Academy of Accounting and Financial Studies Journal (Print ISSN: 1096-3685; Online ISSN: 1528-2635)

Research Article: 2021 Vol: 25 Issue: 3

Internal Auditing in the Public Sector: Issues of Risks Compliance Application

Tetiana Momot, O.M. Beketov National University of Urban Economy

Olena Vlasova, O.M. Beketov National University of Urban Economy

Natalia Gordienko, O.M. Beketov National University of Urban Economy

Maria Karpushenko, O.M. Beketov National University of Urban Economy

Olena Illyashenko, O.M. Beketov National University of Urban Economy

Ivan Yaroshenko, O.M. Beketov National University of Urban Economy

Olesia Solodovnik, Kharkiv National University of Civil Engineering and Architecture

Anastasiia Kozlova, O.M. Beketov National University of Urban Economy

Abstract

The paper examines the role of risk compliance application for the methodological support of internal audit and financial control services in the public sector to increase the level of transparency with the aim of the quality of government governance improving. The objectives of the study were to: study a theoretical background for risk compliance application as an innovative procedure of internal audit in the public sector; investigate the preconditions for the introduction of the internal audit system in the public sector of Ukraine; and identify the main risks that may arise in the process of functioning of public sector entities, which should be taken into account in the framework of risk compliance. Methods adopted were: abstract-logical analysis, theoretical generalization, systemic and statistical analysis. Results revealed that the implementation of risk compliance is the solution for internal auditing in the public sector. Also, this paper examines the applicability of risk compliance based on both financial and non-financial data in helping the internal audit departments towards increasing public sector management accountability. Risk compliance in the system of internal auditing on the base of relevant internal audit reporting allows improving risk management and public governance processes by facilitating management's efforts to improve their risk management processes.

Keywords

Risks Compliance, Internal Audit, Public Sector, Financial Control, Public Governance.

Introduction

Promoting transparency is essential for increasing public sector management accountability, which is one of the major defenses against corruption. In this light, self-assessment is an essential part of the control culture in the public sector.

Historically, financial control over public funds emerged in ancient times as a result of the expansion and development of the state and government; increasing the resources and functions of the state, which required finding new ways of more effective supervision to ensure the preservation of public finances. Despite this, the use of internal audit in the public sector as a form of financial control in public administration is quite new for both Western countries and Ukraine. This is due to technological innovations, changes in the size and structure of government, the introduction of a program-targeted approach in public administration, increasing society’s requirements for control over the formation, distribution, and use of public financial resources, and several other factors. Therefore, the study of foreign and domestic experience in the formation and development of internal audit in public administration to identify the causes, trends, and evolution of the methodology of its implementation is particularly relevant and interesting.

Theoretical Background

Following the definition of the Institute of Internal Auditors, internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes (The Institute of Internal Auditors, Global 2017b).

Dodge (1992) considered the internal audit as an integral part of internal control for control and analysis of economic activities. Robertson (1993) acknowledges that an internal audit is an independent review and evaluation activity of an organization.

There is a common understanding on the internal auditing in the public sector as a control of the public sector entities and execution of estimates by the organization by checking and monitoring compliance with the legislation, ensuring the reliability of financial reporting data, and compliance with budgetary discipline, activities aimed at targeted and reasonable spending off, which is an object of study for economists in Ukraine and abroad.

The major contribution to the functioning of internal auditing in the public sector was done by (Brown, 1983; Robert de Koning, 1993; Gao & Zhang, 2006; Porter, 2009; Gracheva, 2013; Stepashin, 2014; Anderson et al., 2017).

The concept of Public Internal ƒinancial Control (unique logo is PIƒC) was developed by the European Commission during the second half of the 1990s (Robert de Koning, 1993) as an up-to-date internal control system, which is based on the following three elements: financial management and control system (FMC); functional independent internal audit (IA); centralized organization responsible for harmonizing and coordinating the establishment, implementation and improvement of FMC and IA, usually called a Central Harmonisation Unit (CHU).

Gao & Zhang (2006) linked stakeholder engagement, social auditing, and corporate sustainability intending to apply dialogue-based social auditing to improve the social, environmental, and economic performance of an organization.

