What are the CAEs and the internal audit functions responsibilities regarding governance?

Abbreviations and Acronyms

I. The Renewed Interest in Government Internal Audit

The audit function has always been viewed as an integral part of government financial management, and increasingly as an instrument for improving the performance of the government sector. Auditing covers a broad range of activities, which have different objectives. Traditionally, it has been a mechanism for assuring the government or its ministries (internal audit), and the legislature (external audit), that public funds are received and spent in compliance with appropriations and other relevant laws (compliance audit), and that the government’s reported use of funds fairly and accurately represents its financial position (financial audit). The audit function has evolved in many countries to take a more comprehensive view of the economic and social implications of government operations—often termed “value-for-money” or performance audit.

While internal audit (IA) and external audit face similar issues, generally most attention has been paid to the latter. However, recently, there has been increased interest and more emphasis placed on the IA function. This has arisen from a number of sources. In OECD countries, the demand for improved accountability and greater transparency within government has resulted in a call for more information about government programs and services. Through its procedures in objectively acquiring and evaluating evidence, external audit provides credibility to the information report by, or obtained from, management. At the same time, its existence improves financial reporting and performance more generally, with an adverse audit report acting as a “deterrent” to poor performance. In turn, the increased emphasis on accountability and improving public sector performance has caused managers to “protect” themselves by improved IA procedures that will provide them some minimal assurances of meeting these external demands, and avoiding adverse audit reports.

Recently, there has been progress in reaching a consensus of what audit standards governments should meet. Both the International Organization of Supreme Audit Institutions (INTOSAI)2 as well as the Institute of Internal Auditors (IIA) have issued auditing standards to guide the auditing and accounting professions.3 While such standards do not have mandatory application, they are generally regarded as reflecting “best practices,” so that while countries may develop their own public sector auditing standards, generally it is expected that they will keep them consistent with the international standards. This is especially pertinent for many transitional economies, which are transforming their institutions to conform more closely to those found in OECD countries, as well as to developing countries which are being forced by the donor community to improve their governance standards.

However, these new international IA standards do raise some fundamental questions. First, there are concerns about their relevance to many developing and transitional countries. International experience in strengthening and building up IA systems has revealed a number of common problems, which are not entirely addressed in the new standards. Indeed, it will be argued below that these standards appear more in line with the role of IA found in advanced countries, and perhaps even a restricted group of these countries which have modelled government IA on the private sector best practices. Second, even if one were to accept this latter approach, one could question the practicality of implementing such standards in most developing and transitional economies.

This paper offers a brief review of OECD countries that reveals a variety of IA models. It is not easy to see which model would meet the particular circumstances of different types of developing and transitional economies which have inherited different institutional approaches and operate completely different public expenditure management (PEM) systems. Indeed, to design a workable IA system, it is argued, one cannot fail to take into account the wider PEM system in which IA must operate. An international review of such systems reveals a wide variety of institutional arrangements, each of which implies some constraints on the IA function, and raises doubt over the applicability of a “general” IA model.

A discussion of some of the practical problems faced when designing or restructuring IA systems highlights some of the difficulties in meeting commonly accepted objectives of the IA, most of which form the basis for the international standards. For example, ensuring “internality” of the process in centralized versus decentralized PEM systems, or ensuring some degree of independence of the IA to ensure objectivity when there are major governance problems and where there is a poor external audit to provide a safety net. Nor can one ignore the practical problems of meeting required professional standards, or improving the management of IA services in environments where there are severe limitations of skilled staff and government pay scales are poor. This international perspective may hopefully offer some suggestions for viable strategies for developing the IA in hostile institutional environments.

II. Progress in Defining Internal Audit Standards

Internal control has been a constant interest to the INTOSAI, who in 1992 offered general standards for an internal control structure.4 This offered a framework for modelling internal control structures. Internal management controls, broadly defined, include all the means by which an organization ensures that its operations are carried out efficiently and effectively—describing control processes that ensure effective planning, resourcing and coordination of the organization’s activities, and the feedback of the results of these activities into the initial prioritization and planning phases.5 Emphasis focused on the information needs to ensure internal control and ways of ensuring its relevance, timeliness, and objectivity, where the IA was seen as making a substantial contribution.

Recently, there has been a move to define in even more detail international auditing standards by the IIA, both for private and public sectors in the soon-to-be-published revised Internal Auditing Standards (see Box 1).6 This is based on the view of the IA role as:

• “an objective assurance and consulting activity that is independently managed within an organization and guided by a philosophy of adding value to improve the operations of the organization;” and

• in assisting “an organization in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control, and governance processes.”

This broad view of the IA’s role certainly places it more centrally as an important element of PEM. Moving beyond a narrow compliance viewpoint, the IIA has adopted a wider definition of internal control, with more emphasis on management controls and information and communications processes. This adopts the view of the IA’s role as to review, appraise, and report to budget managers the soundness and adequacy of internal controls (e.g., safeguarding assets, ensuring reliable records, promoting operational efficiency, monitoring adherence to policies and directives).7 That is, to provide managers and supervisors some “reasonable assurance” that improprieties have not occurred, and if they have, they will be reported and appropriate follow-up action will be taken. Part of that management control, is the manager’s control of the IA system itself through the continuous monitoring of its effectiveness. Consequently, it is natural to place the IA under the budget institution’s management, indicating a decentralized institutional approach—an approach reinforced by a trend toward managerialism and decentralization in government financial management often found in industrialized countries.

Three complementary sets of standards—Attribute, Performance, and Implementation Standards—will be added to these standards, which again have important implications for PEM. The attribute standards address not only the desired characteristics of individuals carrying out the IA, but also of the IA organizations themselves. Performance standards specify required activities of IA and quality standards they should meet. Implementation standards combine the former two sets of standards to provide for specific types of IA activity standards (e.g., for compliance, fraud, systems audits, etc.).

Box 1:

Standards for the Professional Practice of Internal Auditing

• Foreword and Statement on Internal Auditing Standards (SIASs).

• Framework for the Standards for the Professional Practice of Internal Auditing.

• Summary of the General and Specific Standards for the Professional Practice of Internal Auditing.

