69835 Strategic Plan for Strengthening of Internal Audit in Government of Bihar Introduction 1. The Government of Bihar has adopted various reform measures to modernize fiscal and financial management such as passing of the Fiscal Responsibility and Budget Management Act, adoption of Government of India’s General Financial Rules and decentralization of financial powers to respective departments with a view to increasing the pace of expenditure and implementation of plan schemes. However, for decentralization to be effective the supporting public financial management systems need to be also modernized. Accordingly, the Government had entrusted a project ‘Modernization of Budget & Financial Rules and Procedures’ to Centre for Good Governance (CGG), Hyderabad. The project requires CGG to comprehensively revise the Treasury Code, Financial Rules and Budget Manual, and to provide a roadmap to modernize and strengthen internal audit function in the government. With respect to internal audit, the terms of reference for the project provide the following: ‘review the existing systems and practices, scope, methodology, reporting arrangements, staffing skills, etc and provide a road map for modernization including (i) preparation of an internal audit manual incorporating modern approaches and techniques of internal audit; (ii) assist internal audit department to prepare an annual audit plan; (c) design training module and deliver training of trainers and (iv) advise Government of Bihar on implementation of the new approach to internal audit.’ 2. The expected outputs from consultants are an internal audit reform/modernization plan, a manual for internal audit incorporating modern approaches and techniques to internal audit and a training module for internal audit staff. Methodology 3. Strengthening and developing Internal Audit Function typically involves the following steps:1 a. Develop a strategic view of the IA by top management, covering not only compliance and regularity audit but, depending upon the requirement, the wider role of ensuring efficiency of expenditures, especially planned reform initiatives in other areas; b. In the light of this strategic view, restructure audit practices to move to higher level audits; c. Review IA function and staffing, and redesign the organizational structure and responsibilities; d. Prepare IA manuals based on the new vision of the IA service; e. Based on these manuals, design a training programme for internal auditors to fulfill their new role; f. Encourage IA involvement in the development of new financial and accounting systems to ensure that adequate controls are built into these systems. 1 Role of Internal Audit in Government Financial Management: An international Perspective (IMF Working Paper – WP/02/94) Strategy for strengthening Internal Audit in GoB 4. CGG has firstly studied the existing organization structure of the internal audit function in GOB, the skills and capacity of the internal audit staff, the working conditions in the main office and divisional offices, the perception of others about internal audit and so on. They have visited the main office in Patna and the divisional office in Gaya. After identifying the strengths and weaknesses of the system, a road map has been prepared for strengthening the internal audit in the government. The recommendations have been made keeping in view the international best practices and Internal Auditing Standards issued by Institute of Internal Audit (IIA) and the auditing standards and guidance on internal controls issued by the International Organization of Supreme Audit Institutions (INTOSAI) Internal Controls and Internal Audit 5. Internal Control is an integral process that is operated by an organization’s management and personnel and is designed to address risks and to provide reasonable assurance that in pursuit of organization’s mission, the following general objectives are achieved:  executing orderly, ethical, economical efficient and effective operations;  fulfilling accountability obligations;  complying with applicable laws and regulations;  safeguarding resources against loss, misuse and damage 6. ‘Simply defined, internal control is the process by which an organization governs its activities to effectively and efficiently accomplish its mission’ (INTOSAI). 7. Committee of Sponsoring Organizations (COSO) has developed an internal control framework that has come to be accepted as the standard all over the world. The key concepts of COSO framework include:  Internal controls are an on-going process, a means to an end, and not an end in themselves;  Internal controls are affected by people at all levels of an organization and not just policies and their documentation; and  Internal Controls will never eliminate risks but can provide a reasonable assurance that controls are in place to mitigate risks. Internal control system exists to help organizations to meet their goals and objectives. They enable management to deal with the changes in internal and external environments. They also promote efficiency, reduce risk of loss, and help ensure financial statement reliability and compliance with laws and regulations. The COSO Framework for internal control system consists of five interrelated and equally important components:  Control environment: The control environment sets the tone of an organization influencing the control consciousness of its staff. Firstly, it is important that the organization recognizes the importance of personal and professional integrity, competence and ethical values. Secondly, the roles and responsibilities should be clearly spelt out so that there is no ambiguity in determining accountability. Lastly, the management should not normally Centre for Good Governance 2 Strategy for strengthening Internal Audit in GoB override internal controls for reasons of expediency, which would send a wrong message to staff that they are not important.  Risk assessment: Risk Assessment is the process of identifying and analyzing relevant risks to the achievement of organization’s objectives. As part of the risk assessment, an organization should identify the risks that it (or a scheme) is exposed to, evaluate the probability of the risk actually occurring, assess the consequences and lastly, develop a response viz. treating transferring or tolerating the risk.  Control activities: Control activities are the policies and procedures established to address risks and to achieve organization’s goals. They are in the form of various controls that either prevent or detect wrong doing. Generally, they would involve procedures for authorization, approval verification, segregation of incompatible duties, reconciliations, reviews, supervision. Controls should be such that they are appropriate, cost effective and comprehensive.  