According to Gracheva (2013), financial control is regulated by legal norms of state, city, state bodies and organizations, other business entities to check the observance of legality by all entities in the process of carrying out financial activities for socially significant goals. The most important tool for correlating costs with their socially significant result in the public sector is performance audit (Stepashin, 2014).

The study of western scholars is in majority applied and analytical in terms of studying the functioning of internal auditing services in the public sector in different countries such as Denmark, Finland, Iceland, Norway, Sweden, Canada, Saudi Arabia (Juillet, 2016; Jóhannesdóttir et al., 2018; Liston-Heyes & Juillet, 2020).

Based on a national survey of Canadian public sector internal auditors activity eight areas where improvements are possible to deliver more value of audit services as a learning and management tool are identified: expanding the use of advisory services; improving auditors’ knowledge of operations; improving the communication of audit findings; balancing the need for transparency, accountability, and learning; averaging audit findings for enterprise-wide improvements; engaging in a more concerted effort to expand the use of data analytics; expanding the role of internal auditing in enterprise-wide risk management; improving collaboration with the program evaluation function (Juillet, 2016).

The status of internal auditing within the public sector in the Nordic countries is summarized in the comprehensive study of (Jóhannesdóttir et al., 2018). The authors proved that the recommendations from internal audit units have preventive control effects and contribute to helping the organizations to achieve their goals. On the base of their research, the following issues of internal audit within the public sector are needed to be addressed for further development: policymaking, strengthen the regulatory basis for internal audit, defining who is doing what and prevent overlaps, use the opportunity for the international cooperation in implementing internal audit within the public sector.

Furthermore, the important issues that need to be under consideration are the policy, regulatory framework, and models for the set-up for the operation of internal audit in the framework of public financial control.

Conceptual bases of public financial control and internal audit practice in Ukraine have been studying by the following researchers: (Chumakova, 2011; Hlushchenko & Khmelkov, 2012; Natarova, 2015; Dikan, 2017), and others. However, the issues of standardization of methodology and systematic improvement of public internal audit, especially given the current trend of public administration improving and implementation of relevant international standards, have not been sufficiently developed.

Research Objectives

The purpose of the paper is to define the essence and develop theoretical and practical approaches to the implementation of risk assessment procedures in the public sector as part of internal auditing in the framework of public financial control.

There are three research objectives in this research:

1. to study a theoretical background for risk compliance application as an innovative procedure of internal audit in the public sector;

2. to investigate the preconditions for the introduction of the internal audit system in the public sector of Ukraine;

3. to identify the main risks that may arise in the process of functioning of public sector entities, which should be taken into account in the framework of risk compliance.

Research Method

This study was based on the review of the professional and academic literature about the nature of internal auditing and its role in today’s public organizations in internal controls, risk management, and public governance processes improvement. In the course of processing, studying, and analyzing the accumulated materials, a set of general scientific methods abstract-logical analysis, theoretical generalization, the systemic and statistical analysis combined by a system approach to studying this problem were applied.

Results and Discussion

Since 2005, Ukraine has been reforming the system of public internal financial control - the Concept for the Development of Public Internal Financial Control has been approved; amendments were made to the Budget Code of Ukraine regarding the basic principles of organization and implementation of internal control and internal audit; adopted Standards of Internal Audit, Code of Ethics of employees of the internal audit department, etc.

The introduction of internal audit units in the Central Executive Bodies (CEB) officially began on January 1, 2012. During this time, internal audit activities should already yield tangible results. Instead, according to the report of the State Audit Service of Ukraine (SASU) for 2019, the identified loss of resources reaches more than 1,7 billion UAH. Institutions and organizations have established more than UAH 1.27 billion in illegal and non-targeted expenditures and shortages of material and financial resources, including almost UAH 430.0 million in operations with budget funds (SAS of Ukraine, 2020). In such conditions, it is vitally important to continue the development of the system of public financial control, which would be able effectively to perform the control function of public finance.

Today, the system of public internal financial control in Ukraine only partially takes into account the basic principles of public internal financial control systems in force in the EU, in particular concerning internal audit units and harmonization of procedures for their functioning. Although work in this direction is underway.

