« Improving Tax Collection Using XML and Object-Oriented Technologies | Main | Budget Reforms in Uganda: From Vision to Reality - A Personal Account »

August 31, 2010

Internal Audit in the Public Sector: Underdeveloped and Underused

Posted by Sanjay Vani 

Of 107 countries in which Public Expenditure and Financial Accountability (PEFA) assessments have been undertaken, only 2 scored A (or A+) and only 4 scored B (or B+) for the indicator on internal audit (performance indicator (PI) 21 in the PEFA methodology, see www.pefa.org). The vast majority—101 countries—scored either C or D for the effectiveness of internal audit. The internal audit indicator is the only PEFA indicator that has been uniformly rated so low across a broad spectrum of countries:  high income/middle income/low income, Anglophone/Francophone, and stable/fragile status. Even Norway, a high-income country, scored D for the internal audit indicator. We can therefore conclude that globally internal audit is not yet as firmly established in the public sector as external audit. This post analyzes some key factors that have contributed to this situation.

Structure of the Public Administration. One of the most important factors, in my view, is that historically, the public sector has been organized as a centralized, control-oriented, and hierarchical structure whose complex bureaucratic procedures have provided a certain level of comfort to those responsible for the use of public funds.  Because the system involved layers of control, those responsible rarely felt the need for another institutional layer—internal audit—to provide additional assurance.  We must remember that until the 1980s, even in the private sector internal audit was largely confined to checking compliance with organizational policies and procedures and verifying the existence of assets. In the public sector, this work was essentially carried out by different layers of the bureaucracy, and thus the need for additional internal audit was never acutely felt.

Evolution of Internal Audit.  Modern internal audit, as we understand it today, really evolved after the landmark 1987 report of the Committee of Sponsoring Organizations (COSO) on fraudulent financial reporting.  In the United States the implementation of the 2002 Sarbanes-Oxley Act further increased the breadth and depth of the professional work carried out by the internal audit (IA) community. The main objective of the modern IA function is to assist management in making decisions “by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”  The public sector’s traditional bureaucratic layers cannot be expected to provide such a service. Even countries that already have an IA function, including OECD countries, are undertaking major reforms to modernize that function.

• In Canada, the government has undertaken significant internal audit reforms with the introduction of the new Policy on Internal Audit in 2006.
• The United Kingdom is now involved in a major Internal Audit Transformation Project.
• In France, at the behest of Minister for Civil Service and State Reforms, the Inspector General of Finance has recently prepared a blueprint for a modern State Internal Audit Systemthat is separate from the financial inspectorate.
• The European Commission has developed a  new internal audit benchmarkfor assessing compliance by candidate countries through relevant amendments to the Acquis Communautaire (chapter 32)— requirements differ considerably to those applicable to countries that joined the European Union between 1995 and 2004. 

Role of the Supreme Audit Institutions.  A related factor is that in many countries the supreme audit institutions (SAIs) were in the past much more actively involved in budget execution, thus providing an additional layer of control and comfort to those responsible for public funds. For example, up until 2004 Turkey’s Court of Accounts was empowered to issue “visa”—that is, the authority to incur expenditure. SAIs have been shifting their focus on ex-post review of transactions and systems, this has created a gap for internal audit to fill.

Turf Battles. In many countries the newly established IA function is fighting turf battles with the “inspection/control” agencies that traditionally carried out compliance work with a view to discovering instances of malfeasance and misuse. There is still a lack of clarity in many countries about the exact role of IA; it is often still equated with “pre-audit” or “ex-ante” control. For example, in France until now, the internal audit function was embedded in the nspectorate of finances while the European Commission separated internal audit from the ex-ante financial control function as recently as in 2001.

Lack of Qualified Professionals. The lack of experienced IA professionals further exacerbates the problem. In many countries IA as a profession is still nonexistent or, at best, in its infancy, countries that are trying to establish an IA function in the public sector (some under pressure from the donor community) are finding it difficult to recruit and retain qualified and well-trained IA professionals., IA staff is often untrained in risk and control assessments and often duplicates the work of the inspection and control agencies. So, not surprisingly, decision makers many times do not see that the IA function adds any significant value.