• The Detailed Internal Auditing Standards, comprising:

  

  100 Independence		340 Economic and Efficient Use of  Resources
  	110 Organizational Status
  	120 Objectivity		350 Accomplishment of Established Objectives and Goals for Operations
  200 Professional Proficiency
  	The Internal Auditing Department	400 Performance of Audit Work
  	210 Staffing		410 Planning The Audit
  	220 Knowledge, Skills, and Disciplines		420 Examining and Evaluation Information
  	230 Supervision		430 Communicating Results
  			440 Following up
  	The Internal Auditor
  	240 Compliance with Standards of Conduct	500 Management of the Internal Auditing Department
  	250 Knowledge, Skills, and Disciplines
  	260 Human Relations and Communications		510 Purpose, Authority, and Responsibility
  	270 Continuing Education		520 Planning
  	280 Due Professional Care		530 Policies and Procedures
  300 Scope of Work		540 Personnel Management and Development
  	310 Reliability and Integrity of Information		550 External Auditors
  	320 Compliance with Policies, Plans, Procedures, Laws, Regulations, and Contracts		560 Quality Assurance
  	330 Safeguarding of Assets

• Statement of Responsibilities of Internal Auditing

• The Institute of Internal Auditors of Code of Ethics

The more precise definition of the IA’s role, and specification of how it should be organized, and how it should function, is very valuable. It is also pertinent to the EU candidate countries where EU regulations require the IA to comply with internationally accepted auditing standards.8 However, the recognition that IA has evolved in a particular institutional, legal, and political environment, which varies markedly in different groups of countries, raises an important question of the wider applicability and practicality of these standards, especially for the government sector. Even within OECD countries, there is wide disparity in the role assigned to the IA, as well as the way it is organized, which results in diverse IA practices. Such diversity is also reflected in the other parts of the world where the IMF has offered advice in strengthening and reforming the IA.

It can be appreciated from the content of the above standards that, for many parts of the world, each requirement poses problems:

• Independence to make objective judgement implies that the auditor will have no direct management responsibility for what is being audited, he is to be free to choose any transaction/topic for audit, and is allowed access to all necessary information to come to an informed judgment. Unfortunately, in many countries, systemic governance problems often imply real difficulty in assuring the IA’s independence.

• Professional proficiency assumes an appropriate audit methodology, technical competence, and sufficient level of resourcing for the IA function. In many countries it must be recognized that audit skills are in short supply, and professional proficiency can be very low, or the government’s pay scales cannot attract or maintain suitable staff. These factors often represent an important constraint on attempts to strengthen the IA.

• Scope of the IA described in these international standards is based on the broader view of the IA as a tool of management, where the IA function closes the loop in the PEM management cycle to ensuring the efficient and effective use of resources.9 This, in turn, assumes a mechanism under which audit reports are followed up and acted on. For many parts of the world, the IA has often been, and continues to be, defined rather narrowly— focusing on financial compliance and regularity, rather than broader management issues. Moreover, governance problems and lack of professional competence also constrains the IA to this role and hinders its ability to generate timely and relevant reports.

• The management of the IA function is critical to its effectiveness. In many countries, management of the IA is often poor—poor work practices, lack of planning and personnel management, with little support from external audit. Additionally, management is constrained by the institutional arrangements for IA, which often compromise the role of the IA as an aid to internal management.

Given these considerations, it is perhaps not surprising that one of the significant problems often identified in countries’ PEM systems is that the audit function—both internal and external—is weak and ineffective. In many countries, it is felt that this weakness prevails to such an extent that it impacts more generally on fiscal transparency and governance issues. This judgment may need to be qualified in two ways. First, the IA should be regarded as a necessary rather than a sufficient condition for ensuring sound PEM. Although important, the most effective IA system is not a substitute for good financial management. It could be argued that devoting resources to improve the IA may be misdirected in the absence of a sound PEM system, and that resources would have been better employed in improving the latter. Secondly, IA cannot be expected to enforce good governance on its own without the existence of other workable controlling mechanisms to enforce accountability. In particular, it cannot substitute for external audit or compensate for a weak external audit system. Rather, the two systems should go hand-in-hand and complement each other. In many countries which suffer from a lack of personnel with the required skills to carry out I A, ways must be found to economize in the use of this scarce manpower both in terms of the design of the IA and restricting its functions so as not to dilute its impact. Unfortunately, to be successful in achieving the latter requires management skills, which are likely to be lacking in IA, as in other sectors of the government.

Accepting these qualifications, even as a conditioning factor, the IA’s importance to the PEM process is not often given enough emphasis. There are signs in recent years on a number of different fronts that this is changing. The new focus on crisis prevention and governance issues has given rise to a number of recent international initiatives in addressing these problems in developing and transition economies. For some of these transition economies, preparation for EU membership has also highlighted weaknesses in IA. While the acquis communautaire sets few obligations for external audit, it delineates many requirements for internal financial control, where IA is seen to play a key role. Even in more advanced countries, including some belonging to the OECD, the move to introduce greater managerial freedom and to decentralize government operations to improve service delivery in the public sector has required greater emphasis on managerial internal controls, such as the IA.

However, the way in which IA is practiced varies considerably among OECD countries.10 In recent years a number of countries have reoriented internal audit away from compliance towards performance issues. In Anglo-Saxon and northern Europe the emphasis has been in introducing result-based budgeting associated with the New Public Management approach, emphasizing performance rather than compliance and taking a more decentralized approach. Others have established internal performance review units separate from internal audit. In continental Europe, with a much stronger legal tradition there is more focus on ex ante (pre-audit) compliance auditing, often undertaken primarily through central agencies.11 This causes some difficulty in defining best practices as a guide to other countries in strengthening and developing their IA systems.

III. Different Models for Internal Audit: the OECD Countries

In terms of broad characterization, while IA varies greatly among OECD countries, two main traditions can be identified, at least among European countries. These can be characterized as the centralized approach as opposed to the decentralized approach (see Annex I). These approaches have been referred to as the “third party ex-ante approach,” found in such countries as France, Portugal, and Spain, derived from a legal tradition based on the Napoleonic Code as opposed to the “management responsibility approach” found in countries like the Netherlands and the United Kingdom.12

In the centralized model, the Ministry of Finance (MOF) not only plays a key role in budgeting and allocating funds to line ministries (LMs), but also directly intervenes in ex-ante controls, placing its own staff in the LMs. In this environment, the IA is focused on a specific organization performing certain control functions, traditionally a centralized ex-ante financial control organization, an inspectorate general, or a treasury external audit service. In the more decentralized approach, each LM takes full responsibility for spending its own budget and for ensuring appropriate checks and safeguards on the way this is spent. In this environment, the IA is focused on the overall system of organization, controls, rules, procedures and regulations set up to ensure the most economic, efficient and effective use of resources. To do this, the IA control system includes the range of ex-ante controls, systems, performance, and IT audits.

However, it must be recognized that there are other models, some of which appear to mix internal and external audit functions. For example, in Germany the IA is not part of a government agency’s control system, but can be viewed as a component of external audit. While the IA cadre operates within agencies, they are subject to technical and professional guidance, as well as supervision, by the German supreme audit institution, the Federal Court of Audit. They report only to the supreme audit institution, and perform a “pre-audit” role rather than a traditional IA role.13 Similarly, the Swedish Audit Office occupies a somewhat ambiguous position, being part of the central government administration within the Ministry of Finance. Nevertheless it operates independently of the executive and has full independence in the selection of topics and in reporting. The Auditor General is appointed by the Cabinet for a six-year term.