Information and communication: Controls would be pointless if they are not communicated across the organization.  Monitoring: Working of internal controls should be continuously monitored in order to assess their effectiveness. One of the important means of monitoring internal controls is internal auditing. 8. Internal auditing is defined by Institute of Internal Auditors (U.K. and Ireland) as 'an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve effectiveness of risk management, control and governance processes.' 9. Internal audit is a part of an organization's internal control framework because it is a master control that checks whether all other controls are working effectively. Internal Audit is 'a managerial control which functions by measuring and evaluating the effectiveness of other controls' (The Institute of Internal Auditors, New York). In this sense, internal audit is an overarching control over all other controls. It seeks to find out whether all other controls are satisfactorily working in practice by subjecting them to compliance tests. Where the compliance is either weak or absent, the internal audit conducts substantive checks in order to evaluate the impact of the non-compliance. Thus, it provides the management with a periodical assessment of the functioning of internal controls within the organization and recommends measures for strengthening them. 10. For being effective, IA should be manned by trained and competent staff and supervisory officers. Secondly, its independence must be ensured through proper reporting arrangements and a clear mandate. Lastly and most importantly, the effectiveness of IA would ultimately depend upon the importance that the organization attaches to its reports, which is reflected in the action taken. Centre for Good Governance 3 Strategy for strengthening Internal Audit in GoB 11. Duties and responsibilities of internal audit2 involve all or some of the following depending upon the charter: a. Reviewing the compliance with the existing government financial regulations, instructions and procedures; b. Evaluating the effectiveness of the internal control systems; c. Appraising the economy and effectiveness with which financial and other resources are being used; d. Reviewing the reliability and integrity of record keeping and reporting on financial and operating information systems; e. Pre-audit of payments and other important activities; f. Verifying and certifying periodical financial returns such as pending bill returns, expenditure returns, revenue returns etc. g. Investigating irregularities identified or reported; h. Ensuring that revenue and other receipts due to the government are collected promptly, banked immediately and fully accounts; i. Carrying out spot checks on areas such as revenue and receipt collection points, projects, supply, and delivery sites to ensure compliance with procedures and regulations; j. Reviewing budgetary controls on issuance of warrants, commitments, expenditures, revenue collections and accounting from time to time; k. Ensuring that government physical assets are appropriately recorded and are kept under safe custody; l. IA should be involved in systems and program development to ensure that adequate controls and risk management processes are built into the system. 12. Audit may be classified according to the nature of the coverage or the subject of such coverage. Taking the nature of the coverage, audits may be categorized as follows:  Regularity audit: Audit against rules, regulations, etc.  Audit against provision of funds: Checking compliance with the legislative directions expressed through budgetary appropriations.  Propriety & Performance Audit: Checking the economy, efficiency and effectiveness of expenditure.  Information Systems Audit: Auditing a computerized system to see whether the controls are adequate to ensure that transactions are correctly processed and outputs obtained are as they should be.  Financial Audit: Certifying the true and fair view of financial statements of an organization. 2 Role of Internal Audit in Government Financial Management: An international Perspective (IMF Working Paper – WP/02/94) Centre for Good Governance 4 Strategy for strengthening Internal Audit in GoB On the other hand, audit may be related to a specific activity / area of an organization such as:  Audit of sanctions  Establishment audit  Audit of Contingent expenditure  Audit of Grants-in-aid  Audit of Contracts  Audit of Stores  Audit of Deposits  Public Works & Forest Audit  Audit of Borrowings, Loans, Advances, Guarantees, Reserve Funds, Suspense Transactions and Interest Payments  Audit of Remittance Transactions  Audit of World Bank and other Externally Assisted Projects 13. As stated above, the types of audit conducted by the Internal Audit would depend upon its charter and on the maturity of the systems. Where the capacity of line departments in financial management is not well established, IA would be engaged in verifying the compliance with laws and rules in a centralized mode i.e. a centralized internal audit department functioning under Ministry of Finance. Once the government line departments develop capacity to comply with basic rules and regulations and budgetary allotments, the IA may be used for a higher level of audit to verify effectiveness and efficiency in expenditure in a decentralized mode i.e. IA would be located in the important line departments reporting to heads of those departments. Decentralized Effective & System efficient use of resources (Value for money) Macro-economic stability (Audit against provision of funds) Centralized System Compliance with financial laws/ rules and regulations (Regularity Audit) Objectives of Audit Centre for Good Governance 5 Strategy for strengthening Internal Audit in GoB Standards of Internal Audit 14. Internal audit should adhere to the standards of best practices developed by the Institute of Internal Auditors and the Comptroller and Auditor General of India. The internal Auditors are expected to apply and uphold the following principles (Code of Ethics and International Standards for Professional Practice of Internal Auditing - Institute of Internal Auditors, U.K. and Ireland): Integrity The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment. Internal auditors shall perform their work with honesty, diligence and responsibility. They should be fair and just in conducting the