The January 2010 Internal Audit Strategic Improvement Plan Consultationpaper prepared by the UK’s Treasury aptly summarizes this situation: “The general story is that within organizations there are multiple sources of assurance that are not well harnessed by senior stakeholders, nor cost effectively aligned to key strategic risks. These misalignments include the role of internal audit.”  When decision makers are not convinced of the value of IA, the function receives meager budget allocations—and the vicious circle of ineffective IA function (as reflected in the PEFA scores discussed above) continues.

Lack of International Standards and a Global Forum.  Finally, public sector IA has remained largely underdeveloped because there are no internationally accepted IA standards and no global forum for public sector IA professionals. The Institute of Internal Auditors (IIA) has developed internationally acceptable IA standards that are applicable mainly in the private sector, but the public sector has unique aspects—for example, issues in the internal audit of tax administration, or the roles and responsibilities of inspection agencies vis-à-vis the IA function—that need to be covered in public sector IA standards.  Internationally acceptable IA standards for the public sector are still lacking. By comparison, in the area of public sector audit INTOSAI has developed public sector audit standards, and in public sector accounting the International Public Sector Accounting Standards Board (IPSASB) has developed public sector accounting standards. In addition, the public sector IA area has no forum similar to INTOSAI, which would bring together the public sector IA community and provide opportunities for peer learning and sharing of best practices.

Conclusion.  The need for an effective public sector IA function is becoming more acute today as government operations get more dispersed and decentralized, citizens’ demand for accountability grows ever stronger, and SAIs’ increasingly tighter budgets constrain their ability to expand the depth and breadth of their audits. Modern IA, as we understand it today, has really evolved only in the past three decades, and many large OECD countries are still undertaking major reforms to modernize their IA function accordingly. In many countries, however, there will be a long, uphill march before the public sector IA function is truly recognized as an important and valuable function.  In any country, a conducive and enabling internal environment, coupled with external/international developments in the public sector IA profession, will ultimately lead to strengthening of the public sector IA function.

[1] COSO is a voluntary US private sector organization dedicated to improving organizational performance and governance through effective internal control, enterprise risk management and fraud deterrence. COSO is jointly sponsored by the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and The Institute of Internal Auditors (IIA).

[1] Definition of internal audit by the Institute of Internal Auditors.


TrackBack URL for this entry:

Listed below are links to weblogs that reference Internal Audit in the Public Sector: Underdeveloped and Underused:


It seems to me that internal audit is well established in almost all countries of the world. The challenge and the reason for the generally low PEFA scores is that there are perhaps three different functions which are called internal audit. These are pre-audit, compliance audit and systems (risk based) audit. These are just different functions with different approaches and objectives. They are not modern nor traditional internal audit. The problem is that the PEFA framework tries to assess each of these three functions as one, systems audit, and so the scores are largely based on whether internal audit “is focussed on systemic issues”. I think that Sanjay is making the same mistake by suggesting that all internal audit units should move to adopting a systems audit approach to their work.
Most internal audit in Anglophone Africa, for example, is pre-audit. This is an additional, independent, stage in the procurement process where official orders and/or payment vouchers are reviewed and certified (stamped and signed) by internal audit. Pre-audit may be decentralised, for example, in Nigeria, or centralised as in Zambia. This is not an out of date function and may still be considered necessary in many countries. This is the function undertaken by financial controllers (contrôleurs financiers) in France and, as Sanjay points out, is still a function which is considered necessary for the European Commission.
With pressure from donors there has been a move in recent years to systems audit. In most cases this has resulted in little change, or at best a move to compliance audit. Examples of non-compliance with Financial Regulations are identified and the recommendations are that compliance should occur in future.
Actual systems (or risk based) audit is not common neither in Africa, Europe nor North America (but there are pockets of excellence, at least, on all three continents). Systems audit consists of a critical review of internal control systems with recommendations for improvement or optimisation of the internal control systems. This requires a very different set of skills to that required for pre-audit or compliance audit.
In addition, systems audit may be less appropriate in centralised systems or systems regulated by centralised, detailed, Financial Regulations, as Sanjay suggests. Systems audit is more appropriate in decentralised systems where managers are given more freedom to manage and devise their own internal control systems (thus it developed to support what is often termed New Public Management in developed countries).
Thus systems audit is very difficult to introduce and has taken decades to take root in the public sector, in the UK for example as Sanjay suggested. Similarly in Africa, trying to require internal auditors, used to undertaking pre-audit, to undertake systems audit can be a slow and painful process. In both Ghana and Kenya, for example, such a move was made several years ago, but the PEFA report for Ghana found that only 20% of internal audit work was “focussed on systemic issues” last year. In Kenya the 2008 PEFA report found that around 50% of internal audit work was still based on pre-audit. In each case the internal audit service had been led by world class professionals who were clear about international standards for internal audit and were convinced of the need to move to systems audit.
In the French approach to public financial management there are four different cadre (or groups) of officials who may be considered to be internal auditors. These are service inspectors, financial controllers (contrôleurs financiers), general financial inspectors (inspection générale des finances) and general state inspection (inspection générale d’Etat).
Most line ministries have their own inspectors, eg in the ministry of health, education, police etc. These service inspectors undertake compliance type audit work in each ministry and report to their minister.
The financial controllers undertake pre-audit in each ministry, but are working for and seconded from the Ministry of Finance.
The general financial inspectors review financial management in the individual ministries, departments and agencies on behalf of the Minister of Finance. They undertake compliance audit.
The General State Inspectorate also does inspection/compliance audit, but on behalf of the State President (or sometimes the prime minister). In six Franco-phone countries they are the INTOSAI members, so I think it is better to consider them to be a type of external audit (sharing this function with the Court of Accounts).
The starting point for the reform of internal audit is to recognise these different functions and to determine which ones are really needed and which functions are currently provided. It may be that (as with the EU) that the pre-audit function in each ministry, department and agency is retained and, in addition, a central compliance/regulatory function in the Ministry of Finance is considered necessary. There may also be a systems audit function provided by a body based in the Ministry of Finance (independent of the Accountant General).
It seems to me that Ministers of Finance need to determine whether they need pre-audit and/or an inspection service to monitor compliance with financial regulations in the ministries, departments and agencies.
Second they need to consider whether systems audit is a function they want to develop. If they want both (or all three) functions then different bodies should be established for each. As Sanjay pointed out, Norway scored a D for their internal audit functions and argued that systems audit was not appropriate in their circumstances.

But the key is a proper review and clear understanding of existing practice in each country. Only from this base can recommendations be made for improvement. In addition, we should recognise that a professional, systems based internal audit service is challenging to develop in any environment, needs well qualified and motivated staff and takes years, if not decades, to develop and spread across the whole of the public sector.

Thanks Andy. this is a useful view on internal audit, reform processes and their timelag to impact the practice, as well as on some limits of the PEFA framework. I think we should add that regarding the indicator on internal audit, as well as the one on internal controls, PEFA is not designed to assess the practice, nor are there requirements for the assessment to test a representative sample of documentation in a sample of institutions: the upshot is that scores in the PEFA reports for such indicators have to be taken with a pinch of salt, agreeing that it is indicative but not representative. Though this may sound as nit picking, this is essential to guide discussions on reform. Further,
PEFA requires 50% systems based audit. So 60% of 10 staff would just pass (6 staff doing systems audit), but 20% of 100 staff would fail (20 staff doing systems audit).