On the surface, the United States appears to have adopted a decentralized model. The GAO is responsible for external audit assessing an agency’s performance with respect to the priorities of the congress. In contrast, the internal auditor is recognized as being responsible to the management of the organization. The original model was adopted from the private sector: IA organizations, independent from the operating and financial components of a company, reporting to the company’s top executives, typically covering the entire spectrum of management controls.14 However, this original model has been modified. Following the 1978 Inspector General Act, an inspector general (IG) was created in almost all agencies, as head of the IA. The IG, is kept separate from the rest of the agency, and is required to have direct access to the head of the agency, although the latter is prohibited from preventing the IG conducting any investigations he deems necessary. Under this Act, the IG is required to submit all reports directly to the head of the agency and also is required to keep congress informed of their work. The IG is required to submit semiannual reports on audit and inspections to the head of the agency who, after adding his comments, must submit the report to congress within 30 days. This compromises the decentralized view of IA as a service to management, and in reporting to congress, albeit indirectly, it has assumed an external audit responsibility.

IV. Internal Audit in Other Systems

As indicated, while country practices within the OECD can be roughly categorized into two groups—basically centralized and decentralized models—these approaches are reflected in other parts of the world. However, it must also be recognized that some regions have inherited their own unique institutions and approaches to the IA.

A. Anglophone African Countries

The United Kingdom, the origin of the Anglophone countries’ systems, has basically decentralized the I A. The IA staff are employed and managed by the LMs and report to the chief financial officer of the ministry, the “accounting officer.” In the U.K. internal audit is well developed across departments and agencies, tending to concentrate on systems and efficiency issues. Standards and guidelines for internal audit are set centrally by the Treasury. The external auditing function for the government sector relies on the staff of the Comptroller and Auditor General (C&AG) of the National Audit Office (NAO).15 It should be noted that the Audit Commission, established at the same time as the NAO, is responsible for local government, police and the national health service. The Commission appoints auditors to all local governments and National Health Service bodies and regulates their audit.16

The present U.K. decentralized IA system, albeit with centralized guidance, has evolved from the period when many Anglophone African countries became independent. However, they all inherited what is termed the Westminster model of government which allows some flexibility in IA arrangements. Following this Westminster model, the MOF is regarded primarily as an office of superintendence and appeal rather than an office of administration. While it lays down the procedures to be adopted, and will at times be expected to advise and assist “accounting officers” as far as possible in the administration of and accounting for public moneys, it cannot be held responsible for any irregularity of financial management except in regard to funds directly administered by itself. Rather, the responsibility and accountability for public funds rests with the “accounting officers” appointed by the treasury—usually the permanent secretaries in charge of spending departments—who are required to control and direct expenditure after it has been sanctioned by parliament, and to provide the accounting for this expenditure to the C&AG, the external auditor answerable to parliament.

However, the Westminster model allowed flexibility in interpreting the rights of different actors in the budget process. In this type of system the IA function is usually established in accordance with the powers and functions bestowed upon the treasury with regard to the responsibility for management, supervision, control, and direction of all matters related to the financial affairs of the government. The IA can be viewed as support to the MOF, assisting it in the monitoring of compliance by ministries and departments with various financial regulations, instructions, and accounting procedures. Alternatively, it can be viewed as assisting all levels of management in the effective discharge of their responsibilities through the submission of reports on their examinations and, when justified, appropriate action-oriented recommendations for corrective action. The demarcation between these views depends on the importance attached to the delegated responsibility given to accounting officers (AOs).

This ambiguity in the Westminster model allowed two basic interpretations of the IA function in the Anglophone system:

A means of central control

In the colonial U.K. system, this aspect was heavily emphasized. In practice, this view has prevailed in many Anglophone African countries who have adopted quite centralized IA systems. Kenya, Uganda, and Malawi can be classified in this group, though in Malawi the IA is very weak and is still in the process of being established. The MOF has an office of I A, which has a centrally managed cadre of internal auditors. These internal auditors are posted in the LMs but their personnel and work management are performed by the MOF. The report of the IA is given to the LM AO and to the MOF.

For example, in Kenya internal auditors report directly to the Office of the Internal Auditor General (IAG) in the MOF, with copies sent to their AO. They have their work programs determined by the IAG, and are funded from the IAG’s budget. Unlike other centrally administered cadres seconded to the LMs, the LM views the internal auditors as part of the MOF administration. In the Nigerian federal government, internal auditors are part of the same service as accountants under the Accountant General of the Federation, posted to the various line ministries. Recently, a central Inspectorate has been created in the Accountant General’s Office to supervise this work.

A service provided to the AO

In other African countries this is the predominating view, where the internal auditors are envisaged as providing the AO with a service, and as part of his management team would report directly to him and only copy the MOF. In this way, they would be on par with the other MOF centralized cadres seconded to LMs. Thus some Anglophone countries adopt the approach similar to the U.K. system. In South Africa and Ghana,17 internal auditors are recruited and managed by the LMs. There is no central MOF guidance or control on the internal auditors.

There is always a certain tension in the Anglophone system arising from the need to strike a balance between the centralized responsibilities of the MOF and the internal management requirements of the AO. Over time, some of these countries have oscillated between the centralized inspectorate approach and the decentralized service approach, such as Kenya.

B. Francophone African Countries

France, the origin of the Francophone countries’ systems, has rather centralized IA function. The Inspector General for Finance (IGF), who is the internal auditor for the MOF, inspects not only the MOF but also the whole government sector. However, most LMs with the exception of relatively small ones have their own internal auditors, who are managed by, and report to, the ministry’s management. The internal audit function is performed by “public accountants,”18 a centrally managed cadre, with the State Audit Office checking that the internal audits have been properly carried out. At the same time the General Inspectorates undertake an important review function. The IGF, reporting directly to the Minister of Finance, covers every organization receiving public funds and tends to take a wider review function than mere compliance. In addition there are 21 other General Inspectorates covering either specific ministries or particular activities (e.g. social affairs, armed forces, etc). Like the IGF, they have an oversight and inspection role, as well as undertaking special studies and surveys.

In addition every ministry has a Financial Controller (FC) who exercises a pre-audit role. No administrative commitment with financial consequences can be undertaken without his approval or “visa.” Since the FCs are posted to LMs from the MOF to control budget execution, the role of the IA is a little circumscribed, although large ministries (e.g., Social Affairs, Transportation, Interior) have more power than IA bodies which perform an investigative function. This work is often carried out on conjunction with the IGF. The external audit agency, the State Audit Office, has a distinct role, reporting to the President on concerns in financial management and also presenting the annual accounts with commentary to parliament.

In most Francophone African countries, the system is similar to that of France. However, the LMs’ IA functions in some countries are not yet established, and in other countries, though they exist, they are undeveloped with a limited role.

In the Francophone African system the expenditure process is divided into two main phases:19 an “administrative” phase, where each ministry undertakes commitments on the basis of its budget allocation through the ordonnateur. As a check in the system, the latter is independent from the accountant, the “comptable,” who is charged with processing the payment and undertakes the accounting phase of the expenditure process. Thus the administrative phase encompasses the commitment, verification and payment order stages. The accounting phase is the final payment stage, which besides recording the transaction also includes controls over the regularity of the payment order. For some payments, with little discretion, such as wages and pensions, these two phases run together. With sound treasury accounting, the two phases should be reconciled at the end of the year through a compte administratif and a compte de gestion.

