Transforming Internal Audit in East Africa
Posted by Onesmus Ayaya, George Mang’oka and Jesse W Hughes
The IMF’s Regional Technical Assistance Center for East Africa organized a workshop for government internal auditors from the region in Nairobi, Kenya, from November 6-9, 2012.
PEFA diagnostic assessment results and external audit reports indicate that reforms of internal audit (IA) have lagged behind. The workshop discussed modalities of strengthening internal audit in relation to the various themes: the legal mandate for IA, the governance structure, coordination with public sector integrity institutions, participation in the work of professional bodies, the contribution to the control environment, and capacity building. The main issues are summarized below.
Legal and regulatory changes accompanying PFM reforms have not provided a strong legal and regulatory framework for IA. In some member countries, IA functions were established through administrative circulars or ministerial regulations without prescribing competency levels and the scope of required work. Recent reviews of PFM legal frameworks have incorporated enabling clauses on IA and risk management in the primary PFM legal instruments.
Countries of the region have established IA functions that differ in size, structure and mandate. In some countries, all internal auditors in central government and sub national governments are employees of the Ministry of Finance (MOF). In other countries, they are employed by the ministries in which they work. In all countries except Eritrea, there is a central IA unit in the MOF responsible for supervising government-wide IA services and providing guidance on good practices, training and other support.
Coordination Mechanism with Public Sector Integrity Institutions
Significant overlap exists between the work of integrity institutions and the work of internal auditors in government. Some member countries have inspection units as part of MOF’s internal audit function while in others inspection is a separate function. Some countries have an anti-corruption body that is mandated to carry out investigations and has prosecuting powers that have not been accorded to government internal auditors. Coordination of IA, fraud prevention and investigation, risk management and compliance assurance reporting through a central harmonization unit - as recommended by the EU’s Public Internal Financial Control Framework - is an alternative model that could be considered in the region, but would require a complete overhaul of existing financial governance and accountability frameworks.
Reliance on IA Reports by External Auditors
In general, across the region, little or no reliance is placed on IA work by external audit agencies. This can be attributed to the poor quality of audit field work and documentation. Audit committees, with external membership, can provide a coordination mechanism through which IA plans can be shared with external auditors and other public sector integrity institutions.
Control Environment and IA Focus
The prevalence of qualified audit opinions on the government’s financial statements issued by external auditors across the region is indicative of a weak internal control environment. Indicators of corruption are also high throughout the region. Auditors should factor fiduciary risks into their audit plans. Internal auditors can use the recommendations of external audit reports to facilitate the design of reform measures that address significant weaknesses in the control environment.
Efforts are underway to move away from pre-audit to risk-based audit. Focusing IA on compliance issues and voucher verification, however, is not considered to add value to the control environment. Three countries in the region have established specialized units to conduct value for money studies, forensic audit, IT audit and technical audit.
Audit of Performance Information (AOPI)
Most countries in the region are planning to adopt program-based budgeting and reporting. This will require auditors to evaluate performance information, but few of them have yet developed the appropriate skills and methods in this area.
Professional qualifications in IA vary widely across the region. The standards promulgated by the Institute of Internal Auditors have only been implemented to a limited extent. Public sector participation in professional bodies lags behind the private sector. None of the countries has yet established an IA certification program for the public sector. Ad hoc reliance has been placed on CIA certification. The most common qualifications pursued by internal auditors are ACCA/CPA, CFE and CISA.
Institutional Risk Management
No separate risk management units have been established in member countries. IA units have spearheaded the setting up of limited institutional risk management arrangements and management accountability of the process is generally lacking.
Countries of the region that have established an effective system of government audit committees, including external members, are a minority. Such committees need to be embedded in a country’s legal framework. Where established, the lack of acceptance by senior management and the external audit authority has often limited the role of the committees to “management audit”. Finding officials with the required expertise to serve as members of the audit committees is also an issue in most countries. In two countries, a central audit committee has been established to support the executive in monitoring the implementation of external and internal audit recommendations.
Capacity Building and Resourcing of Government Internal Audit Functions
Training programs for auditors vary significantly. In most countries, induction courses for newly recruited staff are used. However, there is a lack of continuing professional education. Too much reliance is placed on the preparation of audit manuals and templates in an attempt to “standardize” IA practices. There are no shared audit training resources or programs organized both for internal and external auditors.
Limited investments have been made in audit management systems (e.g., TeamMate) and data analysis tools such as IDEA and ACL. These tools are necessary to increase audit efficiency and effectiveness, and there is scope to improve their impact through training. All member countries are developing an IFMIS to automate their financial management operations. Training of auditors to operate in a computerized environment, however, remains a challenge for most IA units. Unfortunately, arrangements for the outsourcing or co-sourcing of IA operations are not currently used to alleviate limited in-house capacity.
Participants in the workshop agreed on the following:
- Technical assistance and financial support to build capacity will continue to be required in the next three years.
- Countries should be encouraged to undertake an assessment of their legal regulations, skills, and staffing to determine the gaps in these areas that need to be filled.
- Countries could also benchmark their systems against the Public Sector Internal Audit Maturity Framework, and draw up a prioritized capacity development plan.
- Government IA services need to be planned and resourced on a multi-year basis consistent with the adoption of multi-year expenditure frameworks in the region.
Participants found the workshop very informative. They requested follow-up events and TA to facilitate implementation of the tools and procedures discussed during the event.
 Eritrea, Ethiopia, Kenya, Malawi, Rwanda, Tanzania, Uganda, and Zanzibar. The Republic of South Sudan also participated in the workshop, although it is not a member country of AFRITAC East.