited from outside the ministry and, where possible, from outside the public administration. Internal audit should have close ties with the audit committee.

2. In cases where internal audit and investigation functions are separate, there should be a clear mandate for each function. They should work together to coordinate rules and policies aimed at avoiding duplication, have regular meetings to coordinate work programs and results (including the communication of annual reports), and participate in joint training/awareness-raising activities with regard to the risks of fraud and corruption. There also should be systematic and rapid reporting of all fraud and corruption cases to internal audit and feedback from internal audit to other functions on deficiencies in internal controls and implementation of remedial measures. The fact that one function is tasked with investigating cases of fraud and corruption does not mean that internal audit has no responsibility in this area. As recommended in the International Standards for the Professional Practice of Internal Auditing (Standards), internal audit’s mandate should be specifically aimed at evaluating “the risk of fraud and the way in which this risk is managed by the organization.” Internal audit’s mandate must specify what this role is at each stage in an effective, fraud-combating process (detection, investigation, improvement through the experience gained, and reporting).

3. Internal and external audit should consider increasing the coordination of their activities to mitigate the risks of fraud and corruption.

4. Internal audit should play a key rolein advocating the formalization of an internal control and risk management framework that goes beyond purely financial controls to encompass the control environment in the very broadest sense, and that incorporates a code of ethics and fraud and corruption prevention plans.

5. The internal audit mandate should include an explicit reference to fraud and corruption risks. A clear reference to the Standards will boost the activity of internal audit in this area.  

6. Internal audit should periodically evaluate the quality and effectiveness of the controls put in place by managementto expressly address fraud and corruption risks.

7. Internal auditors should be required to have general internal audit skills, as well as specific qualifications so they can better assess, and better detect, fraud and corruption risks. Organizations should provide training for internal auditors to raise their awareness of fraud and corruption issues and systematically put in place a quality assurance program that is assessed externally by an independent body.

The results of this survey will feed into OECD activities, including public governance reviews, and will complement OECD work on external audit at the national level for its project, Governance at a Glance. Externally, they should complement the activities of The IIA, INTOSAI, and COSO.

A copy of “Internal Control and Internal Audit: Ensuring Public Sector Integrity and Accountability” can be downloaded at www.oecd.org.

 

---

CSR
I wanted to Understanding of internal audit,audit committees and CSR
Posted By: LIU JUNMIN
2011-11-17 1:32 PM

---

Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:

---

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

---