Internal control in this system is carried out at two main points in the spending process. At the commitment stage, as in France a financial comptroller, belonging to the MOF but located in the LM, checks the regularity of the commitment before the LM can enter into any future payment obligation by issuing a visa. The comptroller is also required to keep records of the commitments made. At the payment order stage, the accountant checks the payment order’s conformity to the visa’s specification of the commitment, and then subsequently records the payment order. Before payment is effected, the accountant made an ex-ante control by examining the payment order before proceeding to payment. The comptroller and the accountant, who are MOF staff, although institutionally separated, therefore share internal control. Financial comptrollers are attached to the Budget Directorate while public accountants are under the Public Accounting Directorate. As in France, there is a centralized IA function, the IGF, which has an investigative function.20 Often this function is not well specified, and tends to be ineffective. Some ministries do have their own internal auditors, but again the function is usually weak, and where they exist they tend to be subservient to the financial comptroller in the Ministry.

The experience of most African countries is that these processes have been under strain in the face of continued fiscal stress. In addition, the francophone system is a complex one, requiring a fair degree of management skills. When these were deficient the PEM systems have degenerated. To patch up the systems many adaptations have been introduced. For example, in some countries a centralized payment order system has been introduced, typically by creating a specific division in the MOF. Others have exploited mechanisms to bring flexibility to the system, and in the process have by-passed controls, considerably weakening the comptroller and accounting functions. For example, commitments are made, but not registered, or due to resource constraints the emphasis on the payment order control point has meant that commitments are made that have no payment order issued.

C. Latin American Countries

Many Latin American Countries inherited the institution of the Court of Accounts from Spain, as the institution where the chief AO of a budget institution was required to render accounts for purposes of ensuring legislative compliance. After World War I major changes that had been made in U.S. accountability systems were reflected in various Latin American countries through the Kimmerer Commission, an international TA initiative in the 1920s and 1930s. This initiative, among others, advanced strong comptroller generals’ offices to provide central accounting, for government institutions. Several Latin American countries adopted this approach. 21 In this system, the AO presented accounts to the comptroller general for verification as to their legality and regularity. While the United States after World War II made drastic changes to its financial management system, these did not spread with any speed in Latin America. Many countries persisted with comptroller general’s offices, although the scope of their functions does vary. Some are heavily involved in precontrol and accounting, while others limit themselves to external audit.

Although many countries have evolved or are evolving from this system, as originally operated, the Contraloría was given prime responsibility for the control of central government expenditure including internal and external controls. Through this institution, the legislative branch exercised its watchdog responsibilities over government agencies, which also provided internal control, accounting, and payment services for those agencies. As originally formulated, the Contraloría represented a powerful institution, in charge of public accounting, with centralization of fiscal information and the preparation of financial reports. The Contraloría was typically responsible for the verification and consolidation of assets and liabilities accounting, as well as for budgetary accounting. Thus one arm of the Contraloría prepared the accounts of agencies, which were audited by another arm of the Contraloría in its report to parliament. This puts the Contraloría in a somewhat ambiguous position—an auxiliary organ of the legislative branch in charge of both the internal and external controls over the execution of central government expenditures.

Subsequently, there has been a movement to correct this situation by reallocating fiscal responsibilities more clearly between the legislative and executive branches. For example, in Venezuela, following a 1983 Commission Report on Fiscal Reform, the 1995 Organic Law transferred the IA function to the government agencies, and the Office of the Controller General of the Republic the Contraloría assumed the more standard role of supreme audit institution.22 Colombia, between 1993–94, consolidated and standardized the IA function in agencies, and in 1996 an advisory council for internal control was created as a consultative organ of the executive, in the President’s Office. While the practice of putting a Contraloría representative in each agency was discontinued, and with it pre-audit, its mandate to centrally guide IA remains. However, the Contraloría in its traditional form, still functions in other countries such as Chile, Honduras, and Panama. A particular problem in switching from the centralized to decentralized approach has been the lack of preparedness of the government organizations to carry out this function. Under the Contraloría system, internal controls were narrowly defined to include limited aspects of ex-ante controls and small-scale administrative enquiries, usually prompted by special requests. One major problem is the emphasis that has been placed on the precontrol or “preaudit” function—i.e., the verification of the legality, propriety accuracy and overall authenticity, budget approval for a financial transaction before its implementation. Many Latin American legislatures have imposed this function on the supreme audit institution, often the Controlaría, and sometimes special units in the MOF.

The legacy of the Contraloría system has left a bias to a rather narrow view of IA. Internal controls tended to be narrowly defined to verify compliance with the law and adherence to the principles of sound financial management in all administrative activities, which have financial repercussions. As indicated, several Latin American countries have reformed their internal control procedures toward OECD models, re-defining and widening the role of internal and external audit. In this redefinition, it should be noted that many countries have seen a role for a central institution to regulate and administer government IA. For example, Argentina has the office of the National General Comptroller’s Office, Brazil has the Federal Control Secretariat, and in 1997 Venezuela introduced an audit superintendency. However, there appears agreement that in the region, as a whole, there is much work still to be done to develop the IA.23

D. Countries of the Former Soviet Union

These republics, like many central and eastern European countries, which were influenced by the old soviet system, have no tradition of the IA. Rather, these countries inherited a control department in the MOF, which operated as an investigative rather than preventative institution carrying out special investigations on alleged irregularities and fraud. Overlaid on this traditional audit function most republics, like Russia, have instituted an external audit institution. Unfortunately, there has often been confusion in the separation of the roles of both institutions. While lines of reporting have been different—the IA to the MOF and the external audit to the legislature—some overlapping functions are evident.

For example, in Russia there has been a move to refocus the work of this MOF central department, which has been renamed the Department for State Financial Control and Audit. However, the approach retains the concept of a central inspectorate, and also the strong emphasis on control and investigation of irregularities. In some respects, there is a concern that there is overlap in the role of the external auditor, the Accounts Chamber (AC), and the IA. The AC has been given extensive responsibilities not only in monitoring budget execution but also in providing an input in budget preparation—serving the needs of the legislative branch in this regard. Apart from blurring its ex-post function, the AC has often been diverted from a systematic work program by the intervention of ad hoc investigations requested by the legislature and an enforcement role with respect to implementation of audit findings and penalties. Increasingly, it is being recognized that there is a need for legislative amendment to clarify the role of the AC, refocusing its mandate to ex-post audit. In many of the former Soviet Union republics the same confusion over the role of internal and external audit prevails. This needs to be clarified, and reinforced by more suitably qualified personnel and associated training programs, before much progress can be expected in developing this function.