In terms of Andy observation that "It seems to me that internal audit is well established in almost all countries of the world".
I would like to comment that PFTAC undertook a study of IA in 6 Pacific Island countires in 2008 and the conclusion was that "Internal audit in Pacific Countries is inadequately developed and is at best at a nascent stage of development. Unlike external audit, internal audit in the Pacific has not been given any assistance resulting in its limited functionality. The internal audit is limited mainly to conducting compliance audit, i.e. reviewing compliance with rules, regulations, policies, etc. There is now recognition for the setting up a proper internal audit system in the Pacific Island Countries (PICs). "
We (with ADB) are trying to correct this now but it will take a while.

Dear Joshi,

Many thanks. if you do have the link to this study, this would be useful to share if possible.

Thanks for posting this interesting article which gives a good picture for the need and importance of and the gap in Internal Audit capacities.

Internal Audit is an independent and objective assurance and consulting function designed to help an organization to achieve its objectives.

These objectives are stated in terms of:
• Effectiveness and efficiency of operations (programmes and projects)
• Reliability of financial and operational information
• Safeguarding of assets
• Compliance with rules and regulations
• Prevention and Detection of fraud

Frankly, governments differ in their commitment to these universal objectives.
Discussions on the effectiveness of public service internal audit shops need to be put in context to ensure that the value of internal audit in public sector is not understated.

It is also worth emphasizing that the responsibility for implementing controls remains that of Government.

The effectiveness of internal audit can only be as good as the commitment of governments to pursue these objectives.

Internal Audit adds the best value when it is accepted as a function that helps the organization and it is given appropriate authority and adequately resourced to play its desired role.

A fundamental challenge to the effectiveness of internal audit is the absence of effective performance and accountability systems in the public sector. If public sector CEOs are held effectively accountable for performance, I have no doubt that they will better appreciate the value of internal audit to help them performance.
Another challenge of internal audit (and external audit), with regard to the assessment methodologies, is that they focus on results without due reference to inputs and other intermediate processes and structures that determine their effectiveness.

IA is an important part of the PFM framework in any country. However, a change in attidue is the most important aspect of enusuring effectivenss of IA in any country. PFTAC undertook a study of IA in the Pacific in 2008 and its implementation has highilghted a very importnat issue- that of a mind set and attitude on part of IA staff. In several cases the IA staff originally came for the Auditor Genreral's office and their attitude remains that of fault finding not that of an aid to management.
A signiificant amount of effort also needs to be put into the need to change the mind set both of the line ministries where IA is conducted and in the IA staff itself. Till this is done in most places the effectivenss of IA will be limited.

This is UK specific, but a reminder of how IA can slip beneath the radar of public policy - even at times of structural change. Despite the UK Treasury document mentioned above arguing for the operational independence and the 'autonomization' of IA in the public sector, big changes are being made to local public audit, in which IA is invisible and its independence jeopardized. With the abolition of the (England) Audit Commission, the contours of local public audit are changing. Private supply is being encouraged. Private contractors may offer both external and IA. The regulatory regime applied by the Audit Commission is being broken up. One result could be the reduction of IA autonomy or indeed a back to the future move to 'pre audit'. It's noteworthy that the drafters of the legislation abolishing the Audit Commission have made no approach to the IA professional body in the UK.

I really appreciate this post. Internal Audit profession is often classified by the public and officials as the role of an Accountant. this posed a major problem to the profession as internal audit function is tied to the apron of an Accountant. An Auditor is an Accountant and an Accountant is not an Auditor.. Many Legislation favored the effectiveness of Internal Audit Functions, but organisational structure/positioning is the major problem confronting the I A. For Instance in the Public Sector of Nigeria, In most MDA's you see Director Finance & Accounts, but hardly will you come accross Director Internal Audit. Therefore many people will love to take pick up a career with recognition. In summary Internal Auditors have a low status in the public sector despite enormous functions to the organisation - This is discouraging many people to take upa career in the internal Auditing in the Public Sector. The IIA are not also penetrating well into the government to enlighten then of the Importance of effective Internal Auditing.Gb

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.

Back to top of page
©2007 IMF. All Rights Reserved. About Us | Terms of Use
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t();if(s_code)document.write(s_code)//-->