audit. They shall not accept any inducements from any individuals of the department during the audit process. S/he shall not collude with the employees of the department by disclosing any audit findings thus compromising possible action against them. Objectivity Internal Auditors shall maintain utmost objectivity in conducting the audit and reporting their findings. They should acknowledge and incorporate all information received from the department without withholding any information which may distort the reporting of activities under review. Internal auditors shall be fair in reporting any improper activities and transactions within the department without fear or favour. Confidentiality Internal auditors should respect the value and ownership of information they receive and should not disclose the information without proper authority unless there is a legal or professional obligation to do so. Internal Auditors should not use information for any personal gain or in any manner that would be contrary to law or detrimental to legitimate and ethical objectives of the organization. Competency Internal auditors should possess thorough knowledge of the audit process and objectives of the audit. They should be competent in identifying the information needed for the audit purposes and shall not expend resources in collecting irrelevant and redundant information. They should strive to maintain highest quality of performance and should continually engage in improving their proficiency in audit procedures and techniques by acquiring additional knowledge and skills. Independence The internal auditor should not only be independent but appear to be independent of the Department under audit review. To ensure independence, the internal audit function should directly report to the audit committee appointed by the government or Principal Secretary in Finance Department or the Chief Secretary. Most importantly, internal auditors should not be involved in the regular departmental duties. Centre for Good Governance 6 Strategy for strengthening Internal Audit in GoB Existing organization, personnel, skills and capacities 15. Internal Audit Section known in GoB as Finance (Audit) Section (hereinafter referred as FAS) was set up in 19533. There is a dedicated cadre of auditors manning the Internal Audit Section which is headed by a Joint Secretary level officer viz. Chief Controller of Accounts. (Please see the Organization of FAS below) Organization Chart of Financial Commissioner Internal Audit Function Chief Controller of Accounts Controller of Audit Divisional Audit Offices Dy. COA Dy. COA Dy. COA Accounts, Office management, Audit Follow up of programming, audit reports vetting of audit reports Senior Auditors (Grades I and II) 16. Chief Controller of Accounts (CCOA) is an officer of Indian Administrative Service or Bihar Administrative Service. CCOA post has generally been held as an additional charge, though the present CCOA is full time in charge of FAS. He is assisted by a Controller of Accounts, which post is presently vacant. There are three Dy COAs posts under COA, of which one post is currently vacant. The FAS is organized into headquarters at Patna and seven field (divisional) audit offices. Each field audit office is headed by a Dy COA. Senior Auditors Grade I and II form the workforce. There are 49 and 433 posts of Senior Auditors Grade I and II respectively as against which there are 6 and 271 Senior Auditors Grade I and II respectively. The position of sanctioned strength and men in position is shown below: Post Sanctioned Men –in- Vacant Strength position Controller of Accounts 7 - 7 Deputy Controller of Accounts 23 7 16 Senior Auditor Grade I 49 5 44 Senior Auditor Grade II 433 280 153 512 292 220 3 Report of Bihar State Administrative Reforms Commission Centre for Good Governance 7 Strategy for strengthening Internal Audit in GoB 17. Public Accounts Committee has recommended filling up all vacant posts. Recruitment of 150 Auditors is stated to be pending with the Bihar Public Service Commission. Almost all Senior Auditors are expected to retire by 2011. It is also observed that most of them have not got their promotion to higher grade despite there being vacancies. 18. Although initial recruitment takes place from a general pool of candidates, for confirmation in each grade and for promotion to next higher grade one has to pass the departmental examination which comprises papers on various codes and manuals besides auditing and accounting. There is, however, very little or no further in-service training given to the FAS staff. 19. CCOA’s office has two computers while none of the divisional offices has any computers. The audit reports are still type written. There is no other office equipment such as photocopiers or fax machines in either the CCOA’s office or divisional offices. The working conditions of the CCOA’s office and Divisional Office (Gaya, which the consultants visited) are very poor. Past audit reports and other records are all kept in paper (non-digitized) form. Although they have been apparently preserved well, retrieval of reports could be an issue. Also, any analysis of data (such as particulars of objections pending against a department for certain period or particular type of objection pending against all departments) is just not possible. 20. There are about 25,000 offices (auditable units) under the purview of FAS; of these, about 2500 are large establishments4. Obviously, FAS does not have the capacity (in numbers) to audit all the offices or even a reasonable number of them in year. Therefore, the audit coverage is selective and limited to higher spending departments such as the Health, Rural Development, Irrigation, etc. According to CAG’s Audit Report for 2006-07, FAS could audit only 17 out of 334 offices of Agriculture Department from 2002 to 2007. Besides, there are frequent requests (as many as seven to eight per month) for special audits which further strain the FAS’ scarce resources and upsets regular audit programme. Special audits also take up a lot of time and tie up resources as they generally involve cases of large scale irregularities and, as a corollary, draw very little cooperation from the audited unit. 21. Due to decentralized set up of FAS, travel is limited as most divisional offices audit adjacent districts. Even so, a travel expenditure of nearly 9 crore is provided in the budget for 2008-09. It is reported that as some FAS staff claimed travel expenditure without actually visiting the places of travel it has led to the non-reimbursement of Travel Allowances across the board. There is a general sense of frustration among FAS staff on account of non-progression in career and non-reimbursement of TA/DA. On the other hand, there is a general sense of distrust of FAS staff by authorities both as to their integrity as also their capability. 