Thus, part three of Article 26 of the Budget Code of Ukraine (Budget Code of Ukraine, 2010) at the legislative level enshrines the personal responsibility of heads of budgetary institutions of all levels for the organization and implementation of internal control and internal audit and ensuring their implementation in their institutions and enterprises, institutions and organizations in the sphere of management of such administrators of budgetary funds.

The legislative level also defines the content of the state internal audit, which includes activities aimed at improving the management system, internal control, prevention of illegal, inefficient, and ineffective use of budget funds, errors, or other shortcomings in the activities of the budget manager and enterprises, institutions and organizations belonging to the scope of its management, and which provides for the provision of independent conclusions and recommendations. To carry out an internal audit, the manager of budget funds as the administrator forms an independent structural unit of internal audit, which is subordinate and accountable directly to such head (Budget Code of Ukraine, 2010, part 3 of Art. 26).

The Cabinet of Ministers of Ukraine and the Ministry of Finance of Ukraine are simultaneously in charge of developing the procedure for establishing internal audit units in public institutions and for organizational and methodological principles for conducting internal audits. To fulfill its responsibilities, today the Ministry of Finance of Ukraine has formed a foundation for the functioning of internal audit in the public sector in the form of adaptation of International Standards of Professional Practice in Internal Auditing, developed by the Institute of Internal Auditors (IIA) (IPPF, 2017), and development of National Standards internal audit (IAS, 2011) and Methodological guidelines on internal audit in the public sector of Ukraine (MGIAPS of Ukraine, 2019).

At the same time, given the not-so-comforting realities of the functioning of internal audit units in domestic public sector organizations, as well as current trends in public administration reform and implementation of program-oriented management, there is an urgent need to develop existing audit procedures by replacing them with the most modern and relevant in the world to ensure the high quality of work of state internal auditors. The list of such state-of-the-art audit procedures includes the identification and assessment of risks or so-called "compliance of risks".

Grounded on the Regulation on the Organization of Risk Management System in Banks and Bank Groups of Ukraine, that bases on principles of the Basel Committee on Banking Supervision and follows the best international practices the compliance of risks is defined as an assessment of the probability of losses (sanctions), additional losses or loss of planned income or loss of reputation due to non-compliance with legislation, regulations, market standards, fair competition rules, corporate ethics rules, conflicts of interest, and internal documents (the Regulation, 2018).

It should be noted that compliance of risk is currently one of the highly effective innovative management technologies already widely used in the private sector (Momot et al., 2016). The role of internal audit in the implementation of risk compliance involves identifying events that may cause risks that adversely affect the activities of the institution and the achievement of its objectives.

This allows the internal auditor to clearly understand important and relevant areas of the institution; identify a successful audit approach and the resources needed to conduct internal audit procedures. This will help increase the efficiency of internal audit and will guarantee the sustainable development of public sector entities, as it will contribute to:

1. coordination of strategic planning with the system of current goals;

2. achieving synergy in the activities of pooling resources, the efforts of individual employees and departments to achieve the mission of the governing body;

3. ensuring the flexibility of the management system;

4. anticipation of negative external influences on activities and the possibility of their reduction, etc.

The compliance of risks by internal auditors is related to the identification of such risks. The main risks that may arise in the process of functioning of public entities, which should be taken into account in the framework of risk compliance, are identified in Table 1.

