70044 BELARUS: NOTE on the REFORM of INTERNAL AUDIT The government of Belarus requested that the World Bank provide a policy brief on the nature of reforms and capacity development initiatives to modernize the internal audit function in the public sector, and how the Bank could facilitate and partner with the Government to launch this transformation process. The purpose of this initiative is to create a collaborative structure and process to focus on and advance the internal auditing profession in Belarus’s public sector. General Background Recognizing the importance of sound public financial management (PFM) system, the Belarusian authorities have taken a number of measures for its improvement, including the introduction of program budgeting, extension of the coverage of budget by bringing most extra budgetary funds into the budget, and improvement of the quality of public investment spending. However, there still remain a number of weaknesses in public financial management, especially in the area of strategic allocation and transparency and accountability of public spending. The Belarus government had recently expressed its intention to benchmark their PFM system against international practices using the PEFA Performance Framework and improve the PFM system based on the findings of the PEFA assessment. The forthcoming PEFA report will be the first comprehensive diagnosis for overall PFM system in Belarus that could demonstrate strengths and weaknesses of the entire PFM system. Key findings on Internal Audit from PEFA report Among the various findings of the PEFA field work, the specific analysis of internal audit and control found that the emphasis is on external compliance controls by Ministry of Finance KRU, Tax inspectors, and State Control Committee. There is little evidence that these inspections uncover a significant level of error on the part of spending Ministries, whose systems are apparently sufficiently reliable. While not undermining the existing control mechanism, an effort may be made to place more of the responsibility for control onto the Ministries, and reorienting some of the work of the central inspection services as this would increase managerial efficiency for executing agencies. Also, consideration might be given to gradually introduce the international concept of internal audit, which strikes a balance between compliance and system audit (with a focus on value for money work, testing control frameworks, etc.) and, which could be coordinated by Ministry Finance KRU. Modernization of Internal Audit The Institute of Internal Auditors (IIA) defines internal audit as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.� The scope of internal audit work covers all the organization’s activities without regard for internal boundaries or geographical restrictions. The work of internal audit is based on the risk assessment, and encompasses the adequacy and effectiveness of governance, risk management, and internal control process in identifying and mitigating risks facing the organization. The risks include (i) financial and operational information may be unreliable, inaccurate or incomplete, (ii) operations may be ineffective and inefficient, (iii) assets (financial and non-financial such as information) may be manipulated or removed, (iv) the organization may breach laws, regulations or internal policies, (v) the ethical culture may support illegal or inappropriate behavior. Consistent with the recommendation of the PEFA report, it is advisable for the government to move to a system of internal audit which is based on the International Standards for the Professional Practice of Internal Audit – these standards are issued by the IIA and are also endorsed and supported by the European Confederation of Institutes of Internal Auditing (ECIIA). These standards provide guidance for the development and performance of the internal audit function and outline the systematic methodology for internal audit to deliver objective assurance. The trend in modern internal auditing is towards a decentralized model, where there is greater devolution of budget execution authority to line ministries, internal auditors usually report to the head of the spending ministry or agency, with a secondary reporting line to the central coordinating body. Regardless of which particular model of internal audit the government may ultimately choose, the five IIA core principles – independence, professional proficiency, scope of work, performance of audit work, and management of the internal audit department - are commonly found features of any well performing internal audit system. Internal auditors' unique full-time focus on risks and controls is vital to sound governance process -- and to sound financial reporting. More than ever before, audit committees and boards are looking to internal auditors for help with corporate governance issues. According to recent statistics from international news reports, in more than half of the 673 largest bankruptcies of public corporations since 1996, external auditors provided no cautions in annual financial statements in the months before bankruptcy. The need for internal auditing within corporate governance structures has never been more clearly demonstrated than by recent events. In the example of WorldCom (United States of America), $3.8 billion of dubious accounting was discovered by the internal auditor, who called the matter to the attention of the audit committee chairman when the then-chief financial officer resisted taking corrective action. In the United States, five of the seven largest bankruptcies in history, including Enron, Global Crossing Ltd., and Kmart Corp., followed annual reports with clean audit opinions from the external auditors.1 Europe has recently also seen its share of corporate fraud and cases of weak governance – Northern Rock (U.K), Siemens (Germany), Société Générale (France). 1 Bruce A. Adamec "Getting a leg up: as one of the four legs of corporate governance, internal auditors have an opportunity to provide strong support to the audit committee". June 2005 (Journal) Internal Auditor. These examples demonstrate that the larger and more complex the organization, the more difficult it is for external auditors, management, and boards to have an accurate picture of risks and controls. Internal auditors play a vital role within governance processes by keeping the board, senior management, and external auditors aware of risk and control issues and by assessing the effectiveness of risk management, and strengthening the organization’s efforts to combat fraud and corruption. This challenge equally applies to the public sector as well as pressures increase to not only make public expenditure more efficient and effective but also to better manage risks and to reduce the incidences of waste, fraud and corruption. In transforming the role and function of internal audit, there must be a strong commitment to improve overall governance, and the internal audit contribution to that effort, over