22. FAS’ Audit is generally involved with checking compliance with rules (regularity audit). Occasionally, it may also conduct a value for money audit. The FAS issues about 200 audit reports in a year. Response to audit objections is poor with a large number of them pending settlement despite the directions of the Hon’ble High Court and the concern expressed by some members of Legislative Assembly. There are as many as 16,000 audit objections pending replies / settlement. The mechanism of audit committees has made small impact on 4 Source: Bihar Administrative Reforms Commission Centre for Good Governance 8 Strategy for strengthening Internal Audit in GoB the pendency. CAG has also pointed out poor response to FAS audit reports. It was pointed out that FAS had issued 338 Audit Reports in respect of Health Department during 2001-06 with money value of Rs 48.98 crore including cases of defalcation of which only Rs 4.13 lakh was settled5. 23. Bihar State Administrative Reforms Commission has made several recommendations on strengthening Internal Audit function in government. Some of them are: a. Internal Audit section should have strength of at least 1000 audit staff in order that all large offices (about 2500) are audited once every year and the smaller ones every three years; b. In order that internal audit enjoys sufficient degree of independence it should be established as an independent high powered directorate under the charge of a Commissioner level officer who should enjoy the powers of a head of the department and report directly to Finance Secretary or Finance Minister; c. Internal audit function should be headed by a senior Indian Administrative Service officer or an officer of equivalent rank from Indian Audit and Accounts Service or an officer familiar with internal audit from any other service. d. In order to facilitate concurrent audit, internal audit may be made permanently resident in some departments 24. Public Accounts in its report no. 315 strongly recommended that government should take immediate action to fill the vacancies within 6 months as also increase their strength. It also directed the departmental secretaries to monitor compliance with Internal Audit reports. Strengths and weaknesses of the present internal audit dispensation 25. The relative strengths and weaknesses of internal audit section in GOB is given in the table below: Strengths Weakness The fact that there is an internal audit The charge of FAS has mostly been held as section working directly under Finance additional charge and did not therefore Department for the past more than five receive the required attention of the head. decades is in itself among the most significant strengths of internal audit function in GoB. A dedicated cadre of auditors, a system of There are far too many auditable units for departmental examinations for them, 512 internal audit to cover in a reasonable period sanctioned posts (notwithstanding 50 which is further aggravated by vacancies. percent vacancies), and a Joint Secretary level officer as head of FAS are other 5 CAG Audit Report (Civil) for 2005-06 Centre for Good Governance 9 Strategy for strengthening Internal Audit in GoB major plus points Demand for special audits detracts internal audit from its main task and this firefighting only worsens the compliance system There has been very little or no in-service training (continuing education) of internal audit staff Working conditions are very poor with very little or no modernization of internal audit office The morale of the staff is very low due to lack of promotions, poor working conditions and lack of new learning opportunities as also denial of travelling allowance. Although audit committees have been doing reasonably good work, compliance with internal audit observations / recommendations has otherwise been extremely poor making it ineffective in practice 26. Internal Audit function in most state governments and also in the central government is either non-existent or in a very nascent stage. In the GoI, the internal audit is done by the Chief Controllers of Accounts and is in the nature of inspection. To that extent it is not an independent oversight or internal audit in a true sense. On the other hand, it must be said in favour of GoB that it has a centralized internal audit department with a recognized cadre and sanctioned strength. This is a major plus point because many states do not meet this fundamental prerequisite. Therefore, GoB can start from building upon the foundation that is already there. Centre for Good Governance 10 Strategy for strengthening Internal Audit in GoB Strategy for strengthening Internal Audit function 27. The strategy for strengthening the internal audit may be seen from several perspectives viz. the internal auditing standards that set out the benchmarks or the expectations of the stakeholders i.e. the legislature, the executive and the internal audit section itself, etc. An attempt has been made to examine the subject from various standpoints. When making recommendations, it has been recognized that what might be ideal may not be practicable; or, while ideal solution may be feasible in the long run, a practical solution may be immediately implementable. Therefore, wherever possible both ideal and practical solutions have been offered. Recognize Internal Audit as an assurance function 28. Any discussion about the internal audit must begin by examining the assumption underlying the expectation from audit i.e. that internal audit helps catch the wrong doer and therefore deters others from wrong doing or that it is basically an oversight mechanism or a master internal control that it is. 'The fear of audit' is supposed to keep a check on malpractices in government departments. While there may be an element of truth in this, it is not quite correct to view auditing as a policing or a regulatory function for two reasons. Firstly, it does not encourage ethical behaviour as a value in itself. Instead, it places the burden on the audit to 'catch' the wrong doer. This can be an expensive exercise because when audit's aim is to 'catch' wrong doer its coverage has to be higher. For instance, even though a school or a taluk level office is not material enough to warrant audit, it would still need to be audited to 'enforce' discipline. Even so, one would do well to remember that one of the standard disclaimers given by any audit is that ‘its procedures are not designed to detect each and every instance of fraud’. Secondly, an agency which is so used (as any regulator) would need to be insulated from threats, inducements, etc. which again call for higher expenses. 