Internal Audit in the Public Sector: Underdeveloped and Underused

Posted by Sanjay Vani 

Of 107 countries in which Public Expenditure and Financial Accountability (PEFA) assessments have been undertaken, only 2 scored A (or A+) and only 4 scored B (or B+) for the indicator on internal audit (performance indicator (PI) 21 in the PEFA methodology, see www.pefa.org). The vast majority—101 countries—scored either C or D for the effectiveness of internal audit. The internal audit indicator is the only PEFA indicator that has been uniformly rated so low across a broad spectrum of countries:  high income/middle income/low income, Anglophone/Francophone, and stable/fragile status. Even Norway, a high-income country, scored D for the internal audit indicator. We can therefore conclude that globally internal audit is not yet as firmly established in the public sector as external audit. This post analyzes some key factors that have contributed to this situation.

Structure of the Public Administration. One of the most important factors, in my view, is that historically, the public sector has been organized as a centralized, control-oriented, and hierarchical structure whose complex bureaucratic procedures have provided a certain level of comfort to those responsible for the use of public funds.  Because the system involved layers of control, those responsible rarely felt the need for another institutional layer—internal audit—to provide additional assurance.  We must remember that until the 1980s, even in the private sector internal audit was largely confined to checking compliance with organizational policies and procedures and verifying the existence of assets. In the public sector, this work was essentially carried out by different layers of the bureaucracy, and thus the need for additional internal audit was never acutely felt.

Evolution of Internal Audit.  Modern internal audit, as we understand it today, really evolved after the landmark 1987 report of the Committee of Sponsoring Organizations (COSO) on fraudulent financial reporting.  In the United States the implementation of the 2002 Sarbanes-Oxley Act further increased the breadth and depth of the professional work carried out by the internal audit (IA) community. The main objective of the modern IA function is to assist management in making decisions “by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”  The public sector’s traditional bureaucratic layers cannot be expected to provide such a service. Even countries that already have an IA function, including OECD countries, are undertaking major reforms to modernize that function.

• In Canada, the government has undertaken significant internal audit reforms with the introduction of the new Policy on Internal Audit in 2006.
• The United Kingdom is now involved in a major Internal Audit Transformation Project.
• In France, at the behest of the Minister for Civil Service and State Reforms, the Inspector General of Finance has recently prepared a blueprint for a modern State Internal Audit System that is separate from the financial inspectorate.
• The European Commission has developed a new internal audit benchmark for assessing compliance by candidate countries through relevant amendments to the Acquis Communautaire (chapter 32); the requirements differ considerably from those applicable to countries that joined the European Union between 1995 and 2004.

Role of the Supreme Audit Institutions. A related factor is that in many countries the supreme audit institutions (SAIs) were in the past much more actively involved in budget execution, thus providing an additional layer of control and comfort to those responsible for public funds. For example, up until 2004 Turkey’s Court of Accounts was empowered to issue “visa”—that is, the authority to incur expenditure. SAIs have been shifting their focus to ex-post review of transactions and systems, and this has created a gap for internal audit to fill.

Turf Battles. In many countries the newly established IA function is fighting turf battles with the “inspection/control” agencies that traditionally carried out compliance work with a view to discovering instances of malfeasance and misuse. There is still a lack of clarity in many countries about the exact role of IA; it is often still equated with “pre-audit” or “ex-ante” control. For example, in France until now, the internal audit function was embedded in the inspectorate of finances, while the European Commission separated internal audit from the ex-ante financial control function as recently as 2001.

Lack of Qualified Professionals. The lack of experienced IA professionals further exacerbates the problem. In many countries IA as a profession is still nonexistent or, at best, in its infancy. Countries that are trying to establish an IA function in the public sector (some under pressure from the donor community) are finding it difficult to recruit and retain qualified and well-trained IA professionals. IA staff is often untrained in risk and control assessments and often duplicates the work of the inspection and control agencies. So, not surprisingly, decision makers often do not see that the IA function adds any significant value.

The January 2010 Internal Audit Strategic Improvement Plan Consultation paper prepared by the UK’s Treasury aptly summarizes this situation: “The general story is that within organizations there are multiple sources of assurance that are not well harnessed by senior stakeholders, nor cost effectively aligned to key strategic risks. These misalignments include the role of internal audit.” When decision makers are not convinced of the value of IA, the function receives meager budget allocations—and the vicious circle of ineffective IA function (as reflected in the PEFA scores discussed above) continues.

Lack of International Standards and a Global Forum.  Finally, public sector IA has remained largely underdeveloped because there are no internationally accepted IA standards and no global forum for public sector IA professionals. The Institute of Internal Auditors (IIA) has developed internationally acceptable IA standards that are applicable mainly in the private sector, but the public sector has unique aspects—for example, issues in the internal audit of tax administration, or the roles and responsibilities of inspection agencies vis-à-vis the IA function—that need to be covered in public sector IA standards.  Internationally acceptable IA standards for the public sector are still lacking. By comparison, in the area of public sector audit INTOSAI has developed public sector audit standards, and in public sector accounting the International Public Sector Accounting Standards Board (IPSASB) has developed public sector accounting standards. In addition, the public sector IA area has no forum similar to INTOSAI, which would bring together the public sector IA community and provide opportunities for peer learning and sharing of best practices.

Conclusion.  The need for an effective public sector IA function is becoming more acute today as government operations get more dispersed and decentralized, citizens’ demand for accountability grows ever stronger, and SAIs’ increasingly tighter budgets constrain their ability to expand the depth and breadth of their audits. Modern IA, as we understand it today, has really evolved only in the past three decades, and many large OECD countries are still undertaking major reforms to modernize their IA function accordingly. In many countries, however, there will be a long, uphill march before the public sector IA function is truly recognized as an important and valuable function.  In any country, a conducive and enabling internal environment, coupled with external/international developments in the public sector IA profession, will ultimately lead to strengthening of the public sector IA function.

[1] COSO is a voluntary US private sector organization dedicated to improving organizational performance and governance through effective internal control, enterprise risk management and fraud deterrence. COSO is jointly sponsored by the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and The Institute of Internal Auditors (IIA).

[2] Definition of internal audit by the Institute of Internal Auditors.