the long term. As such, any reform of internal audit must be anchored in the government’s vision and reform for the overall public financial management system. Public Internal Financial Control Public Internal Financial Control (PIFC) is the framework used across the European Union member states from the former Eastern Bloc as a means to implement the basic control systems to safeguard public resources. PIFC is comprised of two primary components: (i) financial management and control systems and (ii) internal auditing. With regard to internal auditing, the PIFC framework is based on IIA Standards for the Professional Practice of Internal Auditing. While PIFC practices may vary from one EU member state to another, the variations are permitted as long as they are in alignment with the framework and standards. The flexibility of PIFC enables structures to be adapted and optimized to suit the national administration system of any country. PIFC outlines the objectives and outcomes to be obtained through reform/modernization but does not prescribe who or what institution should be responsible for each process or how each control process should be articulated.2 Public Sector Internal Auditing Capability Maturity Model (IA-CMM) This is an assessment and development tool used to determine the level of internal audit capability appropriate and optimum to its public sector organization and environment. The resulting analysis provides a roadmap to define, implement, measure, control and improve internal audit processes and practices. This model is based on the mandatory guidance of The IIA International Professional Practices Framework (Definition, Code of Ethics and the International Standards for the Professional Practice of Internal Auditing). This analytical model will review in detail the governance, standards. Organization structure, technical capacity and services of the internal audit function, and the results will be benchmarked against IIA-defined performance levels (the levels range from basic functions to world class organizations). This model will address the primary roles for internal auditing and the key aspects of the elements needed for success at different levels of capability – strongly anchored in the structure of the public administration’s 2 Alain-Gerard Cohen, Public Internal Financial Control – A New Framework for Public Sector Management (2007). organization and governance. It will also describe the path for development and transformation by elaborating the steps a government can follow to strengthen its internal auditing capacity. Upon completion of the initial review under the IA-CMM Framework, a roadmap for the reform of Internal Audit will be established. This plan will highlight training needs for public sector employees, and propose a specific series of technical assistance and advisory services to develop and deliver modern tools and techniques for modern internal audit. The development of training and skills development curriculum would be modeled on the internationally recognized certification programs (e.g., Certified Internal Auditor or Certified Government Audit Professional). Additionally, the application of the IA-CMM Framework would help to establish the governance structure to strengthen the long term sustainability of the internal audit reform and it would also assist the government to develop a communication strategy which will further facilitate the development of high quality internal audit programs across the public sector. Annex 1 - Recent EU Accession and other Country Experiences Several countries recently acceding or preparing for accession to the EU underwent internal audit reform and harmonization exercises. Common features of reform in these countries worth considering in developing Belarus’ policy on internal audit and internal control include:  Designating some office as the key harmonization unit for reform efforts, providing on-going review of Public Internal Financial Control (PIFC) system operations  Creating a higher-level, inter-ministerial committee to oversee reform efforts  Movement away from inspection functions and central, ex-ante controls towards modern internal audit as an advisory function  Creation of ministry-level internal audit bodies, even if there remains a central internal audit body to provide oversight, set standards, and conduct audits  Emphasis on creating an internal audit training program, and perhaps formal certification programs  Attention to legal refinements necessary to assure the independence of internal auditors at the ministry level Lithuania Traditionally, Lithuania relied on a partly centralized inspection function overseeing public financial management – there was no internal audit function as defined by INTOSAI or other international standards. In 1998, Lithuania began public administration reform, including planning for modernization of the public finance and public internal control framework. These reforms included the introduction of strategic planning, program budgeting, a focus on performance management and results, and efforts to clarify responsibility and accountability in the public sector. The strategic changes embodied in the reforms included a government-wide emphasis on program results rather than only inputs, emphasizing efficiency and effectiveness in program operations rather than compliance with rules, and shifting the central financial inspectorate function from a policing role to advisory role for program managers. By 2001, internal audit functions had been established, supporting legislation adopted, and a policy paper adopted by Government laying out the internal control framework for the public sector. In late 2002, Lithuania had consolidated reforms and EU concepts into a new Internal Control and Internal Audit Law, as well as supporting legislation, regulations, and guidance. By end 2003, Lithuania had established 184 internal audit units at central government, 60 units at municipal levels, and had more than 350 internal auditors in place. An important dimension of the progress made, and for future progress, was development of formal internal audit training programs with the support of the EU, and establishment of an internal auditor certification program. To implement these reforms, Lithuania established two bodies: (i) a Commission for Coordinating the Functioning of Internal Audit3 to oversee the reform to internal control frameworks, and, (ii) a Central Harmonization Unit4, a new office within the Ministry of Finance (MOF) tasked with developing standards and guidelines for the new internal control framework. Hungary During the 1990’s, Hungary had embarked on improvements to public financial management to support macro-fiscal discipline. Changes introduced included:  converting the central internal financial inspection service into the Government Control Office (attached to the Prime Minster’s Office, conducting audits of current and ex-post government operations on selected issues),  establishing a strong external audit body