29. Traditionally, internal audit was seen more as an inspection mechanism concerned with identifying and reporting compliance with rules and procedures. While this objective remains relevant even today, internal auditors are now looked upon more as assurance providers to endorse soundness of processes within the organization. The establishment and monitoring of the internal controls is the primary responsibility of the management. In other words, they set the tone through their actions, policies, and communications which result in a culture of either positive or lax control. As part of internal controls the managers are expected to plan, implement, supervise, and monitor the internal controls. This is part of their stewardship responsibility over the use of government resources. The internal auditor provides an independent and objective assessment on their adequacy and offer suggestions for improvement. ‘The managerial accountability principle is the first and most important lock in a double-lock system for sound financial management; the second lock is internal audit supporting management in analysing and understanding the weak areas of the control systems developed by management.’6 6 PIfC – Public Internal Financial Control – An European Commission initiative to build new structures of public internal control in applicant and third party countries Centre for Good Governance 11 Strategy for strengthening Internal Audit in GoB Internal Management Controls Internal Audit Create positive control environment Maintain independence Ensure professional competence of Assesses risks its staff Design and implement controls Verify compliance with controls through audits Create awareness about controls Recommend ways to improve Monitor control operations operations and controls Respective roles of Management and Internal Audit 30. Similarly, Internal Organization of Supreme Audit Institutions (INTOSAI) notes that ‘Responsibility for providing an adequate and effective internal control structure rests with an organization’s management. The head of each governmental organization must ensure that a proper internal control structure is instituted, reviewed, and updated to keep it effective. A positive and supportive attitude on part of all managers is critical. All managers must be individuals of personal and professional integrity. They should maintain a level of competence that allows them to understand the importance of developing, implementing, and maintaining effective internal controls.’ 31. The Government of India’s General Financial Rules 2005 defines the role of Chief Accounting Officer as below: The Secretary of a Ministry / Department who is the Chief Accounting Authority of the Ministry / Department shall a. be responsible and accountable for financial management of his Ministry or Department. b. ensure that the public funds appropriated to the Ministry or Department are used for the purpose for which they were meant. c. be responsible for the effective, efficient, economical and transparent use of the resources of the Ministry or Department in achieving the stated project objectives of that Ministry or Department, whilst complying with performance standards. d. appear before the Committee on Public Accounts and any other Parliamentary Committee for examination. e. review and monitor regularly the performance of the programmes and projects assigned to his Ministry to determine whether stated objectives are achieved. Centre for Good Governance 12 Strategy for strengthening Internal Audit in GoB f. be responsible for preparation of expenditure and other statements relating to his Ministry or Department as required by regulations, guidelines or directives issued by Ministry of Finance. g. shall ensure that his Ministry or Department maintains full and proper records of financial transactions and adopts systems and procedures that will at all times afford internal controls. h. shall ensure that his Ministry or Department follows the Government procurement procedure for execution of works, as well as for procurement of services and supplies, and implements it in a fair, equitable, transparent, competitive and cost-effective manner; i. shall take effective and appropriate steps to ensure his Ministry or Department: -  collects all moneys due to the Government and  avoids unauthorized, irregular and wasteful expenditure 32. Thus, distinguishing the respective roles of management and internal audit is central to strategy for strengthening internal audit. Audit is no doubt a mechanism to ensure accountability. Howsoever strong, the internal audit will fight a losing battle if the general internal control environment in government is poor. Fiduciary risks are mitigated when standard internal controls such as effective supervision, proper authorizations, timely reconciliations and maintenance of proper records operate as they should. The most important factor contributing to heightened fiduciary risk is the poor capacity of persons handling financial matters. It is felt that many cases of ‘special audits’ in GoB point to failure of internal controls across the government. 33. It is recommended that the government must first of all try to improve the general control environment in the offices by a) sensitizing the managers about the risks and their responsibilities in mitigating them through a sustained campaign about importance of internal controls by means of training programmes and seminars; b) building the capacity of its finance and accounting staff so that they are able to discharge their responsibilities competently; and c) comprehensively reviewing the availability of qualified accounting staff and take suitable measures to supplement them. Though not a part of this project deliverable, CGG offers to a) conduct a half-a-day workshop for Senior Officers (Principal Secretaries / Secretaries) on internal control framework of government and their responsibilities; and b) conduct a Training of Trainers (ToT) module for Drawing and Disbursing Officers on financial accountability. Clarify the role and position of Internal Audit through a Charter 34. As mentioned above, it is exceptional that there is an internal audit section working directly under Finance Department with an organized cadre of audit staff headed by a Joint Secretary level officer. However, an internal audit charter that reiterates the nature, role and functioning of the internal audit in the government would be helpful. 