3.4. Key elements in the exercise of internal control and risk management
98 – 3 – SUPREME AUDIT INSTITUTIONS’ INPUT INTO POLICY IMPLEMENTATION
An increasing number of OECD countries are realising the importance of the policy enforcement phase for ensuring compliance and the quality and effectiveness of regulatory policy. With previous focus largely placed on the design of regulatory policy, OECD countries are calling for assistance in the implementation and enforcement of regulations, which is considered the weakest link in the regulatory governance cycle (OECD, 2014c). Regulatory agencies play a key role in this stage.
There is potential to improve regulatory inspections and enforcement processes to foster better compliance and to reassess the burdens and costs they impose. The OECD’s Regulatory Policy Committee has outlined key principles on which effective and efficient regulatory enforcement and inspections should be based.2 Although these principles fall mainly outside of the realm of “regulating inside government”, they may lend guidance to the processes of enforcing internal controls, particularly the concept of proportionality. The adoption of processes that use proportionality to weigh the allocation of resources to the level of risk can help to justify, and potentially reduce, costs and burdens.
SAI activities that assess and support:
Regulatory coherence (Table 3.3, key element C)
In addition to assessing regulatory policy tools, SAIs look at the application and management of tools that oversee and implement reforms. Half of SAIs report looking into these areas, but this is noticeably less than the activity of SAIs in implementing the budget and implementing controls. The role of SAIs in evaluating regulations ex post is discussed in Chapter 4.
Examples of SAI work in this area include:
Korea’s audits in the realm of regulatory policy have aimed to support the success of the government’s regulatory reform. BAI has examined the appropriateness of the regulation management system and the execution of regulation reforms. BAI’s 2007 Implementation of Economic Regulatory Reform assessed the performance of 12 central government agencies and 8 local governments. It examined the overall execution status of economic regulation reforms. It focused on the downstream implementation of regulatory reform, including the management system of regulatory reform, the registration and management system of regulations, financial oversight, and the appropriateness of the regulation on factory establishment. Another example is BAI’s 2009 The Implementation of Regulatory Reform in the fields of Education, Health Services and Tourism, which examined the overall regulation management system and the execution of regulation reforms, and recommended improvement by areas of four central government agencies and five local governments.
SUPREME AUDIT INSTITUTIONS AND GOOD GOVERNANCE: OVERSIGHT, INSIGHT AND FORESIGHT © OECD 2016
Chapter 4 of the Fall Report of the Auditor General of Canada (OAG, 2011) included Regulating Pharmaceutical Drugs – Health Canada. This report assessed Health Canada’s regulation and monitoring procedures concerning both the introduction of new pharmaceutical drugs to the Canadian market and the review of drugs that are currently available. The report found that although Health Canada’s drug reviews are consistent and of high quality, it has been slow and does not publish sufficient information on its decision-making process.
SAIs may be mandated to oversee regulatory agencies. For example, under articles 70 and 71 of Brazil’s Constitution, the TCU is empowered to oversee regulatory agencies. As part of this work it looked more systematically at regulatory governance through its Performance Audit, Infrastructure Regulatory Agencies: Regulatory governance review; and used a performance audit report, at the request of Congress, to verify the efficiency and effectiveness of the services provided by regulatory agencies that provide telephone answering services, by telephone, to citizens (TCU, 2013a, 2010, 2008).
In some countries, special internal control institutions exist that are independent from those that they monitor. They have a role in evaluating internal control, meaning that internal control assessment functions are centralised. In others, internal control assessment is decentralised, and is the responsibility of respective line ministries. When decentralised, the internal control framework is an integrated, yet independent, part of the administration. In both cases, establishing, maintaining and reforming internal control arrangements are the responsibility of senior management, and not of staff or an audit department. The role of auditors, both internal and external, is to provide independent and objective advice on and assessment of the efficiency and effectiveness of internal control mechanisms. International principles related to the implementation of internal controls and risk management are summarised in Table 3.4.
The wider adoption of ex post control has placed a new burden on managers to juggle effectiveness, efficiency, and reliability with compliance. In practice, this has required trade-offs between the inefficient but relatively certain method of checking regulatory compliance of individual transactions (ex ante) and the more efficient but relatively uncertain method of verifying the proper operations of systems (ex post) (OECD, 2005). Some countries began the transition from ex ante to ex post control with a heavy focus on ex ante compliance controls, while others started from a basis where the focus was already largely on ex post external control. The move from ex ante to ex post has meant more varied controls and often more work for both audit actors and those audited (OECD, 2005). Capacity issues of internal control and audit units can pose problems, particularly when their impact is limited by controlling for risks that are not established in accordance with the real risks to an entity’s objectives.
Table 3.4. Key elements in the exercise of internal control and risk management
Stage of the policy cycle: Policy implementation
Key functions of a strategic and open state: Co-ordinating and communicating; Implementing the budget; Implementing and enforcing regulatory policy; Establishing processes for risk management and internal control
A. Functional direction is provided for risk management and internal control across government, allowing scope for tailoring to individual entities.
B. Oversight bodies (audit, anti-corruption, enforcement) operate with independence in the execution of their activities, with sufficient capacity and in line with international standards.
C. Entity-level management establishes controls and assesses, treats, reports, monitors, and reviews risk in relation to the objectives the entity wants to achieve.
D. Independent internal audit generates reliable information and effectively oversees internal control mechanisms.
E. There are mechanisms to capture high-quality information about the performance of an entity.
Sources: OECD (2014b), Principles for Public Administration, SIGMA, OECD Publishing, Paris, www.sigmaweb.org/publications/Principles-Public-Administration-Overview-Nov2014.pdf; COSO (2013), An Update of COSO’s Internal Control – Integrated Framework, www.coso.org/documents/cosoicifoutreachdeck_05%2018%2012.pdf; IFAC (2012), Evaluating and Improving Internal Control in Organizations, International Federation of Accountants, New York, www.ifac.org/publications-resources/evaluating-and-improving-internal-control-organizations-0.
Sufficiently independent and capable internal audit is only one line of defence against risk to an entity, and should be coupled with public managers taking ownership for setting objectives, determining the level of risk that is acceptable in the pursuit of results, and implementing the relevant mix of controls. When responsibility for setting and achieving objectives and responsibility for establishing the right mix of controls are treated separately, there may be an ineffective over-reliance on internal and external audit to provide assurance of financial and non-financial (where relevant) compliance.
Line managers, as the primary risk owners, should design, implement, maintain, monitor, evaluate, and report on the entity’s internal control arrangements in accordance with the risk strategy and policies on internal control approved by the governing body. Staff in support functions (e.g., risk officers) or external experts can have facilitating or supporting roles, but should not assume line responsibility for managing risk or for the effectiveness of controls.
Overseeing the implementation of internal controls, or the compliance of audited entities with regulations, continues to be a core part of an SAI’s portfolio. The examples below seek to outline how SAIs are assessing select aspects of internal control and risk management in relation to the key elements outlined in Table 3.4.