Table 1 Risks of Public Sector Entities Identification in the Framework of Risk Compliance
Risks
Operating IT systems and communication Legislative / legal Financial Fiscal Personnel Reputational
Failure to perform certain functions, processes, operations Lack of internet and telephone connection Non-compliance / abolition of legal principles of management of economic activity in the public sector, implementation and implementation of public-private partnership (concessions) Reduction of funding A decrease in the amount of net profit (income) deducted to the state budget by state unitary enterprises and dividends accrued on shares (stakes, units) of companies in the authorized capital of which is state property (compared to the planned amount) Loss of skilled workers (staff turnover, dismissal, retirement) Negative coverage of the institution's activities in the media
Lack of control over the implementation of processes and operations Insufficient or inaccurate data Absence, contradiction, or unclear regulation of essential provisions of the legislation Presence of facts of corruption and fraud Fulfillment of guarantee obligations by the state in case of impossibility for business entities to fulfill their obligations to creditors and to the guarantor Failure to take measures to train and improve staff skills Loss of stakeholders’ trust due to operational deficiencies
Lack of necessary performers The complexity of working with big data Improper claim activity Improper and inefficient use of state resources Provision of additional state aid in the form of subventions to cover unprofitable activities in accordance with the Law of Ukraine "On State Aid to Business Entities" Failure to form long-term vacancies and personnel reserve The dissatisfaction of employees of institutions (complaints, appeals, including to hotlines)
Absence / loss of other resources (transport, logistics, etc.) Virus attacks on basic software Lawsuits, breach of contracts (agreements), suspension of important activities Lack of funds for the maintenance of the institution and operations Other risks that may lead to financial and other losses or liquidity problems of the entity, which entail the spending of centralized funds of the state Decreased skills of employees due to rapid changes in technology and requirements for the functioning of institutions Negative information from government agencies, law enforcement agencies
Lack of necessary internal regulations of the institution Deleting / making invalid adjustments to the most important accounts or not accessing them Transformation of all unitary state enterprises into corporate or institutional ones Fines, penalties; loss of funds or assets      
Lack of responsibility for making and implementing management decisions at various levels Unauthorized leakage of sensitive information Abolition of limited property rights of economic management and operational management in state enterprises        

To implement compliance of risks, the internal audit department should take into account a wide range of both financial and non-financial data, including:

1. information on the financial, management, and operational control systems that apply to most individual assurance tasks;

2. data on typical/systemic violations and shortcomings identified as a result of previous internal audits;

3. notification of structural subdivisions of the relevant body, as well as enterprises, institutions, and organizations belonging to the sphere of its management, about problematic issues and risks in their activity;

4. information from the media, the Internet, complaints, appeals of state bodies, people's deputies, law enforcement agencies, external regulatory authorities;

5. information on reporting (for example, on financial and budgetary reporting, reports on the implementation of the budget program passport, reports on the implementation of financial plans of state enterprises).

Based on risks compliance, the state internal auditors compile the relevant Internal Audit Reports, which should contain:

1. risk profile, ie an overview or matrix of key risks that may arise in the activities of the governing body or its structural unit, including the level of impact (e.g. very high, high, medium, low), as well as the possibility or probability of adverse events (MGIAPS of Ukraine, 2019);

2. agreed on action plan and development of recommendations for reducing or leveling the impact of identified risks on the performance of functions, processes, or operations by the public sector institution.

At the same time, the internal audit department should, on the one hand, initiate changes and, on the other hand, develop measures to improve the relevant internal processes of public sector entities.

This compliance workload of the internal audit unit is due to the fact that it is more constructive to advise on the design of processes during the change process, rather than identifying problems after adverse events when it is often too late to change the situation. In our opinion, changing the guidelines of internal state auditors' services from control functions to preventive ones not only increases the efficiency of their work but can also contribute to the prompt implementation of best practices in public administration so that public sector organizations achieve the goals set by relevant legislative and executive bodies authorities and create effective systems to combat fraud and manipulation of public resources.

One of the important goals of the work of internal state auditors in the framework of risk compliance is to provide information to management about the areas of risk where measures need to be taken, and their relative priority (Dmytrenko, 2010). In this case, the grouping of risks should contain a limited number of groups (for example, very high, high, medium, low risk (MGIAPS of Ukraine, 2019), because too many groups can lead to the artificial separation of risks, which are difficult to distinguish. It should be understood that according to the requirements of International Internal Auditing Standards (IIA), internal auditors should refrain from assuming managerial responsibilities, ie from actual risk management (IPPF, 2017). Because the internal auditor is not responsible for the measures taken by the head of the institution to ensure the establishment and operation of the internal control system, as well as the development and implementation of control measures to influence risks. Such activities are carried out by the management of the institution and those responsible for the activities, regardless of audit activities.