35. In order to strengthen internal audit in the eyes of audited units, the government should issue a formal charter setting out the role of Internal Audit and the expectation from the auditee units. A model charter is given in Annexure A for guidance. Centre for Good Governance 13 Strategy for strengthening Internal Audit in GoB 36. Similarly, it would be helpful if the government evolve s Internal Audit policies covering:  Operational independence (communicated through the Charter)  Professional competence and training  Resources  Scope of work to be undertaken  Involvement in risk management and developing internal control policies and procedures  Reporting and  Quality review Consider setting up an independent Directorate for Internal Audit 37. Position of internal audit under PS, Finance is satisfactory in the sense it enjoys independence from the departments that are subject to its audit. However, as suggested by Bihar State Administrative Reforms Commission, the government may consider setting up Internal Audit as a separate directorate reporting either to the PS, Finance or Chief Secretary. Independent directorate gives IA a higher profile in the government thereby sending an unequivocal message to all about the importance attached to IA function by the government. Secure able leadership of Internal Audit 38. Effectiveness of any organization depends upon the leadership provided by the head. Two basic requirements of a head of organization are: a) s/he has the necessary skills and competence to lead the organization and b) s/he gives the organization undivided attention. As for skills and competence, the head of Internal Audit should have in depth knowledge of the legal and institutional framework of the government i.e. the many codes and manuals that apply to a government department’s functioning. S/he should also be conversant with the latest audit techniques and methodologies including Information Systems Audit. Good computer skills and knowledge of statistical methods would be of added advantage. Head of IA to be truly independent must be free from fear of reprisals on his return to mainstream posting. 39. As already mentioned the charge of the FAS has generally been held as additional charge by an officer of Finance Department. Bihar State Administrative Reforms Commission has recommended that FAS be headed by an IAS officer or an officer from the Indian Audit and Accounts Service or any other central Financial / Accounting service. If internal audit function is to be strengthened one of the first requirements would be to post an officer full time in charge of IA. To be fair, a bright young IAS officer would look forward to a line department job rather than to posting as head of IA. Even the State Administration would be less inclined to spare services of such an officer for IA rather than use him/her in a line department. Availability of a willing and suitable IA&AS officer or a central service officer is matter of chance and therefore cannot be adopted as a policy. The other option would be to take a suitable retired officer from IAS, IA&AS or central service for a fixed tenure on a consolidated pay. 40. Given the uncertainties and imponderables mentioned above it would be difficult to prescribe a course of action. One possibility that the government should consider is to upgrade the CCOA post to the level of Secretary which would have following beneficial consequences: Centre for Good Governance 14 Strategy for strengthening Internal Audit in GoB a. A Secretary level officer with more years of experience in government would be able to better guide the Internal Audit; b. S/he would be able to obtain better compliance from the departments because of her/his seniority in the bureaucracy; and c. It would be easier find a candidate from both the IAS and other services at Secretary-level rather than at lower levels. West Bengal government had a senior officer from IA&AS as Special Secretary (Internal Audit). After his reversion to parent department, the GoWB have again taken another officer from IA&AS. Re-designate Chief Controller of Accounts as Director of Audit 41. The present designation of head of Internal Audit i.e. Chief Controller of Accounts is misleading as he does not keep any accounts nor is his duty only to audit accounts. It would be appropriate if the head of IA is re-designated as Director of Audit and officers below him suitable as Deputy and Assistant Director of Audit. Gradually enhance the scope of Internal Audit 42. Internal Auditing Standard with regard to performance lays down that: ‘The internal Audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.’ Presently, the internal audit is involved in regularity or special audits entailing investigation into reported irregularities. As long as the general control environment remains poor, there is no escape from the routine audits for internal audit. However, sooner rather than later, the IA would be expected to conduct value for audits as also information systems audit and also advise the government on various matters of controls in government. Thus, IA should build competence in all these areas. 43. The other aspect of scope of audit is coverage of departments. Internal audit department would not be able to cover all departments or all activities in their entirety nor is internal audit expected or required to cover them hundred percent. Therefore, internal audit department has to prioritize its audit by selecting the auditee units / transactions based on assessment of relative risks. 44. As IA’s observations should lead to bringing about recommended changes in internal control or strengthening it, it would be necessary that the evidence for the audit conclusions are so obtained that it should be possible to extrapolate them. In other words, IA should select transactions in such a manner that it should be possible to draw broad generalizations about the status of internal control. To illustrate, IA might find that cash book is not being maintained properly in a number of offices within a department. If the instances have been picked through statistical sampling methods, it would be possible to generalize about poor maintenance of cash book. Besides, the use of statistical methods would enable more efficient use of the scarce resources by facilitating extrapolating the results to draw inferences about the whole populations by actually auditing few transactions. Also all staff would need to have computer skills to Centre for Good Governance 15 Strategy for strengthening Internal Audit in GoB  use word processing software to prepare audit reports and for routine correspondence;  use simple database application to store/retrieve/ analyse past audit objections;  use simple computer assisted audit techniques (CAAT); and  do a basic information systems audit. While some basic computer skills may have to be imparted to all IA staff, the higher skills of IS audit / use of CAAT software and statistical methods may be either a) pooled for the entire organization in a small expert group or b) obtained through outsourcing. The latter topic i.e. outsourcing is discussed separately below. 