E. Countries of the Former SFR Yugoslavia

In the states of the former SFR Yugoslavia, it has been recognized there is a need to move from the system inherited from the past. The latter was based on a central inspectorate concept of the IA service, as an investigative arm of the MOF to follow up on reported cases of financial irregularity and abuse. Without the existence of an external audit body reporting to the legislature, the budget control department of the MOF assumed this external watchdog role. Apart from the MOF investigative audit, routine audit of budget management tended to be cursory, and depended heavily on the standard day-to-day inspections of payments and accounts that was undertaken by the payments bureau, a somewhat unique institution to the SFR Yugoslavia.

The payments bureau, before the disintegration of the SFR Yugoslavia, called the “Sluzhbata na Opshestvenoto Knigovodstvo” (SDK), or Social Accounting Service, was a rather unique institution created in 1963, and inherited by all the emerging republics. Originally, it exerted widespread functions in the fields of payments execution, tax collection, statistics compilation, and the auditing and control of enterprises and government agencies. It was uniquely placed to perform the latter function. As soon as any legal entity in the SFR Yugoslavia was legally established, it had to register itself with the SDK, and open a single so-called “giro account” in the SDK local office where that legal entity was situated. Such a requirement did not apply to households or individual business. As a result, the SDK undertook the functions that clearing houses and other netting arrangements performed in other countries.

As a by-product, the SDK had an important audit function through the information stemming from payment orders. In addition to some basic pre-audit checks on payment orders executed in its system, the SDK was legally bound to receive different reports submitted by all legal persons, including government agencies, concerning their financial activity. Enterprises had to submit quarterly reports on taxes paid and other legal obligations; and half-yearly reports with income statements and balance sheet. Other legal entities were obliged to submit yearly reports. This information was the basis for the general audit functions assigned to the SDK. These audit functions centered on the legality aspects, rather than on performance criteria. Following independence there were early demands for the reform of the SDK, which was viewed as an anachronism of the past command economy, and its control functions were widely resented. However, so critical was this institution to the basic financial functions of an economy (in particular payments execution, government accounts keeping and tax collection) that no republic implemented a speedy reform for fear that this might endanger such critical functions for which there will be no immediate replacement. It was generally agreed that reform required the separation, and institutionalizing elsewhere, of the major functions carried out by the SDK, including developing a separate external audit institution as well as developing internal audit within government.

V. Strengthening the Internal Audit Function in Developing and Transitional Countries

The previous review has highlighted a need for redesigning the IA function in transition economies and strengthening it in developing economies. To accomplish this, are there any lessons to be learned from the way IA functions in OECD countries?

Whichever their IA approach, there are some general principles which seem common among OECD countries. First, the IA is viewed as a central component of internal financial controls aimed at protecting the government’s financial interests. The important concept is “internality” of this executive function distinguishing it from external audit. Second, IA activities although including traditional compliance and regularity operations, can be defined quite widely to include substantive tests, systems, performance and IT audits.24 Third, to function effectively, the IA must be functionally separated from the day-to-day management of an organization, (otherwise the accountability of designated managers will be diluted), but at the same time have an input to top management to ensure its findings and recommendations result in corrective action. Fourth, internationally recognized auditing standards should be applied.

However, accepting these general features, other desirable attributes that can be imported from OECD systems must be couched in terms of what is relevant and what is feasible. Recognizing that there is a pressing and immediate need to strengthen internal financial management systems, where the IA plays a key role, at the same time it must be recognized that the problem is a longer-term one of capacity building or capacity restoring. The question arises on what should be the strategy in developing the IA function? This strategy is inevitably constrained by a number of factors. Not only are administrative procedures and institutions weak and ineffective, but also the staff is in general not proficient. In most developing and transition countries, the environment for audit is very weak. Apart from the general political environment, basic infrastructure is lacking: fundamental documentation, specification of the IA responsibilities, separation of duties, and most particularly a supporting departmental internal control framework. It could be argued that it is difficult to maintain an effective IA function in the absence of a strong external audit. However, in most cases, the external audit function is weak,25 making the IA more ineffective. The strategy therefore involves two elements: developing the IA service and creating a more enabling environment.

The usual strategy adopted to developing the IA is outlined in Box 2. The most important step in constructing this development plan is undoubtedly the first step—deciding on the role of the IA in a country’s budget management. This has involved a number of design issues, and in particular deciding on:

• control versus a management orientation—a question of objectives to be pursued by the IA;

• degree of centralization in the organization of the IA—a question of the organization of the IA function;

• relationship with external audit—a question of responsibilities and coordination; and

• codifying work practices—a question of implementing reform.

Each element is discussed in more detail below.

Box 2.

Advice in Developing the Internal Audit Function

• Develop a strategic view of the IA by top MOF management, covering not only compliance and regularity audit but, depending on each country’s situation, the wider role of ensuring efficiency of expenditures, especially in the context of any planned reform initiatives in other areas.

• In light of this strategic view, restructure audit work practices, to move the IA away from pre-payment checking to free resources for systems and other types of audit.

• Review the IA function and staffing, and redesign the organizational structure and responsibilities.

• Prepare IA manuals based on the new vision of the IA service and the associated improved work programs.

• Based on these manuals, design a training program for internal auditors to fulfill their new role.

• Develop a program of recruitment and staff development for the IA service.

• Encourage IA involvement in the development of new financial and accounting management systems to ensure that adequate controls are built into these systems.

What are the objectives of the IA?

As indicated, from existing international practices, there are a variety of interpretations of the role of the IA. This varies from the centralized view of the IA as a support function to the MOF, assisting it in the monitoring of compliance by ministries and departments with the MOF financial regulations, instructions, and accounting procedures. The emphasis is on compliance and control. Alternatively, it can be viewed as assisting budget managers in the effective discharge of their responsibilities by maintaining a feedback on their use of public resources through the submission of reports and, when justified, appropriate recommendations for corrective action. The emphasis is on efficiency and effectiveness in the use of resources and the delivery of services. Between this decentralized approach and the centralized approach, there exist many variants, among them the existence of a central inspectorate to set standards and to assist, when required, decentralized IA units in the LMs with delegated responsibilities.

The overall design of the IA function should be geared to the specific priorities of a country. For those countries with governance problems, the first and foremost objective should be to ensure compliance with the financial laws and regulations. For those developing and transitional economies faced with a high degree of fiscal stress, the need to ensure macroeconomic objectives will be paramount. For those countries that can ensure compliance with the law and have reached a fair degree of macroeconomic stability, more attention can be paid to ensuring efficiency and effectiveness of resource use, as currently emphasized in the OECD countries. To attain the compliance and macro stabilization objectives is likely to involve a more centralized PEM system and, similarly, a more centralized approach to IA. To obtain the management objectives of efficiency in service delivery will imply a more decentralized approach to PEM, and to widening the role of the IA to performance auditing. However, it could be unwise for countries to adopt the latter approach without ensuring the first two objectives are adequately met. It is argued, therefore, that for most developing and transitional economies the appropriate budget management model is one that emphasizes compliance and stabilization issues, and consequently the approach to designing an IA system should reflect these priorities.

A centralized or decentralized approach to IA?