Therefore, the decision on the gradation of risks should be made collectively based on the results of consultations of the head of the internal audit department with the head of the institution, while establishing the level of risk that is acceptable. The guidelines described in the Concept of Internal Control prepared by the Treadway Commission's Committee of Sponsoring Organizations (COSO, 1992; COSO II, 2004) and the Guidelines for the Organization of Internal Control, which take into account the approaches, can serve as a reference for this. regarding the construction of internal control provided by this Concept (GMICS, 2009; MROICMBFISBI, 2014).

In turn, risk compliance in the framework of internal audit involves identifying the objects of audit for which there is an excess of an acceptable level of risk for the public sector and the development of appropriate procedures to reduce it.

Despite a fairly thorough description of audit procedures for assessing risks and the likelihood of their occurrence, given in the Guidelines for Internal Audit in the Public Sector of Ukraine (MROICMBFISBI, 2014), the criteria for identifying risky transactions that should be verified by internal state auditors are ignored. Also, the methodological documents (IAS, 2011; MROICMBFISBI, 2014; IPPF, 2017; MGIAPS of Ukraine, 2019) developed by the Ministry of Finance of Ukraine do not mention acceptable methods of verification of such risky transactions. Thus, these issues need further clarification and development. Besides, the introduction of risks compliance technology by internal auditors in the public sector requires addressing several issues, including lack of sufficient experience in conducting this type of audit activity; lack of a regulatory framework for internal audit (duties, responsibilities, etc.); insufficient number of qualified personnel; insufficient attention to preventive control actions that would ensure the preventive function of the audit; low responsibility of participants in the budget process; failure to ensure proper interaction between internal and external bodies of state financial control, which increases duplication and parallelism in work; computerization of audit, etc.

Conclusions

Internal audit as an element of internal state financial control of the activities of public entities is an important tool for further normalization of the functioning of the institutional framework of the state financial control to enhance its efficiency and effectiveness, to reach the goals for transparency and thus to ensure the proper level of fiscal discipline in the country.

The fight against corruption is a central pillar of reforming the public sector in Ukraine. Recognizing this, risk compliance as an effective tool of internal audit should be a constant continuous process, given the dynamic changes in external and internal conditions of government. This tool identifies and analyzes these changing conditions, opportunities, and threats and plays a key role in selecting appropriate controls in the governing body for achieving public trust in public institutions and attaining sustainable economic growth.

As a result of our research, the main risks that may arise in the process of functioning of public entities, which should be taken into account in the framework of internal auditing are summarized. The role of internal auditing is crucial to build more effective, transparent, and accountable institutions and combat all forms of corruption in the public sector.

At present in Ukraine, the legislative framework for internal auditing in the public sector is created, the methodological approaches are elaborated, etc. However, further solutions to problems that interfere with the proper functioning of internal auditing are needed. Further scientific research of the issues raised in the article may relate to the development of methodological approaches to risk compliance in the implementation of various forms of public internal financial control in Ukraine.