45. Once the IA moves from propriety audit to value for money and performance audits, the IA staff would need to be imparted special training in these areas. In addition, they would also need exposure to audit of contracts, government accounts, and so on. IA should develop skills to do value for audit, information systems audit and prepare annual audit plan based on risk assessment of auditee units and use statistical methods where required. While some skills (e.g. value for money audit) would have to be more wide spread, others such as statistical methods, information systems audit, etc. could be initially provided in small expert groups. Government should develop a short term and a medium term plan for capacity building of IA, which could involve training existing staff and recruiting (co-opting and taking on deputation from outside GoB) some specialists for IA. The office of C&AG has several Regional Training Institutes (RTI) located across the country including Ranchi and Kolkatta. The RTIs conduct training programmes on various audit related subjects. GoB could request office of C&AG to provide training for its internal audit staff through RTIs at Ranchi and Kolkatta on payment of a course fee. Eventually, the state Administrative Training Institute should be able to adopt these courses and run them for new recruits and other government officers. Improve the morale of Internal Audit staff by ensuring timely promotions 46. It is understood that most of the internal audit staff have remained in the same grade as the grade in which they joined. As the staff is the basic resource for delivering the function, it is obvious that effective internal audit would be difficult with a workforce that is low on morale. There are as many as 7 posts of CoA, 16 posts of Dy. COA and 44 posts of Senior Auditor Grade I vacant. Non-promotion of eligible officers in a timely manner not only causes avoidable disaffection among staff but also leaves vital gaps in chain of command which adversely affect the management. 47. The Government should expeditiously convene the Departmental Promotion Committees and promote those who meet the eligibility criteria. This would send a positive message to staff and enhance their morale and their output. Complete the fresh recruitment of IA staff expeditiously 48. It is understood that recruitment of 150 Auditors is pending with BSPC. It is necessary to complete this process early, if it has already begun. Otherwise, it might be a good idea to first improve the profile of the internal audit in the government by placing it under the charge of Centre for Good Governance 16 Strategy for strengthening Internal Audit in GoB Secretary level officer and completing the promotions of eligible persons at all levels so that the recruitment would attract more qualified candidates. 49. Internal audit is a discipline that requires intimate knowledge of the procedures and processes in the government. As government accounts or procedures are not part of any course curriculum, it is obvious that anyone joining the IA would be not having much idea of these aspects. It is therefore necessary that the induction training for newly recruited auditors is rigorous in both theoretical and practical training so that it prepares them for the job adequately. Equip Internal Audit with modern equipment 50. For professionally upgrading the Internal Audit, it is important to equip it with computers, printers, photocopiers and fax machines. The Internal Audit reports should be prepared using word processing software so that they are available in a digitized form for easy reference at a latter date, even though hardcopies of reports may be preserved for some period. Outsource / engage qualified staff on contract basis in the interim 51. In order to meet the staff / skill shortages in the medium term, the government may: a. Engage qualified retired persons from both Finance Department / GOB itself as also from the office of Accountant General on a contract basis for short tenures of one to two years; b. Take officers from Accountant Generals’ office on deputation; and c. Outsource the work to an expert agency. 52. In case of outsourcing some part of internal audit, the Government / Internal Audit Department must ensure that the duties of outsourcing vendor are clearly spelt out in a written contract, often taking the form of engagement letter. Such a contract should include the following:  Define the expectations and responsibilities under the contract of both the parties;  Set the scope and frequency of, and the fees to be paid for, the work to be performed by the vendor;  Establish the process for changing the terms of service contract, especially for expansion of audit work if significant issues are found, stipulations for default and termination of the contract, and for resolving disputes;  State that the IA reports are the property of the government, and the government will be provided with any copies of the related working papers if required, and the government would have reasonable and timely access to the working papers; (alternatively, it could be stipulated that the working papers be also made over to government along with related reports)  Stipulate that the vendor will not engage in any other contracts that will conflict with his obligations under the engagement.  The government must perform due diligence to satisfy itself that the outsourcing vendor has the capacity to perform the contracted work. Centre for Good Governance 17 Strategy for strengthening Internal Audit in GoB Centre for Good Governance 18 Strategy for strengthening Internal Audit in GoB List of Recommendations Subject Sl. Recommendation Timeframe No Role, position and 1 Recognize internal audit as an assurance function Short Term status of Internal that complements strong internal control (Through issue of a Audit framework of the government. Government Order) 2 Improve the general control environment in the Short t Term offices by sensitizing the managers about the risks (By conducting reviews, and their responsibilities in mitigating them workshops, etc. and through a sustained campaign about importance of through circulars, internal controls by means of training programmes posters, etc.) and seminars. 