attached to Parliament, conducting ex-post audits and later attestations to financial reports,  establishing a fully modern treasury operation with key controls (e.g. assuring proper documentation, sufficient budget, prior to payment of invoices) inside the Ministry of Finance (MOF),  supporting a strong macro-fiscal forecasting unit in MOF as well as a modern, highly skilled debt management department. By the time EU accession discussions began, Hungary had most elements of a modern public finance system, including internal control systems, in place. One area Hungary had not addressed was creation of internal audit units directly within spending ministries. This emerged as an issue with the EU as early as 1997-8, given the expectation that EU funds would in many cases flow directly through line ministries (particularly agriculture, water, and environment). Despite having a central internal audit office operating on modern principles, with responsibility for overseeing government wide internal control and audit, Hungary created a Central Harmonization Unit with the Ministry of Finance and assigned it the tasks formerly held by the Government Control Office for oversight of the government internal audit functions. Hungary established several offices to support reform of the internal control framework, including:  A central harmonization unit within the Ministry of Finance in charge of restructuring the internal control system to EU conformity. This office 3 This commission is chaired by the Undersecretary of the Ministry of Finance, and includes representatives from the budget and state treasury department, municipal associations, Government Chancery (Prime Minister’s Office), Ministry of Internal Affairs, Training Institute, and a Central Harmonization Unit. 4 This unit also served as the key counterpart to EU internal control and audit offices, and was responsible for harmonizing Lithuanian frameworks with EU regulations. included a unit on financial management control, internal audit, and a legal coordination unit.  Within the legal coordination unit, a Hungarian National OLAF Coordination Unit was established as the primary counterpart to the European Anti-Fraud Office (OLAF)  A Consultative Inter-ministerial Steering Committee was established to oversee the entire PIFC system, and including representatives from the Ministry of Finance, State Secretariat for Public Asset Affairs (in the Prime Minister’s Office), the Internal Audit Association of Hungary, the Chamber of Auditors, and representatives from Higher Education. This body advises the Minister of Finance on ways to strengthen the over-all PIFC framework. Key tasks Hungary faced in 2003 on the eve of accession included:  Resolving over-lapping responsibilities between the Central Harmonization Unit in the Ministry of Finance and the Government Control Office (GCO) through primary legislation framework law and secondary legislation via decrees.  Modify regulations and decrees to move from central supervisory audits every three years by the GCO to planned audits, based on risk analysis, by each spending ministry.  MOF development of internal audit methodologies and standards (fortunately these could build on work previously undertaken by the Government Control Office) (commonly called tertiary regulations)  Developing a broader training and certification program for internal auditors  Clarifying the independence of ministry-level internal auditors Poland Poland, like other transition countries, did not have a tradition of internal audit. In 2001, Poland amended its public finance law to establish internal audit units in spending ministries. While many of these units have been set-up as of 2005, the quality of the internal auditors is weak. The amended public finance law also established unique structures, including:  An Internal Auditor General, reporting to the Minister of Finance, and able to conduct audits of any entity in Government spending or receiving funds --- excluding commercial enterprises (regardless of ownership).  A Financial Control and Internal Audit unit within the Ministry of Finance, reporting to the Internal Auditor General, and conducting government-wide audits upon written instructions from the internal auditor. This unit also was assigned the task of coordination with the EU anti-fraud unit (OLAF), and jointly conducting investigations with EU authorities as appropriate. The FCIA is also supposed to conduct formal assessments of line ministry internal control operations. While the Public Finance law, as amended, does not give internal audit authority over public enterprises, the Supreme Audit Institution (NIK) does have jurisdiction over any entity receiving public finds. Poland’s White Paper does include a section addressing Fiscal Control (treasury review and audit of tax administration) for all entities owing the State money, and Customs Control to verify the rate of payment and compliance by those entities importing goods or services. Bulgaria The Bulgarian 2002 Public Internal Finance Control Law proposed several specific measures to further improve its internal control and audit regime, including:  Creating independent financial controllers in each budget spending center, superior to the chief accountant and subordinate to the head of the agency (no explanation is given of what benefit this will provide, or why it is being undertaken).  Repealing PIFCA financing through the collection of fines and penalties;  Transfer financial management and control harmonization functions from PIFCA to another unit in the MOF;  Eliminate the ability of PIFCA to assume direct ex-ante control over agency financial management  Initiate a broad training program for internal auditors  Introduce modern audit and control standards and practices  Further automation of the financial management information system The law, which has been in effect since January 2003, has not only modernized the internal audit function but also has brought Bulgaria’s internal audit practices into alignment with EU standards. Ukraine Ukraine is undergoing a similar transformation process – enacting reforms similar to the principles in the PIFC, which will modernize and upgrade the performance of its Main Control and Revision Service (KRU). Having adopted the concept of Public Internal Financial Control through the 2005 Cabinet of Minister’s Decree, the program will establish an independent Central Harmonization Unit (CHU) for PIFC, which after a transition period will be re-located within the Ministry of Finance. The program will also develop, KRU’s capability, during the transition period, to conduct centralized internal audits (as required by the Cabinet of Ministers) with the aim of establishing a decentralized and functionally independent internal audit system in the public sector and to re-focus inspection activities on forensic auditing. Ukraine is benefitting from a twinning arrangement and peer-assistance provided by the government of Sweden’s National Financial Management Authority.