A fundamental design issue that usually has to be faced is the degree of centralization in the organization of the IA function. As indicated, country practices in the OECD vary from two extremes: the centralized approach with the IA under the MOF, compared with the decentralized approach, allowing it to function under the LM management.

The centralized approach has often been viewed as better from a capacity-building viewpoint, where it has been argued that this approach:

• Allows easier maintenance and better development of the proficiency of internal auditors: Under the decentralized approach, it is argued, in a situation of scarce skilled manpower often implies the diversion of the IA staff to other duties that will reduce the proficiency of the staff. However, if the MOF develops a special cadre it will be able to concentrate scarce auditing resources and so maintain proficiency, ensure their specialization, and develop centralized standards and training programs for the cadre.

• Maintains more independence: The audit should be operated with adequate independence. The centralized option is better in this regard, it is argued, since the IA is managed by the MOF outside the direct control of LM managers. However, it is recognized that the necessity of appropriate independence is in direct conflict with the necessity of the MOF’s close cooperation with other departments for budget management.

However, disadvantages of centralization are also evident, namely:

• Weakening accountability of the LM management: It could be argued that the prime responsibility for internal control should be the responsibility of, and be “owned” by, the LM management. However, the centralized option divides the responsibility between the LM management and the MOF, obscuring the ownership (or accountability) of this control mechanism. The LM management may be only too happy to consider the responsibility for internal control as the MOF’s,

• Of limited effectiveness because of the weak transparency: Under the circumstances found in many developing countries, the flow of information to external officials (internal auditors from the MOF), is typically limited and untimely, constraining the effectiveness of the IA.

• Fails to foster close cooperation with other departments: Close cooperation with other departments is essential for efficient IAs. However, the centralized approach does not promote such cooperation—the internal auditor is viewed as the “spy” of the MOF, rather than a member of the LM management team.

In weighing these two options—the centralized or decentralized design for the IA—there are some relevant considerations that imply the answer will be country specific. First, the danger in an entirely centralized approach, that the MOF will assume responsibility for the rectitude of financial management in budget institutions, undermining the basic accountability of budget managers, is very real for many countries.26 Secondly, if the risk of political interference with the routine budget management were high, so that the budget manager’s accountability is undermined from above, a centralized system would be more justified. In some areas of the world, a weak supreme external audit body implies that the risk of political interference must be regarded as high. Thirdly, where the administrative capacity to perform IA functions is low, in regard to the recruitment and maintenance of competence of staff, a centralized system controlled by the MOF would also be recommended. Given the time it will take to establish a professional corps of internal auditors in many areas of the world, this is a most relevant consideration.

Taking due account of the above considerations, often a centralized approach, at least initially, is recommended as the most prudent approach, although it runs counter to the basic decentralized institutional model underlying internationally accepted audit standards quoted earlier. As argued previously, the latter are based on a budget management model that may not be the most relevant to developing and transitional countries. Faced with their present economic problems, and at the present stage of their institutional development, a more relevant budget management model should stress compliance and centralized controls to ensure stabilization objectives, and have an IA system to support them.

How to ensure the independence of internal audit?

An important objective in restructuring the IA function is to give some assurance of its independence from day-to-day management and hence objectivity in its evaluations. Obviously, the degree of independence of the IA is not the same as the external audit, which reports to parliament. Rather, the IIA defines the IA independence in the following terms:

“Internal auditors are independent when they can carry out their work freely and objectively. Independence permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of audits. It is achieved through organizational status and objectivity.”

Ideally, the internal auditor should be responsible to the minister or the chief executive of the ministry or agency. In a decentralized model, the internal auditor will report directly to this top official. In the centralized approach, having the centralized office reporting directly to the Minister of Finance ensures the independence of the IA. The internal auditor is responsible to the head of the ministry/agency; he is part of that agency’s staff. While part of the chief executive’s management team, care must be taken not to infringe the cardinal rule of audit: an auditor should not audit himself.

Typically, this is handled by several institutional mechanisms. In particular, a clear and agreed definition of the internal auditors tasks is a way of clarifying the place of the IA function in the work of the budget institution, dispelling ambiguities and avoiding disputes when the internal auditor carries out these tasks. For example, taking a compliance oriented view of the IA, the typical duties and responsibilities of the internal auditor could be defined as in Box 3.

Box 3.

Duties and Responsibilities of Internal Audit

• Reviewing the compliance with the existing Government financial regulations, instructions, and procedures.

• Evaluating the effectiveness of the Internal Control Systems.

• Appraising the economy and effectiveness with which financial and other resources are being used.

• Reviewing the reliability and integrity of record keeping and reporting on financial and operating information systems.

• Pre-audit of payments documents and of all documents used in initiating commitments, as well as contract agreements.

• Verifying and certifying periodical financial returns such as pending bills returns, expenditure returns, revenue returns, staff returns, vehicle returns, etc.

• Reviewing and pre-auditing of annual Appropriation Accounts, Fund Accounts, and other accounting statements to ensure that accurate accounts are prepared to the required standards.

• Investigation of irregularities identified or reported and reporting on cases leading to wastage of resources or cases of general misuse or misappropriation of financial resources and Government property.

• Ensuring that revenue and other receipts due to the government are collected promptly, banked immediately and fully accounted for.

• Carrying out spot checks on areas such as revenue and receipts collection points, projects, supply, and delivery sites to ensure compliance with procedures and regulations.

• Reviewing budgetary controls on issuance of warrants, commitments, expenditures, revenue collection, and accounting from time to time.

• Ensuring that government physical assets are appropriately recorded and are kept under safe custody.

• Reviewing the budgetary reallocation process to ensure legislative and administrative compliance and advising when commitments are entered into when there is no budgetary provision or adequate cash.

The establishment of LM audit committees is also usually recommended, formed of the top management of the institution and technical experts in the accounting and budget fields. The aim is to act as a steering committee for the work of the IA, identifying problems as well as the corrective or preventative action. Not only does this act to strengthen the role of IA within the budget institution in enforcing financial discipline, but also gives the IA some distance between the institution’s regular operations and IA evaluations. Similarly, to enforce this distance from day-to-day management, and offer some external support, it is also recommended to have a central audit committee in the MOF to review the findings of the IA units and to pursue remedial actions. Another possible mechanism is to have an independent external review of IA practices every two or three years by outside professionals, countering any tendency for agency managers to interfere with the IA.

Independence of the IA also involves clear demarcation of responsibilities in relation to external audit. In some ways, this can be addressed by a clear and well-documented definition of the duties of internal auditors. At the same time, the relationship between the two functions should be recognized as symbiotic—it is important for the IA that there is a strong external audit, and vice versa. The external audit should use the work of the IA, and the IA should be guided by the findings of the external audit. There is a strong case for constructive cooperation, along the lines indicated in Box 4.

Box 4.

Recommended Coordination Between Internal and External Audit

• There should be proper coordination to ensure adequate audit coverage and to minimize duplication of effort.

• There should be access to each other’s audit plans and programs.

• Periodic meetings should be organized to discuss matters of mutual interest.