3 Build the capacity of its finance and accounting Medium Term staff so that they are able to discharge their (Through extensive responsibilities competently. training programmes to be conducted by ATI) 4 a) Comprehensively review the availability of Short Term qualified accounting staff and b) Take suitable measures to supplement them. Medium Term 5 Issue a formal charter to reiterate the role of Short term Internal Audit and the expectation from the auditee units. 6 Similarly, it would be helpful if the government Short term evolve s Internal Audit policies covering:  Operational independence (communicated through the Charter)  Professional competence and training  Resources  Scope of work to be undertaken  Involvement in risk management and developing internal control policies and procedures  Reporting and  Quality review 7 Set up Internal Audit as a separate directorate Short term reporting either to the PS, Finance or Chief  Short Term – 0-12 months; Medium Term – 2 – 3 years; and Long term - 4-5 years Centre for Good Governance 19 Strategy for strengthening Internal Audit in GoB Secretary as suggested by Bihar State Administrative Reforms Commission. Leadership of IA 8 Re-designate Chief Controller of Accounts as Short term Director of Audit and officers below him suitable as Deputy and Assistant Director of Audit. 9 Upgrade the post of head of IA to Secretary level. Short term 10 Post a Secretary level officer from IAS, or IA&AS or Short term some other accounting service as head of IA Scope of Internal 11 Develop a short term and a medium term plan for Short term Audit capacity building of IA in line with enhanced scope of internal audit. Capacity building of 12 Train existing staff in basic computer skills and Medium Term Internal Audit staff conduct refresher courses in regularity auditing. 13 Train a select number of IA staff on risk based Medium Term auditing, Computer Assisted Audit Techniques, Value for Money audit, etc. 14 Recruit (by co-opting and taking on deputation Short Term from outside GoB) specialists in IS Audit, statistical methods, etc. IA Staff Morale 15 Expeditiously convene the Departmental Promotion Short term Committees and promote those who meet the eligibility criteria. 16 Complete the process of fresh recruitment of IA Short Term staff expeditiously 17 Equip IA with modern office equipment Short term Outsource some 18 Outsource some audits in the interim using the set Medium Term audit criteria so that IA can catch up with backlog. Centre for Good Governance 20 Strategy for strengthening Internal Audit in GoB Annexure A (Mod el) Charter of Internal Au d it Dep artm ent This charter of the internal audit department of Government of Bihar defines the internal audit's purpose, authority and responsibility. Accordingly it lays down (a) the internal audit’s position; (b) authorizes access to records, personnel and physical properties relevant to the performance of engagements; (c) defines the scope of internal audit activities. Position of Internal Audit in the government The Government of Bihar supports a system of Internal Audit as a staff function and as a coordinator of a State-wide, independent appraisal function to examine and evaluate the activities of the departments and autonomous organizations working under them. The Government supports this staff function as a service to the state administration in improving its efficiency and effectiveness. Director of Internal Audit The coordination of the internal auditing function is the responsibility of the Chief Controller of Accounts. The CCOA shall be of the rank of at least Secretary / Joint Secretary to Government. The post of CCOA may be filled by an officer of Bihar Financial Service, or from one of the central services such as IA&AS in which case he shall have put in at least eight years of service. He shall be appointed for a minimum tenure of minimum three years, unless special circumstances require him to be relieved from the post earlier. In order to secure independence and objectivity as required by Internal Auditing Standards, the CCOA shall report directly to the Chief Secretary / Principal Secretary Finance. Human and financial resources In order to enable Internal Audit Department to effectively discharge its functions the government shall ensure that a) the Internal Audit Department is provided with adequate number of posts; b) the posts are by and large filled always and c) it is given adequate budget for travel and other necessary expenses. Unrestricted access to records and documents In carrying out his duties and responsibilities, the Director of Internal Audit will have full, free and unrestricted access to all activities, records, property and personnel of each department and all the autonomous bodies attached to it. Scope of internal audit The internal auditing function consists of audit of transactions in government departments on a sample basis. Considering that the resources available will not be sufficient to subject every department to its audit, the Internal Audit shall conduct its audit in such a manner that it covers potentially high risk areas / transactions on priority. Although the scope of Internal Audit is to Centre for Good Governance 21 Strategy for strengthening Internal Audit in GoB verify compliance with internal controls, it may be extended to investigation of specific instances or evaluation of a particular scheme as decided by the Chief Secretary / Principal Secretary Finance. The Internal Audit Department or its staff shall not be entrusted with any responsibilities for daily operations, planning or designing any activity. Response to Internal Audit All departments shall furnish their replies to internal audit observation promptly. The concerned Heads of Offices and Heads of Departments shall ensure that the replies are furnished without delay. On its part, the Internal Audit should try to resolve as many issues as possible in the exit interview and report only those issues that could not be resolved. It should also pay due regard to materiality and not raise issues that are trivial. Chief Secretary Copy to All Secretaries / Heads of Departments/ Heads of Autonomous Bodies (other than government companies)/ Principal Accountant General (Civil Audit) and Accountant General (CRA) Centre for Good Governance 22