References

  1. Anderson, U., Head, M., Ramamoorti, S., Riddle, C., Salamasick, M., & Sobel, P. (2017).  Internal Auditing: Assurance & Advisory Services. Fourth Edition. Books and Book Chapters by the University of Dayton Faculty.
  2. Brown, P. (1983). Independent Auditor Judgment in the Evaluation of Internal Audit Functions. Journal of Accounting Research, 21(2), 444-455.
  3. Budget Code of Ukraine dated (2010). ? 2456-VI (as amended as of 28.08.2020). https://zakon.rada.gov.ua/laws/show/2456-17#n527
  4. Chumakova, Y. (2011). Internal Audit in Ukraine: Organizational Fundamentals of Creation in the Central Bodies of the Executive Power. Finance of Ukraine, 9, 95-109.
  5. Dikan, L., Deineko, Y., & Kalinkin, D. (2017). Public Internal Financial Control Reforming in Ukraine: Conceptual Foundations and Practices. Economic Annals-XXI, 165(5-6), 60-65.
  6. Dmytrenko, G. (2010). Risk Assessment in the System of State Internal Financial Control. Bulletin of the National Academy of Public Administration, 2, 127-135.
  7. Dodge, R. (1990). The Concise Guide to Auditing Standards and Guidelines. London: Chapman and Hall.
  8. Draft Law of Ukraine 2635. (2019). On Amendments to Certain Laws of Ukraine to Improve Civil Legislation. http://w1.c1.rada.gov.ua/pls/zweb2/webproc4_1?id=&pf3511=67704
  9. Gao, S., & Zhang, J. (2006). Stakeholder Engagement, Social Auditing and Corporate Sustainability. Business Process Management Journal, 12(6), 722-740. DOI: https://doi.org/10.1108/14637150610710891
  10. Guidance on Monitoring Internal Control Systems, GMICS. (2009). Committee of Sponsoring Organizations of the Treadway Commission (COSO). https://www.coso.org/
  11. Hlushchenko, V., & Khmelkov, A. (2012). Financial control in Ukraine: Vectors of Development. Finance of Ukraine, 6, 97-103.
  12. Internal Audit Standards, IAS. (2011). Ministry of Finance of Ukraine. https://zakon.rada.gov.ua/laws/show/z1219-11#Text
  13. International Professional Practices Framework, IPPF. (2017). The Institute of Internal Auditors, IIA 2017 edition. https://iia.org.ua/?page_id=189
  14. Jóhannesdóttir, A.M., Kristiansson, S.N., Sipiläinen, N., & Koivunen, R. (2018). Internal Audit in the Public Sector – Comparative Study Between the Nordic Countries. Icelandic Rewiev of Politics & Administration, 14(2), 19-44. DOI: https://doi.org/10.13177/irpa.a.2018.14.2.2
  15. Juillet L. (2016). Enhancing the Value of Internal Auditing in the Public Sector the Internal Auditor as an Agent of Organizational Learning: a Research Report Written for the Government Internal Auditors Council of Canada. https://chapters.theiia.org/quebeccity/Events/ChapterDocuments/GIACC_IA_Value_Published_Report.pdf
  16. Liston-Heyes C., & Juillet L. (2020). Burdens of Transparency: An Analysis of Public Sector Internal Auditing. Public Administration, 98(3), 659-674.
  17. Methodological Guidelines for Internal Audit in the Public Sector of Ukraine, MGIAPS of  Ukraine. (2019). National Academy for Finance and Economics Ministry of Finance of the Netherlands. https://mof.gov.ua/storage/files/METOD%20VKAZIVKY%202019.pdf
  18. Methodological Recommendations for the Organization of Internal Control by Managers of Budgetary Funds in their Institutions and Subordinate Budget Institutions, MROICMBFISBI. (2014). Ministry of Finance of Ukraine. zakon.rada.gov.ua/rada/show/v0995201-12#Text
  19. Momot, T., Mizik, Y., & Polituchyi, S. (2016). Anti-corruption compliance in strategic monitoring of personnel security at an enterprise. Actual Problems of Economics, 180(6), ???. 167-174.
  20. Natarova, O. (2015). Assessment of the state financial control condition in the public sector. Economic Annals-XXI, 1-2(1), 106-109.
  21. Porter, B. (2009). The Audit Trinity: The Key to Securing Corporate Accountability. Managerial Auditing Journal24 (February), 156-182. DOI: https://doi.org/10.1108/02686900910924563
  22. Robertson, J., & Louwers, T. (2002). Auditing and Assurance Services. New York:McGraw-Hill.
  23. Stepashin, S. (2014). State Audit as Means to Counteract with the Bureaucracy. RUDN Journal of Public Administration, 1, 14-20.
  24. The Concept of Public Internal Financial Control Development up to 2017 (Resolution). (2005). The Cabinet of Ministers of Ukraine. http://zakon3.rada.gov.ua/laws/show/158-2005-%D1%80
  25. The Institute of Internal Auditors, Global (2017a). “Definition of internal audit”. Retrieved from https://global.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-ofInternalAuditing.aspx
  26. The State Audit Service of Ukraine, SAS of Ukraine. (2020). http://dkrs.kmu.gov.ua/kru/doccatalog/document?id=158558
  27. The Regulation on the Organization of Risk Management System in Banks and Bank Groups of Ukraine. (2018). The NBU Board. https://old.bank.gov.ua/document/download?docId=71600453
Get the App