• There should be an exchange of audit reports.

• Institutional mechanisms should be created to ensure common understanding and sharing of audit techniques and methods.

• Sharing of training and exchange of staff for two-three years in each case.

• The external auditor should review the performance of internal auditors (i.e., are they performing according to their objectives and plans?). A quality assessment of their work should be included.

• The external auditor should strengthen the position of the IA by reviewing and commenting on lack of action on IA reports.

However, the coordination between the internal and external auditor can be problematic if the external auditor is seen as the supervisor or the judge of the work of the IA. Functional separation of internal from external audit is important. As seen in some systems—in the United States, Germany, and some Latin American countries—the blurring of the two types of audit can also be a potential problem in ensuring this separation. Another limitation to coordination arises from the delays in external audit reporting. In many developing countries, the lags are extreme and put in doubt a most important check on the powers of the executive branch of government. Indeed, it could be argued that rather than strengthening the IA in many of these countries, efforts should be made to improve the timeliness of external audit reporting, which would have more general benefits in enforcing the overall accountability in government.

A strategic decision to be taken in many developing and transitional countries is where to best deploy scarce audit skills. There are, however, ways to economize in the use of scarce IA resources. For example, by focusing only on priority and key weaknesses that have been identified. It is also possible to concentrate skills in specialized central teams used for special audits in budget institutions to assist the institution’s own IA unit. Improved work practices, say by moving away from 100 percent pre-audit of vouchers to a sampling approach, can often offer significant savings, as can improved management of the audit function through more efficient audit planning. These approaches are discussed in greater depth in Annex II. However, the conclusion that cannot be avoided is that IA is such a fundamental element of PEM that its proper resourcing should not be neglected.

ANNEX I

Internal Audit in OECD Countries27

Two broad approaches can be identified among OECD countries: the less centralized “northern model” (United Kingdom, Netherlands) and the more centralized “southern model” (France, Portugal, Spain).28 For each approach, main characteristics and country examples are described.

A. The Decentralized Approach

Main characteristics

• Each LM takes full responsibility for spending its own budget and for ensuring appropriate checks and safeguards. The LMs do not receive specific ex-ante controls by FCs from the MOF. Ex-ante controls are considered to be incorporated into the budget implementation process.

• The MOF sets standards and coordinates LMs’ internal audits.

• This model can be found in the United Kingdom and the Netherlands.

United Kingdom

• Each AO (the Permanent Secretary) in a LM takes the responsibility for spending. The AO is required to have an IA service by Treasury’s manual “Government Accounting.” The staff are employed, managed, and report to the AO.

• The IA assures the AO of the effectiveness and efficiency with which moneys are spent, the compliance (with policies and regulations), the safeguarding of assets and interests, and the integrity and reliability of data.

• The Treasury (the Internal Audit Service) sets the standards in the “Government Internal Audit Manual” which internal auditors must follow. The Treasury is also responsible for ensuring the effectiveness of internal control systems in the LMs, including the Treasury’s own IA unit

Netherlands (specifically the case of agricultural expenditure)

• The Minister of Agriculture takes the responsibility for agricultural expenditures. However, the responsibility of daily management of spending lies with six paying agencies (Commodity Boards).

• The Audit Department of the Ministry of Agriculture performs IAs mostly in a system-oriented approach. If the department finds essential shortcomings in the management and control system, it demands more substantive compliance tests including on-the-spot checks. The department’s main function is certifying annual accounts.

• Physical on-the-spot checks and scrutiny of the documents are carried out by the General Inspection Service of the Ministry of Agriculture and by the Customs Service of the MOF.

• The Dutch Court of Audit (the external auditor) makes extensive use of the IAs carried out by the audit departments of ministries.

B. The Centralized Approach

Main Characteristics

• The MOF intervenes each LM’s spending directly with an ex-ante control by its own FC placed in the LM. The IGF in the MOF is responsible for ex-post financial control of all public expenditure and revenue of the government, and the IGF reports directly to the Minister of Finance.

• However, each LM has its own internal auditor, the IG. Subordinate and supervised agencies are subject to each LM’s IA.

• This model can be found in France, Portugal, Luxembourg, and Spain.

France

• The IGF, the internal auditor for the MOF, inspects not only the MOF but also the whole government sector. However, most LMs, excluding relatively small ones, have their own internal auditors, who are managed by and report to the management of the LM.

• Since the FCs are posted to LMs from the MOF to control budget execution, the LMs’ own IA functions are rather circumscribed, and tend to be investigative in nature.

Portugal

• The responsibility of financial control over the whole government is centralized: the Inspectorate General of Finance (MOF) is responsible for the overall financial control of all public revenue and expenditure; the General Budget Directorate is responsible for the implementation of the state budget; and the Financial Management Institute of Social Security is responsible for the social security budget.

• The Inspectorate General in each ministry carries out sectoral internal control function. It concentrates the activity of internal control at the operational units.

• The audit sections of operational units perform IAs. They concentrate on the verification of the management activities. These become fundamental inputs to higher-level audits.

ANNEX II

Improving Internal Audit Work Practices 29

In this paper it has been argued that for most developing and transitional economies the most relevant budget management model dictates a more compliance-oriented IA system. Accepting this approach, the following gives a brief overview of the main recommendations generally made in this area.

Extend the scope of IA

IA can play an important role in many areas, but given the lack of resources, a decision usually must be made to focus on priority areas and key weaknesses identified. Some typical areas, which may benefit from IA reviews are:

• Evaluation of internal controls: One of the main functions of the IA is to examine and evaluate the adequacy and effectiveness of internal controls in the existing systems, as well as the new systems before these are introduced. This clearly implies that the entire system of internal controls in the government has to be reviewed for each ministry/department/agency, as well as function-by-function. This area needs to be emphasized because, if there are strong internal controls, the system will automatically have its own checks and balances and negate the possibility of errors, irregularities, and fraudulent manipulations.

• The reports by LMs: LMs are expected to prepare regular financial statements and reports for purposes of monitoring performance. Internal auditors for reliability and integrity on a regular and consistent basis should review these reports. They should highlight any alarming trends.

• Checking of payroll and pension systems: Typically, payroll is both a central and ministry function. Therefore, control over the payroll has to be done at the ministry as well as at the central level. The central teams should review the functioning of the overall systems based on the inputs from the various ministries as well as the controls/record keeping in different ministries. Internal auditors should be involved in checking of computerized payroll/pension systems. They should review the adequacy of various payroll input data, the effectiveness of the control mechanism, the susceptibility of the process to clerical errors, the adequacy of supervision of those who handle payrolls, necessary checks and balances and security features of the system. They should also review any sudden or unauthorized addition to the authorized strength of permanent and temporary staff.

• Collection of revenue: Typically, much emphasis is placed on the audit of tax administrations, which have their own specialized IA units. However, at the same time, there are many nontax revenues and receipts, e.g. license fees, registration fees, visa fees, royalty, recovery of loans and advances, grants-in-aid, etc., which typically do fall under the same IA scrutiny. Usually, the IA of such revenues is nominal and is not given due importance. The IA should ensure that all revenues and other receipts due to the government are collected promptly, banked immediately, and be fully accounted for.

• Adapt to the IT environment: The increasing use of IT presents new challenges for the internal auditors. In organizations that have a mixture of old and new systems, as is often the case in developing and transitional economies, the complexities in performing IA are more pronounced. Though the objective of audit remains the same in a computerized environment, auditors need to bring about changes in the techniques of auditing. IA should be involved in systems and program development to ensure that adequate controls and risk management processes are built into the system. This is particularly important when Electronic Data Processing systems are being developed. These controls would include both general controls and application controls. General controls relate to the environment under which the system operates and application controls are built into the system and into computer programs.

The creation of special teams

In examining the IA of developing and transitional economies, it is not unusual to discover that there are many functions which are either not being performed, or the coverage is superficial because of inadequate staff, lack of specialized skills, etc. Often the most productive use of limited IA staff is in special central teams earmarked for conducting special audits in government agencies with the assistance of IA staff already stationed there. Examples of specialist skills that can be usefully dedicated to cover such areas are:

• audit of internal controls, information systems, systems audit;

• procurement/contract audit;

• IA review of critical areas, such as pending bills, commitments, revenue collection, loan recovery, and debt management;

• audit of payroll and pension systems, manpower audit; and

• cost assessment audit in assigned ministries.

These teams should also be reserved for more complex and specialized tasks or for any special requests from budget institution managers or the MOF. They can also be utilized for special investigations, including cases of fraud. These teams should not be viewed as external audit teams. Rather, these staff will be temporarily deployed from MOF headquarters to supplement the efforts of the IA units in the ministries/agencies until they have adequate strength and skills to undertake such audits themselves.

Formulation of work plans

Existing operational standards for IA require that the Internal Auditor adequately plan, control, and record his work. Such planning should be done not only for individual audit assignments, but also for varying periods such as a quarter, a year, and even longer periods of three to five years.

The use of work plans is indispensable for the proper management of the IA. The approach to the audit planning process involves the following steps:

• Identifying the audit population: The audit population should cover the full range of activities, processes, policies, systems, financial and other records, procedures and information reports. This should be linked to the detailed list of duties of Internal Auditors for the ministry/department/agency, etc.

• Evaluating the risk factor: In planning IA activities, an assessment of relevant risk factors and their significance is important. The Internal Auditor should examine these risks and put a relative value on each risk, e.g. high, medium or low. Based on the risk assessment, it can be decided where to assign limited audit resources and to define the timing, frequency, and approach of the audit.

• Establish audit work schedules: These should include activities to be audited, timing of the audit, estimated time requirements taking into account the risk factor and scope of audit work planned. The schedule should be sufficiently flexible to cover unanticipated demands on the IA department.

• Formulate associated staffing plans and financial budgets: These will flow out of work schedules and will include an estimate of the number of auditors required and the qualifications/skills required of each of them. The IA unit may examine at this stage the adequacy of its resources in relation to the audit work schedules.

• Review planned audit coverage with top management: The audit work plans should be reviewed by the AO or the IA headquarters and the Audit Committee to ensure that all areas considered important or requiring special attention have been included in the planned audit coverage.

• Performance reports: These should be submitted to the AO or the IA headquarters, and should compare performance with audit work schedules. Major reasons for variations should be explained. Performance against work plan and list of reports should be issued. Aspects of performance to be covered:

  1. list of major and important observations, and significant issues raised by the Internal Auditor;

  2. pending action on important observations and recommendations;

  3. cases where payments were made despite objections from the internal auditor and high value vouchers not shown to audit;

  4. cases where records were not being shown or required information were not being furnished to the Internal Auditor;

  5. financial reports, accounting statements sent to the MOF without checking by the Internal Auditor;

  6. any cases of theft, loss, and fraud detected during the month;

  7. any compensations or costs settled out of the court;

  8. any risk areas needing priority attention;

  9. any other important comments or constraints faced by the IA unit; and

  10. based on these reports, the central IA authority should send a consolidated monthly report to top MOF management for information and intervention wherever necessary, with a copy to the external auditor.

To ensure that the monthly performance reports have an effective input in resource management, it is necessary to ensure they are completed in a timely manner. The IA report to top MOF management should include a description of which ministries’ IA units did not produce adequate/comprehensive reports, and the reasons why.

Create audit committees

There is a need to establish audit committees in LMs to strengthen the role of the IA in instilling financial discipline. The committees should be formed within the ministries and departments consisting of top management and technical experts in the accounting, and budget fields. The main functions of the Audit Committee will be:

• To review the work of the IA, to identify important areas where the Internal Auditor should focus in addition to his normal work;

• To review the important findings of the IA and the C&AG and identifying important areas where corrective or preventive action is necessary;

• Evaluation and effectiveness of action on audit recommendations of the C&AG and the Internal Auditor; and

• To ensure implementation of Legislative budget committee reviews and reports.

It is also useful to have a central IA committee in the MOF. A committee consisting of top MOF management, a head of the IA service, and a head of accounting service can be constituted to review the important findings reported by the IA and the action to be taken, to review cases where no action has been taken or objections of the IA have been bypassed, and to identify any critical areas where the IA should focus its work. This committee can also review action taken on Legislative Budget Committee recommendations.

External review of the internal audit system

In addition to the review of adequacy and effectiveness of the IA by quality assurance teams of the IA headquarters, there should be an independent external review of IA practices every three years by outside professionals. They should:

• identify and correct substandard practices;

• check whether internal auditors are fulfilling their mandated responsibility; and

• check whether they are observing professional standards.

Give suggestions to improve their performance and add value to the services being rendered by the IA. To ensure the effectiveness of the IA service, and its future development, it is recommended measures be taken to:

• clarify and agree on the duties of internal auditors;

• formulate IA standards relevant to the each country’s context;

• prepare and update an IA manual; and

• develop a training program for the IA staff, with a clear career development path.

Listing duties of internal auditors

Crucial to the proper management of the IA staff is the need to have a clear and well-documented job definition for an Internal Auditor. Such a clear definition of tasks would have several advantages:

• allow a clear appreciation of the work of the IA in the organization. If such a list of duties is suitably disseminated to all levels in the organization, ambiguities and resulting disputes with regard to the jurisdiction of the auditor can be avoided;

• enable proper planning of audit work and effective use of audit resources, and prevent dissipation of audit effort and manpower on just a few tasks;

• serve as an instrument of management control and supervision as actual performance can be matched against designated tasks; and

• facilitate construction of proper audit guides that will have to be developed.

Emphasize qualifications, skills, and experience for the auditors, and thus determine training needs of the individual IA units.

What are the CAE's and the internal audit function's responsibilities regarding governance?

What role does internal audit play in governance?

What are the functions and responsibilities of an Internal Auditor?

What are the role of internal audit in governance, risk management ethics and internal control?